Nulled.IO hacking forum data breach exposes attackers in the shadows
May 17, 2016
Shah Sheikh (1172 articles)
Share

Nulled.IO hacking forum data breach exposes attackers in the shadows

There is irony in a cyberattacker hacking a hacking forum, but that is exactly what has happened to Nulled.IO, a popular board with hundreds of thousands of members who may not be sleeping well this week.

Nulled.IO is a forum used by cybercriminals to trade and purchase leaked information, stolen credentials, nulled software, hacking tools and cracks. According to RiskBased Security, the forum has at least 473,000 registered users, none of which are likely to be too happy considering the recent data breach.

The hacker forum ironically became a victim of a cyberattack which resulted in the leak of a 1.3GB compressed archive containing the full 9.45GB database copy of the forum.

On 6 May, the file went public and is still downloadable through the public, clear web.

The breach was discovered by the firm’s security team which said it is likely the breach took place due to Nulled.IO’s use of the Ip.Board community forum setup. The software has 185 recorded vulnerabilities discovered to date — many of which have not even been assigned a CVE number so are probably unpatched.

It is not surprising, then, that the forum was compromised, as so many avenues for exploit would have been available to the unknown attacker.

RiskBased Security says that the full SQL dump contains 536,064 user accounts, 800,593 user personal messages, 5,582 purchase records and 12,600 invoices “which seem to include donation records as well,” as well as usernames, email addresses, hashed passwords, registration dates and registered IP addresses, although the latter may not be traceable.

“Since it is a full dump of the forums, also included are 2.2 million posts and all of the other site related content which means that private content, links and other information from the VIP forums is now public,” the researchers say. “This means the VIP access for older content is worthless, clearly impacting nulled.IO business model. ”

This information on its own is a treasure trove for law enforcement attempting to crack down on illegal sales and those committing cyberattacks in the name of data theft. However, the file dump also contains payment methods, PayPal emails, dates and the cost of products and services sold on the forum — which can be mined for research purposes by cybersecurity specialists.

RiskBased Security itself decided to do so, and the company’s security team uncovered some interesting results.

While connecting the dots to find out who the hacker forum’s users are, they discovered that many of the emails used to register with the forum ended in .edu — suggesting students or even academic staff — as well as a number of .gov email addresses from countries including the US, Turkey, Brazil, Malaysia and Jordan.

Other popular email services used to register with Nulled.IO include Gmail, Hotmail, Yahoo and Mail.ru.

The security firm noted:

“If law enforcement obtains this information, (which no doubt they already have) it can be used to filter out any “suspects” under investigation for possibly conducting illegal activities via the forums.

With this being such a comprehensive dump of data it offers up a very good set of information for matching a member ID to the attached invoices, transactions and other content such as member messages and posts.”

The data breach, caused by software riddled with critical issues, is somewhat ironic. Those registered on the forum for nefarious purposes are no doubt wondering whether they can be tracked down, while law enforcement has been given a gift by the unknown attacker.

The lesson here? The same as always — any information you put online cannot be considered 100 percent safe, and this goes for cyberattackers, too.

Source | ZDNET