Back in April of this year I wrote about the AdultFriendFinder data breach: Hacked! How safe is your data on Adult Sites? I did not mention the name of the hacked site because I was worried that I could potentially face legal repercussions. So, I sat on a leaked database of almost 3.9 million unique email addresses that exposed age, gender, race, sexual preferences, and more — until the British TV station, Channel 4 revealed the breach in May.
After the media attention settled down, my Darknet life took a strange turn. But, before we go there — we need to revisit the:
Darknet Hell forum timeline
May 2015: Meandering Through the Darknets
To Hell and Back
The defunct Olympus Hacking Forum is now the Hell forum. It may have been something else prior to Olympus, but I can’t recall the original forum name. If you have not heard of Ping or Hell — Ping is a perfect example of generic pseudonymity concealed within the sleeve of anonymity — this is one character that will continue to elude the Feds, that is — until the cows come home.
The Hell forum crawls with an assortment of clever hackers and noobs. To become a member [an elitist with the admins] of the hell crew you must:
- Hack a website(s) that is designated for you to hack (they choose).
- Take the oath of an outlaw.
- Steal from the rich and give to the poor.
Though membership criteria (listed above) smacks of Robin-Hood-type-stuff — or a Sons of Anarchy rebellion, they appear to be quite serious regarding the first inclusion prerequisite.
Other Hell-related Stuff
Recently Infosec Institute wrote about Hacking Communities in the Deep Web, and the only disappointment (from Hell) was that their forum was introduced alongside rent-a-hacker websites. Not that they mind media exposure (they love it) — but, there is a lot of negative connotations on the Darknet lately regarding hackers-for- hire.
Though the anonymity and pseudonymity of the Darknet offers a cyber-criminal the means to delve much deeper into criminal activities, like any real-life criminal, getting busted is not the name of the game.
June 2015: Exploring the dark recesses of the web
Hell is Hot
The hell forum appears to be growing rapidly and this may be due in part to all the media attention from the fake OPM hack, as well as the media blast it received last month [CNN, Mashable, Motherboard] when the popular site adult FriendFinder’s approximately 3.9 million users discovered that their private data was hacked and posted on the forum.
Change is in the Air
Hell plans to make major forum changes beginning July 1. Fire and brimstone is destined to deluge Hells infernal regions where lethargic and secret profiles tend to lurk. All lurkers, zero posters, introverts, LE’s (law enforcement) and media hounds (that only utilize PMs) will be deleted.
Goodbye, adios and good riddance appears to be the emerging theme from forum members – where there was mention of removing open registration and limiting new members to invite only status.
PING is MIA
Hells main character “ping” appears to have recently left the pit. It’s been over a week (as of this writing) since I’ve jabbered with him. During our last jabber session I mentioned that I thought that his forum was full of LE. (I also entertained vague flip-side thoughts that the forum was possibly contrived by LE).
If only, I could keep my jabbers to myself. Either way, Hell is a hotbed.
“ping” has been missing in action since June 16 and some members are voicing fears that he may have been arrested. There is also speculation that he is in the forum and conceivably using a different pseudonym.
Motherboard
Last week PING initially scheduled a Jabber session with Vice Motherboard writer Lorenzo Franceschi-Bicchierai for June 18 – but on Thursday he never logged in and did not respond to Lorenzo’s email.
It is interesting to note that during a prior Jabber session, he told Lorenzo: “if I’m gone for over a day it means that I have been arrested.”
The last email I received from PING was dated Wednesday, June 10. PING’s email appeared somewhat troubled, stating that he planned to regroup due to problems that had risen, that placed him and others at risk. He said that he would keep in touch and let me know how it all played out in the end.
Hell’s Data for Sale
TOX ransomware source code is up for sale – though there is disagreement among cybercriminals if the crime-ware actually works.
In the carding forum CharlesAnderson is selling Wells Faro Bank logins. He allows escrow payments and provides a test account for the leery-minded. All orders are processed within 24 hours, though special requests may take up to 48 hours.
Price For One Account | Account Value |
$40 | $1000+ |
$80 | $2000+ |
$150 | $4000+ |
$300 | $7000+ |
$500 | $15000+ |
Anderson also claims to have accounts that hold balances as high as $500,000, so all you Lexus buyers need to arrange this type of sale via PM (private message). The seller explicitly states in the forum that he has worked with Wells Fargo Banks for a long time and that the bank is easy to login to with a good VPN.
All information is delivered to the buyer in the following format:
Vulns
Near the end of May, King420 posted 120 shelled WordPress sites. Sad to say that many of the hacked sites still have an outdated Apache web server, outdated WordPress core, or both.
The hacked sites run the gamut from a development corporation, a professional speaker, a fishmeal factory, a roofing contractor, a national market research company, a realtor, and a health and wellness site that is currently infected with SEO spam.
Though I did not have time to recheck all of the sites, I sampled 10 sites and 4 are still dirty.
MIT hack
Though the recent June 12 MIT (Massachusetts Institute of Technology) data breach netted the Hell Forum a mini-hack of 932 users – Anthony M. Freed reminded me that even mini-hacks can have back doors.
Once again, I ran into the problem of finding no point of contact at MIT to report a data breach. So I did the next best thing and contacted the webmaster. It took MIT until the 14th to patch the hole, but their departmental server is still a mess.
Ironically I found an old Microsoft Darknet paper on the msl1.mit.edu web server:
“There is evidence that the Darknet will continue to exist and provide low cost, high quality service to a large group of consumers.”
Abstract excerpt: The Darknet genie will not be put back into the bottle…
July 2015: Down the Darknet Rabbit Hole Again
Hell Remodels Itself
The Hell forum recently switched to invite-only mode. Current members who would like to invite friends to the forum must request an invite key from a mod. High ranking data dumps and breaches have been removed from the main forum and secreted away into the innermost fissures of Hell.
Remnants of a prior conversation regarding the AFF data leak has been removed, and the only snippet left is:
Jamal666: “Where can I get the entire AFF-Database?”
Ping: “ROR sold it, he kept back some of the goodies…”
One Forum: Two Hell’s:
- The main Hell forum: This is where you get to hang out with LE, journalists, noobs, and the untrustworthy. It is here that you can expect to be misled and toyed with.
- The private Hell forum: This is the new home for the elite and trusted cybercriminals who have proven their hacking skills to the Hell crew.
The most profound modification to the forum has been the removal of all timestamps; including personal messaging and search.
Main Characters Resurface
On July 2 both ROR[RG] and PING resurfaced within 30 minutes of each other — but, you won’t find their recent posts in the main forum. For a very short time ROR[RG] was a busy little beaver as he moved all his posts to the hidden (private) section of the forum.
PING (who may not be the real PING) appeared for a few minutes to rescript his I’m back dialogue (after a 16 day hiatus). Shortly after posting his surprise re-entrance post, he declared that he would be on vacation until August.
More Hell Banter
Hackerjon requested an exclusive place where only users that are known to have committed felonies can access. Hackerjon states in the main forum:
For instance, a single discussion thread that only users that have openly dumped a site, carded, or something like that can read…there are things, plans, and questions that I keep to myself because there is simply nowhere to share ideas with proven motherf##kers (at least in the forum format).
He further elaborates that he has been doing all kinds of shit recently:
But since you closed the barn door after the cows have already left, or in this case LE is already in, I won’t participate in that thread.
Next on stage is Botis. He posits that the future of the credit card industry in the U.S. is important because:
In the next year all the majors will start introducing technologies that are being used in Europe and Canada, EVM and NFC. I have acquired the equipment for producing cards in both as that is the future, and I want to be doing this for a while. Of the two NFC (Near Field Communications) is the one that interests me most.
You do not need a pin for this, just simply “tap your card” on a POS terminal and the payment is made. He also acquired a new tech toy:
I recently picked up a bluetooth key-chain sized scanner that if within 8 or 10 inches of a person’s card will send a signal to wake up the card and then record the information it beams-over … right to my cellphone. On a recent trip visiting Canada I managed to beam off the information of 6 people while hanging at a Starbucks “trying to decide” on what to have on my first attempt.
Drumroll f0r Botis’s get-out-of-jail-free card:
I could carry around a cellphone with hundreds of cards and yet have no physical evidence linking me to criminal act, such as a fake credit card. In fact if you are carrying your own phone with your credit card installed, you could just claim it was a weird aspect of the system , a glitch.
How cool is that? Next on his agenda is to locate an app/software that can run orbot to capture the beam over, organize it based on usage and date, and have it work like Tap2Pay technology works.
Since it does not exist in U.S. markets yet, if the Canadian and European carders do not have “such a thing” Botis is very interested in helping to develop this technology for the U.S. market.
As you can see, cybercriminals are busy writing a new chapter while paying due diligence to new technologies in order to support their efforts.
UPDATE July 10 2015:
Hell Forum: AFF link to download files pinned to hacked data section are in the main forum now. Other hacked data dumps [also pinned] include:
- Ping’s database for hacked data
- Hacking Team
- mSpy Data Dump
- OPM DB sample [not the real OPM hack]
The Aftermath
There is so much more to this story. It has not been written yet because I needed a Darknet break. Now, that three months has passed I am going to reopen the logs, chat sessions, screenshots, Darknet threats, and more. Keep your eye on Tripwire’s State of Security blog — the final chapter is about to be written. . .
January 11, 2015 Update: The final chapter will be written over at the Tripwire blog later this month.
Leave a Reply