Hackers breached four prominent underground cybercrime forums

A suspicious wave of attacks since January resulted in the hack of four cybercrime forums: Verified, Crdclub, Exploit, and Maza.

Since January, a series of mysterious cyberattacks has resulted in the hack of popular Russian-language cybercrime forums.

Unknown threat actors hacked the Verified forum in January, Crdclub in February, and Exploit and Maza in March. The attackers also leaked stolen data and, in some cases, offered it for sale.

“Since the beginning of the year, Intel 471 has observed four well-known cybercriminal forums dealing with a breach, including two since the beginning of March.” reads the post published by threat intelligence firm Intel 471. “Intel 471 does not know who is responsible for the hacks, but due to their public nature, we think it is unlikely that this is a law enforcement operation.”

The nature of the data breaches leads the experts to exclude that the hacks were the result of law enforcement operations.

In January, experts noticed on the popular Raid Forums an advertisement for Verified’s database, containing registered users’ data and their private messages, posts, and threads. The database was offered for sale for US $100,000. The attackers also managed to transfer $150,000 worth of cryptocurrency from Verified’s wallet to a wallet under their control.

In February, the administrator of the cybercrime forum Crdclub disclosed a cyber attack that resulted in the hack of the administrator’s account.

“By doing so, the actor behind the attack was able to lure forum customers to use a money transfer service that was allegedly vouched for by the forum’s admins. That was a lie, and resulted in an unknown amount of money being diverted from the forum.” continues Intel 471. “The forum’s admins promised to reimburse those who were defrauded. No other information looked to be compromised in the attack.”

In March, the cybercrime forums Exploit and Maza were hacked. The attackers gained secure shell (SSH) access to an Exploit proxy server used for distributed denial-of-service (DDoS) protection and attempted to dump network traffic.

This week, the administrator of the Exploit cybercrime forum disclosed unauthorized secure shell (SSH) access to a proxy server used for protection from distributed denial-of-service (DDoS) attacks; he also observed an attempt to dump network traffic.

Also this week, the Maza cybercrime forum was hacked; its members were redirected to a breach notification page upon signing in. The notice also included a PDF file allegedly containing data of forum users (i.e. usernames, partially obfuscated password hashes, email addresses). Intel 471 researchers confirmed that Maza’s database was breached by the attackers.

The hack of the Maza cybercrime forum was also reported by researchers at Flashpoint.

“Flashpoint analysts successfully obtained the purported leaked data. While the compromised data appears to be extensive, it’s worth noting that the passwords have been hashed and most other data fields included in the dump have been hashed or further obfuscated.” reads Flashpoint. “The leaked Maza data includes the following:

  • User id
  • Username
  • email
  • Password (hashed and obfuscated)
  • Crt_filename
  • Crt_pass
  • Icq (when available)
  • Aim (when available)
  • Yahoo (when available)
  • Msn (when available)
  • Skype (when available)

“Users on the Exploit forum are discussing moving away from using emails to register on forums as recent disruption efforts may have increased exposure of their online activities. Others are claiming that the database leaked by the attackers is either old or incomplete,” Flashpoint concludes.


Pierluigi Paganini

(SecurityAffairs – hacking, GootKit)
