Sunday, July 19, 2015

FatherDeal Carding Shop

This site has been on my carding shop list. According to whois records, the site was registered on 27-mar-2012. I recently had the opportunity to revisit the site one last time. While it was still online I gained administrative access to the site and had a look at the internal workings.

Online reviews and more recent admin support tickets of this carding shop are littered with complaints from criminal customers about this being a "ripper" shop: scammers scamming scammers.

While this shop is clearly not the work of a skilled mastermind, and whatever the complaints might say, a look at the data reveals a few thousand users, plenty of stolen information, and that at one time this shop produced a bit of revenue for the criminal admin running the operation.

fatherdeal.com front page: "We sell 100% Dumps, Tools. BankLogins, Paypal verified, Credit Cards."

Admin Panel:

2774 users
Passwords stored in plain text. Awesome.
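Every one of those 2774 passwords is readable by whoever gets at the users table, be it the admin or whoever shells the box next, and most of them will be reused elsewhere. As an added illustration, not code from the shop, here is what the defensive alternative looks like in Python: a salted PBKDF2 hash per user, constant-time verification, and a small audit that flags rows in a dumped users table that are still plaintext. The iteration count, salt size and the constructed SAMPLE_ROWS are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Added example, not code from the fatherdeal.com site.
# Work factor and salt size are illustrative assumptions.
ITERATIONS = 100_000
SALT_BYTES = 16
PREFIX = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 digest and pack it as one storable string:
    algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{PREFIX}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:          # not a packed hash at all
        return False
    if algo != PREFIX:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def find_plaintext_rows(rows: List[Tuple[str, str]]) -> List[str]:
    """Audit a dumped users table: return usernames whose password column is not a
    packed PBKDF2 string, i.e. the password is sitting there in the clear."""
    flagged = []
    for username, stored in rows:
        parts = stored.split("$")
        if len(parts) != 4 or parts[0] != PREFIX:
            flagged.append(username)
    return flagged


# Constructed sample rows in the shape of a users table: (username, password column).
SAMPLE_ROWS = [
    ("carder01", "letmein123"),                   # stored in the clear, as on the shop
    ("carder02", hash_password("correct horse")),  # stored the way it should be
]

if __name__ == "__main__":
    print(find_plaintext_rows(SAMPLE_ROWS))       # ['carder01']
    print(verify_password("correct horse", SAMPLE_ROWS[1][1]))  # True
```

The audit is deliberately dumb: it only asks whether the column holds a packed hash, which is exactly the check you would run against a dump like this one before deciding how bad the exposure is.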

Paypal sold

Bank logins sold

Support Tickets

PayPal          $104
Tools           $882
Dumps          $1028
CC            ~$4990  (1996 * ~$2.50)
Bank logins    $1517

Revenue       ~$8500



Each user must select a country of origin when they register. 

Frequency of countries selected by users: 
   1442 'Russia',
    328 'United
    121 'Ghana',
     94 'Nigeria',
     47 'France',
     40 'China',
     37 'India',
     34 'Canada',
     31 'Malaysia',
     31 'Algeria',
     30 'Italy',
     29 'Afghanistan',
     28 'Pakistan',
     26 'Angola',
     25 'Albania',
     23 'Spain',
     23 'Brazil',
     22 'American
     

Shelled it

Lots of juicy databases

Database names: 
xchangerfriend
ccbox.cc
softlogin
nscontra
mafiafu
ccshop
mixcc
paysafe
worldexc
swipe
ccsellz
autofair
try2buy
ccdumps
cashout
buy2real
The following A records are set to 192.64.115.10 (source: http://bgp.he.net/ip/192.64.115.10#_dns):
asmarexchange.com
asmarwebhost.com
buy2real.com
ccshops.org
cvv2dumps.com
cvvhost.com
famsevent.com
fatherdeal.com
lrbuy.org
ns1.buy2real.com
ns2.buy2real.com
paysafehost.com
paysafemoney.com
softlogin.com
t2cvv.com
try2check.com
xchangerfriend.com
xperiasol.com

Notes:
$con = mysql_connect('localhost', 'fatherdc_top2', '1122334455');
mysql_select_db('fatherdc_top1', $con);

lastlog
182.191.192.248 (Pakistan)

.cpanel/contactinfo
cvvtop@yahoo.com

Tuesday, May 12, 2015

Deanonymizing Tor - TCF 2.0

TOR Carding Forums
Your Ultimate Source to the Carding and Fraud World

Hidden Address: ba6i2qxajcioadj4.onion
Real Address: 185.10.57.137

"Deanonymization is a strategy in data mining in which anonymous data is cross-referenced with other sources of data to re-identify the anonymous data source."

Step One:

Step Two:

Step Three:

Step Picard:

TCF v2 is more than likely run by spooks. 

Have fun in jail. 

Sunday, March 29, 2015

SuperDed

This research has been sitting around on my computer for a while; I think it's time to share it. Nothing too interesting...

SuperDed, 'ded' meaning dedicated server, or in this case hacked dedicated server, is a black market shop that sells access credentials to hacked servers. This shop is similar to the RDP-Shop I have posted about, but unlike the limited recycled inventory used there, SuperDed is a much more enterprising venture and has more hacked servers for bad guys to choose from.

Screenshots of some active accounts:

Adolf13

The account assass belongs to a young man named Parwez Jabarkhil.

assass page 2:

Jesus12

volfymac

SuperDed Admin IPs
http://pastebin.com/Gvci6wTR

SuperDed User Sample
http://pastebin.com/71zZ9Ptc

Thursday, February 19, 2015

php shells

Some shells I found along the way.

1337w0rm
cmd shell, mysql, passwd brute
c2f5875ce299d9f9a27b57875a1e0f03

RC-SHELL v2.0.2011.1009
cmd shell, mysql, portscan, mailer, process manager, ftp client
b946d1fcf71992707eef76999135767b

DefaCeR - InDonesiaN - minang.cyber.team
useless
e4abdd676fca22e30d171fc22a2870d0

BCA Private Shell - Bangladesh Cyber Army
useless
eb356f8da1c34b163bdb76f706b6cc94

K2LL33D SHELL
cmd shell, file uploader
be19679da51046577c02fc834225cbb0

CiH_H@CkErZ CiH99 v8.2 2014
.: Fuck All System :.
9f38f0347ef1917574f64ec040cdbf6f

Sql Manager (Indonesian word 'masuk' = login)
JoJo Levesque - oh you little wanna be whore.
55725dcc75738364cb58f285cf4be81e

x00x Config's Grabber By DamaneDz
MaDe in AlGeria 2013 ©
useless
ef9cafa3cb7d64726d721290fd5ee814
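The hash listed with each shell (32 hex digits, so presumably MD5) is the kind of value a defender can drop straight into a scan of a web root. What follows is an added example, not code from this post or from any of the shells above: it walks a directory tree, hashes every PHP-looking file and reports anything whose digest is on the list. The list is built from the digests above; the temporary web root, its file contents and the extra "constructed sample" entry that demo() adds are constructed for the demo and are not real shell hashes. A match needs byte-for-byte identity, so a shell with one changed byte or re-obfuscated source will not hit; treat this as a cheap first pass to run beside content rules and a known-good integrity baseline of the web root.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Added example, not part of the original post. Digests are the ones listed
# above for each shell; everything built in demo() is constructed.
KNOWN_SHELL_MD5: Dict[str, str] = {
    "c2f5875ce299d9f9a27b57875a1e0f03": "1337w0rm",
    "b946d1fcf71992707eef76999135767b": "RC-SHELL v2.0.2011.1009",
    "e4abdd676fca22e30d171fc22a2870d0": "DefaCeR - InDonesiaN - minang.cyber.team",
    "eb356f8da1c34b163bdb76f706b6cc94": "BCA Private Shell - Bangladesh Cyber Army",
    "be19679da51046577c02fc834225cbb0": "K2LL33D SHELL",
    "9f38f0347ef1917574f64ec040cdbf6f": "CiH_H@CkErZ CiH99 v8.2 2014",
    "55725dcc75738364cb58f285cf4be81e": "Sql Manager",
    "ef9cafa3cb7d64726d721290fd5ee814": "x00x Config's Grabber By DamaneDz",
}

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".inc")


def md5_of_file(path: str, chunk_size: int = 65536) -> str:
    """Stream a file through MD5 so large uploads do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_webroot(root: str, known: Dict[str, str] = KNOWN_SHELL_MD5,
                 extensions: Tuple[str, ...] = PHP_EXTENSIONS) -> List[Tuple[str, str, str]]:
    """Walk `root` and return (path, md5, shell_name) for every file whose digest is known."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            digest = md5_of_file(path)
            if digest in known:
                hits.append((path, digest, known[digest]))
    return hits


def demo() -> Dict[str, object]:
    """Build a throwaway web root with a benign file and one planted file, then scan it.
    The planted file's own digest is added to a copy of the list so the demo produces a hit
    without shipping any real shell source."""
    root = tempfile.mkdtemp(prefix="webroot_")
    Path(root, "index.php").write_bytes(b"<?php echo 'hello'; ?>\n")
    planted = Path(root, "uploads", "img.php")
    planted.parent.mkdir()
    planted.write_bytes(b"<?php /* constructed stand-in for a dropped file */ ?>\n")
    known = dict(KNOWN_SHELL_MD5)
    known[md5_of_file(str(planted))] = "constructed sample"  # demo-only entry
    return {"root": root, "hits": scan_webroot(root, known)}


if __name__ == "__main__":
    for path, digest, name in demo()["hits"]:
        print(f"{digest}  {name}  {path}")
```

In practice you would run scan_webroot() against the real document root with a much longer list, and alert on any hit; a hit on the unmodified KNOWN_SHELL_MD5 set against the demo web root is, correctly, empty.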