Bank card data can be stolen in many ways, some more elaborate than others. According to research by NordVPN, stolen card data can be found for sale very easily on the dark web. The company found about 4 million of these cards for sale on the Internet, 78,654 of them from Spain.

According to NordVPN's study, exploiting a security breach to access a user's banking information is not the only way to obtain these details. Many credit and debit cards can be found on dark web black markets at laughably low prices.

A bank card for as little as $10

A fully functional bank card could cost as little as $10. The study was carried out by independent researchers specialized in cybersecurity, who found millions of these cards from 142 different countries.

Through an interactive graph, we can see the total number of cards for sale by country, as well as their average sale price. We can also see the figures filtered by card type, and even the risk index for each country.

NordVPN has highlighted some interesting points from this research. The most frequent cards are VISA, followed by Mastercard and American Express. It is also more common to find debit cards on these markets, since they offer fewer protections. The country of origin with the most credit cards for sale is the United States, with a total of 1,561,739, according to the investigation.

Another key component of the research is the risk index, which is based on the average number of cards a person has per country. Countries with a higher risk index include Australia, New Zealand, Turkey, and Malaysia, among others.

Brute force, the key to cybercriminals

According to NordVPN, the bank cards sold on the dark web have been obtained through brute force methods. This means that cybercriminals guess card details by trial and error, with the help of a computer and tools that remove the limit on the number of operations that can be carried out in a short period of time.

According to NordVPN, these attacks do not target a specific user. Instead, card details are tested until a card works, and that card is then put up for sale. A sufficiently skilled offender can reduce the number of digits he needs to guess. The site cites a study from the University of Newcastle, which states that such an attack could take about six seconds.

The article mentions some ways to avoid this type of fraud, that is, recommendations that both banks and users should follow. Stronger password systems and more sophisticated security and fraud detection tools should be the norm at every bank. At the user level, the minimum we should have enabled is two-factor authentication.

Thousands of examples daily

Marcelino Madrigal, a computer expert in network analysis, recently shared a very interesting thread on this type of attack. In it, real examples of bank cards found on the dark web are shown, some with prices that do not even reach 10 dollars.

According to the expert, “many times this happens due to our carelessness or ignorance.” Also, if our system is infected by a Trojan, the cybercriminal could obtain all kinds of data about our life. Madrigal shows a real, anonymized example of a computer infected by a Trojan that was auctioned on the deep web.

This is a very very real mini thread

They will be able to see something that is rarely taught (With all prudence and duly “anonymised”)

It is part of my daily work.

I will put some real examples of what happens on the Deep Web when a Trojan is installed. – mmadrigal (@SoyMmadrigal) November 30, 2021

In this example you can see that, for only $12, criminals can obtain information about the country of origin, IPs, passwords, browsers used, and much more. The web pages that the victim has accessed can also be seen, among other relevant data.

The recommendations are always the same, and they are obvious but useful. We should always use strong, different passwords for each service we register with. We must also be very careful with links we receive from anonymous users, in e-mails, or even from acquaintances who have sent them without criminal intentions. In addition, as mentioned above, it is also good to activate two-factor authentication on all services that offer it, in order to receive the access codes on mobile devices or another linked system.

