Sunday, October 19, 2014

Hacked: RDP-Shop.RU

"the black online shop"

This shop was selling login credentials to hacked Windows servers (Terminal Services/RDP).

Criminals usually purchase access to these hacked servers and use them for shady activities such as spamming or making online purchases with stolen credit cards. Only after gaining administrative access to this particular black market and closely researching some of its prolific users does it become clear that 'traditional' internet fraud is being supplemented by more lucrative schemes.

The crooked customers of this website have been observed committing identity theft, wire/bank transfer fraud, and federal and state income tax fraud by filing an income tax return online and depositing the refund to an account the thieves control. Some prefer to get their stolen refund in the form of VISA debit cards mailed to 'drops' inside the U.S. 

To the fraudsters, the value of using hacked servers in this way is that it provides a proxy layer for the perpetrator, making it harder to attribute activity back to its true source. The criminal could be sitting in Lagos or Los Angeles while remotely operating a computer in another country and using it to disguise their location. The servers are cheap and practically disposable. Access to them is volatile, however, because the real owner of the server can (and usually does) discover the illegal activity.

There are a handful of shops that sell hacked or stolen digital goods like this one, but they are now becoming a more popular venture for enterprising mongers. This trend is likely related to the recent major data breaches that have provided the criminal underground with a wealth of personal information, which paves the way for a cascade effect of fraud and theft.

[ More developments on this research will be posted soon ] 

[screenshot: main login screen / index page]

[screenshot: users of Lampeduza looking for RDP shops]

[screenshot caption: 'Wino' an admin of]


OK, so after some work we now have administrative access.

Let's look around.

Bitcoin config:
// config Blockchain account
$system = "bitcoin";
$btc = 600;
$guid = 'b6b013ef-62ca-4561-811d-1aa6b2736d43';  // Blockchain account
$main_password = 'Drilonial123.'; // Blockchain pass
$second_password = 'Winoal123..'; // Blockchain pass
$rate = 600;



The back end of the shop was a MySQL database. Passwords were stored as salted hashes, 32 hex characters each (MD5-length), all salted with the same fixed site-wide value: salt = fs978. A single shared salt defeats the purpose of salting, since every candidate password only has to be hashed once to be checked against every account.
The database contained the login credentials and IP addresses of the hacked RDP servers being sold, along with the shop's user information.
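To show why a single site-wide salt like fs978 buys the operator almost nothing, here is an added example (my own code, not anything recovered from the shop) of a dictionary attack against such a table. The page does not say in which order the salt and password were combined, so the four schemes tried below are assumptions, as is MD5 (inferred only from the 32-hex-character hashes); the user rows and wordlist are constructed for the demonstration, not the shop's real data.

```python
import hashlib

# Fixed site-wide salt named on the page. The page does not say how the salt
# was combined with the password, so the candidate schemes below are
# assumptions; MD5 is assumed because the stored hashes are 32 hex characters.
SITE_SALT = "fs978"


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# Common fixed-salt constructions seen in PHP web apps of that era (assumed).
SCHEMES = {
    "md5(salt+pw)": lambda pw, salt: md5hex(salt + pw),
    "md5(pw+salt)": lambda pw, salt: md5hex(pw + salt),
    "md5(md5(pw)+salt)": lambda pw, salt: md5hex(md5hex(pw) + salt),
    "md5(salt+md5(pw))": lambda pw, salt: md5hex(salt + md5hex(pw)),
}


def crack(user_hashes, wordlist, salt=SITE_SALT, schemes=SCHEMES):
    """Dictionary attack on a table of user -> hex hash that all share one salt.

    Returns (found, hashes_computed), where found maps each cracked user to
    (password, scheme name). Because every row uses the same salt, each
    candidate is hashed once per scheme and matched against all users at
    once, so the work is len(wordlist) * len(schemes) no matter how many
    users are in the table. Per-user random salts are what defeat this.
    """
    by_hash = {}
    for user, h in user_hashes.items():
        by_hash.setdefault(h.lower(), []).append(user)

    found = {}
    computed = 0
    for pw in wordlist:
        for name, fn in schemes.items():
            h = fn(pw, salt)
            computed += 1
            for user in by_hash.get(h, []):
                found.setdefault(user, (pw, name))
    return found, computed


# Constructed sample table (not the shop's real rows): two users whose
# passwords are in the wordlist, stored under two different schemes, and one
# whose password is not in the list.
SAMPLE_USERS = {
    "seller1": SCHEMES["md5(salt+pw)"]("123456", SITE_SALT),
    "buyer7": SCHEMES["md5(pw+salt)"]("qwerty2013", SITE_SALT),
    "mule3": SCHEMES["md5(salt+pw)"]("N0t-In-The-L1st", SITE_SALT),
}
SAMPLE_WORDLIST = ["password", "123456", "qwerty2013", "letmein"]

if __name__ == "__main__":
    found, n = crack(SAMPLE_USERS, SAMPLE_WORDLIST)
    for user, (pw, scheme) in found.items():
        print(f"{user}: {pw!r} via {scheme}")
    print(f"{n} hashes computed for {len(SAMPLE_USERS)} users")
```

The point of the hash count is that it does not grow with the number of accounts: with a per-user salt the attacker would have to repeat the whole wordlist for every row, which is the one property a salt is supposed to provide.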

The picture below is a sorted list of the users with the highest balance on the shop. (Users of the shop deposit bitcoin to their shop account, allowing purchases to be made.)

select * from `users` order by `balance` desc

(Backticks, not single quotes: in MySQL 'balance' is a string literal, so order by 'balance' sorts by a constant and the rows come back in no useful order.)

RDP-Shop.RU High Roller:


Read more about this perpetrator here.


('drilon', '925a55978b473420d3d07e40bf102941', '123456', '', '', '2011-10-01 23:03:49', '2014-09-11 06:15:40', '0', '0.00', '0', '', '5', '0', '1', '0')
,('Wino', '83275c8093a8e9ca03434bc590d2c151', '123456', '', '', '2013-03-06 14:48:07', '2014-09-24 19:27:15', '0', '0.00', '0', '', '0', '0', '1', '0')

Admin Area: 
(update 3/29/15 - forgot to post these admin screenshots)


Main Database dump:
if you have a legit need for this, email me.

Support database dump:
if you have a legit need for this, email me.

Plain text user:password list:
sorry, not sharing this data.  
ProTip: Add some code to the login form processor so that it writes the form input to a file before the hashing step, and voila, no need to crack the hashed passwords ;-)

250+ email addresses from user table:

Drilon (admin) 

1 comment:

  1. THIS IS OLD, HE WAS also my partner but now removed it and he's saying I hacked lol