Fraudsters' e-mail addresses: the carders.cc case

Yesterday, Brian Krebs published the story of a carding forum, carders.cc, which had been compromised.

In brief, a carding forum is an Internet forum where carders get in touch, do fraudulent business, and exchange stolen credit cards, credentials, information, tools, and so on. One might think that such dark places would be hidden deep in the Internet, but some are very visible. You might also think that such forums would be highly secured, but sometimes they are not. Well, carders.cc was as visible as it was vulnerable, it seems.

Anyway, back to our story. The hackers, calling themselves "happy ninjas" (and we all know ninjas are stronger than pirates...), managed to get access to all the data from carders.cc. Among this data were stolen banking credentials and credit card numbers from victims, but also, what interested me most, data about the carders themselves. They published some of this data on a public server. (I caught it just by reading some tweets...)

Numerous articles have already been published about the case, but I didn't see any about the specific point of interest to me: the 3726 unique e-mail addresses of the members of the forum.

Seeing all these complete e-mail addresses, I asked myself some questions:

• Do the fraudsters have favorite e-mail services?

• Do the fraudsters use more gTLDs or ccTLDs?

• Do the fraudsters use only generic webmail providers, or do they also use specific providers? Maybe even corporate addresses?

I quickly started to parse and analyze the data, and the first results are below.

[Figure: TOP 20 DOMAINS USED BY THE CYBERCRIMINALS]

[Table image: counts per domain]

Among the 3726 unique e-mail addresses, there were 349 unique providers (domains).

carders.cc is a German forum. Therefore, it is not surprising to see three German domains (web.de, gmx.de, hotmail.de) as the most-used providers. We can assume that if these people use a German e-mail address on such a forum, sometimes with German nicknames, chances are that these cybercriminals don't use proxies and browse the forum from their real IP address. This supposition was confirmed by the happy ninjas:

“Sure, some of you maybe always used a proxy... Most of the administrators and moderators didn't. Did you?”

The highest-ranked anonymous e-mail provider is mail.3dl.am, at rank 12. This website guarantees that your IP address is never logged when using its services. Sounds like a bulletproof webmail system.

Immediately following 3dl.am is owlpic.com, a disposable e-mail service. This allows people to register on the forum using a one-time e-mail address.

The 300 domains below the top 50 were each used fewer than 5 times, and 230 domains were used only once. Some corporate domains appear; these are probably compromised accounts. This is interesting, but you will have to find them yourself: for confidentiality reasons, I am not copying them into this document.

Now about the TLDs used:

[Figure: TOP 8 TLDs used by the fraudsters]

[Table image: counts per TLD]

We see that .de is used almost twice as often as the runner-up, .com, and the counts drop off quickly after that.

Among the TLDs there are some ccTLDs which are quite surprising to see here: .AM (Armenia), .AI (Anguilla), and .MU (Mauritius).

.AM appears 67 times. The reason is the use of mail.3dl.am, a free anonymous e-mail service in German.

.AI appears 27 times, used for the hush.ai service.

.MU was used 18 times, for the domain kuh.mu, which is currently down.
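The domain and TLD statistics above (unique addresses, unique providers, singleton domains, top domains, top TLDs, and the gTLD vs ccTLD split) can be reproduced from any plain list of e-mail addresses with a short script. The one below is an added example, not the author's own tooling, and it runs on a constructed sample list rather than the leaked carders.cc data. It assumes that a "provider" is the full domain after the @ (so mail.3dl.am and 3dl.am would count separately, as in the post) and that a two-letter TLD is a country-code TLD (the ISO 3166 convention); it also rejects syntactically broken lines, which a raw dump from a breach usually contains.

```python
"""Domain / TLD statistics over a list of e-mail addresses.

Added example (not the author's script). SAMPLE_ADDRESSES is constructed
test data and is not taken from the leaked forum database.
"""
from collections import Counter
import re

# Constructed sample input: duplicates, mixed case, subdomains and two
# malformed lines are included on purpose to exercise the parser.
SAMPLE_ADDRESSES = """
alice@web.de
Bob@Web.DE
carol@gmx.de
dave@hotmail.de
erin@example.com
frank@mail.3dl.am
grace@owlpic.com
heidi@hush.ai
ivan@kuh.mu
judy@gmx.de
alice@web.de
mallory@sub.mail.example.co.uk
not-an-address
oscar@@broken.de
""".strip().splitlines()

# Permissive syntactic check: one '@', a non-empty local part, and a domain
# made of dot-separated labels. Deliberately not RFC 5322-complete.
ADDRESS_RE = re.compile(r"^[^@\s]+@([a-z0-9-]+(?:\.[a-z0-9-]+)+)$")


def parse_addresses(lines):
    """Return (sorted unique addresses, rejected raw lines).

    Addresses are lower-cased before deduplication: domains are
    case-insensitive, and the post counts *unique* addresses.
    """
    unique = set()
    rejected = []
    for raw in lines:
        addr = raw.strip().lower()
        if not addr:
            continue
        if ADDRESS_RE.match(addr):
            unique.add(addr)
        else:
            rejected.append(raw)
    return sorted(unique), rejected


def domain_of(address):
    """Provider domain: everything after the last '@'."""
    return address.rsplit("@", 1)[1]


def tld_of(address):
    """Last DNS label, e.g. 'de' for gmx.de and 'uk' for example.co.uk."""
    return domain_of(address).rsplit(".", 1)[1]


def is_cctld(tld):
    """Assumption: two-letter TLDs are country-code TLDs (de, am, ai, mu...)."""
    return len(tld) == 2 and tld.isalpha()


def domain_stats(addresses):
    """Counter of provider domains over the unique addresses."""
    return Counter(domain_of(a) for a in addresses)


def tld_stats(addresses):
    """Counter of TLDs over the unique addresses."""
    return Counter(tld_of(a) for a in addresses)


def summarize(addresses, top=5):
    """The figures discussed in the post, as one dict."""
    doms = domain_stats(addresses)
    tlds = tld_stats(addresses)
    return {
        "unique_addresses": len(addresses),
        "unique_domains": len(doms),
        "singleton_domains": sum(1 for c in doms.values() if c == 1),
        "top_domains": doms.most_common(top),
        "top_tlds": tlds.most_common(top),
        "cctld_addresses": sum(c for t, c in tlds.items() if is_cctld(t)),
        "gtld_addresses": sum(c for t, c in tlds.items() if not is_cctld(t)),
    }


if __name__ == "__main__":
    addrs, bad = parse_addresses(SAMPLE_ADDRESSES)
    for key, value in summarize(addrs).items():
        print(f"{key}: {value}")
    print("rejected lines:", bad)
```

On the sample list this yields 11 unique addresses over 9 domains, 7 of which occur only once, with .de on top and the ccTLDs (.de, .am, .ai, .mu, .uk) outnumbering the single gTLD (.com). To run it on a real dump, replace SAMPLE_ADDRESSES with the lines of the file; the rejected list is worth inspecting, since malformed entries in breach data are often concatenation or encoding artifacts rather than real addresses.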

I'll stop my little analysis right here, since I already spent too much time on it last night ;-)

Let me finish with some avenues for further research:

• IP addresses. There are thousands of IP addresses linked to the fraudsters. It would be very interesting to have some statistics on these.

• Passwords. Cracking the passwords could provide us with amusing statistics about the most common passwords used, their length, their geekiness, and so on... ;-)

Have fun! :-)

Comments

1. Thursday, 20 May 2010, 13:48, by pello

Hello,

How many of the offenders in this batch are on IPv6? :)

See you

2. Thursday, 20 May 2010, 22:23, by Ron

Working on cracking the passwords. :) -- watch me on twitter @iagox86, I'll post when I have something to post. Because they're salted, though, it'll be a slow process.

3. Tuesday, 25 May 2010, 23:49, by Laki

Great writeup. I did some initial work on the IP address analysis, which can be found at
http://reusablesec.blogspot.com/201...

Surprisingly, most of the carders didn't use Tor. I'm just starting to work on the password cracking side of things.

4. Wednesday, 26 May 2010, 08:13, by Cedric Pernet

@pello: no comment :-p

@Ron: thank you for your comment. Following you on Twitter ;-) (mine is easy: @cedricpernet)

@Laki: This is very interesting. Thank you for your article! About your problems finding this blog: well, it's mostly French... ;-) ... About your blog: I'll link you permanently when I have time to update my favorite links ;-)

5. Monday, 12 July 2010, 15:37, by Marc Ruef

Hello,

Great article. I took the data of this security breach and compared the password length of the crackers with common users. The results are available here:

http://www.scip.ch/?labs.20100709

Regards,

Marc

6. Tuesday, 13 July 2010, 16:37, by Cédric Pernet

Hey, thank you Marc for the link, nice work you've done, although it's written in German ;-)

Cheers,

C.
