In what’s a case of hackers getting hacked, a prominent
underground online criminal forum by the name of Maza has been
compromised by unknown attackers, making it the fourth forum to
have been breached since the start of the year.
The intrusion is said to have occurred on March 3, with
information about the forum members — including usernames, email
addresses, and hashed passwords — publicly disclosed on a breach
notification page put up by the attackers, stating “Your data has
been leaked” and “This forum has been hacked.”
“The announcement was accompanied by a PDF file allegedly
containing a portion of forum user data. The file comprised more
than 3,000 rows, containing usernames, partially obfuscated
password hashes, email addresses and other contact details,”
cybersecurity firm Intel 471 said[1].
Originally called Mazafaka, Maza is an elite, invite-only
Russian-language cybercrime forum known to be operational as early
as 2003, acting as an exclusive online space for exploit actors to
trade ransomware-as-a-service tools and conduct other forms of
illicit cyber operations.
The development comes close on the heels of successful breaches
of other forums, including that of Verified, Crdclub, and
Exploit.
Verified is said to have been breached on January 20, 2021, with
the actor behind the attack claiming access to the entire database
on another popular forum called Raid Forums, besides transferring
$150,000 worth of cryptocurrency from Verified’s bitcoin wallet to
their own. The forum, however, staged a return[2]
last month on February 18 with a change in ownership, according to
Flashpoint.
Then again, in February, a cybercrime forum by the name of
Crdclub disclosed an attack that resulted in the compromise of an
administrator account with the goal of defrauding its members. No
other personal information appears to have been plundered.
“By doing so, the actor behind the attack was able to lure forum
customers to use a money transfer service that was allegedly
vouched for by the forum’s admins,” Intel 471 said. “That was a
lie, and resulted in an unknown amount of money being diverted from
the forum.”
Lastly, earlier this week, the Exploit cybercrime forum
sustained an attack that involved an apparent compromise of a proxy
server used for safeguarding the forum from distributed
denial-of-service (DDoS) attacks.
Details are fuzzy as to the perpetrators of the attacks, with
forum members speculating that it could be the work of a government
intelligence agency, while also distressing over the possibility
that their real-world identities could be exposed in the wake of
the leaks.
Flashpoint researchers noted[3]
that the Russian sentences on the Maza forum’s notification page
were possibly translated using an online translator, but added it’s
unclear if this implies the involvement of a non-Russian speaking
actor or if it was deliberately used to mislead attribution.
“While Intel 471 isn’t aware of anyone claiming responsibility
for the breaches, whomever is behind the actions has indirectly
given researchers an advantage,” the company concluded. “Any
information unearthed from the breaches aids in the fight against
these criminals due to the added visibility it gives security teams
who are tracking actors that populate these forums.”