Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Carders’ Category

ASSESSMENT: TEAM JM511

leave a comment »

Screenshot from 2014-03-14 10:04:48

JM511 Hacking since at least 2004:

There is a typical history to certain types of hackers and this genesis usually embodies first defacing sites and gloating about it online. Since the advent of pastebin and Anonymous things have changed a bit by dumping DOX or proof of hacks while gloating. JM511 has been one of these hackers who started around 2004 (by his own account as seen in the picture below) defacing sites and shouting out gr33tz to those he wanted to share his conquests with. Often times the tenor of JM511 has been “neener neener neener you stupid idiots!” which is pretty common and bespeaks a certain core need to feel superior to anyone and everyone coupled with poor impulse control. Of course in today’s world there are so many outlets to garner fame and fortune for your exploits like Twitter where JM511 has a long lived twitter feed where he posted his thoughts on hacking, politics, Islam, and generally used it as a platform for self aggrandizement.

Screenshot from 2014-03-14 10:31:54

To date JM511 has been pretty prolific and for the most part an afterthought by most for his acts against poorly protected sites. However, he has recently taken on a new aspect with recent posts that dumped credit cards and email addresses as well as other PII that some out there certainly should care about. Law enforcement at the least should be paying attention to large dumps of credit cards and PII as well as watching these guys who profess their ties (albeit tenuously at first) to AQ. I personally got him on my radar by a tip from a comrade who thought it might be a fun diversion for me to look into Mr. 511.. That tipster was right and I tip my hat to you sir.

JM511 Today:

JM511 has been a busy busy boy. A recent post by him on pastebin was what triggered all of this from the angle of Islamic hackers who may be in fact carding on the nets. The posting below is the cause for my looksee and as you can see he is taking pleasure in dumping people’s credit details and names on pastebin with impunity. JM511 has a whole long list of pastes out there showing his knowledge of XSS to SQLi and other attacks whilst mocking those he has ripped off or otherwise shamed in some way. Of course now he called his crew “Islam Hackers” and seems to have the aforementioned aegis towards opposing those who would oppose Islam. In fact he was one of the many voices on twitter back last April saying tha Dzokhar was not guilty of his crimes (bombing the Boston Marathon) and that Islam is a religion of peace. Odd that he says such things as he then turns around and starts abusing people online…

Screenshot from 2014-03-14 11:47:34

Screenshot from 2014-03-14 11:31:31 Screenshot from 2014-03-14 11:31:16

JM511 aka   فيصل البقعاوي aka Faisal Bakaawi aka Faisal Faisal Al Otaibi:

JM511 thought he had it all figured out though. His reign has been long and no one seems to have caught onto him to date.. That is until now. Through a circuitous use of Maltego, Google, and the frontal lobes of my brain I managed to trace JM511 through his SPECTACULAR OPSEC FAIL to his real name and his location. As JM511 aka Faisal Bakaawi or Faisal Al Otaibi claims that he is in and from Saudi Arabia I am sure he thought he could not be tracked. Well, he would be incorrect there because he forgot to compartmentalize his real life with his ID’s. Faisal failed to not re-use ID’s for non hacking things like say posting an ad for housing in Dekalb Illinois recently.

Screenshot from 2014-03-14 10:58:40It seems that Faisal is attending ESL (language school) in Dekalb and used his Yahoo account (jxffh@yahoo.com) which he tied to his Skype account FoFox511x which he also kindly attached to his cell phone (443-820-8939 Baltimore number btw) and he wanted a move in date of 11/5/2013 so I am going to assume that he has found lodgings by now there in Dekalb. Some might say to me “why did you post his details on the net! Shame on you!” well, I subscribe to the idea t hat turnabout is indeed fair play and all of this data is open source and public so it has an added giggle factor for schadenfreude.

UPDATE: While researching this it became clear that the name Faisal Otaibi also comes to bear in posts and videos by JM511. Further study showed direct links to Faisal Otaibi also being a Dekalb resident attending school (see pic below) I believe that Faisal either has a pal there with him also named Faisal or, more likely, they are one in the same and Faisal has just been trying to obfuscate his name. Either way, it is my conviction that Faisal Otaibi/Bakawai is indeed JM511. It is also key to note that a Faisal Otaibi is also listed as an ethical hacker who also attended last years hacker conference in Germany…. Oh and one more thing, ELS, the school is located on NIU’s campus.

Screenshot from 2014-03-14 17:12:44

Screenshot from 2014-03-14 11:36:25

Screenshot from 2014-03-14 10:30:07

Screenshot from 2014-03-14 10:48:32Screenshot from 2014-03-14 12:32:12

So, Faisal, thanks for playing but you lose. Please collect your silver bracelets at the door because LE has been informed of these details coming to light and you should be visited hopefully soon. I do love the irony of the selfies you took showing how you used those people’s credit cards to purchase domains on your Twitter feed though. I mean usually it’s some unsuspecting idiot showing off their new credit card and not understanding OPSEC. Of course in this case it’s  you and someone else’s money that will get you some jail time I suspect.

ASSESSMENT:

My analysis of this interesting side trip to my day is this; OPSEC, USE IT or FAIL miserably. Faisal, you failed and I eagerly await the news of your being popped for your crimes. Let it be an object lesson for others out there who may look up to such fools. You may hack for a while, you may have your fun at the expense of others but eventually you will make a mistake and get caught. It’s just your human nature and the law of averages that will get you in the end. Run! Scurry! Someone’s coming to see you.

K.

Written by Krypt3ia

2014/03/14 at 16:32

ASSESSMENT: The Lampeduza Republic Organizational Structure

with 9 comments

Screenshot from 2014-01-24 13:17:11

The Lampeduza Republic:

The Lampeduza Republic is a collective of carders which has it’s base of founders primarily in the Baltic states. You may be familiar with this name and the group through Brian Krebs work on the Target breach of 2013. The Lampeduza came into existence circa 2011 (Creation Date: 2011-06-01T16:54:41Z) as a follow up to other sites that had shut down but with the creation of this one the creators also covered all the bases with mirrors on other servers and domain names. What makes this site different from the rest of the carder arcology is that this group is exceedingly hierarchical and structured themselves after the constructs of Roman rule. As the main player who seems to be involved per Brian has a penchant for games as well as hacking and carding, Rescator (aka Hellkern) it seems only fitting that he has a STEAM account and a love for ROME II (All Out War) It is my contention that he and others within his clan perhaps began this whole escapade after playing ROME II together and grew to love the idea of being powerful “Senatus” or dare I say even Caesars?

Screenshot from 2014-01-24 15:33:06

Organizational Structure:

The Lampeduza Republic (Lampeduza rei publicae) took it’s structure from the old Roman rule as I said above and within this classicist format they have the following categories of “citizens”

  • Сaesar — monarch of the Lampeduza Republic.
  • Consul — highest public official, the head of executive & administrative authority, the head of the Senate.
  • Senator — highest governmental authority of Lampeduza Republic Senate.
  • Praetores — highest public official, Republic arbitrator.
  • Legatus — messenger of the Republic Senate, legion leader. Senate assigns the title to the most devoted Republic warriors, shown himself to good advantage.
  • Quaestores — assistant of the Republic Senate. Treasurer, assessor, the one responsible for payments to contractors. Posts all the decisions, resolutions & laws of the Senate and Caesar ordinances.
  • Primus Pilus — ranked highest in Centurio legion. Shown himself to good advantage for a long period of time. Literally the first rank. Having the right to assign himself two assistants (Centurios).
  • Centurio — warrior, recommended himself to good advantage and decent reputation amongst collegues. Having the right to assign himself two assistants (Optios).
  • Optio — assistant of the Centurio. Chosen by Centurio among his warriors. The title can be assigned by Republic Senate, without Centurio’s petition to anyone standing out sharply against background. Having the right to assign himself one assistant (Tesserarius).
  • Tesserarius — assistant of the Optio. Obligated to organize security & password transitions. Republic of Lampeduza army career is starting with Tesserarius title.
  • Censor — title assigned by default to forum moderator, invited by Senate for observing compliance with Republic constitution. Moderator having title of the Lampeduza Republic allowed to indicate It in his status.
  • Legionarius — citizen of the Lampeduza Republic, lucky passport owner.

Whether or not the actual group functions in a strict regimental way remains to be proven but the general idea is followed through on from what I can see. In looking at it from caches of pages it seems like the inner group of progenitors consists of Consul Octavian (Caesar) , Senator Severa, Senator Tiberiy,  and Senator Flavius. The Caesar is named as “Octavian” which as it happens there is a site Octavian.su which is now a defunct site. This may account as to who was the progenitorus primus in the Lampeduza universe and to date no one has really looked at this Octavian as much as Rescator has. My question becomes who is Octavian? Is Octavian just another user ID for Rescator? Or is this someone else altogether? Additionally, you can see how Rescator has moved up the ranks in the site as time has moved on from Legatus to Praetor all from meeting notes as it were on the site itself. Additionally, the role of Tiberius Caesar seems to have it’s laurel wreath squarely upon Tiberiy, a name that to date really hasn’t been mentioned in the stories around the Target heist.

The Senate of Lampeduza:

Senate of the Lampeduza Republic: Consul Octavian, Senator Severa, Senator Tiberiy, Senator Flavius, considering petition of the Сenturio Pompei, Primus Pilus DJ CRACK, Quaestores Trayan have decided:

I. Magistrate the following:

Octavian – Ceasor pro tempore, the Consul & the head of the Republic Senate
Rescator – Praetores of the Lampeduza Republic, assign the Legatus title
Trayan – Guarantor of the Lampeduza Republic, assign the Quaestores title

II. Assign the Primus Pilus title of the Lampeduza Republic

    DJ CRACK – Primus Pilus of the Republic, province Censor
    Blaster – Primus Pilus of the Republic, province Censor

III. Assign the Сenturio title of the Lampeduza Republic

    Pompei – Сenturio of the Republic
    rfcid – Сenturio of the Republic
    goldminer – Сenturio of the Republic
    -=SGA=– – Сenturio of the Republic, province Censor
    St.Patrick – Сenturio of the Republic
    Mesr – Сenturio of the Republic
    greystone – Сenturio of the Republic
    powerseller – Сenturio of the Republic
    Search – Сenturio of the Republic
    Шаман – Сenturio of the Republic
    j.p.morgan – Сenturio of the Republic
    True Partners – Сenturio of the Republic
    alphadog – Сenturio of the Republic
    risk25 – Сenturio of the Republic

IV. Assign the Optio title of the Lampeduza Republic

    TaoBao – Optio of the Republic
    jimy – Optio of the Republic
    fff3fff – Optio of the Republic
    himik – Optio of the Republic
    PapaRed – Optio of the Republic
    Septimiy – Optio of the Republic
    Avidiy – Optio of the Republic

V. Assign the Tesserarius title of the Lampeduza Republic

    bissone – Tesserarius of the Republic
    liberral – Tesserarius of the Republic

SENATE DATA:

So the main players here are the following;

Screenshot from 2014-01-24 16:04:13Caesar Tempore Octavian

Screenshot from 2014-01-24 16:11:00Senatus Severa

Screenshot from 2014-01-24 16:15:59Senatus now Tiberius Caesar Tiberiy

Screenshot from 2014-01-24 16:31:41Senatus Flavius

Screenshot from 2014-01-24 16:34:38Praetor Rescator Legatus of the Lampeduza

ANALYSIS:

While Brian has actual screen shots of Rescator (a lover of old French films it seems about pirates) talking about the BlackPOS and the shuttling of card data there is certainly more than one player here in the Lampeduza universe. Given the love of the Roman structure of governance it actually played out a most interesting game of looking at who was in fact in charge and the overall makeup of the organization. I have not really taken any kind of real look at the other players on an OSINT level but I am sure that once that is done it will be a bit more enlightening as to who these guys are. It is my theory that they all are gamers and all played quite a bit of ROME II (Total War) and aspire to be the new Romanus Civilis of the digital age. It kind of also fits with the Russian/Ukrainian tastes as well on a societal level. The other part of the puzzle is whether or not these guys were just the procurement specialists and others actually carried out the hack or was it all of them, in their structured and regimented organization that carried off not only the hack but also the brokering of the card data, reaping all the financial rewards as a new Rome should?

Meanwhile Rescator (ala Hellkern) surely had the technical chops to code some of the software as well. In his online profile as Hellkern dates much further back with hacks and code that seems to include a worm that made the rounds circa 2009. He’s been around but so too has Ree4 who it seems for all intents and purposes was the one who modified the memory scraper tech and made it what it is today at least in a proto form. Did Rescator go the next steps and get it to be the application that bypassed AV today and was what was used on Target and the others? Ostensibly the FBI has shown as well as Brian that the software was up for sale for six thousand dollars and obviously that price was paid.  Just who made the changes? We still aren’t sure as solid evidence goes but it seems from what Brian has found concerning OPSEC failures on the part of Rescator/Hellkern he surely had something to do with it. The collective though for me is the thing..

Who else is there and who are they in real life?

K.

mlal qh xzvp ttdqdm xof fgrowuqd

Written by Krypt3ia

2014/01/24 at 21:53

ASSESSMENT: Threat Intelligence and Credit Card Fraud

with 3 comments

rescator_maltego

TARGET:

With the escape of card data and personal data from Target over the holiday season we have seen an uptick in stories about the underworld of carding. Of course Target is just one large company that has been hit with such attacks albeit this time this one hit scored over 70 million cards and their attendant PII data. As the fallout continues to get reported on the attack itself, Brian Krebs has been reporting on those behind the scenes offering up the “dumps” for the criminally inclined to buy cards and data in order to create new lines of credit or spend the ones that have been stolen. As time has worn on though, and as Target starts to release details of just how inadequate their security was on their systems that allowed this attack to happen from external access to their intranet one thing has become clear; Credit crime is not abating and the banks and credit companies are either powerless or don’t care to find ways to stop the hacks and dumps from happening in the first place. Target specifically in this instance has done a terrible job of responding to the incident with clients and the street and now that details are coming out about their internal security issues, they no doubt will be hiring PR firms by the dozen to spin a tale that this was impossible to have stopped.

CARDERS:

In reality the carders live a fairly open existence on the internet in PHP bulletin boards much like the jihadi’s do. Their OPSEC is lacking as Krebs can attest and in some cases really don’t care because they live or work in countries where the laws are not as robust and they don’t really fear prosecution. After having been on their sites and looked at caches as well as live data I can say that the OSINT that Krebs culls is not that hard to perform and that more people should be doing the same thing in order to interdict possible attacks in the future. I would assume that there are personnel tasked to do this from say Treasury or USSS but inasmuch as all of this came as such a surprise and that Krebs broke the story before anyone else says a lot about the lack of eyeballs on these forums. These guys are living large and often are not that old to begin with. We aren’t talking about old KGB guys now lurking the net and stealing credit card data to support their plans of world domination. What we are talking about are kids who play Xbox and have a revenue stream that is often times pretty robust allowing them to do pretty much whatever they want. Of course I suspect that there are ties to Mafiosi of the Russian variety (this case) as well as in other quarters because hey, this is just another piece of action right? What still amazes though is the naked operations that these guys carry out day to day that don’t even require much else than an ICQ connection and an email address that can be thrown away.

RESCATOR:

Screenshot from 2014-01-20 15:54:08

In the case of Rescator though, we have a kind of a “Senatus” as they like to call him on the sites who seems to have been at this for some time and has amassed an infrastructure to allow for the sale of not only stolen credit card data but also flooding services and other offerings. In the case of the latest Target affair, Senatus Rescator is most definitely at the forefront of the whole thing. He and others like Flavius are in charge of about 10 or so sites that are transitory at times and all bulletin boards pretty much explicitly for the trade of credit card data. Now, as to whether or not Rescator was the main operator behind this hack on target and others is a question that I cannot answer at the present time. I will say though that the conglomerate including those like Flavius and Rescator may in fact form the cabal that ordered up the hack and ex-filtration or perhaps just benefited from the dumps that came to them from the hackers. I lean towards though the idea that Rescator and Flavius and others were likely the ones who put this all together, purchased the malware, and got the hired hands to pull it off if not doing some of the work themselves. That Krebs and others have actually tracked Rescator to a single name and have his personal details shows the lack of OPSEC there and one hopes that sometime in the near future he will get a knock at the door from Interpol and the USSS/FBI but that remains to be seen.

LAMPEDUZA, RESCATOR, OCTAVIAN:

Screenshot from 2014-01-20 15:47:49

Screenshot from 2014-01-20 15:55:40

Screenshot from 2014-01-18 10:13:33

Screenshot from 2014-01-18 12:38:42

Screenshot from 2014-01-18 15:38:25

Domain ID:GMOREGISTRY-DO27434
Domain Name:RESCATOR.SO
Created On:2013-10-01T07:27:57.0Z
Last Updated On:2013-10-08T06:45:26.0Z
Expiration Date:2015-10-01T23:59:59.0Z
Status:clientTransferProhibited
Status:clientUpdateProhibited
Status:clientDeleteProhibited
Status:serverTransferProhibited
Registrant ID:WN18968955T
Registrant Name:Private Registration
Registrant Organization:rescator.so
Registrant Street1:Rm.804, Sino Centre, Nathan Road,
Registrant City:Kln Hong Kong
Registrant State/Province:Hong Kong
Registrant Postal Code:582-592
Registrant Country:HK
Registrant Phone:+852.23840332
Registrant FAX:+0.0
Registrant Email:rescator.so@domainsproxy.name
Admin ID:WN18968956T
Admin Name:Private Registration
Admin Organization:rescator.so
Admin Street1:Rm.804, Sino Centre, Nathan Road,
Admin City:Kln Hong Kong
Admin State/Province:Hong Kong
Admin Postal Code:582-592
Admin Country:HK
Admin Phone:+852.23840332
Admin FAX:+0.0
Admin Email:rescator.so@domainsproxy.name
Tech ID:WN18968957T
Tech Name:Private Registration
Tech Organization:rescator.so
Tech Street1:Rm.804, Sino Centre, Nathan Road,
Tech City:Kln Hong Kong
Tech State/Province:Hong Kong
Tech Postal Code:582-592
Tech Country:HK
Tech Phone:+852.23840332
Tech FAX:+0.0
Tech Email:rescator.so@domainsproxy.name
Billing ID:WN18968958T
Billing Name:Private Registration
Billing Organization:rescator.so
Billing Street1:Rm.804, Sino Centre, Nathan Road,
Billing City:Kln Hong Kong
Billing State/Province:Hong Kong
Billing Postal Code:582-592
Billing Country:HK
Billing Phone:+852.23840332
Billing FAX:+0.0
Billing Email:rescator.so@domainsproxy.name
Sponsoring Registrar ID:webnic
Sponsoring Registrar Organization:Web Commerce Communications Limited
Sponsoring Registrar Street1:Lot 2-2, Technology Park Malaysia, Bukit Jalil,
Sponsoring Registrar City:Kuala Lumpur
Sponsoring Registrar State/Province:Wilayah Persekutuan
Sponsoring Registrar Postal Code:5700
Sponsoring Registrar Country:MY
Sponsoring Registrar Phone:+60.60389966788
Name Server:GREG.NS.CLOUDFLARE.COM
Name Server:ROSE.NS.CLOUDFLARE.COM
DNSSEC:Unsigned

Domain Information
Query: rescator.cm
Status: Active
Created: 01 Jan 2014 15:52 WAT
Modified: 10 Jan 2014 09:54 WAT
Expires: 01 Jan 2015 15:52 WAT
Name Servers:
pns4.cloudns.net
pns5.cloudns.net

Registrar Information
Registrar Name: Web Commerce Communications WebCC

Registrant:
Name: Private Registration
Organisation: rescator.cm
Address:
Rm.804, Sino Centre, Nathan Road
Kln Hong Kong, Hong Kong 582-592
hk
Email Address: rescator.cm@domainsproxy.net

Admin Contact:
Name: Private Registration
Organisation: rescator.cm
Address:
Rm.804, Sino Centre, Nathan Road
Kln Hong Kong, Hong Kong 582-592
hk
Email Address: rescator.cm@domainsproxy.net

Technical Contact:
Name: Private Registration
Organisation: rescator.cm
Address:
Rm.804, Sino Centre, Nathan Road
Kln Hong Kong, Hong Kong 582-592
hk
Email Address: rescator.cm@domainsproxy.net

Billing Contact:
Name: Private Registration
Organisation: rescator.cm
Address:
Rm.804, Sino Centre, Nathan Road
Kln Hong Kong, Hong Kong 582-592
hk
Email Address: rescator.cm@domainsproxy.net

Domain ID:GMOREGISTRY-DO27425
Domain Name:LAMPEDUZA.SO
Created On:2013-10-01T00:58:44.0Z
Last Updated On:2014-01-16T14:55:50.0Z
Expiration Date:2015-10-01T23:59:59.0Z
Status:clientTransferProhibited
Status:clientUpdateProhibited
Status:clientDeleteProhibited
Status:serverTransferProhibited
Registrant ID:WN18967443T
Registrant Name:Private Registration
Registrant Organization:lampeduza.so
Registrant Street1:Rm.804, Sino Centre, Nathan Road,
Registrant City:Kln Hong Kong
Registrant State/Province:Hong Kong
Registrant Postal Code:582-592
Registrant Country:HK
Registrant Phone:+852.23840332
Registrant FAX:+0.0
Registrant Email:lampeduza.so@domainsproxy.net
Admin ID:WN18967444T
Admin Name:Private Registration
Admin Organization:lampeduza.so
Admin Street1:Rm.804, Sino Centre, Nathan Road,
Admin City:Kln Hong Kong
Admin State/Province:Hong Kong
Admin Postal Code:582-592
Admin Country:HK
Admin Phone:+852.23840332
Admin FAX:+0.0
Admin Email:lampeduza.so@domainsproxy.net
Tech ID:WN18967445T
Tech Name:Private Registration
Tech Organization:lampeduza.so
Tech Street1:Rm.804, Sino Centre, Nathan Road,
Tech City:Kln Hong Kong
Tech State/Province:Hong Kong
Tech Postal Code:582-592
Tech Country:HK
Tech Phone:+852.23840332
Tech FAX:+0.0
Tech Email:lampeduza.so@domainsproxy.net
Billing ID:WN18967446T
Billing Name:Private Registration
Billing Organization:lampeduza.so
Billing Street1:Rm.804, Sino Centre, Nathan Road,
Billing City:Kln Hong Kong
Billing State/Province:Hong Kong
Billing Postal Code:582-592
Billing Country:HK
Billing Phone:+852.23840332
Billing FAX:+0.0
Billing Email:lampeduza.so@domainsproxy.net
Sponsoring Registrar ID:webnic
Sponsoring Registrar Organization:Web Commerce Communications Limited
Sponsoring Registrar Street1:Lot 2-2, Technology Park Malaysia, Bukit Jalil,
Sponsoring Registrar City:Kuala Lumpur
Sponsoring Registrar State/Province:Wilayah Persekutuan
Sponsoring Registrar Postal Code:5700
Sponsoring Registrar Country:MY
Sponsoring Registrar Phone:+60.60389966788
Name Server:PNS4.CLOUDNS.NET
Name Server:PNS9.CLOUDNS.NET
Name Server:PNS7.CLOUDNS.NET
Name Server:PNS5.CLOUDNS.NET
Name Server:PNS8.CLOUDNS.NET
DNSSEC:Unsigned

Domain Name: LAMPEDUZA.NET
Registrar: INTERNET.BS CORP.
Whois Server: whois.internet.bs
Referral URL: http://www.internet.bs
Name Server: NS1.CLOUDNS.NET
Name Server: NS2.CLOUDNS.NET
Name Server: NS3.CLOUDNS.NET
Status: clientTransferProhibited
Updated Date: 03-oct-2013
Creation Date: 31-may-2011
Expiration Date: 31-may-2022

>>> Last update of whois database: Mon, 20 Jan 2014 20:30:53 UTC <<<

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: LAMPEDUZA.NET
Registry Domain ID:
Registrar WHOIS Server: whois.internet.bs
Registrar URL: http://www.internetbs.net
Updated Date:
Creation Date: 2011-05-31T11:47:48Z
Registrar Registration Expiration Date: 2022-05-31T11:47:48Z
Registrar: Internet.bs Corp.
Registrar IANA ID: 814
Registrar Abuse Contact Email: abuse@internet.bs
Registrar Abuse Contact Phone:
Reseller:
Domain Status:
Registry Registrant ID:
Registrant Name: Jeremiah Heisenberg
Registrant Organization: Offshore Hosting Solutions Ltd.
Registrant Street: Oliaji TradeCenter 1st floor
Registrant City: Victoria
Registrant State/Province:
Registrant Postal Code: 3341
Registrant Country: SC
Registrant Phone: +248.2482032827
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: domains@offshore-hosting-service.com
Registry Admin ID:
Admin Name: Jeremiah Haselberg
Admin Organization: Offshore Hosting Solutions Ltd.
Admin Street: Oliaji TradeCenter 1st floor
Admin City: Victoria
Admin State/Province:
Admin Postal Code: 3341
Admin Country: SC
Admin Phone: +248.32724
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: domains@offshore-hosting-service.com
Registry Tech ID:
Tech Name: Jeremiah Haselberg
Tech Organization: Offshore Hosting Solutions Ltd.
Tech Street: Oliaji TradeCenter 1st floor
Tech City: Victoria
Tech State/Province:
Tech Postal Code: 3341
Tech Country: SC
Tech Phone: +248.32724
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: domains@offshore-hosting-service.com
Name Server: ns1.cloudns.net
Name Server: ns2.cloudns.net
Name Server: ns3.cloudns.net
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2014-01-20T11:49:26Z <<<

domain:        OCTAVIAN.SU
nserver:       jack.ns.cloudflare.com.
nserver:       leah.ns.cloudflare.com.
state:         REGISTERED, DELEGATED
person:        Private Person
e-mail:        fpolev@mail.ru
registrar:     RUCENTER-REG-FID
created:       2013.01.13
paid-till:     2015.01.13
free-date:     2015.02.15
source:        TCI

Last updated on 2014.01.21 00:31:35 MSK

~$ whois rescator.la
Domain ID:CNIC-DO1009346
Domain Name:RESCATOR.LA
Created On:2013-02-21T01:24:13.0Z
Last Updated On:2013-12-27T12:53:29.0Z
Expiration Date:2014-02-21T23:59:59.0Z
Status:SERVER UPDATE PROHIBITED
Status:SERVER HOLD
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:CLIENT DELETE PROHIBITED
Status:SERVER TRANSFER PROHIBITED
Registrant ID:WN18395382T
Registrant Name:Private Registration
Registrant Organization:rescator.la
Registrant Street1:Rm.804, Sino Centre, Nathan Road
Registrant City:Kln Hong Kong
Registrant State/Province:Hong Kong
Registrant Postal Code:582-592
Registrant Country:HK
Registrant Phone:+852.23840332
Registrant FAX:+0.0
Registrant Email:rescator.la@domainsproxy.net
Admin ID:WN18395383T
Admin Name:Private Registration
Admin Organization:rescator.la
Admin Street1:Rm.804, Sino Centre, Nathan Road
Admin City:Kln Hong Kong
Admin State/Province:Hong Kong
Admin Postal Code:582-592
Admin Country:HK
Admin Phone:+852.23840332
Admin FAX:+0.0
Admin Email:rescator.la@domainsproxy.net
Tech ID:WN18395384T
Tech Name:Private Registration
Tech Organization:rescator.la
Tech Street1:Rm.804, Sino Centre, Nathan Road
Tech City:Kln Hong Kong
Tech State/Province:Hong Kong
Tech Postal Code:582-592
Tech Country:HK
Tech Phone:+852.23840332
Tech FAX:+0.0
Tech Email:rescator.la@domainsproxy.net
Billing ID:WN18395385T
Billing Name:Private Registration
Billing Organization:rescator.la
Billing Street1:Rm.804, Sino Centre, Nathan Road
Billing City:Kln Hong Kong
Billing State/Province:Hong Kong
Billing Postal Code:582-592
Billing Country:HK
Billing Phone:+852.23840332
Billing FAX:+0.0
Billing Email:rescator.la@domainsproxy.net
Sponsoring Registrar ID:H129924
Sponsoring Registrar IANA ID:460
Sponsoring Registrar Organization:Web Commerce Communications Ltd
Sponsoring Registrar Street1:Lot 2-2, Incubator 1, Technology Park Malaysia
Sponsoring Registrar Street2:Technology Park Malaysia
Sponsoring Registrar Street3:Bukit Jalil
Sponsoring Registrar City:Kuala Lumpur
Sponsoring Registrar State/Province:Wilayah Persekutuan
Sponsoring Registrar Postal Code:57000
Sponsoring Registrar Country:MY
Sponsoring Registrar Phone:+603 8996 6788
Sponsoring Registrar FAX:+603 8996 8788
Sponsoring Registrar Website:http://www.webnic.cc
Name Server:JACK.NS.CLOUDFLARE.COM
Name Server:LEAH.NS.CLOUDFLARE.COM
DNSSEC:Unsigned

The sites that Rescator and friends have set up are an arcology on the internet for underground (almost) carding forums. As at the top of the page (see maltego map) you can see that they all can be connected together either by registration data or links to one another to and from their domains. One interesting bit is the fact that a couple of the sites were registered our of the Seychelles by “Jeremiah Heisenberg” which has a checkered past with sites ranging from online poker for bitcoins to outright scams including takedown notices from MPAA. It seems that perhaps the nearest thing to a real financial entity that can be found in the intelligence gathering I did today was this company (likely a shell company) that could be a means to an end in laundering funds and cleaning them. As to whether or not Rescator and the others are a part in this or are just the mules (so to speak) is the question I still have and it will take more looking to see. In the end though this constellation of sites and their spidering out to many many others both on and off of the darkweb is the primary means for volume trafficking in stolen credit data and PII as well as bank accounts and access to financial institutions. In other words, a real and credible threat.

THREAT INTELLIGENCE AND ANALYSIS:

I have been looking into these sites and the players for a little while now and I have to say that with the lack of OPSEC I would think they would be easy targets for takedown. What has been bothering me now since I started this Odyssey is that companies like Target as well as the banks out there lack any true intelligence gathering apparatus to actually monitor these sites and get insight into what is happening. Ok, I know this may sound a little out there to some and that I am asking for companies and banks specifically to have working intelligence apparatus but really, isn’t that the only real way to have a fighting chance here? Had the banks or some firms out there been doing what Krebs has been doing perhaps this attack would have been at least prepared for a little bit if not stopped due to intelligence gathering from these fairly open sites? My analysis that stemmed from about a day’s worth of looking backstops Krebs data and even goes further and really, I did not put all that much time into it. Imagine what could be done with the proper analysis and heads up on such POS malware as was plainly for sale and talked about in these forums?

It will be some time until the Target kerfuffles dust has settled but I would like to advocate more HUMINT and OSINT like Krebs has been doing by analysts either selling this as a service or perhaps in house operations that at the very least can spend some time Googling or using Maltego to determine just what is happening out there in these not nearly opaque bulletin boards. As I write this though I am wondering whether or not the simplest answer here is that the banks just don’t care because in the end the costs will circle back to the clients in the form of fee’s. This reasoning serves the cognitive dissonance within the financial sector that says it’s not their fault, it’s not your fault, but hell there is nothing we can do about it. I should think that more proactive approaches to anti-fraud methodologies might be better but who knows what they are thinking. Overall this kind of crime will continue both big and small because the companies make it easy for the criminals to hack them (bad passwords and processes etc) as well as the lackadaisical leze fair  attitude on the part of the credit corporations and banks persist. The real loser though will be the client who has to deal with bad credit through identity theft, loss of funds that may or may not be guaranteed, and generally being the product for sale by these miscreants.

K.

Written by Krypt3ia

2014/01/20 at 21:53