BackConnect founder in vDOS database

Some additional data regarding Brian Krebs’s latest article.

BackConnect founder Tucker Preston, self-appointed “DDoS mitigation guru”, paid for the vDOS account that was used to conduct hundreds of DDoS attacks in 2015 and 2016.

The booter allows users to enter any email address without confirming it, but the email addresses of PayPal transactions aren’t spoofable.

Extract from the vDOS database dump:

CREATE TABLE `payments` (
`userid` varchar(100) NOT NULL,
`package` varchar(100) NOT NULL,
`paypalemail` varchar(100) NOT NULL,
`transaction_id` varchar(100) NOT NULL,
`amount` varchar(100) NOT NULL,
`Date` varchar(100) NOT NULL,
`ID` int(100) NOT NULL AUTO_INCREMENT,
`IP` varchar(100) NOT NULL,
`username` varchar(100) NOT NULL,
`destination` varchar(100) NOT NULL,
`api_key` int(4) NOT NULL,
`refunded` int(1) NOT NULL,
`high_risk` int(1) NOT NULL,
`ref` varchar(255) NOT NULL,
`type` int(1) NOT NULL,
`timestamp` int(14) NOT NULL,
PRIMARY KEY (`ID`)
) ENGINE=MyISAM AUTO_INCREMENT=71374 DEFAULT CHARSET=latin1;


INSERT INTO `payments` VALUES

('21606','1 Month Bronze','tucker@gnu.so','2P456702F5318430K','18.99','25-03-2015 01:55',15861,'10.90.255.254','pp4l','jack@v-email.org',0,0,0,'',0,0),
('21606','1 Month Bronze','tucker@gnu.so','6WD289035J3050133','18.99','26-04-2015 02:28',27321,'10.164.199.7','pp4l','alvin@v-email.org',11,0,0,'',0,0),
('21606','1 Month Bronze','tucker@gnu.so','78W478652V2176331','18.99','26-04-2015 07:05',27431,'10.228.29.57','pp4l','matthew21@v-email.org',31,0,0,'',0,0),
('21606','1 Month Bronze','tucker@gnu.so','6VE81821M72362836','18.99','16-06-2015 16:53',43741,'10.35.197.202','pp4l','Itibg@v-email.org',1131,0,0,'',0,0),
('21606','1 Month Bronze','tucker@gnu.so','98101320YN835670F','29.99','29-07-2015 03:16',59351,'10.95.222.114','pp4l','microrobotrblx+b@gmail.com',2941,0,0,'',0,0),
('21606','1 Month VIP','1DhaStWbCWxBL4Kz8KExakwbrSo7wCyaCc','41045bf4754472d1d3484f3c856e1666062a55f83ca94015560155228ccc9213','179.99','01-08-2015 13:50',60201,'10.169.229.148','pp4l','NULL',0,0,0,'',0,0),
('21606','1 Month VIP','1NgSdtfRy8ChrVo7sx66zhTZfeoWfAdbhQ','','199.99','18-10-2015 18:57',67075,'54.175.255.218','pp4l','NULL',0,0,0,'',0,0),
('21606','1 Month VIP','1F6JAegUMiDLu5nnPgKMbfhUdLbDz4VQQ7','','139.99','27-11-2015 15:09',67704,'54.175.255.199','pp4l','NULL',0,0,0,'',0,0),
('21606','1 Month VIP','1NPrwZzMmPNbzwquhrtLzzyydrtxBjjac5','','199.99','30-12-2015 19:57',68234,'54.175.255.210','pp4l','NULL',0,0,0,'',0,0),
('373525','1 Month VIP','186XAeZHJFB1UXhSszgt1A5a6Wu6WB6yqC','ff4fde9bb7176be35d4fc21c8496b8641b0021cc582803624517114b1bfcea6a','199.99','08-02-2016 19:28',68847,'54.175.255.199','pp4l2','NULL',0,0,0,'',0,0),
('373525','1 Month VIP','1D34uYabVTYgQuunHfz98cQwJjRUpoVH1P','','199.99','15-03-2016 02:03',69296,'54.175.255.208','pp4l2','NULL',0,0,0,'',0,0),
('373525','1 Month VIP','1bDqYB1BEjUiYyL4CuHFkNsNWN9JJMeWV','','199.99','18-04-2016 23:07',69769,'54.175.255.208','pp4l2','NULL',0,0,0,'Direct',0,1461035241),
('373525','1 Month Bronze','1MXjpNabxYhTDPbYeLsieXhP2hHntUcg4d','','19.99','11-06-2016 03:35',70398,'54.175.255.204','pp4l2','NULL',0,0,0,'Direct',0,1465630508),
('373525','1 Month Bronze','1QA7DmMkKj77aSdZVys39DqPuGs52JGrDX','','19.99','17-07-2016 01:13',70825,'54.175.255.208','pp4l2','NULL',0,0,0,'hackforums.net',0,1468732401),
('373525','1 Month VIP','15XUA6KwmJUK49uzkcnppphVfWHC4ZKuCX','','199.99','06-08-2016 19:13',71058,'54.175.255.198','pp4l2','NULL',0,0,0,'Direct',0,1470525193);

It looks like Bitcoin payments were stored in the same table as PayPal payments: for those rows the `paypalemail` column holds a Bitcoin address and `transaction_id` is either empty or a transaction hash.
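As an added example (not code from the original post), the following loads rows in this table's column order into SQLite, infers the payment method from the reused `paypalemail`/`transaction_id` columns, and summarises each userid's payments. The rows are constructed, not taken from the dump; treating the textual `Date` as UTC and reading `transaction_id` as a Bitcoin transaction hash are assumptions.

```python
import re
import sqlite3
from datetime import datetime, timezone
from decimal import Decimal
# Column order of the dump's `payments` table; SQLite types are loose, so values stay as text.
SCHEMA = ("CREATE TABLE payments (userid TEXT, package TEXT, paypalemail TEXT, transaction_id TEXT,"
          " amount TEXT, Date TEXT, ID INTEGER PRIMARY KEY, IP TEXT, username TEXT, destination TEXT,"
          " api_key INTEGER, refunded INTEGER, high_risk INTEGER, ref TEXT, type INTEGER, timestamp INTEGER)")
# Constructed sample rows in that column order (not rows from the real dump).
SAMPLE_ROWS = [
    ("1001", "1 Month Bronze", "payer@example.com", "1AB23456CD789012E", "18.99",
     "25-03-2015 01:55", 1, "198.51.100.10", "userA", "claimed@example.net", 0, 0, 0, "", 0, 0),
    ("1001", "1 Month VIP", "1FakeBtcAddrForTestsxxxxxxxxxxxxxx", "", "199.99",
     "18-10-2015 18:57", 2, "198.51.100.11", "userA", "NULL", 0, 0, 0, "", 0, 0),
    ("1001", "1 Month VIP", "1FakeBtcAddrForTestsxxxxxxxxxxxxxx", "ab" * 32, "199.99",
     "18-04-2016 23:07", 3, "198.51.100.11", "userA", "NULL", 0, 0, 0, "Direct", 0, 1461035241),
]
BTC_ADDR = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")  # legacy base58 address shape
BTC_TXID = re.compile(r"^[0-9a-f]{64}$")

def payment_method(paypalemail, transaction_id):
    """The same two columns hold either a PayPal email + PayPal txn id, or a Bitcoin address + optional tx hash."""
    if "@" in paypalemail:
        return "paypal"
    if BTC_ADDR.match(paypalemail) and (transaction_id == "" or BTC_TXID.match(transaction_id)):
        return "bitcoin"
    return "unknown"

def paid_at(date_text, epoch):
    """Newer rows carry an epoch `timestamp`; older rows only have the textual `Date` (assumed UTC here)."""
    if epoch:
        return datetime.fromtimestamp(epoch, tz=timezone.utc)
    return datetime.strptime(date_text, "%d-%m-%Y %H:%M").replace(tzinfo=timezone.utc)

def summarize(rows):
    """Per userid: payment count, total, method breakdown, PayPal payer emails, and date range."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO payments VALUES (" + ",".join("?" * 16) + ")", rows)
    out = {}
    for userid, payer, txid, amount, date_text, epoch in con.execute(
            "SELECT userid, paypalemail, transaction_id, amount, Date, timestamp FROM payments ORDER BY ID"):
        s = out.setdefault(userid, {"payments": 0, "total": Decimal("0"), "methods": {}, "paypal_emails": set(), "first": None, "last": None})
        method = payment_method(payer, txid)
        s["payments"] += 1
        s["total"] += Decimal(amount)
        s["methods"][method] = s["methods"].get(method, 0) + 1
        if method == "paypal":
            s["paypal_emails"].add(payer)  # PayPal-confirmed identity, unlike a user-entered address
        when = paid_at(date_text, epoch)
        s["first"], s["last"] = min(s["first"] or when, when), max(s["last"] or when, when)
    return out
```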

Accounts “pp4l” and “pp4l2” were accessed from several IP addresses located in Georgia, matching Tucker Preston’s bio on LinkedIn and other sites. He has used the email address tucker@gnu.so on many occasions, e.g., in domain registrations.
