Hackers are selling access to over 3,000 breached websites on an underground hacking forum for Russian-speaking users, according to a new report shared with ZDNet today by threat intel firm Flashpoint.
The forum is named MagBO and is a relative newcomer on the hacking scene, where other services such as HackForum, Exploit.in, xDedic, Nulled, or Mal4All have already made a name for themselves.
But according to Flashpoint, this forum has its own niche, and that niche is selling web shell access to already-hacked websites.
"Essentially, the breached websites host some sort of backdoor that would enable buyers to log in to them," Vitali Kremez, Director of Research at Flashpoint, told ZDNet in an email today.
Access to hacked sites was offered at different levels, depending on the web shell (backdoor) the sellers managed to implant on the breached site. According to MagBO's filters, a customer could buy access to:
- PHP shell access
- Hosting control access
- Domain control access
- File Transfer Protocol (FTP) access
- Secure Socket Shell (SSH) access
- Admin panel access
- Database or Structured Query Language (SQL) access
Kremez says his company identified over 3,000 hacked sites on sale on MagBO, varying in price from a meager $0.5 to a whopping $1,000.
Prices were determined dynamically at purchase time based on details ranging from traffic rankings to hosting parameters. The better the ranking and the broader the access to the hosting environment, the higher the price.
MagBO appears to have been around since the start of the year, and its owners or affiliates have also promoted it on other hacking-related portals.
While Flashpoint was not able to find clear evidence connecting sites sold on MagBO with the recent Magecart campaigns [Ticketmaster, British Airways, Feedify, ABS-CBN, Newegg], Kremez doesn't rule out that some of the yet-to-be-known Magecart hacks might have involved Magecart crews purchasing access to hacked sites via MagBO.