Tuesday, July 13, 2010

Cybercriminals SQL Inject Cybercrime-friendly Proxies Service

Cybercrime ecosystem irony at its best. Why the irony? Because the cybercrime-friendly proxies service's TOS explicitly states that its users cannot launch XSS/SQL injection attacks through it.

A relatively low-profile cybercriminal has managed to exploit a remote SQL injection flaw in a popular proxies service that offers access to compromised hosts across the globe for any kind of malicious activity. Based on the video released, he was able to access every user's password as an MD5 hash, and to impersonate users of the service, using a trivial flaw in the online.cgi script.

Although his intention, based on the note left in a readme.txt file featured in the video, was to allow others to use the paid service freely, the potential for undermining the OPSEC of the cybercriminals using the service is enormous. The service not only logs their financial transactions and keeps records of their IPs but, most interestingly, also allows the "manual feeding" of proxy lists (compromised and freely accessible hosts) into the database.

The service itself has been in operation since 2004 under different brands, with prices ranging from $20 to $90 for access to 150 and 1500 hosts on a monthly basis. Some interesting facts from a threat intel/social network analysis perspective, including screenshots of the service obtained from its help file (purposely blurred in order to avoid ruining important OSINT sources):
  • The gang/hacking/script kiddies team operates different business operations online
  • They maintain a traffic purchasing program monetizing traffic through cybercrime-friendly search engines
  • Whether they are lazy, or just don't care, 4 currently active adult web sites share the same infrastructure as the service itself
  • Although the original owners are Russian, they appear to be franchising, since one of their brands is offering their services in Indonesian, including a banner for what looks like an Indonesian security conference.
  • One of the Indonesian franchisers is known to have been offering root accounts and shells on compromised servers for sale, back in 2007

For years, malware-infected hosts have been widely abused for anything from direct spamming to hosting spam/phishing and malware campaigns, but most importantly, to engineer cyber warfare tensions by directly forwarding the responsibility for the malicious actions of the cybercriminal/cyber spy to the host/network/country in question.

Not only do these tactics undermine the currently implemented data retention regulations -- how can you retain data from a compromised ecosystem that keeps no logs -- but they also offer a safe haven for the execution of each and every cybercriminal practice there is.

Related posts:
Should a targeted country strike back at the cyber attackers? 
Malware Infected Hosts as Stepping Stones 
The Cost of Anonymizing a Cybercriminal's Internet Activities 
The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Two 

This post has been reproduced from Dancho Danchev's blog.