Carders.cc, a German online forum dedicated to helping criminals trade and sell financial data stolen through hacking, has itself been hacked. The once-guarded contents of its servers are now being traded on public file-sharing networks, leading to the exposure of potentially identifying information on the forum’s users as well as countless passwords and credit card accounts swiped from unsuspecting victims.
The breach involves at least three separate files being traded on Rapidshare.com. The largest is a database file containing what appear to be all of the communications among nearly 5,000 Carders.cc forum members, including the contents of private, one-to-one messages that subscribers to these forums typically use to negotiate the sale of stolen goods. Another file includes the user names, e-mail addresses and, in many cases, the passwords of Carders.cc forum users.
A third file — which includes what appear to be Internet addresses assigned to the various Carders.cc users when those users first signed up as members — also features a breezy explanation of how the forum was compromised. The top portion of this file — which is accompanied by an ASCII art picture of a cat — includes an oblique reference to the party apparently responsible for the Carders.cc site compromise, noting that the file is the inaugural issue of Owned and Exposed, no doubt the first of many such “e-zines” to come from this group.
Ironically, the anonymous authors of the e-zine said they were able to compromise the criminal forum because its operators had been sloppy with security. Specifically, they claimed, the curators of Carders.cc had left the Web server's filesystem wide open (world-readable and world-writable, by the e-zine's account), which turned what might have been a minor break-in through the web application into a total compromise of the server and its database. From the e-zine's opening salvo:
Many of you guys may have noticed this breeding German “underground” shit called carders.cc. For those who don’t: Carders is a marketplace full of everything that is illegal and bad. Carding, fraud, drugs, weapons and tons of kiddies. They used to be only a small forum, but after we erased 1337-crew they got more power. The rats left the sinking ship. The voices told us to own them since carders is our fault and we had to fix our flaw. So we did.
During the ownage they also gave us lulz by showing off their ridiculous configuration skills which had a specific impact on their security. They actually managed to chmod and chown nearly everything to 777 and www-user readable. Including their /root directory.
On the surface, it’s tempting to grin at the misfortune of these fraudsters. Still, the leaked database contains no small amount of password and banking information for many innocent victims. In addition, these types of vigilante attacks typically come with hidden costs: For one thing, while it may be true that law enforcement officials could use some of this information to locate people engaged in computer trespass, and buying or selling stolen personal and financial data, the public release of this information could just as easily prompt those individuals to abandon those accounts and Internet addresses, and even potentially jeopardize ongoing investigations.
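The permission mistake the e-zine brags about (nearly everything chmod/chown'd to 777, a /root directory readable by the web-server user) is both easy to check for and easy to fix. The POSIX shell script below is an added example written for this page, not tooling from the e-zine, from Carders.cc or from anyone involved; the directory layout, the account names (a deploy account and a www-data web user) and the sample paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the article's or the e-zine's code: audit a web root for
# the permission mistakes the e-zine describes (chmod/chown 777 on "nearly
# everything", a world-accessible /root) and apply the usual fix.
# Paths, account names and the sample layout are assumptions for illustration.

# mode_of PATH: the nine permission characters, e.g. "rwxr-xr-x".
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# other_access PATH: succeed (exit 0) when "other" has any of r, w or x on PATH.
# A 777 or 755 /root fails this check; 700 passes.
other_access() {
    case "$(mode_of "$1" | cut -c7-9)" in
        ---) return 1 ;;
        *)   return 0 ;;
    esac
}

# find_world_writable DIR: every file or directory under DIR carrying the o+w
# bit, which is exactly what chmod 777 hands out. Once any script on the site
# is compromised, the web-server process can then rewrite all of them.
find_world_writable() {
    find "$1" -perm -002 2>/dev/null | sort
}

# count_world_writable DIR: the same as a number, for scripting.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# harden_webroot DIR [WRITABLE_SUBDIR ...]: directories 750, files 640, so a
# process running as the web user (the group) can read the site but cannot
# modify it, and nobody else can read it at all. Directories the application
# genuinely must write to (uploads, cache) are listed explicitly and get group
# write only, never 777. Ownership is set separately, as root, e.g.
#   chown -R deploy:www-data DIR    # deploy = the account that ships the code
harden_webroot() {
    dir="$1"; shift
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 640 {} +
    for sub in "$@"; do
        chmod 770 "$sub"
    done
}

# Usage: sh perms-audit.sh /var/www/site [/var/www/site/uploads ...]
if [ "$#" -gt 0 ]; then
    echo "world-writable paths under $1:"
    find_world_writable "$1"
    other_access /root && echo "/root is accessible to 'other'; chmod 700 /root"
fi
```

Two caveats a practitioner would add: the chown step has to run as root and has to happen before the chmod makes sense (a site owned by the web user can always be rewritten by a compromised web process, whatever the mode bits say), and tightening permissions does not close whatever web-application hole let the attackers in. It only keeps that hole from turning into the "total database compromise" described above.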
Tags: carders.cc, owned and exposed, rapidshare
“…the leaked database contains no small amount of password and banking information for many innocent victims.” Which was already known to many criminals. Having it known that anyone can check to see if their info is there is much better than having it known only to criminals who are going to use it.
Indeed. I look forward to the credit card companies using this list to cancel the listed cards, and to notify their listed customers, and provide them with new cards.
When can we expect this to happen?
“When can we expect this to happen?”
Unlikely until they are pushed into a corner by publicity like this.
Hopefully this didn’t disrupt any legit investigations by LE.
I would like to work with you, hun.
I need regular CC; add me please.... I want to work with you....
What exactly do you need? PM me @ Yahoo msg: ccblocker@ymail.com
It is more than “tempting to grin at the misfortune of these fraudsters”. Yes, vigilante acts often have negative consequences, but this is one instance with minimal downside risk. I wish the stolen consumer credit card data hadn’t been released onto Rapidshare, but that obviously wasn’t going to be sifted out and scrubbed by the vigilante group.
I wonder if there will be a second issue of “Owned and Exposed”? This was nice reporting by Krebs, particularly the ASCII art image! I considered this Digg-worthy, and acted accordingly!
Reminds you of the will-hack-for-boobs defacements and hacks of the late '90s and early 2000s.
Yes, it’s very retro. I guess we are supposed to think this is an old greybeard hacking group trying to teach the young’uns a thing or two (like slapping them around with a large trout)
This definitely smacks of late-'90s hacktivism, when people used to deface for bragging rights.
Ahh, the good old days.
Does anyone know how many CC #s and/or bank accounts were stolen?
Hey Dana, welcome. It's hard to say. The sensitive consumer stuff that's obviously stolen is mixed in with the chatter on the board and interspersed with private messages, Facebook passwords, etc., and not easy to search through. If I had the thing in a real database format that might be easier, but not at the moment.
This is absolutely classic.
Love seeing wankers like this get their comeuppance!
I hope the irony is not lost on you, because it is fantastic.
If a group of anonymous hackers could take down your forums (your headquarters, if you will), then law enforcement is just as capable of it, and it is only a matter of time.
Sorry dude, but only thermite will save you.
Check into it. Revision3 did a deal on it a while back ^^
I wonder what the PCI DSS compliance status was for Carders.cc.
Obviously since the data was compromised, the PCI SSC will make a statement that it could not have been compliant since there never has been a data breach on a PCI DSS compliant system.
Somehow I suspect Carders.cc didn’t have routine PCI audits completed. They existed entirely to resell stolen information, so auditors aren’t much of a concern. Although, ironically they probably could have benefited from following the practices laid out in the PCI guidelines.
I checked the PCI DSS and it states “PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted”, it does not distinguish between lawful or illegal storage.
Depending on the number of credit card numbers, they may have just submitted a self assessment questionnaire. However, since they were breached they could not have been compliant.
(taking the tongue out of my cheek)
Ah excellent point, evidently Solaro should read up a bit on his PCI compliance. (doh!)
Something odd that Brian did not intend. A simple click on carderscc.png shows just fine. But a go-back wrongly returns to the URL prior to krebsonsecurity – not nice to do. This happens with both FF and IE. Bringing up the .png in a new tab or window has a correct Referring URL but (of course) go-back doesn’t work.
Don’t go back. Just close the simulated pop up with the image in it.
I would love to have a copy of those files, even sanitized and without password or credit card information, but they seem to have been taken down from Rapidshare. Since they purportedly contain negotiations, I'm curious how those criminals trust each other when dealing among themselves. Also, were they using German, English or a jumble of East European languages when communicating? If Solaro is indeed one of them, he hardly seems bilingual...
They were using a jumble. Solaro was one of them.
About 90% of the forum is German, the rest English.
"I'm curious how those criminals trust each other when dealing among themselves."
There is little to no trust; there are a lot of rippers. Only some selected users are trusted. Most of them have a vendor title, which must be paid for.
Looks like the vulnerability was in the ipz.php file. I think they got into that website through an RFI 0day (a published exploit, but an old one); as long as they don't secure their filesystem, that was good enough to pwn them xD...
Hey,
where can I find the original e-zine?
Greetings, and I thank you in advance.
@pisco
http://sec-r1z.com/stfu/carders/exp01.txt
Hacking that site was useless, since you can easily read the entire forum via Google cache, no problem.
Even better than Google is the Wayback Machine, "the Internet Archive".
Spotted at a BP station in Ohio:
http://farm2.static.flickr.com/1305/4667450260_d392ff03ce_b.jpg
http://luxemb.info/?p=23
Hello,
Great article. I took the data of this security breach and compared the password length of the crackers with common users. The results are available here:
http://www.scip.ch/?labs.20100709
Regards,
Marc
Bet they couldn't hack carder.su.