MagBO Black Market Hacking Site, Caught Selling 3,000 Website Login Credentials

Flashpoint, a cyber threat research firm has exposed MagBO as a black market site that is used as a central source for unauthorized access to 3,000 hacked websites. The new kid on the block when it comes to selling illegal access, MagBO directly competes with contemporaries: Mal4All, Nulled, HackForum and Exploit.in.

From MagBO’s menu of items for sale are:

1. SQL Database Access
2. Admin panel Access
3. File Transfer Protocol Access
4. Secure Socket Shell Access
5. Domain Control Access
6. Hosting Control Access
7. PHP Shell Access

MagBo’s role is to provide malicious Russian hackers a supply of access credentials of websites that were already hacked earlier. “Essentially, the breached websites host some sort of backdoor that would enable buyers to log in to them. We believe many breaches that are linked to Magecart e-commerce credit card compromises were multi-layered and required another set of actors that procured the initial access to the breached websites before their custom Javascript credit card sniffing script was deployed. In this sense, it is possible Magecart actors were procuring high-value accesses through MagBo or its breach website sellers directly since they originate from the same Russian-language underground ecosystem,” said Vitali Kremez, Flashpoint’s Director of Research.

The 3,000 breached sites involved in the access sale were priced dissimilarly. Depending on its value proposition, cost range from fifty cents to a thousand US dollars. “Illicit access to compromised or backdoored sites and databases are used by criminals for a number of activities, ranging from spam campaigns to fraud, or cryptocurrency mining. These compromises have also been used to gain access to corporate networks. This could potentially allow actors to access proprietary internal documents or resources, as well as entry points through which they can drop various malicious payloads. The types of vulnerabilities present and the ways in which they can be exploited depending on the threat actor’s specific capability, motivation, targeting, and goals,” Kremez further explained.

MagBO’s website access for sale scheme comes with different access levels:

1. Full Access permission
2. Edit Access permission
3. Insert new content permission

As of this writing, there is still no news if a takedown can be done against MagBO’s web servers. It is current target customers belong to the Russian cyber hacking market. The cost of website access credentials is most likely based on its traffic and how well the site is hosted and managed by the website administrator. A hacked website hosted on a much premium hosting service and with a more knowledgeable web admin may issue corrections, hence the sold user account is already disabled before being sold. The higher cost of user login credential is also based on how well the site is known.

“In addition to access to breached websites, this particular market also sells stolen photocopies of national documents for identity fraud, breached payment wallet access, compromised social media accounts, and Bitcoin mixer or tumbler services. High-value targets would obviously fetch a higher price and capabilities to inject payment card sniffers or other tools for deeper network penetration. Sites with a lower ranking and a lesser perceived value are more likely to be abused for cryptocurrency mining or spam delivery,” concluded Kremez.