Archive for May, 2010

May 19 2010

PRC based members of carders.cc

Published by under Cyber Crime

@Jhaddix posted something that caught my attention on twitter earlier today. It mentioned that the well-known cc trading site carders.cc had been compromised and that all of the user accounts, password hashes and some IP access logs were exposed here. I thought it might be interesting to find out if there were any well-known PRC connections so I quickly wrote a script to geolocate the IP addresses and found only one China-based IP (with a .ru email tld):

7742:N-Skyline:222.73.19.174:11.May,2010,17:44:34 (Beijing)
N-Skyline:da1e1cdcc8d48037855f2ee2763b4064126fb5ea::n-skyline@qip.ru

There were some .cn email addresses too:
FinnX:01203eb70433505a23d9dbddddaa303e56f6da46::php-dev@jublo.cn
darkc0der:a5ecae753b068cf1f25b95665ad04f8f::cyberatack@w.cn
Out:ec980574500aee917c8266655cbc547d::offshore@w.cn
PWND # MESUT:7e1869df98aa93e3e5b5c473063499ca::PWNEDMESUT@w.cn
0grish:abe3eda164cb318f91cb9aefb654b56790bc7613:lol109:ogrish@w.cn

This is also interesting:

12519:bifrostilo:202.67.236.74:12.May,2010,00:00:09 (HK)
bifrostilo:4c6216cbe0ee90f22eee0bb3e7160999::renehuebner.de@gmx.de

BFD.

As an afterthought – before people start commenting, I thought I should mention that I’m aware that .cn and geoip do not necessarily mean that the person using that IP address or tld is/are physically located in the PRC. Thanks for not commenting about that.

6 responses so far