Your stolen credit card may end up here

WATERLOO – If you’ve ever wondered where your stolen credit card turns up, a cybersecurity firm is offering hard proof.

Your credit card data is typically stolen in two ways. One is after a data breach like the Capital One incident that affected 106 million customers. The other is e-skimming, where hackers inject JavaScript code into website payment processing pages in order to pilfer credit cards and account data from customers.

“Magecart is one of the most prominent [criminal] groups behind this activity [to] siphon off sensitive card data,” Foss said.

Recently, Magecart has been impersonating legitimate payment applications using homoglyph attacks – for instance, creating a website “g00gle.com” instead of google.com – which fools victims into visiting the malicious site, Foss explained.

The endgame for cybercriminals is peddling stolen credit cards that go for an average rate of $10 to $20 per card on the dark web, according to Foss. PayPal accounts sell for $2 to $10 per account, with accounts holding more money costing even more.

The stolen credit card data is typically offered in a shopping cart format, where the “buyer” can check off which credit cards they want to purchase based on a menu of available credentials.