May 18, 2010

Carders.cc, a German online forum dedicated to helping criminals trade and sell financial data stolen through hacking, has itself been hacked. The once-guarded contents of its servers are now being traded on public file-sharing networks, leading to the exposure of potentially identifying information on the forum’s users as well as countless passwords and credit card accounts swiped from unsuspecting victims.

The breach involves at least three separate files being traded on Rapidshare.com: The largest is a database file containing what appear to be all of the communications among nearly 5,000 Carders.cc forum members, including the contents of private, one-to-one messages that subscribers to these forums typically use to negotiate the sale of stolen goods. Another file includes the user names, e-mail addresses and in many cases the passwords of Carder.cc forum users.

A third file — which includes what appear to be Internet addresses assigned to the various Carders.cc users when those users first signed up as members — also features a breezy explanation of how the forum was compromised. The top portion of this file — which is accompanied by an ASCII art picture of a cat — includes an oblique reference to the party apparently responsible for the Carders.cc site compromise, noting that the file is the inaugural issue of Owned and Exposed, no doubt the first of many such “e-zines” to come from this group.

Ironically, the anonymous authors of the e-zine said they were able to compromise the criminal forum because its operators had been sloppy with security. Specifically, they claimed, the curators of Carders.cc had set insecure filesystem permissions on the Web server, which essentially turned what might have been a minor site break-in into a total database compromise. From the e-zine’s opening salvo:

Many of you guys may have noticed  this breeding German  “underground” shit called carders.cc.  For those who don’t: Carders is a marketplace full of everything  that is illegal and bad.  Carding,  fraud,  drugs, weapons and tons of kiddies.  They used to be only a small forum,  but after we erased  1337-crew  they got  more  power.  The rats  left the sinking  ship.  The voices  told us to own them  since carders is  our fault and we had to fix our flaw. So we did.

During  the  ownage  they  also  gave  us  lulz  by  showing off their ridiculous  configuration skills which had a specific  impact on their security.  They actually managed to chmod and chown nearly  everything to 777 and www-user readable. Including their /root directory.

On the surface, it’s tempting to grin at the misfortune of these fraudsters. Still, the leaked database contains no small amount of password and banking information for many innocent victims. In addition, these types of vigilante attacks typically come with hidden costs: For one thing, while it may be true that law enforcement officials could use some of this information to locate people engaged in computer trespass, and buying or selling stolen personal and financial data, the public release of this information could just as easily prompt those individuals to abandon those accounts and Internet addresses, and even potentially jeopardize ongoing investigations.


44 thoughts on “Fraud Bazaar Carders.cc Hacked

  1. Carl "SAI" Mitchell

    “…the leaked database contains no small amount of password and banking information for many innocent victims.” Which was already known to many criminals. Having it known that anyone can check to see if their info is there is much better than having it known only to criminals who are going to use it.

    1. Kevin

      Indeed. I look forward to the credit card companies using this list to cancel the listed cards, and to notify their listed customers, and provide them with new cards.

      When can we expect this to happen?

      1. ~cat~

        “When can we expect this to happen?”
        Unlikely until they are pushed into a corner by publicity like this.

        Hopefully this didn’t disrupt any legit investigations by LE.

      2. ali

        i need reguler cc add me please….i want to work with you….

  2. Ellie K

    It is more than “tempting to grin at the misfortune of these fraudsters”. Yes, vigilante acts often have negative consequences, but this is one instance with minimal downside risk. I wish the stolen consumer credit card data hadn’t been released onto Rapidshare, but that obviously wasn’t going to be sifted out and scrubbed by the vigilante group.

    I wonder if there will be a second issue of “Owned and Exposed”? This was nice reporting by Krebs, particularly the ASCII art image! I considered this Digg-worthy, and acted accordingly!

  3. BK

    Reminds you of the will-hack-for-boobs defacements and hacks of late 90’s early 2ks

    1. BrianKrebs Post author

      Yes, it’s very retro. I guess we are supposed to think this is an old greybeard hacking group trying to teach the young’uns a thing or two (like slapping them around with a large trout)

      1. TPF

        This definately smacks of late 90’s hacktivism, when people used to deface for bragging rights.

        Ahh, the good old days 🙂

  4. Sensible

    It’s interesting this coincides with the new Robin Hood movie coming out.

    1. Joshua

      Off topic, but I will boycott any movie that has been released previously. I’m sick of non-original content. The movie and recording industry get extremely bent over piracy, but when it comes to lazy remakes they can’t get enough.

    1. BrianKrebs Post author

      Hey Dana, welcome. It’s hard to say. The sensitive consumer stuff that’s obviously stolen is mixed in with the chatter on the board and interspersed with private messages, facebook passwords, etc. not easy to search through. If I had the thing in a real database format that might be easier, but not at the moment.

  5. Josh

    This is absolutely classic.
    Love seeing wankers like this get their comeuppance!

  6. Solaro

    Hello Community, first i have to say: Sorry for my bad english.
    Some people know me from Carders.cc i was 2nd lvl and had 400 Posts.
    I dodnt know whot you are think whot happens, the Database was ILLEGAL HACKED so why they can you it for an Evidence ?? I tell you that they cant.
    All my Hard Drives are cleaned and they cant find everything!!!
    So happy hacking, carders.cc comes back you cannot kill us with a Simple Website Hack…

    1. BattleChicken

      I hope the irony is not lost on you, because it is fantastic.

      If a group of anonymous hackers could take down your forums (your headquarters, if you will), then law enforcement is just as capable of it, and it is only a matter of time.

    2. Adam

      sorry dude, but only thermite will save you

      Check into it. Revision3 did a deal on it a while back ^^

  7. Scott

    I wonder what the PCI DSS compliance status was for Carders.cc.

    Obviously since the data was compromised, the PCI SSC will make a statement that it could not have been compliant since there never has been a data breach on a PCI DSS compliant system.

    1. AnonymousMike

      Somehow I suspect Carders.cc didn’t have routine PCI audits completed. They existed entirely to resell stolen information, so auditors aren’t much of a concern. Although, ironically they probably could have benefited from following the practices laid out in the PCI guidelines.

      1. Scott

        I checked the PCI DSS and it states “PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted”, it does not distinguish between lawful or illegal storage.

        Depending on the number of credit card numbers, they may have just submitted a self assessment questionnaire. However, since they were breached they could not have been compliant.

        🙂

        (taking the tongue out of my cheek)

        1. AnonymousMike

          Ah excellent point, evidently Solaro should read up a bit on his PCI compliance. (doh!)

  8. Peter Brewster

    Something odd that Brian did not intend. A simple click on carderscc.png shows just fine. But a go-back wrongly returns to the URL prior to krebsonsecurity – not nice to do. This happens with both FF and IE. Bringing up the .png in a new tab or window has a correct Referring URL but (of course) go-back doesn’t work.

    1. Andy

      Don’t go back. Just close the simulated pop up with the image in it.

  9. gregory

    I would love to have a copy of those files, even sanitized and without password or credit card information, but they seem were taken down from Rapidshare. Since they purportedly contain negotiations, I’m curious how those criminals trust each other when dealing between them. Also, were they using german, english or a jumble or Est-European languages when communicating ? If Solaro is indeed one of them, he hardly seems bilingual…

  10. Peter

    About 90% of the forum is german, the rest english.

    “I’m curious how those criminals trust each other when dealing between them.”

    There is little to no trust, there were are a lot of rippers. Only some selected users are trusted. Most of them have a vendor title which must be paid for.

  11. j0rd4n14n

    looks like the vulnerably was in the ipz.php file, i think they get into that website through RFL 0d4y ( published exploit but old one ), as long they don’t secure on them filesystem, was good enough to pwn them xD…

  12. pisco

    Hey
    where can i find the original ezine?

    greeting and I thank you in advance

  13. mclulz

    hacking that site was useless, since you can easily read the entire forums via google cache no problem

    1. streetmedic

      even better than google is way back machine “the internet archive”

  14. samir

    hi everyone i need uk cc iam regular buyer i need a seller that is a verified cc seller thanks

  15. carding-forum

    About 90% of the forum is german, the rest english.

    “I’m curious how those criminals trust each other when dealing between them.”

    There is little to no trust, there were are a lot of rippers. Only some selected users are trusted. Most of them have a vendor title which must be paid for.

  16. john

    Escrow1 thank you for the stuffs..it work 100% but only one was low balance…THANK YOU

  17. Zhiqi

    Unlimited Special Service From Big Hacker Group
    (Cw,Tarck1/2,Bank Trf.)

    About Us:

    We are hackers and here to help not make money, we only charge because of the cost,time and effort involved in the services and products we offer.

    Original Card Dumps For Sale:

    Verified dealers, vendors and sellers only. Get card dumps from the first hand.

    And We Have Good Service For Bank Transfering For You .
    And Our Service Is Very Fast And Safe And immediate .

    First hand tracks for sale
    My databases are updated 3 times a week. Check it out now!

    For more information vist my website; http://www.unlimitedservice4you.webs.com..And we hope to give you the best service 🙂

Comments are closed.