Although this saga might sound amusing, Krebs points out that few of the fraud shops are secure enough to keep their `stock' of stolen data from being pilfered by thieves.
“A prime example is the shop mn0g0.su – which means many in Russian. This online store, launched in January 2011, lets customers shop for stolen card data by bank issuer, victim ZIP code, and card type. A source who enjoys ruining criminal projects said he stumbled upon mn0g0.su’s back-end database by accident, as the site was backing up its cache of stolen card data to a third party server that was wide open and unencrypted”, he says in latest security posting.
“Included in the database are more than 81,000 sets of credit and debit card numbers, along with their associated expiration dates and card security code. Each listing also includes the owner’s name, address and phone number and/or email address. The social security number, mother’s maiden name and date of birth are available for some cardholders”, he adds.
Krebs goes on to say that, whilst the site does not accept credit card payments, shopper accounts are funded by deposits from virtual currencies such as WebMoney and LibertyReserve. And, he adds, it is not clear how or when these card numbers were stolen.
Fraudulent card shops, he notes, purchase data in bulk from multiple suppliers, most likely from small-time fraudsters who use automated tools to hack e-commerce stores. The data is inserted into the database in varying formats.
For example, he says, one batch of card information for sale includes email addresses in lieu of phone numbers, and all of the victim cardholders from that batch have physical addresses in the UK.
“Just for amusement, I searched for my last name, and was surprised to find four people with the last name `Krebs' whose card information was included in the database”, he said, adding that none are known relatives.
And now here's the bad news, as not only did mn0g0.su leak all of the credit and debit cards it had for sale, but it also spilled its own customer list - including the email addresses, IP addresses, ICQ numbers, user names and passwords - of more than 4,300 mn0g0.su shoppers that were included in the exposed database backup.
The customer passwords, he asserts, were better protected than the credit card numbers, as they are encrypted with a salted SHA256 hash, although the security researcher notes that a decent set of password-cracking tools could probably decipher 50-75% of the hashed passwords if given enough time.
The `going rate' for card credentials on the site seems to be $2.50 per set and, to test out the authenticity of one set, a colleague of Krebs purchased one set and then Krebs himself called the unfortunate cardholder:
“When I called her at the phone number that mn0g0.su returned in the purchase receipt, [she] confirmed the Bank of America Platinum debit card was hers. [She] said she was unaware that it had been stolen; she had not experienced any recent fraud on the account. She said that she would call her bank to cancel the card”, he said.
Interestingly, once the cardholder credentials were purchased, the details were removed from the main list on mn0g0.su – that's the good news, he says, whilst the bad news is that the site is still backing up its database to a wide-open third party server.