Access to over 3,000 compromised sites sold on Russian black marketplace MagBo
20.9.2018 securityaffairs
Incindent

Security experts at Flashpoint discovered the availability of the access to over 3,000 compromised sites sold on Russian black marketplace MagBo
A new report published by researchers at Flashpoint revealed the availability on an underground hacking forum for Russian-speaking users of access to over 3,000 breached websites.

“Access to approximately 3,000 breached websites has been discovered for sale on a Russian-speaking underground marketplace called MagBo. Access to some of the sites is selling for as low as 50 cents (USD).” reads the report published by Flashpoint.

The earliest advertisements for the MagBo black marketplace were posted in March to a top-tier Russian-language hacking and malware forum. According to the advertising, sellers are offering access to websites that were breached via, PHP shell access, Hosting control access, Domain control access, File Transfer Protocol (FTP) access, Secure Socket Shell (SSH) access, Admin panel access, and Database or Structured Query Language (SQL) access.

Most of the compromised websites are e-commerce sites, but crooks also offered access to websites of organizations in healthcare, legal, education and insurance industries and belonging to government agencies.

According to the experts, most of the compromised servers are from U.S., Russian, or German hosting services. The company reported its findings to law enforcement that are notifying victims.

Magbo compromised servers

Experts found a dozen of vendors on the MagBo black marketplace and hundreds of buyers participate in auctions in order to gain access to breached sites, databases, and administrator panels.

Accesses to compromised websites are precious commodities in the cybercrime underground, crooks can use them to carry out a broad range of illicit activities.

“Illicit access to compromised or backdoored sites and databases is used by criminals for a number of activities, ranging from spam campaigns, to fraud, or cryptocurrency mining.” continues the report.

“These compromises have also been used to gain access to corporate networks. This could potentially allow actors to access proprietary internal documents or resources, as well as entry points through which they can drop various malicious payloads. The types of vulnerabilities present and the ways in which they can be exploited depend on the threat actor’s specific capability, motivation, targeting, and goals.”

Sellers are also offering different privilege levels, in some cases they provide “full access permissions” to the compromised sites, other levels are “abilities to edit content,” and “add your content.”

The prices for compromised websites range from $0.50 USD up to $1,000 USD per access, depending on a website ranking listing various host parameters.

Magbo compromised servers prices.png

High-value targets would have higher prices, for example, to inject payment card sniffers, lower ranking sites are usually used for cryptocurrency mining or spam campaign.

The sellers also offer stolen photocopies of national documents for identity fraud, breached payment wallet access, compromised social media accounts, and Bitcoin mixer or tumbler services.