A forum where stolen details are traded has been hacked, with the contents of its servers now being traded on public file-sharing networks.
Security blogger Brian Krebs reported that the German online forum Carders.cc, which is dedicated to helping criminals trade and sell financial data stolen through hacking, was hit, with at least three separate files being traded on Rapidshare.com.
He claimed that the largest is a database file containing what appears to be all of the communications among nearly 5,000 forum members, including the contents of private, one-to-one messages that subscribers to these forums typically use to negotiate the sale of stolen goods. Another file includes the user names, email addresses and in many cases the passwords of forum users.
A third file includes what appears to be internet addresses assigned to various Carders.cc users when those users first signed up as members, and also features an explanation of how the forum was compromised.
Krebs said: “The top portion of this file includes an oblique reference to the party apparently responsible for the Carders.cc site compromise, noting that the file is the inaugural issue of Owned and Exposed, no doubt the first of many such ‘e-zines' to come from this group.”
The anonymous authors of the e-zine said that they were able to compromise the criminal forum because its operators had been sloppy with security, specifically setting insecure file system permissions on the web server, which essentially turned what might have been a minor site break-in into a total database compromise.
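The insecure-permissions root cause described above is the kind of weakness a defender can look for mechanically before an intruder does. The following script is an added example (not code from the article, from Krebs, or from the e-zine authors): it walks a web root and flags entries that are world-writable, and configuration files whose contents are readable by accounts other than the owner. The list of file names treated as secret-bearing and the constructed sample tree in `demo()` are assumptions for illustration.

```python
import os
import shutil
import stat
import tempfile

# Assumed set of secret-bearing file names; extend to match the deployment being audited.
SENSITIVE_NAMES = {"config.php", "settings.php", "wp-config.php", ".env", "database.yml"}


def audit_tree(root):
    """Return sorted (relative_path, issue) pairs for risky permissions under root.

    Two classes of problem are reported:
      * world-writable files or directories (an attacker with any foothold can plant code)
      * sensitive config files readable by group or others (credentials leak to other accounts)
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entry; nothing to judge
            if stat.S_ISLNK(st.st_mode):
                continue  # the link target is judged on its own entry
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if name in SENSITIVE_NAMES and mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((rel, "secrets readable by group/others"))
    return sorted(findings)


def demo():
    """Build a constructed web root in a temporary directory and audit it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    try:
        os.makedirs(os.path.join(root, "uploads"))
        os.makedirs(os.path.join(root, "includes"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>")
        with open(os.path.join(root, "includes", "config.php"), "w") as f:
            f.write("<?php $db_pass = 'constructed-sample'; ?>")
        with open(os.path.join(root, "uploads", "avatar.png"), "wb") as f:
            f.write(b"\x89PNG")
        # Deliberately sloppy permissions, as the e-zine authors describe in general terms.
        os.chmod(os.path.join(root, "uploads"), 0o777)
        os.chmod(os.path.join(root, "uploads", "avatar.png"), 0o666)
        os.chmod(os.path.join(root, "includes", "config.php"), 0o644)
        os.chmod(os.path.join(root, "index.php"), 0o644)
        return audit_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, issue in demo():
        print(f"{issue:35} {rel}")
```

Run against a real web root as `audit_tree("/var/www/html")`; the fix for each finding is the usual one (config files owned by the deploying account with mode 0600 or 0640, upload directories writable only by the web server user and never executable by it).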
The authors called Carders.cc ‘a marketplace full of everything that is illegal and bad', saying it was full of ‘carding, fraud, drugs, weapons and tons of kiddies' and that what was a small forum grew after it erased ‘1,337', presumably the number of files.
Krebs said: “On the surface, it's tempting to grin at the misfortune of these fraudsters. Still, the leaked database contains no small amount of password and banking information for many innocent victims.
“In addition, these types of vigilante attacks typically come with hidden costs. For one thing, while it may be true that law enforcement officials could use some of this information to locate people engaged in computer trespass, and buying or selling stolen personal and financial data, the public release of this information could just as easily prompt those individuals to abandon those accounts and internet addresses, and even potentially jeopardise ongoing investigations.”
Blogger Cedric Pernet commented on the incident, saying what interested him most was data about the carders themselves.
He said: “Numerous articles have already been published about the case, but I didn't see any about the specific point of interest for me: the 3,726 unique email addresses of the members of the forum. Seeing all these complete email addresses, I asked myself some questions: do the fraudsters have favourite email services? Do the fraudsters use more generic top-level domains (gTLDs) or country code top-level domains (ccTLDs)? Do the fraudsters use only generic webmail providers, or do they also use specific providers, maybe even corporate addresses?”
His analysis of the data found that the 3,726 unique email addresses were spread across 349 unique providers; the most used was web.de, with 731 users.
Pernet said: “We can assume that if these people use a German email address on an email forum, using sometimes German nicknames, chances are that these cyber criminals do not use proxies and browse the forum using their real IP address.
“The first anonymous email address provider is mail.3dl.am, ranked 12. This website guarantees that your IP addresses are never logged when using their services. Sounds like a bulletproof webmail system.”
With regard to top-level domains, .de was the most used, by 2,010 users, followed by .com (1,065) and .net (179).
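The tallies Pernet describes (unique addresses, users per provider, users per top-level domain, gTLD versus ccTLD) are a straightforward analysis that an incident responder or threat-intelligence analyst would reproduce on any leaked membership list. The following added example, not part of the article or Pernet's own tooling, does so over a constructed, invented address list; the gTLD/ccTLD classification uses the assumption that two-letter TLDs are country codes, which matches the distinction Pernet draws.

```python
import re
from collections import Counter

# Constructed sample addresses for illustration only; none come from the leaked data.
SAMPLE_EMAILS = [
    "alice@web.de", "Alice@WEB.DE",       # same address in different case: counted once
    "bob@gmx.de", "carol@web.de", "dave@example.com",
    "erin@mail.example.net", "frank@provider.co.uk",
    "not-an-address",                     # malformed row, skipped
    "grace@web.de", "heidi@gmx.de", "ivan@example.com",
]

# Minimal shape check: local part, '@', a domain with at least one dot.
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s.]+)$")


def unique_addresses(emails):
    """Normalise case and whitespace, drop malformed rows, keep first occurrence of each address."""
    seen = set()
    out = []
    for raw in emails:
        addr = raw.strip().lower()
        if EMAIL_RE.match(addr) and addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


def domain_of(addr):
    return addr.split("@", 1)[1]


def provider_counts(emails):
    """Members per provider, where the provider is the full domain after '@'."""
    return Counter(domain_of(a) for a in unique_addresses(emails))


def tld_of(domain):
    return domain.rsplit(".", 1)[1]


def tld_counts(emails):
    """Members per top-level domain (.de, .com, ...)."""
    return Counter(tld_of(domain_of(a)) for a in unique_addresses(emails))


def classify_tld(tld):
    # Assumption: two-letter TLDs are country-code TLDs, everything else generic.
    return "ccTLD" if len(tld) == 2 else "gTLD"


def tld_class_counts(emails):
    """Members split into ccTLD versus gTLD users."""
    totals = Counter()
    for tld, n in tld_counts(emails).items():
        totals[classify_tld(tld)] += n
    return totals


if __name__ == "__main__":
    print("unique addresses:", len(unique_addresses(SAMPLE_EMAILS)))
    print("top providers:", provider_counts(SAMPLE_EMAILS).most_common(3))
    print("by TLD:", tld_counts(SAMPLE_EMAILS).most_common())
    print("ccTLD vs gTLD:", dict(tld_class_counts(SAMPLE_EMAILS)))
```

Note that the provider count keys on the full domain, so `mail.example.net` and `example.net` would be counted as different providers; collapsing subdomains to a registrable domain needs a public-suffix list and is left out here.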