[BreachExchange] Nulled.IO: Should’ve Expected The Unexpected!

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 10 21:25:49 EDT 2016


https://www.riskbasedsecurity.com/2016/05/nulled-io-shouldve-expected-the-unexpected/

Last week a well-known “hacker” forum joined the fast-growing list of over
1,076 data breaches that have occurred so far in 2016. The Nulled.IO forum
was compromised and its data was leaked on May 6th as a 1.3GB tar.gz
compressed archive which, when expanded, is a 9.45GB SQL file named db.sql.

Nulled.IO is a hacking-based forum that, according to its website, appears
to have 473,700 registered users who share, sell and buy leaked content,
stolen credentials, nulled software and software cracks. Considering that
this forum promotes these activities, the breach is quite ironic. Nulled.IO
was running the IP.Board community forum software, commonly known as IP.b or
IPb. It appears that the forum was also running an IP.Nexus setup for its
marketplace as well as VIP forums, among a few other IPb plugins. While we
do not have confirmation at this point as to how the breach occurred, there
have been over 4,500 vulnerabilities disclosed to date in 2016, and with 185
total vulnerabilities in IP.Board (92 of them without a CVE, by the way!) it
is not hard to make a guess. The last user to log in to the forum did so on
2016-05-06 10:12:49, which gives a very good time frame for when the breach
occurred, but it still does not give any idea who was behind the attack.

When examining the data we find that it is a full MySQL dump of a database
named nulledforumsdotcr. As you might guess, it contains the complete forum
database for Nulled.IO, which is also known as nulled.cr. The database
actually contains 536,064 user accounts with 800,593 user personal messages,
5,582 purchase records and 12,600 invoices, which seem to include donation
records as well.

The compromised accounts all contain user names, email addresses, encrypted
passwords, registration dates and registration IP addresses. Other tables,
such as the nexus transactions table for VIP access payments, contain the
user ID (which can be matched back to users in the customers table), payment
methods, PayPal emails, dates and costs.

Since it is a full dump of the forum, also included are 2.2 million posts
and all of the other site-related content, which means that private content,
links and other information from the VIP forums is now public. This makes
VIP access to older content worthless, clearly impacting Nulled.IO's
business model. Further, we find API credentials for 3 payment gateways
(PayPal, Bitcoin, Paymentwall) as well as 907,162 authentication logs with
geolocation data, member ID and IP addresses, and 256 user donation records
that can be matched to the user by member ID.

One question that we receive quite often at RBS is about attribution.
People generally want to know who the actors behind these kinds of attacks
are and who is using “hacker” forums such as Nulled.IO.

We did some quick analysis of the registered email addresses and their
providers to offer some insight into who is using this service.

Government and educational email addresses found in the Nulled.IO dump:

8 gov
3 gov.ph
2 gov.jo
2 gov.br
1 gov.my
1 gov.mo
1 gov.tr
365 .edu

Email providers with more than 10,000 matches:

gmail.com: 515,998
hotmail.com: 150,210
yahoo.com: 73,382
outlook.com: 26,090
naver.com: 11,240
mail.ru: 11,236
qq.com: 11,046
rhyta.com: 10,400
live.com: 10,262
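The tally above is the kind of thing a defender repeats against a leaked member table to check whether their own organisation's addresses appear. The script below is an added example, not RBS code or part of the leak: it runs over a constructed, hypothetical member table, classifies domains by the government suffixes the post lists, counts providers, and flags government accounts that sit in the banned group (User Group 5 on this board). The provider threshold is lowered from 10,000 to 2 so the sample produces output.

```python
import re
from collections import Counter

# Constructed sample rows (member_id, email, member_group_id); not from the leak.
SAMPLE_MEMBERS = [
    (1, "alice@gmail.com", 3),
    (2, "bob@hotmail.com", 3),
    (3, "carol@example.gov", 5),      # government address in the banned group
    (4, "dave@agency.gov.ph", 3),
    (5, "erin@school.edu", 1),
    (6, "frank@GMAIL.COM", 3),        # mixed case, must fold to gmail.com
    (7, "not-an-email", 3),           # junk value a real dump will contain
]

# Government suffixes the post tallied; assumption: extend for other jurisdictions.
GOV_SUFFIXES = ("gov", "gov.ph", "gov.jo", "gov.br", "gov.my", "gov.mo", "gov.tr")
BANNED_GROUP = 5  # "User Group 5" = banned accounts on this IP.Board install

EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")

def email_domain(addr):
    """Return the lower-cased domain part, or None if the value is not an address."""
    m = EMAIL_RE.match(addr.strip())
    return m.group(1).lower() if m else None

def gov_suffix(domain):
    """Longest matching government suffix (so agency.gov.ph -> gov.ph, not gov)."""
    for suf in sorted(GOV_SUFFIXES, key=len, reverse=True):
        if domain == suf or domain.endswith("." + suf):
            return suf
    return None

def summarize(rows, provider_threshold=2):
    providers, gov = Counter(), Counter()
    edu = banned_gov = invalid = 0
    for _member_id, addr, group in rows:
        dom = email_domain(addr)
        if dom is None:
            invalid += 1
            continue
        providers[dom] += 1
        suf = gov_suffix(dom)
        if suf:
            gov[suf] += 1
            if group == BANNED_GROUP:
                banned_gov += 1
        elif dom.endswith(".edu"):
            edu += 1
    top = {d: n for d, n in providers.items() if n >= provider_threshold}
    return {"providers": top, "gov": dict(gov), "edu": edu,
            "banned_gov": banned_gov, "invalid": invalid}

if __name__ == "__main__":
    print(summarize(SAMPLE_MEMBERS))
```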

As conversations continue about cyber warfare and the offensive capabilities
being used and developed by nation states, it is interesting to see that 19
accounts were registered with .gov-based domains, including those of the
United States, Philippines, Brazil, Turkey and others. Further, it was
curious to see that 8 of the government accounts were marked as “User Group
5”, which is for banned accounts; the rest were either activated members
with posts or awaiting activation.

So why is this leak important?

When services such as Nulled.IO are compromised and data is leaked, it often
exposes members who prefer to remain anonymous and hide behind screen names.
By simply searching by email or IP address, it can become evident who might
be behind various malicious deeds. As you can imagine, this can lead to
significant problems for forum users. If law enforcement obtains this
information (which no doubt they already have), it can be used to filter out
any “suspects” under investigation for possibly conducting illegal
activities via the forums. With this being such a comprehensive dump of
data, it offers up a very good set of information for matching a member ID
to the attached invoices, transactions and other content such as member
messages and posts.