Wednesday, April 3, 2013

Hacking Back: Why security is important, even for hackers committing felonies (from XyliBox)

If you are going to steal credit card numbers and offer them on your site, try and at least secure admin panel (and the overall site itself) sufficiently that so the email addresses and passwords of your users are not easily accessed. The excerpt below is from Xylibox; the full post can be found here re: VMAdumps - a huge hat tip to XyliBox.

Also, note that Cybercrime Review is merely reporting what has already been published; we in no way condoned this illegal activity, participated in it, supported it, or encouraged it. However, this is the epitome of "hacking back" and why a lot of people have recently argued for it. Our summation post on hacking back can be found here: Hacking Back - are you authorized?

Dumps = credit card dumps
Track1/Track2 = different types of CC information - Track 1 contains more information
Dumps can be written to credit cards via black market devices, and then used to commit fraud in-store
Fullz - CC data + full biographical data - can be used to complete full ID theft (filing fraudulent taxes, opening up additional credit card accounts, etc.)

The Details:

Another carder shop, similar to dumpslogs, they sell track2. -
Registrant Contact:
onofrio castaldi ()
rome, rome 00159
Creation date: 20 Sep 2012 10:20:00
Expiration date: 20 Sep 2013 07:20:00
And the goods offered on the site

Noticing lax security:

Some weird urls:

Fruits of the hack back:
Credit cards being offered:


And the kicker:
3k clients, i've broke ~55% of passwords with a simple brute force and a basic dictionary.You want a copy ? oh... ok.(link excluded)
PHP+SQL, tracks2 and credit cards are not included of courseHappy hunting.


  1. The administrator failed the moment they created an offering like this somewhere other than Tor/Freenet. Then again the NSA will be crawling them fulltime later this year in Ohio. But this schmoe was foiled by not even bothering to run passwords against a RockYou or similar wordlist, which should be a no brainer in that enterprise.

  2. Agreed, regarding using a place other than i2p, tor, Freenet, or some meshnet out there. Simple mistakes like this indicate catching the admin shouldn't be that hard - carelessness breeds more carelessness.