A Dark Web Vendor Is Selling Millions of Hacked Cam Girl Site Tokens

The hacker claims to be a former employee of MyFreeCams.com.

Nov 27 2015, 2:15pm

Screenshot of the dark web site claiming to sell exploited MFC tokens

MyFreeCams (MFC), one of the most popular cam girl sites on the internet, can't catch a break at the moment with its security. After Motherboard reported that the site deployed truly terrible password security for both its models and users, we've now found out that someone is advertising hacked "tokens" for MFC on the dark web. These tokens are usually purchased directly from MFC, but the hacker is claiming to sell hundreds of thousands of dollars' worth at a major discount.

MFC is your run-of-the-mill cam site, where models carry out shows for site visitors. As the name suggests, some of those shows are free, but users can purchase tokens to pay for private shows or tip models.

Potentially millions of these tokens are being advertised for sale on a dark web site, by someone who claims to be a former employee of the company.

"We are two ex-developers that worked for ActiveSoft and got laid off almost two years ago," the owner of the site selling the hacked tokens, who used the handle "mfccredithack," told Motherboard in an email. ActiveSoft is the company name that appears on a customer's bank statement after making a purchase on MFC.

The hacker claims that MFC's owners "used to care for the platform's security when we were building it, but it came to a point where it didn't really matter to them."

"Long story short, when we got wind that ActiveSoft was laying people off, my partner and I decided to add a flaw that added tokens to some admin accounts that we still own. From there, we can transfer the tokens in any accounts that we like," mfccredithack claimed.

Buying tokens from MFC usually costs a user $19.99 for 200 tokens, $49.99 for 550, or $74.99 for 900. Meanwhile, the hacker is advertising 100,000 tokens for 3 BTC ($975), or 1 million tokens for 9 BTC ($2900); that's around a 90 percent discount for those willing to take that many.


Mfccredithack shared a screenshot with Motherboard that appeared to show access to an "Administrator" account with millions of available tokens. The hacker also sent a small number of tokens to the holder of an MFC account contacted by Motherboard, to further prove he was in possession of at least some tokens, though it is impossible to know if these were hacked. Motherboard cannot confirm mfccredithack's claim that he or she is an ex-employee of MFC.

An MFC spokesperson told Motherboard that "Websites saying that they are selling tokens are fake and simply phishing." The spokesperson then linked to two pages on the site's Wiki that detail scams to steal customers' usernames and passwords, and also examples of malware that is designed to siphon off users' info.

However, this dark web site only asks for a customer's username, not their password, and there was no indication of a malware download upon accessing the site. If the site is a scam, it could simply be to relieve MFC users of their bitcoins.

Earlier this month, Motherboard reported that MFC had awful password security, even deliberately undermining strong passwords created by its users. If a password contains upper and lower case characters or punctuation, it can be bypassed by simply typing the password in lowercase and omitting any special characters. For example, if a model's password is "!!!PASSword???", simply typing in "password" would access the account. Several sources also confirmed to Motherboard that when users forget passwords, MFC sends them in plain text emails.
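To see why that behaviour matters, here is an added example (not MFC's code, which Motherboard has not seen) that models the reported check next to a hardened one. The `weak_normalize` rule is an assumption based on the description above, and every function name is hypothetical.

```python
import hashlib
import hmac
import math
import os
import re


def weak_normalize(password):
    """Assumed model of the reported behaviour: case and punctuation are ignored."""
    return re.sub(r"[^a-z0-9]", "", password.lower())


def weak_check(stored, attempt):
    # Vulnerable pattern: both sides are collapsed before they are compared,
    # so many different strings open the same account.
    return weak_normalize(stored) == weak_normalize(attempt)


def hash_password(password, salt):
    # Hardened storage: a salted, slow hash over the exact characters typed.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)


def new_record(password):
    """Return (salt, digest); only these are stored, so nothing can be mailed back."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def strong_check(salt, digest, attempt):
    # Constant-time comparison of the recomputed digest with the stored one.
    return hmac.compare_digest(hash_password(attempt, salt), digest)


def keyspace_bits(alphabet_size, length):
    """Bits of search space for a random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    chosen = "!!!PASSword???"  # the example password from the article
    salt, digest = new_record(chosen)
    for attempt in ("password", "passw0rd", chosen):  # constructed attempts
        print(attempt, weak_check(chosen, attempt), strong_check(salt, digest, attempt))
    # 36 symbols survive normalization (a-z, 0-9) versus 94 printable ASCII characters.
    print(round(keyspace_bits(36, 8), 1), "bits vs", round(keyspace_bits(94, 8), 1), "bits")
```

Because the hardened record holds only a salt and a digest, a forgotten password has to be reset rather than emailed back in plain text.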


As for this latest news, the hackers say that at first they "wanted to sell [their] tokens to anyone for a cheap price and become popular and basically destroy MFC because it would generate a good amount of debt." Every time a model is sent a token, they receive $0.05, so if these tokens were generated with no actual purchase, MFC would lose out.

But the hackers also realised they could sell the tokens at a discount to models themselves.

"We actually spoke with a woman that [owned] a studio in the Philippines and she explained that it would be great if she could inject tokens in those poor women's accounts so that they could be able to live. Since then, we realized that we could do something good with this 'hack,'" mfccredithack claimed. Models can sign up to MFC either independently or as part of a studio, which will take a cut of their pay in return for handling administration, marketing and financial matters.

"Most of our clients are in fact models, which is totally ok for us," mfccredithack said.

"At first I did it because I was mad, but the thought of helping people with it came almost a year later."