New Search Engine Unmasks The Hackers

Indexeus.net looks like it could have been a Y Combinator project. With a slick design, snappy copy, and a bitcoin-based payment system, it looks unusually legit. But what the site is hiding is the product of hundreds of hacking efforts from around the web.

I’ve left out the link because it’s unclear if the site may deliver malware now or in the future. You can type it in if you’re curious.

While the tagline “Account recovery & Consultancy made easy!” sounds innocuous, Indexeus is a database of stolen names and passwords. According to Brian Krebs, the database includes stolen passwords from the recent Adobe and Yahoo hacks. But, according to the site’s crawling file, available here, the site also indexes all of the major hacks performed against hacker forums themselves. This means that the personal data of various bands of script kiddies are also indexed here.

I tested the site today with my own name as well as President Obama’s. I found one record that matched me – it cost 50 cents in BTC to view – and 11 records for the President. The data it found on me was useless.

Because all of these hacked accounts are now indexed using the site, hackers themselves are getting nervous. Writes Krebs:

Such information would be very useful for those seeking to settle grudges by hijacking a rival hacker’s accounts. Unsurprisingly, a number of Hackforums users reported quickly finding many of their favorite usernames, passwords and other data on Indexeus. They began to protest against the service being marketed on Hackforums, charging that Indexeus was little more than a shakedown.

You can also pay to blacklist content that you don’t want to appear on the site, which is quite a feature. Given that the hackers have been hoisted on their own petard, it’s a delightful bit of Schadenfreude.

Krebs tracked down the creator of the index, Jason Relinquo from Lisbon, Portugal, and even asked the young man a few questions about his service. While it’s unclear how accurate this data is right now, it’s clear that a solid programmer with a little chutzpah could recreate this ad infinitum, creating multiple databases of hacked data that would pop up like hydra heads. Interestingly, Relinquo is not fixing the site to be compliant with Europe’s Right to be Forgotten laws, which, I suspect, is exactly what some of the hackers he’s cataloged would appreciate.