Brazen crims selling stolen credit cards on Meta’s Threads

Exclusive: Brazen crooks are selling people’s pilfered financial information on Meta’s Threads, in some cases posting full credit card details, plus stolen credentials, alongside images of the cards themselves.

SpyCloud security researcher Kyla Cardona says she spotted some of these posts while scrolling her feed.

“I was like, what is this? This is fullz information – sensitive PII that could be used for phishing, fraud, any type of cyberattack and cybercrime,” Cardona said in an exclusive interview with The Register.

A Meta spokesperson told us that it’s “aware of this type of behavior, and continues to take action against accounts and content that violate our policies.” 

The social media giant could and should be doing more to boot criminals off its platform, according to SpyCloud’s threat hunters, who said they’ve spotted at least 15 accounts with more than 12,000 followers posting people’s financial and personal information, in plain view of anyone on Threads, or, in some cases, on one of Meta’s other platforms.

Security researcher Aurora Johnson said she also saw the ads for stolen cards pop up on her Instagram account. This suggests that not only does this type of criminal activity exist on Threads, but it’s actively promoted by Meta’s algorithm. 

Actively moderated? Hmmm

“It doesn’t seem to be something that’s being actively moderated,” Johnson told The Register. “The accounts have been around for a month, two months, and I would assume that Meta has the ability to do some sort of automated processing of OCR [Optical Character Recognition] of the photos, as well as do some automated detection of posts that contain full credit card information. That’s a format where you can put some type of automated protection in place.”

The posts include a combination of card holders’ full names, full and partial credit card numbers plus CVV security codes and expiration dates, PINs and Bank Identification Numbers (BINs) along with bank or credit card lender names, social security numbers, IP addresses, physical addresses, phone numbers, birthdates, email addresses and passwords.

In other words, everything a criminal would need to, at the least, enjoy a shopping spree on someone else’s plastic. Or, even worse, commit identity fraud, engage in social engineering attacks, use the stolen credentials to break into other accounts, and conduct cyberstalking or real-life stalking or swatting, putting victims in physical danger.
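
The automated detection of posts containing full card details that Johnson describes can be sketched as follows. This is an added example, not code from Meta, SpyCloud or the article; the function names, the 60-character window and the sample posts are assumptions constructed for illustration.

```python
import re

# Candidate card number (PAN): 13-19 digits, optional single space/hyphen separators.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Expiry such as 08/27 or 08/2027, and a labelled 3-4 digit security code.
EXPIRY_RE = re.compile(r"(?<!\d)(?:0[1-9]|1[0-2])\s?[/-]\s?(?:\d{4}|\d{2})(?!\d)")
CVV_RE = re.compile(r"(?i)\b(?:cvv2?|cvc|cid)\b\D{0,3}\d{3,4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most order numbers, phone numbers and IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_post(text: str, window: int = 60) -> list[dict]:
    """Return one finding per Luhn-valid card number, with the number masked."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            continue
        # Look for expiry/CVV near the number, with the number itself blanked out
        # so its own digit groups cannot be mistaken for an expiry date.
        context = text[max(0, m.start() - window):m.start()] + " " + text[m.end():m.end() + window]
        full = bool(EXPIRY_RE.search(context) and CVV_RE.search(context))
        findings.append({
            "masked": digits[:6] + "*" * (len(digits) - 10) + digits[-4:],
            "severity": "full_card" if full else "pan_only",
        })
    return findings


# Constructed sample posts; 4111 1111 1111 1111 is a widely published test number.
SAMPLES = [
    "fresh drop 4111 1111 1111 1111 | 08/27 | CVV 123",
    "call 4111111111111111 for info",
    "Order #1234567890123456 has shipped",
]

if __name__ == "__main__":
    for post in SAMPLES:
        print(scan_post(post))
```

Text produced by OCR over an attached image can be passed to the same function. A production filter would also need to handle digit runs that bleed into adjacent numbers, which this greedy match does not.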

Some of the posts even use Threads polls to increase engagement. In one example, a criminal posted card details along with poll options about whether other stolen numbers “Worked fine,” indicating a successful transaction or account opening, or “Declined | Post more” to get new credit card data. 

“They’re crowdsourcing that the stolen credit card still works, which is kind of crazy,” Johnson said. “We saw hundreds of reactions, people responding to the polls.”

SpyCloud’s researchers aren’t the only Threads users to notice this uptick in swiped financial details being advertised and sold on the microblogging site, either. Other surprised users have posted similar stories on Reddit, including seeing credit card pictures while scrolling Instagram.

Telegram connection

Sometimes, the miscreants leave out a key piece of data — like the card’s CVV code — and then direct viewers to Telegram accounts or a group of private channels where they try to sell the full details to other criminals.

However, following Telegram CEO Pavel Durov’s arrest and criminal charges in France in late August and the subsequent crackdown on criminals using the Russian platform for illicit purposes, some of the Threads posts now lead to websites selling the stolen financial info. It’s priced anywhere from $3.50 to $65, Cardona said.

The timing of the new Threads accounts and posts seems to coincide with Durov’s indictment and pledge to do a better job at content moderation on Telegram, the researchers noted.

“In terms of the Telegram accounts that we actively monitor, we have seen a marked increase in the amount of channels getting banned,” Johnson said, adding that the accounts getting booted are heavily related to SIM swapping and stolen credit card info.

“Instead of having a channel on Telegram, because of all the takedowns and the cracking down, they’re advertising on Threads, but they’re still willing to make a sale on Telegram,” Cardona noted.

It also indicates that Telegram “doesn’t have to be as central to the criminal underground as it seems to have been for the last few years,” Johnson added. “These threat actors have options.” ®
