Minerva Studio - stock.adobe.com

Singapore payment card data compromised by JavaScript sniffers

Raw data of thousands of payment cards issued by Singapore banks stolen by the online equivalent of a traditional card sniffer

The payment card information belonging to thousands of customers of Singapore banks was believed to have been compromised by a type of web-based malware and put up for sale on the dark web, according to Singapore-based cyber security company Group-IB.

During their analysis of underground card shops, Group-IB’s threat hunting team discovered a spike in the sale of raw data of 4,166 compromised payment cards – including CVV, card number and expiration date – issued by Singapore banks.

Group-IB said the data was uploaded in April 2019, and that the spike took place on 1 April when a database containing data on 1,726 compromised cards was put up. The mean figure from January to August 2019 was 2,379 cards per month.

The data was likely to have been stolen using JavaScript sniffers, the online equivalent of a traditional card skimmer – a small device installed on ATMs that intercepts payment card details, said Group-IB.

Comprising just a few lines of code, JavaScript sniffers can be injected into websites frequented by online shoppers to capture data entered, such as payment card numbers, names, addresses and passwords.

The malware can infect websites powered by different content management systems and is hard to uncover using traditional signature-based detection methods, making it even more dangerous, said Group-IB.

Ilya Sachkov, CEO and founder at Group-IB, said there had been many high-profile data breaches – such as the recent British Airways incident – facilitated by JavaScript sniffers, suggesting that few e-commerce merchants were aware of this cyber threat.

“In order to minimise losses, in case an online store is infected with a JavaScript sniffer, we advise online shoppers in Singapore not to keep all their eggs in one basket and have a separate pre-paid card for online payments or even a separate bank account exclusively for online purchases,” said Sachkov.

In the first eight months of 2019, Group-IB experts found data on 26,102 compromised payment cards issued by Singapore banks that were put up for sale on dark web card shops. The total underground market value of this data is estimated at nearly $1.8m.

Nevertheless, Group-IB said Singapore offers a higher level of protection compared to other countries in Asia-Pacific, thanks to security measures mandated by Singaporean authorities, such as the use of one-time passwords for online transactions, as well as EMV chip cards.

Read more about cyber security in APAC

Read more on Hackers and cybercrime prevention

Data Center
Data Management