The end of the “era of carding forums”?

Tomcat


Table of contents:

  • Introduction
  • One of the most authoritative carding forums today
  • MazaFaka
  • Verified
  • Exploit
  • Crdclub
  • Possible reasons
  • Why are people talking about the end of the “era of forums”?

Introduction

Over the past few weeks, four well-known Russian-language forums inhabited by cybercriminals have been hacked. Three of the four attacks allowed the attackers to obtain data on forum users. Personal information of MazaFaka forum users, including usernames, email addresses, account passwords and social networking IDs (ICQ, Skype, AIM, MSN and Yahoo), was published on the Internet. Participants on all three forums are concerned that the incidents could reveal the real identities of visitors and link profiles of the same users across multiple forums.

One of the most authoritative carding forums today

Although the MazaFaka forum is not as well known to ordinary people, it is one of the oldest, if not the oldest, active cybercriminal forums.

The carding forum, which was launched back in 2003, served for nearly two decades not only as a place to exchange stolen card data, but also as a marketplace where services such as e-commerce fraud, bank account hacking and cash-out were advertised to other members.

Access to the forum has always been limited to a select few.

Registration on the carding forum requires a large upfront payment, as well as several vouchers from current forum users who are in good standing on the forum and who accept financial responsibility for the person invited in case of disputes.

Due to this strict registration policy, disputes over money are extremely rare compared to most other forums. As a result, only established members of the hacking underworld can gain access to it.

But according to threat intelligence from Recorded Future, the carding forum's activity has declined in recent years, and new major bank card leaks or POS terminal malware are rarely published on the site.

Today, the Maza forum primarily serves as a reputation index for top cybercriminals, many of whom use their Maza profiles to validate their reputation.

As a result, any information about Maza users leaked online could help crack decades-old cybercrime cases and identify some of the oldest and longest-standing members who pose the greatest threat.


Links to the hacked Mazafaka carding forum database have been posted online in the last 48 hours.

MazaFaka

Maza, originally called Mazafaka, is an elite Russian-language invite-only carding forum that is known to have started operating back in 2003, serving as an exclusive online space where attackers can exchange services.

On March 3, 2021, unknown persons posted the data of thousands of users:
  • usernames;
  • email addresses;
  • passwords.

For more than a decade, the carding forum has been a haven for Russia's most sophisticated and notorious cybercriminals.

Flashpoint researchers noted that the Russian sentences on the Maza forum page may have been translated using an online translator, but added that it was unclear whether this implied the involvement of a non-Russian hacker or whether it was deliberately used to mislead.

At the top of the leaked 35-page PDF is a private encryption key allegedly used by Maza administrators. The database also includes the ICQ numbers of many users. ICQ was the instant messaging platform trusted by the earliest members of the old carding forums before its use fell out of fashion in favor of more private messengers such as Jabber and Telegram.

This is notable because ICQ numbers associated with specific accounts are often a starting point that cybersecurity officials can use to link multiple accounts of the same user across many carding forums, even with different aliases.

Cyberintelligence firm Intel 471 believes that the Maza database leak actually happened and was not a fake.

“The file includes more than 3,000 lines containing usernames, partially encrypted password hashes, email addresses and other contact information,” Intel 471 said, noting that visitors to the Maza carding forum are now redirected to a page announcing the hack. “Initial analysis of the leaked data indicated its likely authenticity, as at least a portion of the leaked user records were correlated with our own databases.”

Verified

The attack on Mazafaka occurred shortly after another major carding forum was hacked. On January 20, a longtime administrator of the Russian-language carding forum Verified reported that the community's domain registrar had been hacked and that the site's domain had been redirected to an Internet server controlled by attackers.


A message from a Verified carding forum administrator about the registrar being hacked in January.

“Our [bitcoin] wallet was hacked. Fortunately, we didn't keep large amounts of money in it, but it was still an unpleasant incident. Once the circumstances became clear, the administrator suggested that THEORETICALLY all forum accounts could be compromised (the probability is small, but it is there). In our business, it's better to play it safe. So, we decided to reset all the codes. There's nothing wrong with that. Just write them down and use them from now on.”

The perpetrator of the attack demanded access to the entire database on another popular forum called Raid Forums, in addition to transferring $150,000 worth of cryptocurrency from Verified's Bitcoin wallet to his own.

Some time later, the administrator updated his post, saying:

“We are receiving reports that the carding forum's databases were stolen when the carding forum was hacked. All account passwords have been forcibly reset. Pass this information on to your friends. The carding forum was hacked through a domain registrar. First the registrar was hacked, then the domain name servers were changed and the traffic was intercepted.”

On February 15, the administrator published a message purporting to be sent on behalf of attackers who claimed to have hacked the Verified domain registrar between January 16 and January 20.

“By now it should be clear that the carding forum administration has not done the necessary work to ensure security,” the attacker explained. “Most likely, due to laziness or incompetence, they abandoned all this. But the main surprise for us was that they saved all user data, including cookies, referral sources, IP addresses of first registrations, login analytics and everything else.”

Other sources indicate that tens of thousands of private messages between trusted users were stolen, including transaction information as well as personal Jabber contacts.

Exploit

These cases have caused many members of the cybercriminal community to worry that their true identities may be exposed. Exploit, the next largest and most popular Russian hacking forum after Verified, also came under pressure in early March.

According to an Intel 471 report, on March 1, 2021, an administrator of the Exploit hacking forum stated that the proxy server the forum uses to protect against DDoS attacks may have been hacked by unknown individuals. The administrator stated that on February 27, 2021, the monitoring system detected unauthorized access to the server and an attempt to dump network traffic.

Some forum members have suggested that these recent attacks appear to be the work of some kind of government agency.

“Only intelligence agencies or people who know where the servers are located can do such things,” mused one Exploit admin. “Three forums in a month is just strange. I don't think they were ordinary hackers. Someone is purposefully breaking hacking forums.”

Others wonder aloud which hacking forum will be taken over next, and lament the loss of trust among users, which could be bad for business.

“Perhaps they work according to the following logic,” wrote one Exploit user. “There will be no hacking forums, no trust between users, less collaboration, harder to find partners - fewer attacks.”

Crdclub

Intel 471 also reports that a fourth carding forum was recently attacked. From a blog post they published about these events: “In February, the administrator of another popular carding forum, Crdclub, announced that the forum had suffered an attack that resulted in the administrator's account being compromised. The organizer of the attack was able to assure forum visitors that using the money transfer service was safe, since the forum administrators allegedly vouched for it. This was a lie and the scam resulted in an unknown amount of money being stolen from users. The forum administrators promised to reimburse the expenses of those deceived. No other information could have been compromised as a result of the attack.”

Possible reasons

There is no consensus on why these forums were hacked. For now, experts can only speculate about the motives.

Since cybercrime is a global business, this could be an attempt to eliminate competitors. Hackers may also be fighting other criminals with their own methods. Law enforcement agencies do not normally fight these forums by publicly disclosing the data of all their users.

It cannot be ruled out that this was revenge by users who were not paid for work performed, or the result of internal conflicts within a forum's administration. If the goal were profit, it would be more logical to extort money from the administration in exchange for not disclosing the stolen information.

Security experts also have a theory that the attacks could have been commissioned to collect specific data from the databases of the attackers' own peers.

It could also be a response to an earlier hacker operation against the security industry. In that operation, attackers carried out a large-scale and effective campaign against cybersecurity companies by posing as information security consultants: they created a website for a fictitious company, started a YouTube channel with training content, and lured cybersecurity experts into a trap by asking subscribers and clients to install special software on their computers to search for exploits. Naturally, the users' computers were infected.

This way, hackers learned what software cybersecurity specialists used and obtained important initial data, which would allow them to bypass the protection of specific companies.

The forum hacks could therefore be a retaliatory strike by information security professionals seeking to understand how attackers carry out their attacks and what tools they use.

Why are people talking about the end of the “era of carding forums”?

Threat intelligence company Flashpoint, which also spotted the Maza hack, said in a blog post that several members of the cybercriminal community are now discussing stopping the use of email as a means of registering profiles, since they can be easily tracked and real identities can be established.

In Telegram channels, several respectable attackers are calling for an end to the “era of carding forums.”

These calls came after several major resources suffered similar security breaches over the past few months in 2021. List of victims:
  • Joker's Stash - recently closed after four proxy servers were seized by the FBI and Interpol in December 2020.
  • Verified - temporarily hacked and disabled after hackers tricked the carding forum's domain registrar into handing over control of the site's domain to an attacker.
  • Exploit - suffered a security breach not long ago after hackers broke into one of its DDoS mitigation solutions.

But among all this, Maza stands head and shoulders above the rest, mainly because of the severity of the hack, but also because of its long-standing reputation in the Russian-speaking cybercrime world.