Cyberattackers Target Top Russian Cybercrime Forums

Elite Russian forums for cybercriminals have been hacked in a string of breaches, leaving hackers edgy and worried about law enforcement.  

Maza, a place online for fraudsters and extorters to connect to pull off their operations, has been breached by an unknown attacker, in just the latest in a series of attacks targeting elite Russian-language cybercrime forums. Members are worried that their data is being used by researchers and law enforcement to track down their true identities, a new report from Flashpoint said.

These forums are where threat actors go to access ransomware-as-a-service tools, launder stolen money and even get advice on how to improve their crimes, Flashpoint vice president Thomas Hofmann explained to Threatpost.

“Maza is a place where one can connect to trustworthy threat actors, who have been active in the Russian-language underground anywhere between 10 to 20 years,” Hofmann said. “Ultimately, the forum serves the role of a board where one can establish initial contact with respected and trustworthy service providers.”

Membership to Maza is by invitation only and comes with a fee, he added.

Another Russian-language cybercrime forum, Verified, was abruptly resurrected with unknown administrators and new domains after sitting dormant for some time, Flashpoint said. By Feb. 18, the forum’s new leadership had started deanonymizing Verified’s former operators, raising suspicions among its user base.

Another forum, Exploit, reportedly suffered a compromise this week, and a member of the forum warned other users to “be careful with registered emails across multiple forums,” Flashpoint reported.

Cybercrime Enforcement Goldmine

Pieced together, the exfiltrated data from these cybercrime forums could provide investigators with valuable information on the true identities of some of the world’s most prolific cybercriminals.

So, Hofmann agreed, there is reason for the cybercriminal members of Maza to be concerned.

“With contact details exposed, Maza users are vulnerable to being investigated on their illicit activity,” Hofmann said. “Their information, which is normally anonymous, has been leaked and could be subject to further investigation.”

Maza: A Third Dark Web Breach

Flashpoint said Maza dates back to 2003. In this latest breach, the attackers made off with user IDs, names, passwords, emails and more. The forum was also targeted in a previous attack in 2011.

Not much is known about the identities of the attackers, except that the Russian-language message which popped up on the Maza forum appeared to have been produced by an online translator, Flashpoint said. It is not clear whether that was accidental or what Flashpoint called a “misdirection technique.”

“While the compromised data appears to be extensive, it’s worth noting that the passwords have been hashed and most other data fields included in the dump have been hashed or further obfuscated,” Flashpoint’s report added.

Hashed passwords aside, some hacker members have dismissed the leak as being too old to be a threat, while others are actively trying to figure out next steps in the wake of these breaches, Flashpoint said.

“Only intelligence services or people who know where the servers are located can pull off things like that,” one Exploit member commented, according to a report from Brian Krebs. “Three forums in one month is just weird. I don’t think those were regular hackers. Someone is purposefully ruining forums.”
