Sunday, July 19, 2015

FatherDeal Carding Shop

This site has been on my carding shop list. According to whois records, the site was registered on 27-mar-2012. I recently had the opportunity to revisit the site one last time. While it was still online I gained administrative access to the site and had a look at the internal workings.

Online reviews and more recent admin support tickets of this carding shop are littered with complaints from criminal customers about this being a "ripper" shop: scammers scamming scammers.

While this shop is clearly not the work of a skilled mastermind, and whatever the complaints might say, a look at the data reveals a few thousand users, plenty of stolen information, and that at one time this shop produced a bit of revenue for the criminal admin running the operation.

Site front page: fatherdeal.com - "We sell 100% Dumps, Tools, BankLogins, Paypal verified, Credit Cards."

Admin Panel:



2774 users
Passwords stored in plain text. Awesome.

Paypal sold


Bank logins sold


Support Tickets


PayPal        $104
Tools         $882
Dumps        $1028
CC          ~$4990  (1996 * ~$2.50)
Bank logins  $1517

Revenue     ~$8500



Each user must select a country of origin when they register. 

Frequency of countries selected by users: 
   1442 'Russia',
    328 'United
    121 'Ghana',
     94 'Nigeria',
     47 'France',
     40 'China',
     37 'India',
     34 'Canada',
     31 'Malaysia',
     31 'Algeria',
     30 'Italy',
     29 'Afghanistan',
     28 'Pakistan',
     26 'Angola',
     25 'Albania',
     23 'Spain',
     23 'Brazil',
     22 'American
     

Shelled it



Lots of juicy database


Database names: 
xchangerfriend
ccbox.cc
softlogin
nscontra
mafiafu
ccshop
mixcc
paysafe
worldexc
swipe
ccsellz
autofair
try2buy
ccdumps
cashout
buy2real
The following A records are set to 192.64.115.10:
(http://bgp.he.net/ip/192.64.115.10#_dns)
asmarexchange.com, asmarwebhost.com, buy2real.com, ccshops.org, cvv2dumps.com, cvvhost.com, famsevent.com, fatherdeal.com, lrbuy.org, ns1.buy2real.com, ns2.buy2real.com, paysafehost.com, paysafemoney.com, softlogin.com, t2cvv.com, try2check.com, xchangerfriend.com, xperiasol.com

Notes:
$con = mysql_connect('localhost', 'fatherdc_top2', '1122334455');
mysql_select_db('fatherdc_top1', $con);

lastlog
182.191.192.248 (Pakistan)

.cpanel/contactinfo
cvvtop@yahoo.com

Tuesday, May 12, 2015

Deanonymizing Tor - TCF 2.0

TOR Carding Forums
Your Ultimate Source to the Carding and Fraud World

Hidden Address: ba6i2qxajcioadj4.onion
Real Address: 185.10.57.137

"Deanonymization is a strategy in data mining in which anonymous data is cross-referenced with other sources of data to re-identify the anonymous data source."



Step One:


Step Two:



Step Three:


Step Picard: 



TCF v2 is more than likely run by spooks. 

Have fun in jail. 

Sunday, March 29, 2015

SuperDed

This research has been sitting around on my computer for a while; I think it's time to share it. Nothing too interesting...

SuperDed, 'ded' meaning dedicated server, or in this case hacked dedicated server, is a black market shop that sells access credentials to hacked servers. This shop is similar to the RDP-Shop I have posted about, but unlike the limited recycled inventory used there, SuperDed is a much more enterprising venture and has more hacked servers for bad guys to choose from.






Screenshots of some active accounts:


Adolf13




The account assass belongs to a young man named Parwez Jabarkhil. 


assass page 2:




Jesus12


volfymac





SuperDed Admin IPs
http://pastebin.com/Gvci6wTR

SuperDed User Sample
http://pastebin.com/71zZ9Ptc

Thursday, February 19, 2015

php shells

Some shells I found along the way.


1337w0rm
cmd shell, mysql, passwd brute

c2f5875ce299d9f9a27b57875a1e0f03


RC-SHELL v2.0.2011.1009
cmd shell, mysql, portscan, mailer, process manager, ftp client

b946d1fcf71992707eef76999135767b


DefaCeR - InDonesiaN - minang.cyber.team
useless 

e4abdd676fca22e30d171fc22a2870d0


BCA Private Shell - Bangladesh Cyber Army 
useless

eb356f8da1c34b163bdb76f706b6cc94


K2LL33D SHELL
cmd shell, file uploader
be19679da51046577c02fc834225cbb0




CiH_H@CkErZ CiH99 v8.2 2014
.: Fuck All System :.
9f38f0347ef1917574f64ec040cdbf6f


Sql Manager (Indonesian word 'masuk' = login) 
JoJo Levesque - oh you little wanna be whore. 

55725dcc75738364cb58f285cf4be81e



x00x Config's Grabber By DamaneDz
MaDe in AlGeria 2013 ©
useless

ef9cafa3cb7d64726d721290fd5ee814

Tuesday, November 11, 2014

Torrentlocker (Cryptolocker) Ransomware Campaign - Oct/Nov 2014


Ransomware is a type of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed.

In mid-October 2014, a ransomware campaign using a new variant of CryptoLocker was launched. At the time of this post, the campaign is still active.

Once a user has unknowingly downloaded and run the malware, all files on their local disk and network drives are encrypted. The user is then presented with the screen below, which demands that the victim visit a hidden server to purchase the decryption key using Bitcoin.

This new Crypto-variant appears to be offered as a service to any criminal individual or gang who wants to get involved in the ransomware extortion business.

The malware appears to be delivered via spam e-mail.


WARNING
We have encrypted your files with CryptoLocker




"Buy decryption software and get all your files back"

Victim landing page demanding ransom payment in Bitcoin to decrypt files.


There are at least 10 active campaigns (ransomware 'botnets') utilizing this particular command and control server. From the structure and contents of the directories, it appears to be provided to other criminal individuals or gangs, as a "Ransomware-As-A-Service". The creators of the service provide the server and the malware to criminal clients so they can then run their own ransomware campaigns utilizing the infrastructure and software provided.

Each criminal customer of this ransomware extortion service has its own numbered botnet folder, which contains email lists to spam, SMTP servers to spam from, and logs of payments, feedback, etc. from the victims of the operation.

Every individual campaign would be responsible for distributing the ransom malware (spam) and managing user complaints, payments, etc.




Inside one of the individual botnet containers: the directories of campaign #11.


Lists of email addresses to spam and attempt to infect new victims.


Some of the more "successful" campaigns have a feedback directory. This is where the victims can send messages to the crooks, asking for more time before the ransom for their files increases, or asking when they will get their files back.




The 'feedback' directory contains log files for payments and questions. 



Feedback from victims:


Feedback from ransomware victims asking for more time before the ransom increases on their files. 




More "feedback"  from victims: (campaign #13)

[2014-10-15 09:45:52] [6475, petvandam@x.com] 
I payed, but when I enter the transaction detail, tyour page says it already has been used for a payment! How is that possible? 
[2014-10-15 11:35:33] [6393, dennis@**REDACTED**.nl] 
Dear Sirs,

We made a payment of 1364 bitcoins with transaction nr. 9b2a0b4fef3e711f3fbc3491666644ca85bed77a288701142a93df9866fa23c2
If I enter this on your webpage, it tells me that this has already been used, which is not.
Can you please send me the instruction to quickly solve this problem?
With kind regards,
Dennis Huisman
[2014-10-15 11:44:02] [6393, dennis.huis@**REDACTED**.nl] 
Dear Sirs,
We have paid 1.364 bitcoins with transaction id 9b2a0b4fef3e711f3fbc3491666644ca85bed77a288701142a93df9866fa23c2.
If I enter this id, the site tells me this has already been used, which is not!
Please tell me what I can do to fix this.
With kind regards, 
Dennis Huisman
[2014-10-15 13:32:22] [6393, dennis@**REDACTED**.nl] 
Dear Sirs,
We made a payment of 1.364 with tranaction ID 9b2a0b4fef3e711f3fbc3491666644ca85bed77a288701142a93df9866fa23c2. When I fill this in on your webpage, it gives a warning that this has already been used, which isn't.

Can you please tell me what to do?

Thanks in advance for your answer.
Dennis Huisman
[2014-10-17 21:07:34] [8679, muratkazan55@**REDACTED**.com] 
I'm studying at the university. I have homeworks in my pc. Please help me to save them. I need them too much to complete my education. Thank you for your understanding. 
[2014-10-18 14:35:45] [8916, gokhan@**REDACTED**.tc] 
dosyalarımın şifresini çözmek istiyorum. Ağdan 3 adet makinama bulaştı 1200 tl den daha aşağı olmaz mı? 
[2014-10-18 16:43:03] [8749, mbeykozlu@**REDACTED**.com] 
bitcoin için limit veriyor
ödemeyi yapamıyorum
zaten durumum iyi değil işim gücüm sıkıntıya girdi bittim
bana bi yol söyleyin 1200 tl borç harç göndericem

[2014-10-20 05:32:00] [8371, kelly@**REDACTED**.com.au] 
Hello,
We have deposited the money just waiting for the transfer.
Payment received
Your deposit has been received, your coin transfer will be carried out shortly.
Reference Number 12008
Amount in AUD 752.60
Amount in Bitcons 1.45200000
Email kelly@**REDACTED**.com.au
Wallet Address 1K3Z8tEDyo5FHtsGmxTZ4tbeuJdMMjEE72
We will keep you updated with the progress of the order.


[2014-10-20 09:04:23] [8544, erdogankeklik_88@**REDACTED**.com] 
Öncelikle merhaba benim bilgisayarımda dosyalar şifrelendi. Yedeklerimin hepsi var. Sadece 1 2 günlük belgeler lazım. Fiyatınız çok yüksek. Yardımcı olur musunuz? 
[2014-10-20 13:38:09] [8557, adorelguvenlik@**REDACTED**.com] ab39f8c79a581656b295bfa8fd87a4185f515860480a0fe72d308dacfba27659
bu kodu sonradan öğrendim giriyorum ancak ilkini yanlış girmişiz bu konuda yardım bekliyorum 
[2014-10-20 13:38:10] [8557, adorelguvenlik@**REDACTED**.com] ab39f8c79a581656b295bfa8fd87a4185f515860480a0fe72d308dacfba27659
bu kodu sonradan öğrendim giriyorum ancak ilkini yanlış girmişiz bu konuda yardım bekliyorum 
[2014-10-20 17:05:12] [8557, adorelguvenlik@**REDACTED**.com] 
aşağıdaki ıd numarası ile ilgili işlem yaptık lütfen sizde gerekeni yaparmısınız lütfen
Id
ab39f8c79a581656b295bfa8fd87a4185f515860480a0fe72d308dacfba27659 
[2014-10-21 08:03:42] [6207, practicombit@**REDACTED**.com] 
Hi,

Last week i paid you for the decrypter software $ 500,- when i have run the software i see that only a few files where decrypted. I paid it whith url: http://3v6e2oe5y5ruimpe.tor4u.net/buy.php?a9q1vi but when i look into my files and folders and click another decrypted_instuctions.html i see that it have another url: http://3v6e2oe5y5ruimpe.tor4u.net/buy.php?a9jme9 maybe thats why not al my files could decrypted. When i click buy i see that you want me to pay $ 1000. Could you send me a file to decrypt my other files because i already have made a payment for it. I hope you can help. I'm not happy to have not al my files back. Hope i get a reply very soon.

The bitcointransaction id is 230dfaa00246c04ca528fb29003542d0eef47c6f5399292f1ed2fffef8b853fa

Hope so you can help.

Yesterday you send me a mail to wait 1-2 hours but did not hear anything from you.
Greetings Mark 
[2014-10-22 07:17:20] [9540, coin.accont@**REDACTED**.com] 
I have made the payment but it keeps coming up with transaction ID already used.

74c5b0d6641baaaf233c80ee72b6cabb57c15a669490adbc9855ca0a4b34bcf4

What can we do now? 
[2014-10-22 09:59:19] [9089, ozansevimligul@**REDACTED**.com] 
merhaba bu yazılım 2 bilgisayarimi etkiledi ve bu kadar param yok odeme yapicak lütfen bana daha uygun bir tutar cikarin ödeyebilmeye gucumun yeticegi bir tutar ve işlemler bir bilgisayar için diyor benim diğer bilgisayarimda Windows xp yuklu onda nasil sifreleri acicam?
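The feedback log quoted above has a simple line format: a bracketed timestamp, then a bracketed victim id and e-mail, then free text that may continue on the following lines. As an added example (not code from the original post, and not part of the C&C server's own tooling), this Python parses that format from a constructed sample and lists any transaction id quoted by more than one entry, which is the "already used" pattern the victims complain about. The sample addresses and transaction ids are made up.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the layout of the campaign #13 feedback log above.
# E-mail addresses and transaction ids are invented for this example.
SAMPLE_LOG = """\
[2014-10-15 11:35:33] [6393, dennis@example.nl] 
Dear Sirs,
We made a payment with transaction nr. aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
It tells me that this has already been used.
[2014-10-15 13:32:22] [6393, dennis@example.nl] 
Same id aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa again, still refused.
[2014-10-17 21:07:34] [8679, student@example.com] 
I'm studying at the university. Please help me to save my files.
[2014-10-20 13:38:09] [8557, ops@example.com] bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
second line of the same message
"""

# "[YYYY-MM-DD HH:MM:SS] [victim_id, email] optional text on the same line"
HEADER = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] \[(\d+), ([^\]]+)\] ?(.*)$")
# A Bitcoin transaction id is 64 lowercase hex characters.
TXID = re.compile(r"\b[0-9a-f]{64}\b")


@dataclass
class Entry:
    ts: str
    victim_id: int
    email: str
    text: str = ""


def parse_feedback(log: str) -> list:
    """Split the log into entries; non-header lines belong to the previous entry."""
    entries = []
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append(Entry(m.group(1), int(m.group(2)), m.group(3), m.group(4).strip()))
        elif entries:
            entries[-1].text = (entries[-1].text + "\n" + line).strip()
    return entries


def duplicate_txids(entries: list) -> dict:
    """Map each transaction id to the victim ids that quoted it, keeping only ids seen in more than one entry."""
    seen = defaultdict(list)
    for e in entries:
        for tx in set(TXID.findall(e.text)):  # one count per entry, even if repeated inside it
            seen[tx].append(e.victim_id)
    return {tx: victims for tx, victims in seen.items() if len(victims) > 1}
```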




Admin Templates:

Templates for criminal admins to manage their campaign. 




Template payments page that victims will be directed to:





Custom ransom pages template uploader:


Settings template:



 Statistics template:



Technical Details:

Sample:

(This particular sample belongs to campaign #14)

508136766c7ea2f26ef44ffd81a63bcb

https://www.virustotal.com/en/file/cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d/analysis/

https://malwr.com/analysis/MjE5MWRhMzczODdkNDk1YjhkNDE3ZDU0NmNkMTcwODg/

hxxp://lebanonwarrior.ru:8080/data/botnets/14/


C&C Server:

lebanonwarrior.ru
46.161.30.19 
inetnum: 46.161.30.0 - 46.161.30.255
netname: KolosokIvan-net
descr: Net for customer ID 12510
country: RU




someone left a note

Monday, November 3, 2014

Perpetrator Profile - Parwez Jabarkhil (Kabul, Afghanistan)

Names/Aliases:
Parwez Jabarkhil
freshfor@yahoo.com
assass

Notes:
One of the first 20 members of RDP-Shop.RU (joined in 2013 and never used according to logs), a shop selling access to hacked servers. He is however a prolific customer of SuperDED.org, another shop selling illegal access to hacked servers for customers to use for shady activities, see below.

,('assass', 'c7296bcf3fcb2aa4f37c89561fd37633', '123456', 'freshfor@yahoo.com', '175.106.52.173', '2013-03-09 16:10:42', '2013-03-09 16:10:51', '0', '0.00', '0', '175.106.52.173', '0', '0', '0', '0')

Location:
Kabul, Afghanistan
(Home DSL connectivity)
inetnum: 175.106.48.0 - 175.106.55.255
netname: INSTA-KBL-AF
descr: DSL
country: AF


Facebook:

An ugly car


Selfies



SuperDED.org Account:
Username: assass


SuperDED.org - A shop selling access to hacked servers, aka "dedicated" or "dedikov" or "dedy"



Purchased access to hacked servers. 



Also he was a registered member of the defunct 'sh0p4you.com' - which used to sell, you guessed it...hacked server access.

http://archive.today/VRVZy
http://pastebin.com/raw.php?i=61VzdHCW