Over 600,000 malware-stolen card details sold on dark web: Study


The proliferation of malware-as-a-service tools online is accelerating the loss of payment card details to criminals: an April 2024 snapshot survey found that more than 600,000 payment cards had been compromised worldwide and their details later sold on the dark web.

The most popular of these malware-as-a-service tools, RedLine, accounts for six out of every 10 payment cards stolen by criminal hackers, according to survey data from NordVPN, a Europe-based VPN and security vendor.

The RedLine family surfaced in March 2020, during the early stages of the pandemic.

RedLine’s success as a malware-as-a-service tool – a subscription model that lets criminals buy data-capturing malware on underground forums – places it well ahead of the Vidar, Raccoon and MetaStealer malware families, which together account for just over half as many successful payment card thefts as RedLine.

Malware-as-a-service is available for as little as US$150 per month from specialist dark web marketplaces. RedLine itself is available for as little as US$100 on the dark web.

Adrianus Warmenhoven, a cybersecurity adviser at NordVPN, further explains the malware family’s effectiveness: “RedLine is a significant threat due to its affordability, effectiveness, and accessibility.

“It’s easily deployed through social engineering, continually adapts to evade detection, and is supported by dedicated Telegram channels, making it especially dangerous and accessible to novice cybercriminals,” he said.

RedLine malware harvests information from browsers, including saved credentials, autocomplete data, and stored credit card details.

The malware infiltrates a victim’s device via a number of attack vectors, including phishing emails, exploitation of software vulnerabilities, deceptive ads, and compromised public USB ports. More sophisticated techniques, such as man-in-the-middle and remote code execution attacks, are also used to deliver RedLine directly.

“The unfortunate fact is that stolen data is sold and used incredibly quickly — often in a matter of hours,” NordVPN writes.

“Cybercriminals know that the quicker they exploit the stolen payment card details, the higher the chance their fraudulent transactions will go through.”

These malware families also capture significantly more data in a card-capture campaign than payment details alone.

“As many as 99 per cent of the stolen cards included additional data, such as the victim’s name, computer files, and saved credentials.”

NordVPN notes that payment card thieves seldom use stolen card details themselves.

“They steal to sell. It’s a complex ecosystem with a regular supply and demand for stolen credentials.”

Stolen card details are put up for sale on various channels, such as Telegram and dark web marketplaces like Joker’s Stash.

“Fraudsters and cybercriminals may purchase these card details in bulk or buy them individually, depending on the information available. Cards with additional information are more in demand and likely to sell fast.”

The study also – perhaps reflecting the global market share of each card network – showed a considerable bias towards Visa card details, which represent over half (54 per cent) of the 600,000 stolen payment cards NordVPN uncovered; a third of the cards (33 per cent) were Mastercard. Amex, RuPay, Diners Club US & Canada, GPN and others made up the remaining 13 per cent of stolen cards.