Risk Based Security revealed last Monday that an organisation claiming to be Anonymous Ukraine had posted the first million user credentials on Pastebin and laid claim to having information on “more than 800 million credit cards”.
These details were believed to have come from customers with card brands Visa, MasterCard, Discover and American Express, and included valid credit card numbers, banking routing numbers and full user names.
At the time, researchers told SCMagazineUK.com that their investigation was continuing and that they were unable to identify where the card details had come from – although they suspected that they may have come from compromised ATMs or POS systems.
When first investigating the data dump on Pastebin, the firm said that there were 6,064,823 new cards, with this breaking down as 668,279 American Express, 3,255,663 Visa, 1,778,749 MasterCard and 362,132 Discover.
However, the same analysts told us over the weekend that the leak looks increasingly likely to be old data from previously disclosed data breaches.
Inga Goddijn, a researcher with Risk Based Security, told SCMagazineUK.com via email: “Further analysis shows that, while the data appears to be legitimate, there are strong indications the data contained in the dump was previously disclosed.”
The firm also updated its DataLossDB website, which tracks public data breaches, with the following statement: “Based on further analysis along with discussions with journalists, it appears that this credit card dump contains valid, but older card data that had been previously disclosed. To date, there is no solid evidence this represents a new breach. “
Goddijn stressed that the firm has been unable to unearth “where the data was previously disclosed” or who the group behind the attack is – although she admitted to hearing the same rumours - via numerous technology news websites - of it being a smear campaign by Russian opponents . “All I can say is the group is claiming an affiliation and seems to want to disrupt the financial system. Unless there are additional disclosures, it's anyone's guess.”
These findings resulted in part out of the discovery that two of the Pastebin posts had been removed over the weekend, as well as the links to the .exe files – some 300MB in size - containing the credit card details. Malwarebytes analyst Chris Boyd told SC that he had noted that “cached versions seem to be dead this end too.”
Meanwhile, Lee J, a fellow researcher with Risk Based Security, told this writer that ‘very trusted sources' had told him that the leak was a ‘false flag' and said that his firm is now investigating the motives and links.
He was, however, more reluctant to admit that it may not be Ukraine Anonymous. “Well anyone can be part of Anonymous so hard to say [it's] not Anonymous but [it] is fake old data but unsure to its source,” he told SCMagazineUK.com.
The theory of this being the work of Russian protesters certainly stands up on some grounds, with the Twitter account @Op_Ukraine – which originally broke the news of the data dump – having been suspended this weekend. The website had only been active since the initial disclosure on the breach.
Furthermore, Anonymous usually publishes its news on its official social media accounts, while Brook Zimmatore, CEO of Massive PR - which provides cyber security intelligence to banks and other companies, told The Register that the leak was being discussed “almost exclusively” on Russian web forums.