According to Have I Been Pwned, Carding Mafia, a forum for stealing and trading credit cards, has been hacked, exposing 300,000 user accounts.
However, Motherboard suggests that the operators of the credit card hacking forum have not notified their users, estimated to number about 500,000.
Unlike the carding site, which offers stolen data to cybercriminals, the Have I Been Pwned service allows users to determine whether their login information was leaked in any data breach.
Carding site exposes cybercriminals’ emails and IP addresses
The data breach on Carding Mafia exposed email addresses, hashed passwords, usernames, and IP addresses of 297,744 carding site users.
Troy Hunt, the founder of Have I Been Pwned, confirmed the authenticity of the stolen data. Hunt said that the carding site's “forgot password” feature recognized the leaked email addresses, but did not recognize random email addresses.
The carding site warned that “you have not entered an email address that we recognize” when random emails were entered, according to Motherboard.
Similarly, a hacker surfaced on another popular hacking forum advertising data stolen from the illegal carding site.
According to screenshots shared by Motherboard, the database allegedly stolen from the carding site was 990 GB in size and contained 660,000 posts and 130,000 threads. The alleged hacker offered the database for free through his private messaging inbox.
A few months ago, researchers found that most cybercrime transactions were shifting to private messaging apps to avoid alerting authorities and security researchers who usually warn the compromised organizations.
It’s not uncommon for hackers to dispose of stolen data for free to earn “street cred” or reputation on popular hacking forums. They can capitalize on this reputation to request payment for data, and even demand premium prices.
Reputation is such a powerful tool in the underground markets that a few threat actors have dominated them by building a solid reputation over the years. As a result, unknown hackers find it difficult to sell stolen data independently and resort to using data brokers, parting with generous commissions.
Hacker on hacker crime is rampant on underground hacking forums
Three top Russian hacking forums were recently hacked within three weeks, according to the security journalist, Brian Krebs.
Similarly, Darknode was hacked in 2017 immediately after launching, while OGUSERS was compromised twice in 2019 and 2020.
Hacker on hacker cybercrime is a popular method of stifling competition from rival gangs offering similar services. It could also be an easy way to obtain gigabytes of stolen data for free or improve the hacker’s reputation.
However, it increases the risk to the victims when their data falls into the hands of more criminals. Conversely, it could lead to the arrest of cybercriminals by tracing their IP and email addresses.
Although IP information could allow law enforcement agencies to determine the cybercriminals’ location, most hackers use VPN services to hide their real internet addresses. Additionally, hackers use untraceable email addresses from providers such as Mailinator to register on hacking sites. However, novice hackers are likely to err by logging in from their real IP addresses or registering on carding sites with their real email addresses.
Unfortunately, the cost and resources required to track, arrest, and prosecute cyber criminals fall beyond governments’ abilities.
Commenting on the compromise of the illegal carding site, Ilia Kolochenko, Founder and Chief Architect at ImmuniWeb, says: “Most of the compromised accounts have fake data and IPs from anonymous VPNs or proxies that are not likely to bring much actionable evidence to law enforcement agencies for investigation. Moreover, even the Western law enforcement agencies are currently underequipped to investigate and prosecute cybercrime on a large scale, and will probably not initiate investigatory operations after the leak.”
However, he suggests that the stolen information, especially the private messages, could be useful if carefully analyzed.
“Many beginners carelessly expose sensitive technical, personal and other details there. Even a simple analysis of the unencrypted messages can paint a broad picture of the underground marketplace and shed light on the true identities of wrongdoers and their clients. Cybercriminals will probably not exploit the stolen information in an aggressive manner except for some rival gangs aiming to stiff competition.”
Kolochenko suggests that the breach originated from a zero-day vulnerability in the software used to build the carding site.
“It would be interesting to learn about the origins of the hack, but mostly it will have stemmed from a 0day in forum web software, compromised admin’s machine, or maybe even a password reuse attack. We will probably not get a forensic report and may just observe how the situation develops.”