Access to over 3,000 backdoored sites sold on Russian hacking forum

Researchers blow the lid on MagBO, a marketplace for selling access to hacked sites


Hackers are selling access to over 3,000 breached websites on an underground hacking forum for Russian-speaking users, according to a new report shared with ZDNet today by threat intel firm Flashpoint.

The forum is named MagBO and is a relative newcomer on the hacking scene, where services such as HackForum, Exploit.in, xDedic, Nulled, or Mal4All have already made a name for themselves.

But according to Flashpoint, this forum has its own niche, and that niche is in selling web shells to already-hacked websites.

"Essentially, the breached websites host some sort of backdoor that would enable buyers to log in to them," Vitali Kremez, Director of Research at Flashpoint, told ZDNet in an email today.

Access to hacked sites was sold at different levels, depending on the web shell (backdoor) the sellers had managed to implant on the breached site. According to MagBO's filters, a customer could buy access to:

  • PHP shell access
  • Hosting control access
  • Domain control access
  • File Transfer Protocol (FTP) access
  • Secure Socket Shell (SSH) access
  • Admin panel access
  • Database or Structured Query Language (SQL) access
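From a defender's side, the first level in that list (a PHP shell) is the one a site owner can hunt for directly in the webroot. The scanner below is an added example, not code from the article, Flashpoint or MagBO; its rule names, weights, the "suspicious" threshold and the sample PHP files are all the editor's assumptions, chosen to show the constructs backdoors typically rely on (request input flowing into eval/system, decode-then-eval chains, variable function calls, the old preg_replace /e modifier, and large base64 blobs).

```python
"""Heuristic scanner for PHP web shells left in a webroot.

Added example, not from the ZDNet article or Flashpoint. Rule names,
weights, threshold and the constructed SAMPLES are assumptions made here.
"""
import math
import os
import re
from collections import Counter
from typing import Dict, List

# Request superglobals: attacker-controlled input in a dropped shell.
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)"

# (rule name, compiled regex, weight). Code/command sinks fed straight
# from request input are the strongest signal; the rest are supporting.
RULES = [
    ("eval_of_request_input",
     re.compile(r"\beval\s*\(\s*[^;]*" + SUPERGLOBAL, re.I), 5),
    ("command_exec_of_request_input",
     re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)"
                r"\s*\(\s*[^;]*" + SUPERGLOBAL, re.I), 5),
    ("assert_as_eval",
     re.compile(r"\bassert\s*\(\s*[^;]*" + SUPERGLOBAL, re.I), 4),
    ("decode_then_eval",
     re.compile(r"\beval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|"
                r"base64_decode)\s*\(", re.I), 4),
    ("dynamic_function_call_from_request",
     re.compile(r"\$\w+\s*=\s*" + SUPERGLOBAL +
                r"\s*\[[^\]]+\]\s*;[^\n]{0,200}?\$\w+\s*\(", re.I), 3),
    ("preg_replace_eval_modifier",
     re.compile(r"preg_replace\s*\(\s*(['\"])/.*?/[a-zA-Z]*e[a-zA-Z]*\1", re.I), 3),
    ("long_base64_blob",
     re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"), 2),
]
SUSPICIOUS_SCORE = 4      # assumed threshold, tune per code base
ENTROPY_THRESHOLD = 5.5   # bits/char; ordinary PHP source sits well below


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character; obfuscated payloads score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def scan_php_source(source: str) -> Dict[str, object]:
    """Return matched rule names, a weighted score and a suspicious flag."""
    hits: List[str] = [name for name, rx, _ in RULES if rx.search(source)]
    score = sum(w for name, _, w in RULES if name in hits)
    # Only judge entropy on bodies large enough for the statistic to mean much.
    if len(source) > 500 and shannon_entropy(source) > ENTROPY_THRESHOLD:
        hits.append("high_entropy_body")
        score += 2
    return {"hits": hits, "score": score, "suspicious": score >= SUSPICIOUS_SCORE}


def scan_directory(root: str) -> Dict[str, Dict[str, object]]:
    """Walk a webroot and return results for every file flagged suspicious."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith((".php", ".phtml", ".inc", ".php5")):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                result = scan_php_source(fh.read())
            if result["suspicious"]:
                flagged[path] = result
    return flagged


# Constructed samples (not real shells from any site): one benign page and
# a few shapes that a dropped backdoor commonly takes.
SAMPLES = {
    "benign_page": (
        "<?php\n"
        "$id = (int) ($_GET['id'] ?? 0);\n"
        "$stmt = $pdo->prepare('SELECT title FROM posts WHERE id = ?');\n"
        "$stmt->execute([$id]);\n"
        "echo htmlspecialchars($stmt->fetchColumn());\n"
    ),
    "one_line_eval": "<?php @eval($_POST['cmd']); ?>",
    "packed_eval": '<?php eval(gzinflate(base64_decode("' + "QUJD" * 60 + '"))); ?>',
    "system_passthrough": "<?php if (isset($_GET['c'])) { system($_GET['c']); } ?>",
    "variable_function": "<?php $f = $_GET['f']; $f($_GET['a']); ?>",
    "preg_replace_e": "<?php preg_replace('/.*/e', $_POST['x'], ''); ?>",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, scan_php_source(src))
```

Run it against a real webroot with `scan_directory("/var/www/html")`; anything flagged should be checked against the deployment's known file manifest (or version control) rather than deleted on sight, since the regexes are heuristics and legitimate code can occasionally match a supporting rule.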

Kremez says his company identified over 3,000 hacked sites on sale on MagBO, varying in price from a meager $0.5 to a whopping $1,000.

Prices were determined dynamically at purchase time based on details ranging from traffic rankings to hosting parameters. The better the ranking and the broader the access to the hosting environment, the higher the price.

MagBO appears to have been around since the start of the year, and its owners or affiliates have also promoted it on other hacking-related portals.

Image: MagBO ad on a hacker forum (ZDNet)

While Flashpoint was not able to find clear evidence connecting sites sold on MagBO with the recent Magecart campaigns [Ticketmaster, British Airways, Feedify, ABS-CBN, Newegg], Kremez doesn't exclude that some of the yet-to-be-known Magecart hacks might have involved Magecart crews purchasing access to hacked sites via MagBO.

"We believe many breaches that are linked to Magecart e-commerce credit card compromises were multi-layered and required another set of actors that procured the initial access to the breached websites before their custom JavaScript credit card sniffing script was deployed," Kremez told ZDNet. "In this sense, it is possible Magecart actors were procuring high-value accesses through MagBo or its breach website sellers directly since they originate from the same Russian-language underground ecosystem."