A cybercrime store is selling access to more than 43,000 hacked servers

The MagBo portal provides access to hacked servers, with some belonging to local and state government, hospitals, and financial organizations.
Written by Catalin Cimpanu, Contributor

MagBo, a shadowy online marketplace where hackers sell and buy hacked servers, is doing better than ever and has soared in popularity to become the largest criminal marketplace of its kind since its launch in the summer of 2018.

Two years later, the MagBo portal has grown more than 14 times in size and is currently selling access to more than 43,000 hacked websites, up from the 3,000 sites listed in September 2018.

Today, MagBo has become the de-facto go-to marketplace for many cybercrime operations. Some groups register on the MagBo platform to sell hacked servers, while others are there just to buy.

Those who buy do so either in bulk (for black-hat SEO or for malware distribution) or selectively, for intrusions at high-value targets (e-commerce stores for web skimming, intranets for ransomware).

All in all, the MagBo platform cannot be ignored anymore, as it appears to be here to stay, and is placing itself at the heart of many of today's cybercrime operations.

This article is based on a report from threat intelligence firm KELA on MagBo's recent evolution. Last week, KELA provided ZDNet with access to its threat-hunting platform in order to search through MagBo's listings.

Before we delve into what KELA and ZDNet found, readers will need an intro to today's cybercrime landscape and MagBo's place in the underground economy.

The current state of the cybercrime economy

The sale of hacked data has been around for decades. What most users don't know is that the underground economy has evolved in a nearly identical pattern to how modern e-commerce has evolved.

In the early days, hackers used IRC channels and instant messaging clients to peddle hacked information. Things then evolved into ads posted on forums and then criminal gangs began creating and running their own online shops.

Over the past decade, the underground market has caught up with the real world, and we now have "marketplaces" similar to Amazon or eBay, where hackers register accounts to sell and buy products at the same time, fueling a supply and demand market in the process.

Today, we have marketplaces that sell access to hacked servers, marketplaces for selling access to hacked computers (compromised by botnet malware), marketplaces for stolen payment card details, and marketplaces for selling personal information stolen during data breaches -- each more professional than the next.

What is MagBo?

MagBo is today's top marketplace for hacked servers.

The site runs on the public internet, but access is restricted to approved members. You need an invitation to be able to register a profile on MagBo, and to get an invite, you need to be referred by a site member.

The site launched around June 2018, and it initially started just like any other cybercrime service -- namely, by advertising itself on various hacking forums.


MagBo ad on a hacking forum


According to several ads seen by ZDNet, the site heavily advertised itself as a portal where other cybercrime groups could buy access to web servers that were hacked and had a web shell installed on their filesystem.

Web shells are malicious programs that hackers install on web servers. They provide a visual interface that hackers can use to interact with the hacked server and its filesystem. Most web shells come with features to let hackers rename, copy, move, edit, or upload new files on a server. They can also be used to change file and directory permissions, or archive and download (steal) data from the server.

Initially, the service launched with a collection of more than 1,500 web shells; however, by September 2018, Flashpoint reported that this number had grown to 3,000 systems, as other hackers flocked to create accounts and sell their own "web shell inventory."

MagBo tried to diversify its initial web shell listings by adding support for selling other types of access -- such as access to a server's CMS account, access to a server's hosting panel account, access to a server's SSH account, and access to a site's SQL database.

However, today, web shells remain MagBo's top product, accounting for 90% of the site's listings, according to KELA.

Over the years, the site has boomed, to put it lightly. Since it launched in 2018, KELA says the site has sold access to more than 150,000 sites, with 43,000 still being up for sale as of this week.

KELA product manager Raveed Laeb says they've tracked 190 different threat actors selling hacked servers on the site.

Based on historical server listings and their associated prices, Laeb believes MagBo operators might have made more than $750,000 in revenue from selling hacked servers on the site.

But MagBo is not unique. Other stores like it have existed before, and are still being created and launched, with little to no success.

Laeb believes the reason that MagBo has cornered the market is that unlike many other similar marketplaces, the store doesn't hide details about the hacked servers.

While other stores hide domain names to prevent other hackers from taking over the same servers/systems, MagBo lists unredacted URLs and site titles, so buyers can get an idea of exactly what they're getting.

In addition to this, MagBo also shows the level of access and permissions the web shell has, which helps other criminal gangs identify servers they can use for their particular type of operations.

For example, MagBo lists if the web shell has access to the server's mail feature, allowing spam operators to rent servers they can put to work immediately.

Further, MagBo also lists hacked servers where the web shell can edit files, a feature that web skimming (Magecart) and black-hat SEO gangs often require.

This level of granularity has contributed to MagBo's rise to prominence, helped keep the site's customers happy, and drawn new ones through referrals.

Everything for everyone

But KELA says the site's success can also be attributed to a steady supply of new inventory. Between 200 and 400 new sites are being added on a daily basis, with around 200 being sold off.

Most of the MagBo listings that ZDNet reviewed are from WordPress sites. Some of the WordPress sites listed on MagBo run on outdated versions and use outdated plugins, according to basic scans performed by ZDNet.

This is no surprise as old and outdated WordPress sites have been under constant attacks for years, primarily due to the WordPress CMS' popularity.

Over the past few years, there have been reports from several cyber-security firms about attacks on WordPress sites where the intruders didn't do anything. Hackers would just break into a site, leave a web shell, and then leave.

Knowing what we know now about MagBo's rise in popularity, it is very likely that some of these hacked sites were listed on MagBo, waiting for a buyer.

While ZDNet could not review all MagBo listings, primarily due to the store's size, we have seen compromised websites of all types. This includes official government websites, portals for education institutions, sites for small businesses, and even sites for insurance and financial institutions.

KELA says that the selling price for these sites usually varies based on the website's type. For example, a small-business website that nobody has heard of would go for as little as a few cents, while an official government ministry portal will go for up to $10,000.

Going down the xDedic path

What we're seeing here with MagBo is similar to xDedic, another cybercrime marketplace, but one specialized in selling access to hacked RDP endpoints.

Just like MagBo, xDedic grew from a small portal, ballooned to an inventory of around 85,000, and became a central piece of the cybercrime landscape.

The site became widely used by ransomware gangs, which bought access to hacked RDP servers from xDedic, infiltrated corporate networks, and ransomed companies for huge sums of money.

Once xDedic became a central piece in the cybercrime world, the site was targeted by a law enforcement investigation and shut down in January 2019.

MagBo may not be as popular as xDedic, but the site is rising in popularity. Furthermore, with the rise of web skimming (Magecart) attacks and the financial losses these attacks cause to banks and consumers, sites like MagBo, which sell access to WordPress-based online stores, might soon find their way into the crosshairs of law enforcement officials.