Access to over 3,000 backdoored sites sold on Russian hacking forum

Researchers blow the lid on MagBO, a marketplace for selling access to hacked sites

Hackers are selling access to over 3,000 breached websites on an underground hacking forum for Russian-speaking users, according to a new report shared with ZDNet today by threat intel firm Flashpoint.

The forum is named MagBO and is a relative newcomer on the hacking scene, where other services such as HackForum, Exploit.in, xDedic, Nulled, or Mal4All have already made a name for themselves.


But according to Flashpoint, this forum has its own niche, and that niche is selling access to web shells on already-hacked websites.

[Image: MagBO frontpage. Source: ZDNet]

"Essentially, the breached websites host some sort of backdoor that would enable buyers to log in to them," Vitali Kremez, Director of Research at Flashpoint, told ZDNet in an email today.

Access to hacked sites was offered at different levels, depending on the web shell (backdoor) the sellers managed to implant on the breached site. According to MagBO's filters, a customer could buy access to:

  • PHP shell access
  • Hosting control access
  • Domain control access
  • File Transfer Protocol (FTP) access
  • Secure Socket Shell (SSH) access
  • Admin panel access
  • Database or Structured Query Language (SQL) access

Kremez says his company identified over 3,000 hacked sites on sale on MagBO, varying in price from a meager $0.5 to a whopping $1,000.

Prices were determined dynamically at purchase time based on details ranging from traffic rankings to hosting parameters. The better the ranking and the broader the access to the hosting environment, the higher the price.


MagBO appears to have been around since the start of the year, and its owners or affiliates have also promoted it on other hacking-related portals.

[Image: MagBO ad on HackForum. Source: ZDNet]

While Flashpoint was not able to find clear evidence connecting sites sold on MagBO with the recent Magecart campaigns [Ticketmaster, British Airways, Feedify, ABS-CBN, Newegg], Kremez doesn't exclude that some of the yet-to-be-known Magecart hacks might have involved Magecart crews purchasing access to hacked sites via MagBO.

"We believe many breaches that are linked to Magecart e-commerce credit card compromises were multi-layered and required another set of actors that procured the initial access to the breached websites before their custom JavaScript credit card sniffing script was deployed," Kremez told ZDNet. "In this sense, it is possible Magecart actors were procuring high-value accesses through MagBO or its breach website sellers directly since they originate from the same Russian-language underground ecosystem."
