Sunday, July 19, 2015

FatherDeal Carding Shop

This site has been on my carding shop list. According to whois records, the site was registered on 27-mar-2012. I recently had the opportunity to revisit the site one last time. While it was still online I gained administrative access to the site and had a look at the internal workings.

Online reviews and more recent admin support tickets of this carding shop are littered with complaints from criminal customers about this being a "ripper" shop: scammers scamming scammers.

While this shop is clearly not the work of a skilled mastermind, and whatever the complaints might say, a look at the data reveals a few thousand users, plenty of stolen information, and that at one time this shop produced a bit of revenue for the criminal admin running the operation. The shop's own banner reads: "We sell 100% Dumps, Tools, BankLogins, Paypal verified, Credit Cards."

Admin Panel:

2774 users
Passwords stored in plain text. Awesome.

Paypal sold

Bank logins sold

Support Tickets

PayPal         $104
Tools          $882
Dumps         $1028
CC           ~$4990  (1996 cards * ~$2.50)
Bank logins   $1517

Revenue      ~$8500

Each user must select a country of origin when they register. 

Frequency of countries selected by users: 
   1442 'Russia',
    328 'United
    121 'Ghana',
     94 'Nigeria',
     47 'France',
     40 'China',
     37 'India',
     34 'Canada',
     31 'Malaysia',
     31 'Algeria',
     30 'Italy',
     29 'Afghanistan',
     28 'Pakistan',
     26 'Angola',
     25 'Albania',
     23 'Spain',
     23 'Brazil',
     22 'American

Shelled it

Lots of juicy databases

Database names: 
The following A records are set to

$con = mysql_connect('localhost', 'fatherdc_top2', '1122334455');
mysql_select_db('fatherdc_top1', $con);

lastlog (Pakistan)


Tuesday, May 12, 2015

Deanonymizing Tor - TCF 2.0

TOR Carding Forums
Your Ultimate Source to the Carding and Fraud World

Hidden Address: ba6i2qxajcioadj4.onion
Real Address:

"Deanonymization is a strategy in data mining in which anonymous data is cross-referenced with other sources of data to re-identify the anonymous data source."

Step One:

Step Two:

Step Three:

Step Picard: 

TCF v2 is more than likely run by spooks. 

Have fun in jail. 

Sunday, March 29, 2015


This research has been sitting around on my computer for a while; I think it's time to share it. Nothing too interesting...

SuperDed, 'ded' meaning dedicated server, or in this case hacked dedicated server, is a black market shop that sells access credentials to hacked servers. This shop is similar to the RDP-Shop I have posted about, but unlike the limited, recycled inventory used there, SuperDed is a much more enterprising venture and has more hacked servers for bad guys to choose from.

Screenshots of some active accounts:


The account assass belongs to a young man named Parwez Jabarkhil. 

assass page 2:



SuperDed Admin IPs

SuperDed User Sample

Thursday, February 19, 2015

php shells

Some shells I found along the way.

cmd shell, mysql, passwd brute


RC-SHELL v2.0.2011.1009
cmd shell, mysql, portscan, mailer, process manager, ftp client


DefaCeR - InDonesiaN -


BCA Private Shell - Bangladesh Cyber Army 


cmd shell, file uploader

CiH_H@CkErZ CiH99 v8.2 2014
.: Fuck All System :.

Sql Manager (Indonesian word 'masuk' = login) 
JoJo Levesque - oh you little wanna be whore. 


x00x Config's Grabber By DamaneDz
MaDe in AlGeria 2013 ©


Tuesday, November 11, 2014

TorrentLocker (CryptoLocker) Ransomware Campaign - Oct/Nov 2014

Ransomware is a type of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed.

In mid-October 2014, a ransomware campaign using a new variant was launched. It presents itself to victims as CryptoLocker but is tracked as TorrentLocker. At the time of this post, the campaign is still active.

Once a user has unknowingly downloaded and run the malware, all files on their local disk and network drives are encrypted. The user is then presented with the following screen (below), which demands that the victim visit a hidden server to purchase the decryption key using Bitcoin.

This new Crypto-variant appears to be offered as a service to any criminal individual or gang who wants to get involved in the ransomware extortion business.

The malware appears to be delivered via spam e-mail.

We have encrypted your files with CryptoLocker

"Buy decryption software and get all your files back"

Victim landing page demanding ransom payment in Bitcoin to decrypt files.

There are at least 10 active campaigns (ransomware 'botnets') utilizing this particular command and control server. From the structure and contents of the directories, it appears to be provided to other criminal individuals or gangs, as a "Ransomware-As-A-Service". The creators of the service provide the server and the malware to criminal clients so they can then run their own ransomware campaigns utilizing the infrastructure and software provided.

Each criminal customer of this ransomware extortion service has its own numbered 'botnet' folder, which contains email lists to spam, SMTP servers to spam from, and logs of payments, feedback, etc. from the victims of the operation.

Each individual campaign is responsible for distributing the ransomware (by spam) and for handling its own victims' complaints, payments, etc.

Inside one of the individual botnet containers: the directories of campaign #11.

Lists of email addresses to spam and attempt to infect new victims.

Some of the more "successful" campaigns have a feedback directory. This is where the victims can send messages to the crooks, asking for more time before the ransom for their files increases, or asking when they will get their files back.

The 'feedback' directory contains log files for payments and questions. 

Feedback from victims:

Feedback from ransomware victims asking for more time before the ransom increases on their files. 

More "feedback"  from victims: (campaign #13)

[2014-10-15 09:45:52] [6475,] 
I paid, but when I enter the transaction details, your page says it has already been used for a payment! How is that possible?
[2014-10-15 11:35:33] [6393, dennis@**REDACTED**.nl] 
Dear Sirs,

We made a payment of 1364 bitcoins with transaction nr. 9b2a0b4fef3e711f3fbc3491666644ca85bed77a288701142a93df9866fa23c2
If I enter this on your webpage, it tells me that this has already been used, which it has not.
Can you please send me the instruction to quickly solve this problem?
With kind regards,
Dennis Huisman
[2014-10-15 11:44:02] [6393, dennis.huis@**REDACTED**.nl] 
Dear Sirs,
We have paid 1.364 bitcoins with transaction id 9b2a0b4fef3e711f3fbc3491666644ca85bed77a288701142a93df9866fa23c2.
If I enter this id, the site tells me this has already been used, which it has not!
Please tell me what I can do to fix this.
With kind regards, 
Dennis Huisman
[2014-10-15 13:32:22] [6393, dennis@**REDACTED**.nl] 
Dear Sirs,
We made a payment of 1.364 with transaction ID 9b2a0b4fef3e711f3fbc3491666644ca85bed77a288701142a93df9866fa23c2. When I fill this in on your webpage, it gives a warning that this has already been used, which it hasn't.

Can you please tell me what to do?

Thanks in advance for your answer.
Dennis Huisman
[2014-10-17 21:07:34] [8679, muratkazan55@**REDACTED**.com] 
I'm studying at the university. I have homework on my PC. Please help me save it. I need it very much to complete my education. Thank you for your understanding.
[2014-10-18 14:35:45] [8916, gokhan@**REDACTED**.tc] 
I want to decrypt my files. It spread over the network to 3 of my machines; can't it be lower than 1200 TL?
[2014-10-18 16:43:03] [8749, mbeykozlu@**REDACTED**.com] 
It gives a limit for bitcoin.
I can't make the payment.
My situation is already not good, my work has gotten into trouble, I'm finished.
Tell me a way; I'll borrow the money and send 1200 TL.

[2014-10-20 05:32:00] [8371, kelly@**REDACTED**] 
We have deposited the money just waiting for the transfer.
Payment received
Your deposit has been received, your coin transfer will be carried out shortly.
Reference Number 12008
Amount in AUD 752.60
Amount in Bitcons 1.45200000
Email kelly@**REDACTED**
Wallet Address 1K3Z8tEDyo5FHtsGmxTZ4tbeuJdMMjEE72
We will keep you updated with the progress of the order.

[2014-10-20 09:04:23] [8544, erdogankeklik_88@**REDACTED**.com] 
First of all, hello. The files on my computer were encrypted. I have all my backups. I only need the documents from the last 1-2 days. Your price is very high. Could you help?
[2014-10-20 13:38:09] [8557, adorelguvenlik@**REDACTED**.com] ab39f8c79a581656b295bfa8fd87a4185f515860480a0fe72d308dacfba27659
I learned this code later and am entering it now, but we entered the first one wrongly; I'm waiting for help on this.
[2014-10-20 13:38:10] [8557, adorelguvenlik@**REDACTED**.com] ab39f8c79a581656b295bfa8fd87a4185f515860480a0fe72d308dacfba27659
I learned this code later and am entering it now, but we entered the first one wrongly; I'm waiting for help on this.
[2014-10-20 17:05:12] [8557, adorelguvenlik@**REDACTED**.com] 
We made the transaction with the ID number below; please do what is necessary on your side, please.
[2014-10-21 08:03:42] [6207, practicombit@**REDACTED**.com] 

Last week I paid you $500 for the decrypter software. When I ran the software I saw that only a few files were decrypted. I paid it with url: but when I look into my files and folders and click another decrypted_instuctions.html I see that it has another url: maybe that's why not all my files could be decrypted. When I click buy I see that you want me to pay $1000. Could you send me a file to decrypt my other files, because I have already made a payment for it. I hope you can help. I'm not happy to have not all my files back. Hope I get a reply very soon.

The bitcointransaction id is 230dfaa00246c04ca528fb29003542d0eef47c6f5399292f1ed2fffef8b853fa

Hope so you can help.

Yesterday you sent me a mail to wait 1-2 hours but I did not hear anything from you.
Greetings Mark 
[2014-10-22 07:17:20] [9540, coin.accont@**REDACTED**.com] 
I have made the payment but it keeps coming up with transaction ID already used.


What can we do now? 
[2014-10-22 09:59:19] [9089, ozansevimligul@**REDACTED**.com] 
Hello, this software affected 2 of my computers and I don't have this much money to pay. Please give me a more affordable amount, an amount I can manage to pay. Also the instructions say it is for one computer; my other computer has Windows XP installed, how will I decrypt the files on that one?
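Every feedback entry above shares one shape: a timestamped header carrying a numeric victim id and an optional email address, followed by free text that often spans several lines and frequently contains a Bitcoin transaction id that the payment page has rejected as "already used". When triaging a seized botnet folder, the first thing an analyst wants is that log in structured form: how many victims wrote in, who wrote repeatedly, and which transaction ids were cited by whom. The following Python does that. It is an added example, not code from the original post or from the C&C server; the log embedded in it is constructed for the example (ids, addresses and transaction hashes are made up), and the names `parse_feedback`, `summarize` and `Entry` are my own.

```python
"""Parser for the C&C 'feedback' log format quoted above.

Added example; not code from the original post or from the seized server.
Entry shape, inferred from the excerpts above:

    [YYYY-MM-DD HH:MM:SS] [<victim_id>, <email-or-empty>] <optional text>
    <continuation lines until the next header>

SAMPLE_LOG is constructed: ids, addresses and tx hashes are made up.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

HEADER = re.compile(
    r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]"   # timestamp
    r" \[(\d+),\s*([^\]]*)\]"                        # victim id, optional email
    r"\s*(.*)$"                                      # text on the header line, if any
)
# Bitcoin transaction ids are 64 hex characters; victims paste them in when the
# payment page tells them the id "has already been used".
TXID = re.compile(r"\b[0-9a-fA-F]{64}\b")


@dataclass
class Entry:
    ts: str
    victim_id: int
    email: str
    text: str = ""
    txids: List[str] = field(default_factory=list)


def parse_feedback(log: str) -> List[Entry]:
    """Split a feedback log into entries; body lines attach to the last header seen."""
    entries: List[Entry] = []
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            ts, vid, email, rest = m.groups()
            entries.append(Entry(ts, int(vid), email.strip(), rest))
        elif entries:                      # continuation of the current entry
            entries[-1].text += "\n" + line
        # anything before the first header belongs to no entry and is dropped
    for e in entries:
        e.text = e.text.strip()
        e.txids = TXID.findall(e.text)
    return entries


def summarize(entries: List[Entry]) -> Dict[str, object]:
    """Per-campaign triage view: who wrote in, how often, and which tx ids they cite."""
    by_victim: Dict[int, List[Entry]] = {}
    txid_to_victims: Dict[str, set] = {}
    for e in entries:
        by_victim.setdefault(e.victim_id, []).append(e)
        for t in e.txids:
            txid_to_victims.setdefault(t.lower(), set()).add(e.victim_id)
    return {
        "entries": len(entries),
        "victims": len(by_victim),
        # victims who wrote more than once (the "already used" complaints repeat)
        "repeat_contacts": sorted(v for v, es in by_victim.items() if len(es) > 1),
        # one tx id cited by several victim ids would point at shared or forged payments
        "txids": {t: sorted(v) for t, v in txid_to_victims.items()},
        "no_email": sorted({e.victim_id for e in entries if not e.email}),
    }


TX_A = "1a2b3c4d" * 8   # constructed 64-hex-char transaction id
TX_B = "9f8e7d6c" * 8   # constructed

SAMPLE_LOG = f"""\
[2014-10-15 09:45:52] [1001,]
I paid, but your page says the transaction has already been used.
[2014-10-15 11:35:33] [1002, victim-a@example.com]
Dear Sirs,

We paid 1.364 BTC with transaction id {TX_A}
Your page tells me it has already been used, which it has not.
[2014-10-15 13:32:22] [1002, victim-a@example.com]
Same id again: {TX_A}. Please tell me what to do.
[2014-10-20 13:38:09] [1003, victim-b@example.com] {TX_B}
We entered the first code wrongly; waiting for help.
"""

if __name__ == "__main__":
    parsed = parse_feedback(SAMPLE_LOG)
    for e in parsed:
        print(e.ts, e.victim_id, e.email or "<no email>", e.txids)
    print(summarize(parsed))
```

Run against a real `feedback` directory, `parse_feedback` would be applied per file and the summaries keyed by campaign number; the `txids` map is the part worth cross-checking against the payment log, since a transaction id the victims say was rejected as "already used" either does appear there (the operators took the money and the page is broken) or does not (the payment went elsewhere).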

Admin Templates:

Templates for criminal admins to manage their campaign. 

Template payments page that victims will be directed to:

Custom ransom pages template uploader:

Settings template:

Statistics template:

Technical Details:


(This particular sample belongs to campaign #14)



C&C Server: 
inetnum: -
netname: KolosokIvan-net
descr: Net for customer ID 12510
country: RU

someone left a note

Monday, November 3, 2014

Perpetrator Profile - Parwez Jabarkhil (Kabul, Afghanistan)

Parwez Jabarkhil

One of the first 20 members of RDP-Shop.RU (joined in 2013 and, according to the logs, never used it), a shop selling access to hacked servers. He is, however, a prolific customer of another shop selling illegal access to hacked servers for customers to use for shady activities; see below.

,('assass', 'c7296bcf3fcb2aa4f37c89561fd37633', '123456', '', '', '2013-03-09 16:10:42', '2013-03-09 16:10:51', '0', '0.00', '0', '', '0', '0', '0', '0')

Kabul, Afghanistan
(Home DSL connectivity)
inetnum: -
netname:        INSTA-KBL-AF
descr:             DSL
country:         AF


An ugly car

Selfies Account:
Username: assass - A shop selling access to hacked servers, aka "dedicated" or "dedikov" or "dedy"

Purchased access to hacked servers. 

He was also a registered member of the now-defunct '' which used to sell, you guessed it... hacked server access.