Last night, a user on Dread, /u/ASAPgothacked, drew a lot of attention by claiming to have hacked ASAP Market.
After the alleged hack, he tried to extort the admins, demanding a 30% cut in exchange for not publishing what he had taken. When he did not hear back from the admins, he posted about the attack, describing how he had extracted data that was allegedly stored unencrypted: ticket history, videos of the admin panel, all transactions including the admins' own, system logs, order history and the IP address of the server.
The user claimed to have used a shell injection to compromise the server. Shell (command) injection is a vulnerability that lets an attacker execute arbitrary OS commands on the server, which compromises it completely and exposes its data and other sensitive information about the server.
This would give the attacker full control over the server, meaning he could manipulate all of its data. The user accordingly claimed to be able to change all support and support-admin accounts, as well as to create new accounts and give them admin or support privileges.
He also said that ASAP's admin does not know how to stop or divert the DDoS attacks that have kept the market down for a few days, and that when the admin used cloudscale to stop the DDoS attacks, it revealed some vulnerabilities through which he was able to inject a shell and gain access.
According to the 'hacker', the data he holds covers 95% of the orders that took place on ASAP Market, and he is going to sell it on exploit soon. As proof he posted some screenshots showing various orders, tickets, admin transactions and logs, all of which could be accessed through a moderator's account. Within minutes of this post, Paris, the co-admin of Dread, said the following:
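As an added illustration (not code from the original post or from the market) of why a genuine shell injection means arbitrary command execution, here is a hypothetical ticket-lookup handler in its injectable form beside a hardened version that never lets user input reach a shell, plus a simple check a defender can run over request parameters. The log path, the ticket-id format and the function names are assumptions.

```python
import re
import subprocess

# Hypothetical log path read by the ticket-lookup handler (assumption, not from the page).
TICKET_LOG = "/var/log/tickets.log"
# Allow-list for ticket ids: letters, digits and dashes, bounded length.
TICKET_ID_RE = re.compile(r"[A-Za-z0-9-]{1,32}")
# Characters a POSIX shell treats specially; in a value about to be interpolated
# into a command string, any of them is a red flag.
SHELL_METACHARS = set(";|&$`<>(){}\n\\\"'*?[]~")

def vulnerable_lookup_cmd(ticket_id: str) -> str:
    """Injectable form: the raw parameter is interpolated into one command string
    meant for a shell (os.system / subprocess with shell=True). Anything after a
    ';' or '|' becomes a second command the shell would run as the web user."""
    return f"grep {ticket_id} {TICKET_LOG}"

def is_safe_ticket_id(ticket_id: str) -> bool:
    """Allow-list validation: reject anything that is not a plain ticket id."""
    return TICKET_ID_RE.fullmatch(ticket_id) is not None

def hardened_lookup_cmd(ticket_id: str) -> list:
    """Hardened form: validate against the allow-list and pass the value as a
    discrete argv element so no shell ever parses it. '--' stops grep from
    reading a leading '-' as an option."""
    if not is_safe_ticket_id(ticket_id):
        raise ValueError("ticket id must be 1-32 characters of [A-Za-z0-9-]")
    return ["grep", "--", ticket_id, TICKET_LOG]

def run_hardened_lookup(ticket_id: str) -> str:
    """Runs the hardened command without a shell and returns matching lines."""
    result = subprocess.run(hardened_lookup_cmd(ticket_id),
                            capture_output=True, text=True, check=False)
    return result.stdout

def looks_like_shell_injection(value: str) -> bool:
    """Detection helper for request logs or input filters: flags values carrying
    shell metacharacters, which a legitimate ticket id never contains."""
    return any(ch in SHELL_METACHARS for ch in value)

if __name__ == "__main__":
    sample = "42; id"  # constructed sample input carrying a command separator
    print("injectable command string:", vulnerable_lookup_cmd(sample))
    print("flagged:", looks_like_shell_injection(sample))
    print("hardened argv:", hardened_lookup_cmd("TCK-42"))
```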
So let's take a look at this. We have another asshole trying to extort a market saying that he hacked them. Did a server shell injection (ok) that only allows him to change the support and support admin accounts (wat).
If it is truly a server shell injection he would have remote code execution. Being that it looks like the support page is attached to the same codebase he would be able to dump the whole site and database if that was the case, including pwning the server. Not just change the support and support admin accounts.
Ok so maybe he meant blind SQL injection which only affects the permissions of the users in the support area. Very convenient, that is exactly the permissions a rogue support member would have. Then he goes on to say that he has all this information, it would be bad, and the server IP is going to be on sale on exploit.im. I see no post about that on the exploit.im forum there.
Even in the more private areas not a single mention of ASAP market with its IP leaked. Allow me to break it down for you guys. This is in all likelihood a rogue support member. He is not to be believed. But this post will be kept up so I can reference it from another post. But I'm going to downvote it and hope that others do that too.
The user replied to Paris:
"Not rogue support. Never have been. Never will. You are providing information to people without any proof. At least I have proof of my claim, Paris. Paris, you need to remember that we have every piece of information of every transaction, every order, every deposit, every withdrawal of this market. How can you say this market needs to be still used?
You right now are leaning on the idea that we are support. We never were support. We hacked ASAP. You are saying ASAP is safe to use (between the lines) while all user info is exposed. Nice, but your breakdown is false. I have respect for you Paris. I really do. But what you do now is dangerous. It is wrong. You are NOT right."
He attached some images as 'proof', but they held nothing confidential that would substantiate his claims: they were the same images he had posted in his thread, depicting transactions and tickets, all of which are available to a support member of the market.
Paris replied to his 'proof':
Your "proof" is screenshots that a support moderator would have. They are not good enough proof. If you did what you said you did you would have remote code execution on the server. You would need that for the server IP leak.
But you don't have that. It is shown from your message that you can only "control and change all support and support-admin accounts." Which is fucking crazy to even mention if you have remote code execution. Ya sure, but that's beside the point. If you said that you found an open SQL injection which allowed any account to be moved up in permissions to support level I would believe you more.
But you didn't. Which makes me say you are bullshitting, trying to extort the market, and were a support member only making FUD. Prove me wrong by leaking the source code of the market or the database. If you can do that, well then in your words that "ASAP completely compromised" would be true. Otherwise I'm calling chicken and bullshit and will be marking this as FUD.
Paris soon made a separate post addressing the FUD and false claims in the thread, stating:
A person claims to have hacked a market gaining access to the server IP and the permissions of support area accounts. This is in all likelihood false. A ploy to trick people and make people think that there is a problem with a market.
There is a problem with the market but it doesn't deal with the security but with the staff. Specifically, a particular support moderator. Look at my comments there for some good break downs about why you shouldn't blindly believe. It's important to know that both market admins and users need to take precautions to protect themselves from these assholes.
Admins: keep it in the family, monitor your fucking staff, record all staff interactions, only show what is needed for their job and nothing more. Pay the people keeping your operation alive a fair wage. Trust is both bought and earned.
Users: don't ever, ever, ever, ever, ever send your information in the clear. PGP encrypt always. You don't know who is watching. Just because they are staff doesn't mean you should trust them. Be kind but smart. This isn't a normal area of the web. If you get scammed here you got no recourse.
It's not as easy as you might think. But it's also not that hard. You just got to prepare for the worst.
Two hours later, the admin of ASAP Market, /u/Aseanmarket, made a statement about the 'hacker':
With natural growth of the market we have experienced a higher volume in tickets and order disputes. In order to continue to provide good quality service we hired a new support staff member to help us resolve tickets faster. Soon after we experienced a strong DDOS attack, which the new member admitted to doing as part of an extortion process. The extortion process involved demanding access to the server and wallet system, which we strongly declined.
The second request was to include him in a percentage of the market (up to 30%) which, again, we declined. No money was paid to the attacker. We strongly encourage everyone else who finds themselves in an extortion process to do the same. In a desperate attempt to extort us, the rogue member took numerous screenshots of the basic moderation panel and some information of the buyers, threatening to publish it to the public. We do not only actively discourage such behavior, but strongly condemn this pure act of doxing. The member also admitted to attacking other markets such as Darkfox, Versus, Neptune, World, Dread and planning on hitting Hydra next.
Since the member acted deceitfully in order to gain trust and this came forward immediately, we acted swiftly and removed his account from accessing the moderation panel. No database or IP was leaked, nor is there any sign of rogue files on the server (remote shells, etc.). We are admitting a mistake of hiring unvetted members, which we will own. As a token of trust we will be offering coupons of $5 (ASAP5USD) and $10 (pm modmail) in a total amount of $1000 to the community. Also, we are thankful to the Dread community for standing with us in this moment of crisis and offer a personal thank you to /u/Paris for stepping in.
Like many times before, he helped us again and exercised his expertise in situation handling. This is why we will offer the rogue member's promised first pay as a donation to Dread and its community in the amount of $2000. As a continuing act of pettiness, the rogue member is continuing the DDOS attack against our mirrors. We will continue working hard to make access to our market more stable with time to counter this issue. We proved to be a safe platform again and we are looking forward to welcoming you as our users.
And so the 'hacker', who failed to provide any proof that would substantiate his claims, turned out to be a new support member the market had hired to handle tickets.
The ex-member admitted to being the one who took down the market in an attempt to extort it, demanding access to the server and wallet system as well as a 30% share of the profits, all of which the admin declined; he then tried to threaten them with a dox consisting of screenshots of the basic support panel and some client information.
The admin also confirmed that there was no shell injection and no data breach, contrary to what the 'hacker' claimed. His doxxing and extortion attempts inevitably failed, and the admin revoked his access, which had been nothing more than a support account.