author photo
By Bruce Sussman
Wed | Jan 29, 2020 | 11:27 AM PST

The ad for newly-stolen payment card data is eye-popping.

It is complete with atomic explosions, mushroom clouds, Bruce Willis, and the headline: 



This newest database claims to contain more than 30 million records that are brand new, from a nationwide breach. And there's more: it says the stolen credit data comes from people in 40 states and more than 100 countries. 

All available, right now, at Joker's Stash.

What does Joker's Stash have to do with stolen credit card data?

Joker's Stash is a prominent carding forum on the Dark Web. This is one of many sites where cybercriminals buy and sell stolen credit card numbers.

The price per number varies, depending on the information that comes with it. The highest value records include security codes, names, addresses, dates of birth—everything cybercriminals need to open more credit in your name.

Are stolen credit card numbers for sale from the Wawa stores breach?

Researchers at Gemini Advisory discovered the "for sale" announcement and say the database of stolen payment information records comes from the Wawa data breach.

"Gemini has determined that the point of compromise for BIGBADABOOM-III is Wawa. Since the breach may have affected over 850 stores and potentially exposed 30 million sets of payment records, it ranks among the largest payment card breaches of 2019, and of all time."

Wawa is a chain of several hundred convenience stores and gas stations in the eastern United States.

It issued a statement this week in response to the carding forum discovery and did not dispute Gemini Advisory's findings.

"Today, we became aware of reports of criminal attempts to sell some customer payment card information potentially involved in the previous Data Security Incident announced by Wawa on December 19, 2019. We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information.

We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data."

What is the timeline of the Wawa data breach?

When Wawa announced the data breach last month, it laid out the following timeline.

  • March 4, 2019: Hackers begin installing malware on in-store payment systems. The malware is capable of capturing credit card data. 
  • April 22, 2019: Hackers have completed installing card stealing malware on most or all of Wawa's payment systems. 
  • December 10, 2019: Wawa's information security team identifies the malware. Before that happened, customers from all over the world used credit cards at the stores.
  • December 12, 2019: All malware is blocked or contained, the data stealing part of the breach is over.

And now we can add another item to the data breach timeline:

  • January 27, 2020: Joker's Stash advertises a new major database of stolen credit card data for sale, believed to be from the Wawa breach. 

Who are the players on these carding forums?

Think of carding forums like an eBay for cybercriminals and hackers. Here is a look at the parties typically involved:

  1. Joker's Stash is the middleman or marketplace operator—like eBay, except this is illegal.
  2. Hackers are the sellers here: they break into computer networks and steal credit card and payment data. They want to sell it and make a profit for their time and the risk they took. They list it for sale on a carding forum.
  3. Cybercriminals are the buyers here: criminals of all types use the anonymity of the Dark Web to buy this stolen financial data. They might buy a few records, or they might buy 10,000.
  4. There are some guarantees: many of the carding forums allow buyers and sellers to rate each other. There's no honor among thieves, but there are online reviews. 

For more on the operation of these criminal forums, see our previous story: Hacked Credit Card Numbers: $20M in Fraud from a Single Marketplace.

And like any e-commerce site, the Joker's Stash likes publicity.

"Joker's Stash uses the media coverage of major breaches such as these to bolster their credibility as the most notorious vendor of compromised payment cards."

Gemini Advisory says Joker's Stash previously sold hacked credit card data from the Lord & Taylor and Saks Fifth Avenue data breach.

[RELATED: Wawa data breach announcement]

[RESOURCE: SecureWorld cybersecurity conference 2020 schedule]