Russian Cybercrime Forum 'Maza' Suffers Data BreachUnknown Attacker Dumps Member Data Online, Following a Wave of Other Forum Breaches
Maza, a Russian carding and fraud discussion forum, has been breached, and hackers have leaked users' email addresses and forum credentials, security firms report.
The breach occurred Wednesday evening, experts say, and led to many types of information being exposed: user IDs; usernames; email addresses; passwords in both hashed and obfuscated form; Yahoo, MSN and Skype credentials; and other data that could help identify individuals.
A 35-page PDF file leaked on the dark web, with 3,000 rows of data, includes alleged user information, experts say. Exposed data includes ICQ numbers, which could be used to connect multiple accounts to the same user across many forums and different nicknames over time, threat intelligence firm Flashpoint reports.
"The unknown attackers compromised the forum and posted a warning message that reads 'Your data has been leaked' and 'This forum has been hacked' to members of the forum," Flashpoint says. "The Russian sentences on the warning page were likely translated using an online translator. It is unclear if this automated translation indicates a non-Russian speaking actor is responsible or if this service was used as a misdirection technique."
The hackers involved could, in theory, be forum members or even members of a law enforcement agency, Flashpoint says. "We have recently seen some law enforcement successes in this space, and it is possible that the recent increase in broader criminal activity in the cyber landscape gave them an opportunity to conduct this operation against Maza," Thomas Hofmann, Flashpoint's vice president of intelligence, tells Information Security Media Group.
"Threats to Maza users are that their contact details are now exposed," he adds. "This will enable investigators to initiate or further any investigations targeting their illicit activity and removes a layer of anonymity that these forums have traditionally afforded."
But threat intelligence firm Intel 471 says in a blog post that while it "does not know who is responsible for the hacks ... due to their public nature, we think it is unlikely that this is a law enforcement operation."
At least some of the exposed information does appear to be legitimate. "Our initial analysis found that a portion of the leaked data correlated with our previous research findings, which confirms that at least some of Maza's databases was breached," Intel 471 says.
Forums for Fraud and Malware
Maza, an invitation-only cybercrime forum, has been active since 2009. Sophisticated financial fraudsters have used it to discuss and conduct illegal activities related to carding - buying and selling stolen credit card details - and other fraud topics as well as malware, according to Flashpoint.
At one time, Maza ranked as one of the more prestigious hacking forums, but it has been fading and is now well past its prime, says Alex Holden, CISO of Hold Security, which monitors underground sources for data breach intelligence.
Nonetheless, Maza's breach is a big blow for the cybercrime community since the data may provide insight into which actors were behind older breaches and attacks, he says.
"There is a breadcrumb trail for investigators to follow and get more information," he says.
For example, the backend data in forums may hold records such as when a user changes an online nickname, he says. The data may contain email addresses and instant messaging handles, all of which can illuminate the activities of a person on a forum.
Holden says IP logs may also help triangulate if a person, for example, who is on the forum with two nicknames is actually one and the same. Also, Maza's data includes password hashes.
Some of those hashes could potentially be cracked. But even if they don't get cracked, the hashes themselves can be compared with hashes used on other sites, to see if the same person was using the same password across different accounts, Holden says.
Cybercrime Forum Disruption
Maza is the latest forum or cybercriminal group to sustain a hack - or potentially, to be disrupted by a law enforcement agency.
In January, an international police operation, coordinated the EU law enforcement intelligence agency Europol, disrupted the damaging Emotet botnet operation by seizing control of the gang's infrastructure (see: Law Enforcement Operation Disrupts Notorious Emotet Botnet).
The same month, the notorious Joker's Stash underground marketplace, which specialized in the sale of stolen payment card data, announced it would shut down its operations Feb. 15 (see: Joker's Stash Reportedly Shutting Down Operations).
Also in January, an individual claimed on Russian-language forum Raid Forums that they'd stolen the entire database for another such forum, called Verified, Intel 417 says. The stolen database, being sold for $100,000, "allegedly contained information on all registered users and their private messages, hashed passwords, posts and threads." The attacker also claimed to have transferred "$150,000 worth of cryptocurrency from Verified's wallet to his own wallet."
In February, Verified announced an abrupt takeover of the site by new administrators, who began to de-anonymize the previous administrators, Flashpoint reports.
Also in February, popular cybercrime forum Crdclub reported that one of its administrator's accounts had been hacked and used to target users. "The actor behind the attack was able to lure forum customers to use a money-transfer service that was allegedly vouched for by the forum's admins," Intel 471 reports. "That was a lie, and resulted in an unknown amount of money being diverted from the forum. The forum's admins promised to reimburse those who were defrauded. No other information looked to be compromised in the attack."
Maza Breach Fallout
In the wake of the Maza breach, apparently fearing that it might trace to law enforcement, some Maza members have been switching to other forums, such as Exploit, that do not require email-based registration, Flashpoint says.
"Flashpoint is monitoring other discussions across the cybercriminal ecosystem commenting on the recent disruptions to many elite services and communities," the security firm notes. "Users on Exploit are discussing moving away from using emails to register on forums as recent disruption efforts may have increased exposure of their online activities. Some actors are claiming that the database leak is a new tactic by law enforcement to shut down cybercriminal activity and degrade trust across forums."
Even the popular Exploit forum, however, is not immune to potential disruptions. Earlier this week, Exploit's administrator "announced that a monitoring system detected an unauthorized secure shell (SSH) access to a proxy server used for protection from distributed denial-of-service (DDoS) attacks, as well as an attempt to dump network traffic," Intel 471 reports.
"Further investigation led to the admin banning a known bulletproof hosting provider due to their alleged role in the attack, but admins eventually ended up restoring the account on Wednesday," the firm says. "It's unclear who was actually responsible for the attack."
Executive Editors Jeremy Kirk and Mathew Schwartz contributed to this report.