So, What’s New with the Hackers?
Public resources for keeping up with the folks after your data
By Elijah Woodward | Dec 13, 2016
[Publisher’s Note: Criminal hackers are constantly evolving their practices to evade detection. Although the information in this article is still applicable, with time it will lose relevance as hackers discover new channels. That’s the nature of the challenge, so keep learning and keep in touch!]
If you’re interested in learning more about the current events in the hacker community, check out the various “paste” sites. One of the best known is pastebin.com. Pastebin was originally started as a place for coders to post helpful and interesting tips and code. Sadly, it has devolved into a social place where underground and nefarious actors post information, alongside some very good information. If you visit pastebin.com/trends you can get a look at some of the most popular “pastes” that have been posted recently.
As of this writing, it appears that a website, Bitcointalk.org, was breached and someone is selling off the database of usernames, passwords, and associated emails. These breaches are always helpful and lead to bigger breaches since password reuse across websites is so common. A classic example of this was the recent full disclosure of the 2012 LinkedIn breach, which resulted in several high-profile personalities having their social media accounts hijacked because, even though the passwords were four years old, these high-profile people were still using the same passwords.
These sites (including Skidpaste, Ghostbin, and Doxbin) have also become repositories of “doxes,” or full informational accounts of certain people. These have also included law enforcement personnel’s information (credit cards, SSNs, etc.) and the passwords of breached law enforcement accounts. (Remember the breach of the FBI LEAP portal last year? This is where that info shows up.)
Many of these websites are easily searched, and you don’t even have to visit them to get info. Using special Google terms like inurl:pastebin.com “police” “dox” would return all pages on pastebin.com where the terms “dox” and “police” show up.
Since these websites are so easily located, one of the new trends has been websites like Cryptobin and Ghostbin, which are not so easily found through internet searches. However, one need merely look where they also appear: social media!
By searching sources like Facebook and Twitter, we can find new posts all the time from these sites that are difficult to locate otherwise. For example, searching “ghostbin” on Facebook and looking at the most recent posts finds a lot of interesting information, like Michelle Obama’s, Donald Trump’s, and Hillary Clinton’s personal details, including their SSNs.
Clicking the link for the ghostbin page post pulls this up:
You can find Cryptobin in a similar fashion, except when you hit the Cryptobin website you will get a screen full of random text because it’s encrypted and you must enter the password to decrypt and read the information.
In this example, I searched for Cryptobin on Twitter and found someone auctioning off the database to a foreign government database. Here, “pass: easy” means the password is the word “easy.”
Once you enter the password “easy” and click “unbin it!” you can see a sample of the database details that the seller is showing to prove the validity of the data breach.
There are also ways you can automate all of these searches through various Facebook and Twitter tools that will send you notifications whenever terms of interest show up on your preferred social media platform.
This sort of monitoring can allow you to maintain a cyber ear to the ground to stay in the know about what’s going on, and see if your organization has been affected as well (checking “Yourpd” and “Ghostbin” would be one way). By cross-referencing these sites with other terms of interest, you can find out if you are showing up on any of these paste or bin sites.
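The cross-referencing described above can be sketched as a small filter that raises an alert only when a post mentions both a paste/bin site and one of your organization's terms. This is an added example, not code from the article: the function names, the `yourpd.example` domain and the sample posts are constructed for illustration, and it assumes the posts have already been collected by whatever monitoring tool you use.

```python
import re

# Paste/bin sites named in the article; extend as new ones appear.
PASTE_SITES = ("pastebin", "ghostbin", "cryptobin", "skidpaste", "doxbin")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def normalize(text):
    """Undo common link defanging (hxxp, [.]) so it does not hide a match."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return re.sub(r"\[\.\]|\(\.\)", ".", text)

def term_pattern(terms):
    """One case-insensitive regex matching any watch term as a whole token."""
    alts = "|".join(re.escape(t) for t in sorted(terms, key=len, reverse=True))
    return re.compile(r"(?<![A-Za-z0-9])(?:%s)(?![A-Za-z0-9])" % alts, re.IGNORECASE)

def find_alerts(posts, org_terms):
    """Return posts that mention a paste site AND one of our terms."""
    org_re = term_pattern(org_terms)
    site_re = re.compile("|".join(PASTE_SITES), re.IGNORECASE)
    alerts = []
    for post in posts:
        text = normalize(post["text"])
        sites = sorted({m.lower() for m in site_re.findall(text)})
        terms = sorted({m.lower() for m in org_re.findall(text)})
        if sites and terms:
            # Keep only links that point at a paste site, for analyst follow-up.
            links = [u.rstrip(".,)") for u in URL_RE.findall(text)
                     if site_re.search(u)]
            alerts.append({"id": post["id"], "sites": sites,
                           "terms": terms, "links": links})
    return alerts

# Constructed sample posts (not real data); "Yourpd" is the article's placeholder.
SAMPLE_POSTS = [
    {"id": 1, "text": "New dump for YourPD officers hxxps://ghostbin[.]com/paste/EXAMPLE1"},
    {"id": 2, "text": "Anyone else use pastebin for sharing config snippets?"},
    {"id": 3, "text": "yourpd.example mail list posted on Cryptobin"},
    {"id": 4, "text": "Yourpd charity run this Saturday, see you there!"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_POSTS, {"yourpd", "yourpd.example"}):
        print(alert)
```

Requiring both a site name and an organization term keeps ordinary mentions of either one (posts 2 and 4 in the sample) out of the alert queue.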