Sunday, May 23, 2010

Carders.cc Hacked - Initial Analysis of IP addresses

As the title says, Carders.cc, a German forum for the buying and selling of stolen credit cards, was hacked and a ton of information was posted publicly online. For a more detailed description, I highly recommend reading the always excellent Brian Krebs writeup on the incident.

I'm going to skip right past my feelings on the subject. The short version is, while part of me is laughing inside, I tend to think such vigilante justice is often counter-productive. I just wish people like that could work with the system because by doing so you can sometimes achieve spectacular results.

Instead I'm going to focus on the data itself and what it can tell us from a research perspective. So far I've managed to download the writeup of the attack, which also includes IP addresses, usernames, e-mail addresses, and password hashes. I'm also currently in the process of downloading what I think is the listing of all the private messages, though it may just turn out to be viruses and fail. BTW, that's why I love VMWare. Edit: It's legit, and wow. It's going to take me a while to sort through/make sense of that data. Expect a post on that later. Google translate, don't fail me now!

As a word of warning, just about everything in this post falls into the category of WAG. While I try to create these guesses with the data I have available, please take everything I say here with a grain of salt. The uncertainty level is HIGH.

First of all, here is a picture of the writeup so you can all enjoy the ASCII art:



So what do we know? From the file timestamps in the writeup, the site was probably compromised sometime around May 5th, (though of course the initial attack could have occurred earlier.) The pastebin copy I downloaded was uploaded on May 18th, so this gives us a general timeframe which will be useful when we start talking about the password cracking that went on.

Question: Does anyone know where/how the attack was initially publicized? Was it a site defacement, posting in a rival forum, etc?

Before I get sidetracked talking about the password cracking the hackers did, let's look at those IP addresses collected from the various users of the forum. These IP addresses were only collected for the users who logged on to carders.cc between May 11th and 12th. Starting out, the simplest thing to do was to run a basic GeoIP lookup on the countries associated with them. The results can be viewed in the following graph:


As you can see, it really was a mostly German based forum. Not a big surprise I know, but it's nice to see where everyone is coming from. The next thing I wanted to look into was how many duplicate IP addresses there were. This would imply a forum goer was using multiple usernames, or a common proxy that several of the carders were connecting through.

Of the 960 published IP addresses:
  • 819 of them were unique
  • 25 of them were associated with two user accounts
  • 10 of them were associated with three user accounts
  • 3 of them were associated with four user accounts
  • 2 of them were associated with five user accounts
  • 1 of them was associated with seven user accounts
  • 1 was associated with eight user accounts
  • 1 was associated with eleven user accounts
  • 1 was associated with thirteen user accounts
Thirteen user accounts to one IP address? As the Germans would say: "That's a Bingo". The IP address in question, 92.241.164.47, has been previously detected by Project Honeypot as a prolific Russian-based mail and blog spam server. It's on most IP blacklists by now, so I guess they also use it as an anonymous proxy server to keep their revenue stream up. The other heavily used IP addresses showed similar characteristics. What I found particularly interesting was the following pastebin link I stumbled across when Google searching those IP addresses. It was posted on February 28th, and contained three of the proxy servers that the carders used.

The IP address I have the most questions about though was 193.105.134.54, which is a Swedish IP where eight of the users connected from. I couldn't find any past abuse originating from that site. When looking at the user accounts/e-mail addresses associated with those IP addresses, another interesting thing popped up. The user "Risking" didn't have an associated password hash/user account listed in the writeup. My guess is that the hackers dumped the hashes fairly early on (probably around May 5th), but didn't figure out how to grab the IP logs until May 11th. In that time the user Risking probably created a new account.

So we know some of the users were smart enough to use proxy servers. How about Tor? Downloading a list of all of the known Tor routers was fairly easy, so all that remained was to compare them to the IP addresses in the writeup. All in all, there were 20 unique IP addresses that matched known Tor IP addresses. That's actually a lot lower than I expected. Of course the question then is, how were the majority of users connecting to the site? Smaller proxy servers? Public cyber-cafes? Starbucks? Their neighbors' wireless? Were they really dumb enough to connect from their home accounts? I don't know the answer to that, but hopefully someone with more experience investigating blackhat forums will post their analysis/experiences on the subject.
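As an added example (not code from the original post), here is a small Python script that does the two checks described above: grouping logins by IP to see which addresses are shared by several accounts, and matching the login IPs against a downloaded relay list. The login records and the relay list are constructed placeholders in documentation address ranges, not the leaked data.

```python
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample login records (username, ip); not data from the leak.
SAMPLE_LOGINS: List[Tuple[str, str]] = [
    ("alpha", "192.0.2.10"),
    ("bravo", "192.0.2.11"),
    ("charlie", "203.0.113.5"),
    ("delta", "203.0.113.5"),
    ("echo", "203.0.113.5"),
    ("foxtrot", "198.51.100.7"),
    ("golf", "198.51.100.7"),
    ("hotel", "192.0.2.12"),
    ("hotel", "192.0.2.12"),   # same account seen twice: counted once
]

# Constructed stand-in for a downloaded list of known Tor relay addresses.
SAMPLE_TOR_RELAYS: Set[str] = {"198.51.100.7", "192.0.2.99"}


def accounts_per_ip(logins: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Map each IP to the set of distinct accounts that logged in from it."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for user, ip in logins:
        seen[ip].add(user)
    return dict(seen)


def sharing_histogram(by_ip: Dict[str, Set[str]]) -> Dict[int, int]:
    """How many IPs are tied to exactly N accounts, e.g. {1: 819, 2: 25, ...}."""
    return dict(Counter(len(users) for users in by_ip.values()))


def shared_ips(by_ip: Dict[str, Set[str]], min_accounts: int = 2) -> List[Tuple[str, int]]:
    """IPs used by at least min_accounts distinct accounts, most shared first."""
    hits = [(ip, len(users)) for ip, users in by_ip.items() if len(users) >= min_accounts]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def tor_matches(by_ip: Dict[str, Set[str]], relays: Set[str]) -> List[str]:
    """Unique login IPs that also appear in the relay list."""
    return sorted(ip for ip in by_ip if ip in relays)


if __name__ == "__main__":
    by_ip = accounts_per_ip(SAMPLE_LOGINS)
    print("accounts-per-IP distribution:", sharing_histogram(by_ip))
    print("shared IPs:", shared_ips(by_ip))
    print("IPs matching relay list:", tor_matches(by_ip, SAMPLE_TOR_RELAYS))
```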

So that about does it for IP addresses today. The database containing all of the downloaded messages looks like it also contains IP addresses, so I might revisit this subject soon. The next topic: an analysis of the hackers' password cracking attacks against carders.cc.

1 comment:

SriHarsha said...

lol! nice post. Thanks a lot reusable security. It's funny how most of them didn't use tor....! Looking forward to reading the next post!