In the wake of the recently announced security breaches at the NYTimes, WSJ, and the Washington Post, I decided to shed more light on what happens once a database gets compromised by Russian cybercriminals, compared to (supposedly) Chinese spies, with the idea to provide factual evidence that these breaches are just the tip of the iceberg.
In this intelligence brief, I'll profile a service that was originally operating throughout the entire 2009, selling access to compromised databases of multiple high-trafficked Web sites, through the direct compromise of their databases, hence, the name of the service - GiveMeDB.
Secondary URL: hxxp://shopdb.blogspot.com
ICQ: 9348793; 5190451
During 2009, the domain used to respond to 22.214.171.124 (LAMBDANET-AS European Backbone of LambdaNet), it then changed IPs to 126.96.36.199 (THEPLANET-AS - ThePlanet.com Internet Services, Inc.). The following domains used to respond to the same IP (188.8.131.52), pornofotki.com.ua, mail.vipnkvd.ru. What are the chances that these IPs are known to have been involved in related malicious/cybercrime-friendly activities? Appreciate my rhetoric.
We've got the following MD5: 6a9b128545bd095dbbb697756f5586a9 spamming links to the same (hxxp://184.108.40.206/uksus/?t=3) in particular. Cross-checking the second IP (220.127.116.11) across multiple proprietary and public databases, reveals a diversified criminal enterprise that's been using it for years.
The following MD5s are known to have phoned back to the same IP (18.104.22.168):
As well as a recent (2011) Palevo C&C activity. Clearly, they've been multi-tasking on multiple fronts.
The structure of propositions is the following: partial URL of the hacked Web site, country of the Web site, Quantity of records per database, First-time price, Exclusive price. The list of affected Web sites is as follows:
Purchasing these hacked databases, immediately improves the competitiveness of a potential cybercriminal, who now has everything he/she needs to launch spam, spear phishing, and money mule recruitment campaigns, at their disposal.
For years, novice cybercriminals or unethical competitors have been on purposely joining closed cybercrime-friendly communities, seeking help in exchange for a financial incentive, in obtaining access to a particular database, or for the "defacement" of a specific Web site. What this service proves is that, the model can actually scale to disturbing proportions, offering access to millions of compromised database records to virtually anyone who pays for them.
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.