Yesterday, Brian Krebs published the story of a carding forum, carders.cc, which has been compromised.
In brief, a carding forum is an Internet-based forum where carders are getting in touch, doing fraudulent business, exchanging stolen credit card/credentials, information, tools … One could think that such dark places would be hidden deeply on Internet, but some are very visible. You could also think that such forums would be highly secured, but sometimes they’re not. Well, carders.cc was as visible as vulnerable, it seems.
Anyway, back to our story. The hackers, naming themselves "happy ninjas" (and we all know ninjas are stronger than pirates...), managed to get access to all the data from carders.cc. Amongst these data were stolen banking credentials and credit card numbers from victims, but also, what interested me most, data about the carders themselves. They published some of these data on a public server. (I caught it just by reading some tweets…)
Numerous articles have already been published about the case, but I didn’t see any about the specific point of interest for me: the 3726 unique e-mail addresses of the members of the forum.
Seeing all these complete e-mail addresses, I asked myself some questions :
• Do the fraudsters have favorite e-mail services?
• Do the fraudsters use more gTLDs or ccTLDs?
• Do the fraudsters use only generic webmail providers, or do they also use specific providers? Maybe even corporate addresses?
I quickly started to parse and analyze the data, and the first results were there.
TOP 20 DOMAINS USED BY THE CYBERCRIMINALS (click the image to zoom)
From the 3726 unique e-mail addresses, there were 349 unique providers.
Carders.Cc is a German forum. Therefore, it is not surprising to see three German domains (web.de, gmx.de, hotmail.de) as being the most used provider. We can assume that if these people use a German e-mail address on an e-mail forum, using sometimes German nicknames, chances are that these cybercriminals don’t use proxies and browse the forum using their real IP address. This supposition has been confirmed by the happy ninjas :
“Sure, some of you maybe always used a proxy... Most of the administrators and moderators didn't. Did you?”
The first anonymous e-mail address provider is mail.3dl.am, ranked 12. This website garantees that your IP addresses are never logged when using their services. Sounds like a bulletproof webmail system.
Immediately following 3dl.am is owlpic.com, a temporary e-mail system. This allows people to register on the forum using a one-time e-mail address.
The 300 domains after the TOP 50 have been used less than 5 times, and 230 domains have been used in a single way. Some corporate companies are used. They are probably compromised accounts. This is interesting, but you will have to find them by yourself : for confidentiality purposes, I am not copying them in this document.
Now about the TLDs used:
TOP 8 TLDs used by the fraudsters (click the image to zoom)
We see .de is almost twice as much used as its follower, .com. Then it decreases quite fast.
Amongst the TLDs there are some ccTLDs which are quite surprising to witness here : .AM (Armenia) , .AI (Anguilla), and .MU (Mauritius)
.AM appears 67 times. The reason is the use of a mail.3dl.am free anonymous e-mail service in german language.
.AI appears 27 times, being used for hush.ai service.
.MU has been used 18 times for the domain kuh.mu, currently down.
I stop my little analysis right here, since I have already spent too much time on it yesterday night ;-)
Let me finish with some axes of researches:
• IP addresses. There are thousands of IP addresses linked to the fraudsters. It would be very interesting to have some statistics on these.
• Passwords. Cracking the passwords could provide us with funny statistics about most common passwords used, their length, their geekness, and so on… ;-)
Have fun ! :-)
