Three Top Russian Cybercrime Forums Hacked – Krebs on Security

In the past few weeks, three of the oldest and most revered Russian-language online forums serving thousands of experienced cybercriminals have been hacked. In two of the intrusions, attackers seized the forums’ user databases, including email and Internet addresses and hashed passwords. Members of all three forums fear that the incidents could serve as a virtual Rosetta Stone to connect the real identities of the same users across multiple criminal forums.

References to the leaked Mazafaka Crime Forum database have been posted online in the past 48 hours.

On Tuesday, someone dumped thousands of usernames, email addresses and passwords apparently stolen from Mazafaka (a.k.a. “Maza”, “MFclub”), an exclusive crime forum that for more than a decade hosted some of Russia’s most experienced and infamous cyber thieves.

Atop a 35-page PDF leaked online is a private encryption key purportedly used by Maza administrators. The database also includes ICQ numbers for many users. ICQ, also known as “I Seek You,” was an instant messaging platform that countless early denizens of those older crime forums relied upon before its use fell out of fashion in favor of more private networks, such as Jabber and Telegram.

This is notable because ICQ numbers tied to specific accounts are often a reliable data point that security researchers can use to connect multiple accounts to the same user across many forums and different nicknames over time.

Cyber intelligence firm Intel 471 believes that the disclosed Maza database is legitimate.

“The file consisted of over 3,000 lines, containing usernames, partially obfuscated password hashes, email addresses and other contact details,” Intel 471 found, noting that visitors to the Maza forum are now redirected to a breach announcement page. “Initial analysis of the leaked data highlighted their likely authenticity, as at least a portion of the leaked user records correlated with our own data holdings.”

The Maza attack comes just weeks after the looting of another major Russian criminal forum. On January 20, a longtime administrator of the Russian-language forum Verified revealed that the community’s domain registrar had been hacked and the site’s domain redirected to an Internet server controlled by the attackers.

A note posted by an administrator of the Verified forum regarding the hack of his registrar in January.

“Our [bitcoin] wallet was cracked. Luckily we didn’t keep large amounts in it, but it’s still an unpleasant incident. Once the circumstances became clear, the administrator assumed that THEORETICALLY, all forum accounts could have been compromised (the probability is low, but it is there). In our business, it is better to play it safe. So we decided to reset everyone’s codes. It’s not serious. Just write them down and use them from now on.”

Shortly after, the admin updated his post saying:

“We are receiving messages indicating that the forum databases were ultimately stolen when the forum was hacked. Everyone’s account passwords have been forcibly reset. Pass this information on to people you know. The forum was hacked through the domain registrar. The registrar was first hacked, then the domain name servers were changed, and the traffic was sniffed.”
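The hijack the administrator describes, a compromised registrar account followed by a change of the domain’s name servers so traffic could be sniffed, shows up as drift in the domain’s NS delegation long before users notice anything. The following is an added example, not code from the article or from any forum: it keeps a baseline of the name servers a domain owner expects and reports any drift. The domain and server names are constructed placeholders.

```python
"""Detect a hijacked domain by comparing its authoritative name servers
against a known-good baseline. Added example; not from the article or from
any forum's own tooling. Domain, baseline and observed records are constructed."""
import subprocess
import sys

# Baseline: the NS records the domain owner expects to see (constructed placeholder).
BASELINE_NS = {
    "example-forum.invalid": {"ns1.hosting.example.", "ns2.hosting.example."},
}


def normalize(names):
    """Lower-case and add a trailing dot so 'NS1.x.example' equals 'ns1.x.example.'."""
    out = set()
    for n in names:
        n = n.strip().lower()
        if not n:
            continue
        if not n.endswith("."):
            n += "."
        out.add(n)
    return out


def check_ns(domain, observed, baseline=BASELINE_NS):
    """Compare observed NS names with the baseline; return a report dict.

    'unexpected' lists servers the owner never delegated to (the registrar-hijack
    signal); 'missing' lists legitimate servers that have disappeared."""
    expected = normalize(baseline.get(domain, set()))
    seen = normalize(observed)
    return {
        "domain": domain,
        "ok": bool(expected) and seen == expected,
        "unexpected": sorted(seen - expected),
        "missing": sorted(expected - seen),
    }


def live_ns(domain):
    """Fetch the current NS set with `dig` (used only when run from the command line)."""
    proc = subprocess.run(["dig", "+short", "NS", domain],
                          capture_output=True, text=True, check=False)
    return [line for line in proc.stdout.splitlines() if line.strip()]


if __name__ == "__main__":
    dom = sys.argv[1] if len(sys.argv) > 1 else "example-forum.invalid"
    report = check_ns(dom, live_ns(dom))
    print(report)
    sys.exit(0 if report["ok"] else 1)
```

Run it from a scheduled job and alert on a non-zero exit. Because a recursive resolver may hand back a cached delegation, querying the TLD’s name servers directly (for example `dig +norecurse NS example-forum.invalid @<tld-server>`) catches a registrar-level change sooner than a cached answer would; the same baseline comparison applies either way.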

On February 15, the administrator posted a message purportedly sent on behalf of the intruders, who claimed to have hacked Verified’s domain registrar between January 16 and 20.

“It should be clear by now that the forum administration has not done an acceptable job with the security of all of this,” said the attacker. “Most likely just out of laziness or incompetence, they gave it all up. But the main surprise for us was that they logged all user data, including cookies, referrers, first sign-up IP addresses, connection scans and everything in between.”

Other sources say tens of thousands of private messages between Verified users have been stolen, including information about bitcoin deposits and withdrawals and private Jabber contacts.

The compromises of Maza and Verified, and perhaps of a third major forum, have raised concerns among many in the community that their real identities will be exposed. Exploit, perhaps the next largest and most popular Russian forum after Verified, also saw an apparent compromise this week.

According to Intel 471, on March 1, 2021, the administrator of the Exploit cybercrime forum claimed that a proxy server the forum uses for protection against Distributed Denial of Service (DDoS) attacks may have been compromised by an unknown party. The administrator said that on February 27, 2021, a monitoring system detected unauthorized secure shell (SSH) access to the server and an attempt to dump network traffic.
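The Exploit incident as the administrator tells it, unauthorized SSH access to the DDoS proxy caught by a monitoring system, is the kind of event a simple authentication-log rule surfaces. The following is an added example, not code from the article or from the forum’s own monitoring: it scans OpenSSH log lines and flags accepted logins that break a stated policy (unexpected account, source outside the management network, or password authentication where keys are expected). The hostnames, addresses, allowlist and user names are all constructed.

```python
"""Flag policy-violating SSH logins in OpenSSH auth logs. Added example; not from
the article or from any forum's monitoring. All sample data is constructed."""
import ipaddress
import re

# Constructed sample of sshd log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Feb 27 03:12:01 proxy1 sshd[2211]: Accepted publickey for ops from 192.0.2.10 port 51412 ssh2: ED25519 SHA256:abc
Feb 27 03:14:22 proxy1 sshd[2240]: Failed password for root from 198.51.100.77 port 40112 ssh2
Feb 27 03:14:25 proxy1 sshd[2240]: Failed password for root from 198.51.100.77 port 40112 ssh2
Feb 27 03:15:09 proxy1 sshd[2261]: Accepted password for root from 198.51.100.77 port 40120 ssh2
Feb 27 03:16:40 proxy1 sshd[2270]: Accepted publickey for ops from 192.0.2.11 port 51500 ssh2: ED25519 SHA256:def
"""

# Policy (constructed): only 'ops' may log in, only from the management network, only with keys.
ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]
ALLOWED_USERS = {"ops"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.a-f:]+) port (?P<port>\d+)"
)


def parse(lines):
    """Yield one dict per sshd Accepted/Failed line; other lines are ignored."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def is_allowed_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def find_alerts(lines):
    """Return (reason, record) pairs for every accepted login that violates policy."""
    alerts = []
    for rec in parse(lines):
        if rec["result"] != "Accepted":
            continue  # failed attempts are noise here; successful access is the signal
        reasons = []
        if rec["user"] not in ALLOWED_USERS:
            reasons.append("user not in allowlist")
        if not is_allowed_source(rec["ip"]):
            reasons.append("source outside management network")
        if rec["method"] == "password":
            reasons.append("password auth where keys are expected")
        alerts.extend((reason, rec) for reason in reasons)
    return alerts


def alert_summary(lines):
    """Compact (user, ip, reason) tuples, convenient for reports and assertions."""
    return [(rec["user"], rec["ip"], reason) for reason, rec in find_alerts(lines)]


if __name__ == "__main__":
    for user, ip, reason in alert_summary(SAMPLE_LOG.splitlines()):
        print(f"ALERT {reason}: {user} from {ip}")
```

On the sample, the two key-based `ops` logins from the management network pass silently, while the accepted root password login from 198.51.100.77 raises all three alerts. The same pattern extends to the second signal the administrator mentions: a rule on process-execution logs that flags packet-capture tools started on a host where nobody is expected to run them.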

Some denizens of the forum have speculated that these recent compromises appear to be the work of a government spy agency.

“Only intelligence services or people who know where the servers are can do things like this,” reflected one of the pillars of Exploit. “Three forums in a month, it’s just weird. I don’t think they were regular hackers. Someone is deliberately ruining the forums.”

Others wonder aloud which forum will fall next and bemoan the loss of user trust that could be bad for business.

“Maybe they work according to the following logic,” wrote one Exploit user. “There will be no forums, there will be no trust between everyone, less cooperation, more difficulties in finding partners – less attacks.”

Update, March 4, 6:58 p.m. ET: Intel 471 says there was a fourth crime forum that was hit recently. From the blog post they just published on these events: “In February, the administrator of another popular cybercrime forum, Crdclub, announced that the forum had suffered an attack that resulted in the administrator’s account being compromised. In doing so, the actor behind the attack was able to trick the forum’s clients into using a money transfer service allegedly recognized by the forum’s administrators. It was a lie and an unknown amount of money was diverted from the forum. The administrators of the forum promised to reimburse those who were defrauded. No other information appeared to be compromised in the attack.”

Harry L. Blanchard