Criminal underground store sells hacked server access

At the time of investigation, the outlet had 13 rooted servers for sale, at different prices and with different locations and technical details. Furthermore, the site is gaining a loyal customer base.

“The store seems to be quite profitable,” said Alberto Ortega, security researcher at AlienVault, in a blog. “The domain was registered on 07 April 2013 and the store website was probably made available some days after that. At the time of this research, they had around 400 customers, increasing day by day.”

At first, the site accepted Liberty Reserve for payments, but since that service was shut down it has accepted Perfect Money and WebMoney. It also has a sister store selling hacked PayPal accounts and credit cards, hosted on the same server.

As for who’s behind it, the shop site sits behind CloudFlare to protect it against attacks and keep the real location of the server hidden, but Ortega found evidence that the shop administrators were Russian speakers. Some software installed on the server was also set to the Russian language.

The criminals running the store have made the most of basic vulnerabilities with a toolset that AlienVault said is far from sophisticated.

“As we have been able to see, most of the rooted servers were outdated, running pretty old software,” Ortega observed. “This is a good example of what can happen to a server if it is not properly protected, or has a weak password. System administrators should know what to do to avoid this: keep unnecessary services filtered, update your software and use strong passwords (or even better, authentication keys).”

The poor security practices have allowed the hackers to use simple brute-forcing, in which automated bots scan wide ranges of hosts, trying weak username/password combinations to log into remote machines. In this case, the shopkeepers are targeting user accounts for SSH and Plesk with a word list of common username and password combinations. Ortega said the shopkeepers are scanning wide ranges of IP addresses belonging to hosting companies, using a fast and portable port scanner named “Fever” to look for open ports 8443 and 22.

At the time of AlienVault’s research, they were scanning the range 72.10.32.0/19, owned by Media Temple, a hosting company in California.
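From the defender’s side, the wordlist-driven SSH attempts described above leave a distinctive trail in the server’s auth log: many failed logins for many different usernames from one source within seconds. The following is an added example, not code from AlienVault’s research or this article, that parses constructed OpenSSH auth.log lines and flags such sources; the log lines, IP addresses, hostnames and the threshold/window values are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not from the article), in the syslog format
# OpenSSH writes on Debian/Ubuntu. 203.0.113.x / 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
Jun  3 10:01:02 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun  3 10:01:04 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jun  3 10:01:05 web1 sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 51244 ssh2
Jun  3 10:01:07 web1 sshd[2107]: Failed password for root from 203.0.113.5 port 51250 ssh2
Jun  3 10:01:09 web1 sshd[2109]: Failed password for invalid user oracle from 203.0.113.5 port 51255 ssh2
Jun  3 10:01:10 web1 sshd[2111]: Failed password for root from 203.0.113.5 port 51260 ssh2
Jun  3 10:15:30 web1 sshd[2201]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jun  3 10:15:45 web1 sshd[2203]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches both "Failed password for root ..." and "Failed password for invalid user admin ..."
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_failures(log_text, year=2013):
    """Yield (timestamp, source_ip, username) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # syslog lines carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def find_bruteforce_sources(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: sorted usernames tried} for every source that produced
    at least `threshold` failures inside some sliding window of `window_seconds`.
    A single user mistyping a password stays under the threshold; a bot working
    through a wordlist does not, and the list of usernames shows the pattern."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1  # slide the window forward until it spans <= window_seconds
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged
```

The same per-source counting is what tools like fail2ban do before adding a firewall rule; the example only reports, which is enough to see why Ortega’s advice to filter unneeded services and use key authentication matters.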

“We have managed to get access to their tools and procedures to crack and collect servers,” Ortega said. “They were not using sophisticated methods to achieve their goals.”
