A brazen hacker is selling hacked government, military and education Web sites in an underground black market and commanding anywhere from $55 to $499 a pop, database security firm Imperva has discovered.
Imperva published several redacted screenshots -- complete with typos -- showing the hacker's marketplace. The sites offered include major .gov, .mil and .edu domains in the U.S. and Europe. Some of the hacked Web sites offered for sale include university Web sites, a Department of Defense domain, a site belonging to the U.S. Army and a National Guard site.
Along with the hacked Web sites, the hacker also has for sale the administrative login credentials to hacked sites and personal data stolen from other compromised Web sites for $20 per 1,000 records, Imperva noted.
One screen shot indicates that the hacker is attempting to sell a list of University of Connecticut staff, which includes the uconn.edu e-mail address and phone numbers in the 860 area code. Another screenshot shows the hacker trying to prove his access to the sites by highlighting the admin interface of another major university.
In its blog post highlighting the hacked Web site sale-a-thon, Imperva said it is likely that SQL injection vulnerabilities were the root cause of the security holes in the victimized sites and that the hacker used some kind of a scanner to seek out specific vulnerabilities that he knew he could be exploited using automated tools.
"The victims' vulnerabilities were probably obtained by SQL injection vulnerability automatic scanner and exploited in automatic manner, as the hacker published his methods in a post in some hacker forum…," Imperva wrote.
While it appears that the hacker has accessed the sites that are up for sale, it is not 100 percent proven. Some security researchers suggest that it is part of a larger grift designed to scam the potential buyers of the hacked Web site and documents.
But Brian Krebs, security blogger and former reporter for The Washington Post, is convinced the hacks and the Web site sales are legit. In his KrebsonSecurity blog, Krebs posted an unedited version of the list of Web sites for sale by the hacker, a screenshot originally posted by Imperva with redactions.
"I've seen some of the back-end evidence of his hacks, so it doesn't seem like he's making this up," Krebs wrote of the hacker.