Security firm Finjan has uncovered a website supermarket for stolen card data.
The 'SellCVV2' website was found to be trading the card numbers and other data in a number of sophisticated ways. Criminals visiting the site would be able to earn discounts based on volume bought and choose from a range of tiers, starting at the least valuable Classic Visa or MasterCard - those with the lowest credit limits - through more valuable Gold, Platinum, and Corporate levels.
According to Finjan, prices ranged from $38 (£20) for small volumes of premium card numbers, down to $10 (£5) for the equivalent low-limit cards in chunks of 100 at a time. Criminals worried about being stung themselves by non-working cards were being offered 'guarantees' as well as trial data sets.
No breakdown was given on where or how the cards might have been stolen, but they are believed to be from around the globe and possibly culled using online Trojan-related techniques.
"The site, which appears to use Google's Blogspot service, is typical of a number of portals promoting the exchange of fraudulent card data. But what is apparent from the SellCVV2 site is the level of commercialisation of the traders involved," said Finjan's CTO Yuval Ben-Itzhak.
The site takes its rather apt name from the three-digit CVV2 (Card Verification Value 2) number on the reverse of credit cards, which is essential for remote transactions. The name implies that these numbers are also being supplied.
Finjan recently reported on a similar site found to be selling a large number of valid FTP server logins, many used by large companies around the world. As with SellCVV2, that site used a sophisticated trading model.
"If further proof were needed that there is a very serious problem facing the card acceptance and processing industry, this is it. The level of sophistication shown on the site acts as a clear warning to anyone who thinks card fraud is a containable problem," said Ben-Itzhak.