Recently a colleague asked me whether I had ever been involved in red teaming. I replied "Yes", but did not say anything specific. At the start of this article I would like to mention that nothing you will see below is a call to action; it is for informational purposes only. Any theft, whether of data, money or intellectual property, is a criminal offence.
A little bit about myself. I am a cyber security engineer (blue team). I do not do professional hacking; I only study the behavior of the adversary in order to get to know him better. As a hacker I am a complete zero, and this must be understood, since there is simply no time or tasks for hacking. I am just a "Mamkin Hacker" (a "mom's hacker", a wannabe). And the purpose of this article is to show that even a mom's hacker can be potentially dangerous. This is just one case from my hacking practice, and it clearly shows that minimal knowledge and some ingenuity are enough to steal data.
In this article there will be nothing about pentesting or descriptions of various hacking utilities. Social engineering only; this is where social engineering plays a very important role. Let's go! First of all, I went to the modern darknet, aka Telegram, and downloaded a leaked database. It turned out to be the database of the tecwallet.com website, a platform for selling authors' courses in various fields. The database was leaked in September 2021, which is around when I downloaded it. Opening it, I saw something like this:
Passwords are encrypted... or are they? 32 characters, no special characters: everything became clear, this is most likely MD5 hashing. The decryptor confirmed my guess. After decrypting the passwords, the next question was how to test all these accounts. The file contains over 4000 records. I noticed that, besides logins on common mail services, the user logins also included accounts on the tecwallet.com domain.
It is these accounts that are of greater interest to an attacker, since they can contain sensitive data or information useful to the bad guys.
My goal was to see what useful things an attacker could steal. Logging in under these accounts, I found a lot of potentially useful information. Let's look at one of these examples.
Once on the main page, I saw that from here one can study the profile, read the messages, and also see in the left-hand menu what the "victim" has.
Exploring the profile
After examining the profile, I noticed that I was logged in under the account of a certain IT trainer. "There will be something to profit from here", I thought.
Reading private messages
We see a lot of unread messages. I do not read personal correspondence, but an attacker may not be as principled as I am and could extract potentially useful information from private messages.
Theft of intellectual property
Well, since the guy is an IT trainer, he probably has authored IT courses. Bingo!
An attacker can simply download all of his works, thereby reducing the author's effort to nothing. Or he can study them himself and gain experience 😊 In addition, there are coupons for purchasing his courses.
Unfortunately, information about the proceeds from sold courses, and access to the wallet itself, are also available from the personal account.
Here we see that there is information about available funds in the amount of $181, and they can be withdrawn in one click.
In addition to the information above there was other information, but I considered it not useful to an attacker and did not include it in the article.
With this example I just wanted to show that information security plays an important role in today's reality, and that to steal data it is sometimes enough to be an ordinary "mamkin hacker" who needs no programming knowledge to write clever scripts, no knowledge of or experience with specialized cracking utilities, and not even a banal brute force. Downloading the "leak", or buying it, is enough.
Hundreds of terabytes of information are leaked to the public every year. Either LinkedIn gets hacked, or Yandex has an internal data leak, and there are hundreds or even thousands of such cases every year. I do not know exactly how this database leaked to the public: whether it was a hack using SQL injection, penetration of the organization and compromise of the database server from the inside, or maybe a banal insider leak by an administrator with access to the database. But I would like to share some basic advice with the reader and with novice information security specialists:
Store data encrypted, so that it is difficult to recover in the event of a data leak.
Don't give all admins access to the database. Create an individual account for each admin, so that it is easier to investigate an incident when it occurs.
A SIEM is the foundation of any SOC and is our eyes and ears. A SIEM is a must-have for every large organization with an information security department.
PAM (privileged access management) is a class of solutions for monitoring and controlling privileged users.
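The bare 32-hex-character shape noticed in the dump above, and the first tip (store data so that a leak is hard to exploit), as an added Python example that is not part of the original post: an audit check that flags unsalted MD5-shaped rows and groups logins sharing an identical hash (no salt, so equal hash means equal password), next to the defender's fix, salted PBKDF2 hashing, run over a constructed sample dump rather than real tecwallet.com data. The scheme$iterations$salt$digest storage format and the 600,000 iteration count are assumptions of the example.

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict

# 32 lowercase hex characters with no scheme or salt prefix: the shape seen in the dump.
BARE_HEX32 = re.compile(r"^[0-9a-f]{32}$")

def looks_like_unsalted_md5(stored: str) -> bool:
    """True for a bare 32-hex digest (MD5-style); salted hashes with a scheme prefix do not match."""
    return bool(BARE_HEX32.match(stored))

def audit_dump(records):
    """records: iterable of (login, stored_hash). Counts bare-digest rows and groups logins that
    share an identical hash: without a salt, equal hashes mean equal passwords, so one guessed
    password opens every account in the group."""
    bare = 0
    by_hash = defaultdict(list)
    for login, stored in records:
        if looks_like_unsalted_md5(stored):
            bare += 1
            by_hash[stored].append(login)
    shared = [logins for logins in by_hash.values() if len(logins) > 1]
    return {"unsalted_md5": bare, "shared_password_groups": shared}

# Defender's side: a per-user random salt and a deliberately slow KDF (PBKDF2-HMAC-SHA256).
# The storage format scheme$iterations$salt$digest is an assumption made for this example.
ITERATIONS = 600_000

def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # bare MD5 rows and unknown formats never verify
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)

# Constructed sample dump, not real tecwallet.com data: three MD5-style rows, one properly hashed.
SAMPLE_DUMP = [
    ("alice@example.com", hashlib.md5(b"Summer2021").hexdigest()),
    ("bob@example.com", hashlib.md5(b"Summer2021").hexdigest()),
    ("carol@example.com", hashlib.md5(b"c0rrect-horse").hexdigest()),
    ("dave@example.com", hash_password("c0rrect-horse")),
]
```

Running audit_dump(SAMPLE_DUMP) reports three bare-MD5 rows and one group (alice, bob) whose identical hashes give away that they share a password, while dave's salted entry neither matches the pattern nor collides with carol's despite the same password.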