A newly-discovered underground marketplace has been peddling access to more than 3,000 breached websites, catering to hackers hungry for valuable data and the ability to launch a range of attacks on unsuspecting site visitors.
Advertisements for the Russian-speaking marketplace called MagBo were first posted on a top-tier hacking forum in March, according to researchers at Flashpoint. Upon further investigation, the research team found that details for thousands of breached websites were for sale on MagBo.
“This particular market is populated by more than a dozen vendors and hundreds of buyers who sell and take part in auctions in order to gain access to breached sites, databases and administrator panels,” said Vitali Kremez, a researcher with Flashpoint, in a Wednesday post.
Kremez described access to breached sites as “an uneasy trend,” with cybercriminals hunting for backdoored websites to launch malicious activities – including spam campaigns, fraud, cryptocurrency mining, network penetration and credit-card sniffing script installations.
“This…may have manifested itself already in a few high-profile publicly disclosed incidents,” he said. “A recent well-publicized breach [at British Airways], for example, involved custom-built infrastructure, according to researchers at RiskIQ, allowing the attackers to avoid detection and compromise the data of 380,000 customers. Such an attack likely required compromised access and the ability to manipulate site content and inject code in order to steal customer data.”
Most of the compromised sites found on MagBo are e-commerce outlets, but victims in industries such as healthcare, legal, education, insurance and government were also discovered. After investigating available servers, researchers concluded that most of the breaches are from either U.S., German or Russian hosting services.
Kremez told Threatpost that he can’t name the affected websites because of an ongoing law enforcement investigation, but many of them are well known, he said, and victims are being notified.
The marketplace offers breached sites for anything from 50 cents to $1,000, based on a ranking system, which shows various site host parameters – including “visits per day,” “pages in Google,” Alexa ranking and host country. The marketplace also breaks down descriptions of the privilege levels for sites, with labels such as “full access permissions,” “abilities to edit content” and “add your content.”
The most expensive breached website (going for over $1,000 in MagBo) has more than 30,000 unique visitors per day.
“These parameters allow the buyer to purchase the exact breach they need depending on the website value as determined and checked by the store,” explained Kremez. “High-value targets would obviously fetch a higher price and [offer the ability] to inject payment card sniffers or other tools for deeper network penetration. Sites with a lower ranking and a lesser perceived value are more likely to be abused for cryptocurrency mining or spam delivery.”
MagBo also sells stolen photocopies of national identity documents for identity fraud, breached payment-wallet access, compromised social-media accounts and Bitcoin mixer or tumbler services (which obscure the origin of transactions and digital assets on the blockchain), researchers said.
The marketplace hosts a dozen breach sellers with more than 200 customers, predominantly from the Russian-language underground community, Kremez told us. This could include Magecart Group, for instance, which is believed to have carried out the British Airways breach and the Newegg attack, as well as other attacks involving compromised websites.
Flashpoint found that, according to the advertisements, the websites listed on MagBo were breached via PHP webshells, hosting or domain-control panels, FTP, SSH, SQL access or site admin panels.
Pre-emptive measures against this kind of website exploitation include auditing every externally accessible website, including the hosting, FTP, SSH, database and admin-panel access paths named above, for unexpected files and accounts, and reviewing how those sites connect into any organization networks.
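As an added example, not from Flashpoint or this article, the script below is one concrete form such an audit can take: it walks a PHP web root and flags files that carry common webshell indicators (eval of a decoded payload, a shell function fed straight from request parameters, a request parameter invoked as a function name) as well as any executable PHP sitting under an uploads directory. The indicator patterns, the upload-directory names and the sample files it builds are hypothetical and constructed for this example only.

```python
"""Audit a PHP web root for webshell indicators (added example; heuristics are hypothetical)."""
import re
import tempfile
from pathlib import Path

# Hypothetical content signatures typical of PHP webshells (not a vendor ruleset).
INDICATORS = {
    # eval(base64_decode(...)), eval(gzinflate(...)) and similar obfuscated loaders
    "eval_of_decoded_payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # system($_GET[...]), passthru($_POST[...]) and similar direct command execution
    "exec_of_request_input": re.compile(
        r"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b",
        re.I),
    # $_REQUEST['x'](...) : a request parameter used as the function name
    "dynamic_function_from_request": re.compile(
        r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(", re.I),
}

# Directories that should hold user content, never executable PHP (hypothetical list).
UPLOAD_DIR_NAMES = {"uploads", "upload", "media", "files", "tmp", "cache"}
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar", ".inc"}


def scan_file(path: Path, rel_parts: tuple) -> list:
    """Return indicator names that apply to one PHP file (content hits, then location)."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # Any PHP file under an upload directory is suspect regardless of its content.
    if any(part.lower() in UPLOAD_DIR_NAMES for part in rel_parts[:-1]):
        hits.append("php_in_upload_dir")
    return hits


def audit_webroot(root) -> dict:
    """Walk a web root; return {relative_posix_path: [indicators]} for suspect PHP files."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        rel = path.relative_to(root)
        hits = scan_file(path, rel.parts)
        if hits:
            findings[rel.as_posix()] = hits
    return findings


def build_sample_webroot() -> str:
    """Create a constructed web root in a temp dir: one clean site plus three planted backdoors."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    samples = {
        "index.php": "<?php echo 'hello'; ?>",                                  # benign
        "uploads/avatar.png": "not php",                                        # not scanned
        "wp-content/uploads/2018/shell.php": "<?php eval(base64_decode($_POST['c'])); ?>",
        "admin/cmd.php": "<?php system($_GET['cmd']); ?>",
        "includes/helper.php": "<?php @$_REQUEST['x']($_REQUEST['y']); ?>",
    }
    for rel, content in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return str(root)


if __name__ == "__main__":
    for rel_path, indicators in sorted(audit_webroot(build_sample_webroot()).items()):
        print(f"{rel_path}: {', '.join(indicators)}")
```

Run against a real web root, the output is a starting list of files to diff against the deployed application's known-good source; anything the heuristics miss still shows up if the audit also compares file hashes and modification times against a clean release, which the content patterns alone cannot do.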