Just a little over a year ago, the FBI and law enforcement partners overseas seized WeLeakInfo[.]com, a wildly popular service that sold access to more than 12 billion usernames and passwords stolen from thousands of hacked websites. In an ironic turn of events, a lapsed domain registration tied to WeLeakInfo let someone plunder and publish account data on 24,000 customers who paid to access the service with a credit card.
For several years, WeLeakInfo was the largest of several services selling access to hacked passwords. Prosecutors said it had indexed, searchable information from more than 10,000 data breaches containing over 12 billion indexed records — including names, email addresses, usernames, phone numbers, and passwords for online accounts.
For a small fee, you could enter an email address and see every password ever associated with that address in a previous breach. Or the reverse — show me all the email accounts that ever used a specific password (see screenshot above). It was a fantastic tool for launching targeted attacks against people, and that’s exactly how the service was viewed by many of its customers.
Now, nearly 24,000 of WeLeakInfo’s customers are finding that the personal and payment data they shared with WeLeakInfo over its five-year run has been leaked online.
In a post on the database leaking forum Raidforums, a regular contributor using the handle “pompompurin” said he stole the WeLeakInfo payment logs and other data after noticing the domain wli[.]design was no longer listed as registered.
“Long story short: FBI let one of weleakinfo’s domains expire that they used for the emails/payments,” pompompurin wrote. “I registered that domain, & was able to [password] reset the stripe.com account & get all the Data. [It’s] only from people who used stripe.com to checkout. If you used paypal or [bitcoin] ur all good.”
Cyber threat intelligence firm Flashpoint obtained a copy of the data leaked by pompompurin, and said it includes partial credit card data, email addresses, full names, IP addresses, browser user agent string data, physical addresses, phone numbers, and amount paid. One forum member commented that they found their own payment data in the logs.
According to DomainTools [an advertiser on this site], Wli[.]design was registered on Aug. 24, 2016 with the domain registrar Dynadot. On March 12, the domain was moved to another registrar — Namecheap.
Pompompurin released several screenshots of himself logged in to the WeLeakInfo account at stripe.com, an online payment processor. Under “management and ownership” was listed a Gerald Murphy from Fintona, U.K.
Shortly after WeLeakInfo’s domain was seized by authorities in Jan. 2020, the U.K.’s National Crime Agency (NCA) arrested two individuals in connection with the service, including a 22-year-old from Fintona.
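The takeover above hinged on one detail: a domain that was still the recovery address for a third-party account was allowed to lapse. The following is an added example, not code from the original story, of the inventory check a defender would run to catch that: it groups every external account by the domain of its recovery e-mail and flags domains that are unregistered, expired, or expiring soon. The account names, domains and the stand-in RDAP records are constructed for the example.

```python
"""Audit the e-mail domains that third-party accounts use for password resets.

A recovery domain that lapses lets whoever re-registers it receive reset mail
for every account pointed at it, so each such domain is tracked here with the
accounts that depend on it.
"""
from datetime import date, datetime

# Constructed inventory of (external account, recovery e-mail) pairs.
ACCOUNTS = [
    ("payment-processor", "billing@example-shop.test"),
    ("dns-registrar", "ops@example-shop.test"),
    ("mail-provider", "admin@old-brand.test"),
    ("cloud-console", "root@forgotten-brand.test"),
]

# Constructed stand-in for RDAP lookups, keyed by domain. A value of None means
# the registry answered "not found": the name is free for anyone to register.
RDAP = {
    "example-shop.test": {"expires": "2030-01-15T00:00:00Z"},
    "old-brand.test": {"expires": "2024-06-01T00:00:00Z"},
    "forgotten-brand.test": None,
}


def parse_expiry(record):
    """Turn an RDAP-style expiry timestamp into a date."""
    return datetime.strptime(record["expires"], "%Y-%m-%dT%H:%M:%SZ").date()


def audit_recovery_domains(accounts, rdap, today, warn_days=30):
    """Return {domain: (severity, [affected accounts])} for at-risk domains."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    by_domain = {}
    for account, email in accounts:
        domain = email.rsplit("@", 1)[1].lower()
        by_domain.setdefault(domain, []).append(account)
    findings = {}
    for domain, affected in sorted(by_domain.items()):
        record = rdap.get(domain)
        if record is None:
            findings[domain] = ("UNREGISTERED", affected)  # takeover needs no exploit
            continue
        days_left = (parse_expiry(record) - today).days
        if days_left < 0:
            findings[domain] = ("EXPIRED", affected)
        elif days_left <= warn_days:
            findings[domain] = ("EXPIRING", affected)
    return findings


if __name__ == "__main__":
    for dom, (sev, accts) in audit_recovery_domains(ACCOUNTS, RDAP, "2024-05-20").items():
        print(f"{sev:12} {dom:22} accounts: {', '.join(accts)}")
```

In production the RDAP dictionary would be replaced by live lookups and the run scheduled, so a domain that is about to lapse surfaces before a registration window opens for someone else.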
PLENTY OF TIME FOR OPSEC MISTAKES
It’s been a rough few months for denizens of various hacking forums, which are finding themselves on the defensive end of a great many attacks testing the security of their aliases and operational security lately. Over the past few weeks three of the longest running and most revered Russian-language online forums serving thousands of experienced cybercriminals have been hacked.
In two of the intrusions (against the Russian hacking forums “Mazafaka” and “Verified”) — the attackers made off with the forums’ user databases, including email and Internet addresses and hashed passwords.
“Members of all three forums are worried the incidents could serve as a virtual Rosetta Stone for connecting the real-life identities of the same users across multiple crime forums,” a recent story here explained.
An exposure of 15 years worth of user data from a forum like Mazafaka is a huge risk for registrants because investigators often can use common registration details to connect specific individuals who may have used multiple hacker handles over the years.
Many of the domains from the email addresses listed in the Maza dump date to the early 2000s, back when budding cybercriminals typically took fewer precautions to obfuscate or separate the myriad connections to their real-life identities online.
The biggest potential gold mine for de-anonymizing Maza members is the leak of user numbers for ICQ, an instant messaging service formerly owned by AOL that was widely used by cybercrime forum members up until around 2010. That’s about when AOL sold the platform in 2010 to Russian investor DST for $187.5 million.
Back then, people often associated their ICQ numbers with different interests, pursuits and commerce tied to their real life identities. In many cases, these associations are on public, Russian language forums, such as discussion sites on topics like cars, music or programming.
In a typical inadvertent exposure, a cybercriminal happens to make an innocuous post 15 years ago to a now-defunct Russian-language automobile forum.
That post, preserved in perpetuity by sites like archive.org, includes an ICQ number and says there’s a guy named Sergey in Vladivostok who’s selling his car. And the profile link on the auto forum leads to another now-defunct but still-archived personal site for Sergey.
Interestingly, services like WeLeakInfo can just as easily be used against cybercriminals as by them. For example, it’s likely that the database for the auto forum where Sergey posted got compromised at some point and is available on sites like WeLeakInfo (there are active competitors).
Ditto for any other forum where Sergey used the same email address or password. When researchers start finding password re-use across multiple email addresses that all follow a pattern, it becomes much easier to tie Sergey from Vladivostok to his cybercriminal and real-life identities.
Tags: fbi, Flashpoint, Gerald Murphy, Mazafaka, pompompurin, RaidForums, Verified, WeLeakInfo