Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Carding’ Category

ASSESSMENT: TEAM JM511


Screenshot from 2014-03-14 10:04:48

JM511 Hacking since at least 2004:

There is a typical history to certain types of hackers, and this genesis usually begins with defacing sites and gloating about it online. Since the advent of Pastebin and Anonymous things have changed a bit: now the gloating comes with dumping DOX or proof of hacks. JM511 has been one of these hackers, starting around 2004 (by his own account, as seen in the picture below) by defacing sites and shouting out gr33tz to those he wanted to share his conquests with. Oftentimes the tenor of JM511 has been “neener neener neener you stupid idiots!”, which is pretty common and bespeaks a certain core need to feel superior to anyone and everyone, coupled with poor impulse control. Of course, in today’s world there are so many outlets to garner fame and fortune for your exploits, like Twitter, where JM511 has a long-lived feed on which he posted his thoughts on hacking, politics, and Islam, and which he generally used as a platform for self-aggrandizement.

Screenshot from 2014-03-14 10:31:54

To date JM511 has been pretty prolific and, for the most part, an afterthought to most for his acts against poorly protected sites. However, he has recently taken on a new aspect with posts that dumped credit cards and email addresses as well as other PII that some out there certainly should care about. Law enforcement at the least should be paying attention to large dumps of credit cards and PII, as well as watching these guys who profess their ties (albeit tenuously at first) to AQ. I personally got him on my radar from a tip by a comrade who thought it might be a fun diversion for me to look into Mr. 511. That tipster was right, and I tip my hat to you, sir.

JM511 Today:

JM511 has been a busy, busy boy. A recent post by him on Pastebin was what triggered all of this, from the angle of Islamic hackers who may in fact be carding on the nets. The posting below is the cause for my look-see, and as you can see he takes pleasure in dumping people’s credit details and names on Pastebin with impunity. JM511 has a whole long list of pastes out there showing his knowledge of attacks from XSS to SQLi, whilst mocking those he has ripped off or otherwise shamed in some way. Of course, now he calls his crew “Islam Hackers” and seems to have taken up the aforementioned aegis of opposing those who would oppose Islam. In fact, he was one of the many voices on Twitter back last April saying that Dzhokhar was not guilty of his crimes (bombing the Boston Marathon) and that Islam is a religion of peace. Odd that he says such things as he then turns around and starts abusing people online…

Screenshot from 2014-03-14 11:47:34

Screenshot from 2014-03-14 11:31:31

Screenshot from 2014-03-14 11:31:16

JM511 aka فيصل البقعاوي aka Faisal Bakaawi aka Faisal Faisal Al Otaibi:

JM511 thought he had it all figured out, though. His reign has been long, and no one seems to have caught on to him to date. That is, until now. Through a circuitous use of Maltego, Google, and the frontal lobes of my brain I managed to trace JM511, through his SPECTACULAR OPSEC FAIL, to his real name and his location. As JM511 aka Faisal Bakaawi or Faisal Al Otaibi claims that he is in and from Saudi Arabia, I am sure he thought he could not be tracked. Well, he would be incorrect there, because he forgot to compartmentalize his real life from his IDs. Faisal failed to avoid reusing IDs for non-hacking things, like, say, posting an ad for housing in DeKalb, Illinois, recently.

Screenshot from 2014-03-14 10:58:40

It seems that Faisal is attending ESL (language school) in DeKalb and used his Yahoo account (jxffh@yahoo.com), which he tied to his Skype account FoFox511x, which he also kindly attached to his cell phone (443-820-8939, a Baltimore number btw), and he wanted a move-in date of 11/5/2013, so I am going to assume that he has found lodgings by now there in DeKalb. Some might say to me “why did you post his details on the net! Shame on you!” Well, I subscribe to the idea that turnabout is indeed fair play, and all of this data is open source and public, so it has an added giggle factor for schadenfreude.

UPDATE: While researching this it became clear that the name Faisal Otaibi also comes to bear in posts and videos by JM511. Further study showed direct links to a Faisal Otaibi also being a DeKalb resident attending school (see pic below). I believe that Faisal either has a pal there with him also named Faisal or, more likely, they are one and the same and Faisal has just been trying to obfuscate his name. Either way, it is my conviction that Faisal Otaibi/Bakaawi is indeed JM511. It is also key to note that a Faisal Otaibi is also listed as an ethical hacker who attended last year’s hacker conference in Germany… Oh, and one more thing: ELS, the school, is located on NIU’s campus.

Screenshot from 2014-03-14 17:12:44

Screenshot from 2014-03-14 11:36:25

Screenshot from 2014-03-14 10:30:07

Screenshot from 2014-03-14 10:48:32

Screenshot from 2014-03-14 12:32:12

So, Faisal, thanks for playing, but you lose. Please collect your silver bracelets at the door, because LE has been informed of these details coming to light and you should be visited hopefully soon. I do love the irony of the selfies you posted on your Twitter feed showing how you used those people’s credit cards to purchase domains, though. I mean, usually it’s some unsuspecting idiot showing off their new credit card and not understanding OPSEC. Of course, in this case it’s you, and someone else’s money, that will get you some jail time I suspect.

ASSESSMENT:

My analysis of this interesting side trip to my day is this: OPSEC, USE IT or FAIL miserably. Faisal, you failed, and I eagerly await the news of your being popped for your crimes. Let it be an object lesson for others out there who may look up to such fools. You may hack for a while, you may have your fun at the expense of others, but eventually you will make a mistake and get caught. It’s just your human nature and the law of averages that will get you in the end. Run! Scurry! Someone’s coming to see you.

K.

Written by Krypt3ia

2014/03/14 at 16:32

ASSESSMENT: The Lampeduza Republic Organizational Structure


Screenshot from 2014-01-24 13:17:11

The Lampeduza Republic:

The Lampeduza Republic is a collective of carders whose founders are based primarily in the Baltic states. You may be familiar with this name and the group through Brian Krebs’s work on the Target breach of 2013. The Lampeduza came into existence circa 2011 (Creation Date: 2011-06-01T16:54:41Z) as a follow-up to other sites that had shut down, but with the creation of this one the creators also covered all the bases with mirrors on other servers and domain names. What makes this site different from the rest of the carder arcology is that this group is exceedingly hierarchical and structured itself after the constructs of Roman rule. As the main player who seems to be involved per Brian, Rescator (aka Hellkern), has a penchant for games as well as hacking and carding, it seems only fitting that he has a STEAM account and a love for ROME II (All Out War). It is my contention that he and others within his clan perhaps began this whole escapade after playing ROME II together and grew to love the idea of being powerful “Senatus”, or dare I say even Caesars?

Screenshot from 2014-01-24 15:33:06

Organizational Structure:

The Lampeduza Republic (Lampeduza rei publicae) took its structure from old Roman rule, as I said above, and within this classicist format they have the following categories of “citizens”:

  • Caesar — monarch of the Lampeduza Republic.
  • Consul — highest public official, the head of executive & administrative authority, the head of the Senate.
  • Senator — highest governmental authority of the Lampeduza Republic Senate.
  • Praetores — highest public official, Republic arbitrator.
  • Legatus — messenger of the Republic Senate, legion leader. The Senate assigns the title to the most devoted Republic warriors who have shown themselves to good advantage.
  • Quaestores — assistant of the Republic Senate. Treasurer, assessor, the one responsible for payments to contractors. Posts all the decisions, resolutions & laws of the Senate and Caesar’s ordinances.
  • Primus Pilus — ranked highest in the Centurio legion. Has shown himself to good advantage for a long period of time. Literally the first rank. Has the right to assign himself two assistants (Centurios).
  • Centurio — warrior who has recommended himself to good advantage and holds a decent reputation amongst colleagues. Has the right to assign himself two assistants (Optios).
  • Optio — assistant of the Centurio. Chosen by the Centurio from among his warriors. The title can be assigned by the Republic Senate, without the Centurio’s petition, to anyone standing out sharply against the background. Has the right to assign himself one assistant (Tesserarius).
  • Tesserarius — assistant of the Optio. Obligated to organize security & password transitions. A Republic of Lampeduza army career starts with the Tesserarius title.
  • Censor — title assigned by default to a forum moderator invited by the Senate to observe compliance with the Republic constitution. A moderator holding a title of the Lampeduza Republic is allowed to indicate it in his status.
  • Legionarius — citizen of the Lampeduza Republic, lucky passport owner.

Whether or not the actual group functions in a strict regimental way remains to be proven, but the general idea is followed through on from what I can see. Looking at cached pages, it seems like the inner group of progenitors consists of Consul Octavian (Caesar), Senator Severa, Senator Tiberiy, and Senator Flavius. The Caesar is named as “Octavian” and, as it happens, there is a site Octavian.su, which is now defunct. This may account for who the progenitorus primus in the Lampeduza universe was, and to date no one has really looked at this Octavian as much as at Rescator. My question becomes: who is Octavian? Is Octavian just another user ID for Rescator? Or is this someone else altogether? Additionally, you can see how Rescator has moved up the ranks in the site as time has moved on, from Legatus to Praetor, all from the meeting notes, as it were, on the site itself. Additionally, the role of Tiberius Caesar seems to have its laurel wreath squarely upon Tiberiy, a name that to date really hasn’t been mentioned in the stories around the Target heist.

The Senate of Lampeduza:

Senate of the Lampeduza Republic: Consul Octavian, Senator Severa, Senator Tiberiy, Senator Flavius, considering the petition of the Centurio Pompei, Primus Pilus DJ CRACK, Quaestores Trayan, have decided:

I. Magistrate the following:

Octavian – Caesar pro tempore, the Consul & the head of the Republic Senate
Rescator – Praetores of the Lampeduza Republic, assign the Legatus title
Trayan – Guarantor of the Lampeduza Republic, assign the Quaestores title

II. Assign the Primus Pilus title of the Lampeduza Republic

    DJ CRACK – Primus Pilus of the Republic, province Censor
    Blaster – Primus Pilus of the Republic, province Censor

III. Assign the Centurio title of the Lampeduza Republic

    Pompei – Centurio of the Republic
    rfcid – Centurio of the Republic
    goldminer – Centurio of the Republic
    -=SGA=- – Centurio of the Republic, province Censor
    St.Patrick – Centurio of the Republic
    Mesr – Centurio of the Republic
    greystone – Centurio of the Republic
    powerseller – Centurio of the Republic
    Search – Centurio of the Republic
    Шаман – Centurio of the Republic
    j.p.morgan – Centurio of the Republic
    True Partners – Centurio of the Republic
    alphadog – Centurio of the Republic
    risk25 – Centurio of the Republic

IV. Assign the Optio title of the Lampeduza Republic

    TaoBao – Optio of the Republic
    jimy – Optio of the Republic
    fff3fff – Optio of the Republic
    himik – Optio of the Republic
    PapaRed – Optio of the Republic
    Septimiy – Optio of the Republic
    Avidiy – Optio of the Republic

V. Assign the Tesserarius title of the Lampeduza Republic

    bissone – Tesserarius of the Republic
    liberral – Tesserarius of the Republic

SENATE DATA:

So the main players here are the following;

Screenshot from 2014-01-24 16:04:13

Caesar Tempore Octavian

Screenshot from 2014-01-24 16:11:00

Senatus Severa

Screenshot from 2014-01-24 16:15:59

Senatus, now Tiberius Caesar, Tiberiy

Screenshot from 2014-01-24 16:31:41

Senatus Flavius

Screenshot from 2014-01-24 16:34:38

Praetor Rescator, Legatus of the Lampeduza

ANALYSIS:

While Brian has actual screenshots of Rescator (a lover of old French films about pirates, it seems) talking about BlackPOS and the shuttling of card data, there is certainly more than one player here in the Lampeduza universe. Given the love of the Roman structure of governance, it actually played out as a most interesting game of looking at who was in fact in charge and the overall makeup of the organization. I have not really taken any kind of real look at the other players on an OSINT level, but I am sure that once that is done it will be a bit more enlightening as to who these guys are. It is my theory that they all are gamers who played quite a bit of ROME II (Total War) and aspire to be the new Romanus Civilis of the digital age. It kind of also fits with Russian/Ukrainian tastes on a societal level. The other part of the puzzle is whether these guys were just the procurement specialists and others actually carried out the hack, or whether it was all of them, in their structured and regimented organization, that carried off not only the hack but also the brokering of the card data, reaping all the financial rewards as a new Rome should?

Meanwhile, Rescator (aka Hellkern) surely had the technical chops to code some of the software as well. His online profile as Hellkern dates much further back, with hacks and code that seem to include a worm that made the rounds circa 2009. He’s been around, but so too has Ree4, who it seems for all intents and purposes was the one who modified the memory-scraper tech and made it what it is today, at least in a proto form. Did Rescator go the next steps and get it to be the application that bypasses AV today and was what was used on Target and the others? Ostensibly the FBI, as well as Brian, has shown that the software was up for sale for six thousand dollars, and obviously that price was paid. Just who made the changes? We still aren’t sure as solid evidence goes, but from what Brian has found concerning OPSEC failures on the part of Rescator/Hellkern, he surely had something to do with it. The collective, though, for me is the thing.

Who else is there and who are they in real life?

K.

mlal qh xzvp ttdqdm xof fgrowuqd

Written by Krypt3ia

2014/01/24 at 21:53