Wednesday, February 06, 2013

Historical OSINT - Hacked Databases Offered for Sale

In the wake of the recently announced security breaches at the NYTimes, WSJ, and the Washington Post, I decided to shed more light on what happens once a database gets compromised by Russian cybercriminals, as opposed to (supposedly) Chinese spies, with the aim of providing factual evidence that these breaches are just the tip of the iceberg.

In this intelligence brief, I'll profile a service that operated throughout 2009, selling access to the compromised databases of multiple high-traffic Web sites, obtained through the direct compromise of those databases; hence the name of the service, GiveMeDB.

Primary URL: hxxp://givemedb.com - Email: giverems@mail.ru
Secondary URL: hxxp://shopdb.blogspot.com
ICQ: 9348793; 5190451

During 2009, the domain responded to 83.133.123.228 (LAMBDANET-AS European Backbone of LambdaNet); it later changed IPs to 74.54.82.209 (THEPLANET-AS - ThePlanet.com Internet Services, Inc.). The following domains also responded to the first IP (83.133.123.228): pornofotki.com.ua and mail.vipnkvd.ru. What are the chances that these IPs are known to have been involved in related malicious/cybercrime-friendly activities? Appreciate my rhetoric.

We've got the following MD5: 6a9b128545bd095dbbb697756f5586a9, which spams links to the same IP (hxxp://83.133.123.228/uksus/?t=3) in particular. Cross-checking the second IP (74.54.82.209) across multiple proprietary and public databases reveals a diversified criminal enterprise that has been using it for years.

The following MD5s are known to have phoned back to the same IP (74.54.82.209):
MD5: d48a7ae9934745964951a704bcc70fe9
MD5: 4626de911152ae7618c9936d8d258577
MD5: ca4b79a33ea6e311eafa59a6c3fffee2
MD5: eb3b44cee34ec09ec6c5917c5bd7cfb4

The same IP was also tied to Palevo C&C activity as recently as 2011. Clearly, they've been multi-tasking on multiple fronts.
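The infrastructure pivoting described above (seed domain to its IPs, then from each IP to co-hosted domains and to malware samples that phoned home to it) as an added worked example; this is not code from the original post. The records are constructed from the indicators listed in this post and stand in for a passive DNS feed and a sandbox callback feed; the function names are my own.

```python
from collections import deque

# Constructed sample records reproducing the relationships the post describes.
# Passive-DNS style: (hostname, ip it resolved to)
PDNS = [
    ("givemedb.com", "83.133.123.228"),
    ("givemedb.com", "74.54.82.209"),
    ("pornofotki.com.ua", "83.133.123.228"),
    ("mail.vipnkvd.ru", "83.133.123.228"),
]
# Sandbox-telemetry style: (sample md5, ip it contacted)
CALLBACKS = [
    ("6a9b128545bd095dbbb697756f5586a9", "83.133.123.228"),
    ("d48a7ae9934745964951a704bcc70fe9", "74.54.82.209"),
    ("4626de911152ae7618c9936d8d258577", "74.54.82.209"),
    ("ca4b79a33ea6e311eafa59a6c3fffee2", "74.54.82.209"),
    ("eb3b44cee34ec09ec6c5917c5bd7cfb4", "74.54.82.209"),
]


def build_graph(pdns, callbacks):
    """Undirected indicator graph: node -> set of neighbours, plus node -> kind."""
    graph, kind = {}, {}

    def link(a, ka, b, kb):
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
        kind[a], kind[b] = ka, kb

    for host, ip in pdns:
        link(host, "domain", ip, "ip")
    for md5, ip in callbacks:
        link(md5, "md5", ip, "ip")
    return graph, kind


def pivot(graph, seed, max_hops=2):
    """Breadth-first walk from seed; returns {node: hop distance} within max_hops."""
    seen, queue = {seed: 0}, deque([seed])
    while queue:
        node = queue.popleft()
        if seen[node] >= max_hops:
            continue
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    return seen


def related_by_kind(graph, kind, seed, want, max_hops=2):
    """Sorted indicators of one kind (domain/ip/md5) reachable from seed, seed excluded."""
    hits = pivot(graph, seed, max_hops)
    return sorted(n for n, h in hits.items() if h > 0 and kind[n] == want)
```

Two hops from givemedb.com surface both co-hosted domains and all five samples; in a real workflow the same walk is run against a passive DNS and sandbox feed to decide whether a shared IP is a hosting coincidence or shared criminal infrastructure.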

Each listing has the following structure: partial URL of the hacked Web site, country of the Web site, quantity of records in the database, first-time price, exclusive price. The list of affected Web sites is as follows:

Job/CV Databases:
jobsbazaar.*
availablejobs.*
ecarers.*
fecareers.*
healthmeet.*
youths.*
jobpilot.*
thecareerengineer.*
iauk.*
jobboerse.*
creativepool.*
jobsinkent.*
jobsinthemoney.*
jobup.*
rxcareercenter.*

Dating Databases:
freedating.*
singles-bar.*
muenchner-singles.*
dateclub.*
websingles.*
find-you.*
fitness-singles.*
houstonconnect.*
datingz.*
loveandfriends.*
lovebyrd.*
mydatingplacephx.*
cozydating.*
singletreffen.*
datearea.*
endless-fantasy.*

Financial Databases:
importers.*
money.*
pcquote.*
investorvillage.*
gurufocus.*
individual.*
arabianbusiness.*
ecademy.*

Other Databases:
pokersourceonline.*
wickedcolors.*
salespider.*
busytrade.*
funky.*

Purchasing these hacked databases immediately improves the competitiveness of a potential cybercriminal, who now has everything he/she needs to launch spam, spear phishing, and money mule recruitment campaigns at their disposal.

For years, novice cybercriminals or unethical competitors have been purposely joining closed cybercrime-friendly communities, seeking help, in exchange for a financial incentive, in obtaining access to a particular database or in the "defacement" of a specific Web site. What this service proves is that the model can actually scale to disturbing proportions, offering access to millions of compromised database records to virtually anyone who pays for them.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.