Talk of hacking, both of the usual cybercrime victims and of anything related to the US presidential election, dominated news headlines for months. Since then, the mainstream media has quieted down—a bit—regarding election hacking and cyber-espionage. The investigations themselves grew more interesting once the mainstream media slowed its election coverage; the United States indicted four in connection with suspected election hacking. Meanwhile, the number of usual victims, like forums and healthcare organizations, seemingly grew at an exponential rate. Forum databases in particular keep landing on the darknet.
Earlier this year, HackRead reported that an entity under the Twitter username “crimeagency” claimed responsibility for exploiting a bug in outdated vBulletin software. The bug granted an unauthorized party full—or nearly full—access to the servers. The hacker (or hackers) accessed vulnerable forums and stole information tied to 819,977 user accounts. HackRead explained that the stolen data consisted of “email addresses, hashed passwords, and 1681 unique IP addresses while the email count based on domains is Gmail: 219,324 accounts, Outlook: 11,070 accounts, Yahoo: 108,777 accounts and Hotmail: 121,507 accounts.”
Last year, the same outdated version of the popular forum platform resulted in an attack of the same sort. At that time, the database thefts attracted attention based on the specific hacked forum’s content. Many victims found their databases for sale on darknet marketplaces. Hackers or data brokers listed the famed porn site, Brazzers; the uTorrent forum dump; the BitcoinTalk forum; the “Clash of Clans” forums; and the massive Dropbox dump that actually sparked MSM coverage.
The forum platform’s developers issued a fix in the form of a critical security update:
“A security issue was reported to us that affects vBulletin 4. We have released security patches for vBulletin 4.2.2 & 4.2.3 to account for this vulnerability. The issue could potentially allow attackers to perform SQL Injection attacks via the included Forumrunner add-on. It is recommended that all users update as soon as possible. If you’re using a version of vBulletin four older than 4.2.2, it is recommended that you upgrade to the latest version as soon as possible.”
In 2017, hackers used the same vulnerabilities as a free pathway to forum databases, and to other information too. The quality or value of the additional information often remains unknown to the public. The Twitter entity @crimeagency listed 819,977 accounts and Hacked-DB verified the contents of the dump. Well, they verified that the information came from hacked forums in early 2017 and indeed resembled a new batch of stolen data and not recycled data from old attacks.
Despite the warnings issued by the vBulletin developers in June 2016, some forums still failed to update in a timely manner.
We recently covered the most recent hack of 640,000 PlayStation accounts. The vendor, SunTzu583, never made it clear where the dump came from. However, he explained that they came from non-Sony servers. Given the number of video game forums exploited in the previous round of chaos, a similar forum running outdated vBulletin software likely suffered the same way. Note that SunTzu583 never clarified this and neither did any credible researcher. But based on most, if not all, of SunTzu583’s previous listings, the vBulletin angle is likely.
And now “Cfnt,” another darknet marketplace vendor, listed another set of forum databases for sale. This time, some of the dumps came from new or unusual targets compared to some of the previous attacks. Categories ranged from fitness forums to cell phone discussion boards. The entity—hacker, data broker, vendor, or other—listed 25 forum databases. The prices ranged from $100 to $500 for a database, depending on known and unknown qualifiers.
HackRead compiled a list of all websites with a forum involved in the incident:
“Subagames, jefit, giaiphapexcel, mangafox.me, rappersin, botinfo, cashcrate, codingforums, dcemu, asia-team, forum.gsmhosting, gsmforum., dbforums, forums.3dtotal, aarinfantasy, digital-kaos, forum.phun, forum.p30world, symbianize, gpsunderground, overclockzone, forums.socialpointgames, psucom, mrexcel, and forum.daemon-tools.”