Credit Card Autoshop Self-Signed SSL Cert Leaks IP

Scammers Number: N/A Website Only (1 Telegram Phone Number Leaked).
Domains Used: http://tigerccshop.me & http://tigerccshop.cc
Extra Info: Data Includes Server Info.

Website Name: Tiger CC Shop
IP: 147.135.79.249 (Works as a Website… Redirects to the login portal).
Operating System: Debian x64
Hosting Company: OVH SAS
Location: Reston, VA, USA
SSL Status: Untrusted. Self-Signed
Page Status: 200
Creation Date: 2021-01-10
Registry Expiry Date: 2023-01-10
Name Server: ERIC.NS.CLOUDFLARE.COM
Name Server: FATIMA.NS.CLOUDFLARE.COM
Open Ports: 22, 80, 123, 443
Web Tech: Django, Python, Bootstrap
ASN: AS16276

22/SSH (TCP)

OpenBSD OpenSSH Version7.9
Debian Linux: 10.2

80/HTTP (TCP)

nginx:
http:// 147.135.79.249 (Separated due to weird Embed Problems).
Request GET /login/
Protocol HTTP/1.1
Status Code = 200
Status Reason OK
Body Hash sha1:4b41a953e1b89f9712a52ee2f047319c98931774

123/NTP (UDP)

Time Header

Version: 3
Mode: 4
Stratum: 2
Poll: 3
Precision -24
Reference ID: �l�

443/HTTP (TCP)

https:// 147.135.79.249
Request GET /login/
Protocol: HTTP/1.1/
Status Code: 200
Status Reason: OK
Body Hash: sha1:6a461a1989e17150d551526a4d7cda3adf6cd0bf

TLS:

JARM: 2ad2ad16d2ad2ad22c2ad2ad2ad2add02b8cc6626b25ebf05ea1651e2438d3
Handshake:
Version Selected: TLSv1_2
Cipher Selected: LS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Leaf Certificate:
29f07d93231aabfa7044256da8a8c56b6afc7fe5b7e8465458a83c459c963554
emailAddress = [email protected], C=RU, ST=new maxico, L=niomon, O=Bouncy Castles, Inc., CN = tigerccshop.me

emailAddress = [email protected]

emailAddres s= [email protected], C=RU, ST=new maxico, L=niomon, O=Bouncy Castles, Inc., CN = tigerccshop.me,

emailAddress = [email protected]

38.6583, -77.2481

Telegram Accounts:
@pinfern0
@Tiktokk
@Tiktokk
@gomoraccv
@Tornado0cc
@sputnik706
@RRockCC
@OrcAdipdivcc
@goldboyCC - Phone Number used with account is: +1 760 350 7760

Telegram Invite: Telegram: Join Group Chat
Tor Hidden Service:
http://ld3hfzxcr4dib3v3kaetaiqym2xnhppxot3l6nyv2fw3zx5oldvdwdad.onion

Will Attempt to do more info gathering, Website and All info has been passed to US Law Enforcement. Just Thought I’d provide this lovely gem.

No Vulnerabilities have been found thus far.

2 Audio Samples from Telegram showing this operation has Millions in stolen assets (Files Hosted on Discord until I upload to a safer sharing location).

$300,000 Credit Card Balance Check. No Personal Data.
$107,000+ Balance Check. No Personal Info. OGG File

Both were provided in May and June respectively.
I Don’t condone nor Support this website or the trades.

I Will be using Python to scrape data such as names, Cities and Addresses to help victims know their credit card info has been stolen. If You’re able to provide some support it might ruin the site before it’s taken down. This Would help Law Enforcement and Banks Majorly as it would prevent further theft.

UPDATE: SCREENSHOTS ADDED + PROOF OF OWNERSHIP

The Site is Massive, I Have left out names to prevent problems. The Values are acquired from the fraudsters calling the bank listed after hours to avoid a real person from answering.

Just some estimates of Value exceed into the Millions without a doubt, We’ve provided $107,000 and $369,000 Balance Check in the format of an .ogg in the original post. With these 2 Values known and what you’re about to see, Will showcase that this this a large scale business costing banks and people Billions.



Proof of Ownership of one of the telegram accounts. They didn’t hide their Phone. It’s a Landline and it’s a fake one. Anyone with enough time could waltz right into the account without a fucking problem. Rookie mistake I suppose.

Given this is more data, Please Urge the Federal Government take down this site.

use https://ic3.gov/
and OVH

to file reports.

Update to the website:

I Have an Additional Laugh, Originally I Posted the 1 screenshot… Well, All 3 domains are down, Someone smacked the IP of the server with a DDoS Attack and All 3 services went down. I don’t know who did but you’re breaking the law yet saving Millions of dollars by doing so.

tigerccshop.me tigerccshop.cc and the onion page are 100% offline

TIGER CC SHOP .ME DOMAIN

TIGER CC SHOP .CC DOMAIN

TIGER CC SHOP .ONION DOMAIN

The Telegram of some of the sellers are inactive. I’m unaware as too why possible bust? Who knows.

Site has been DDoSed for a few days now, They’re aware of their site being posted to the forum. I contacted them around 5+ days after I found the IP and I Posted this 4 days ago. I Knew of the site for nearly 10 months and I had the IP for 3 Weeks and it was reported around 2 weeks ago.

The telegrams of multiple sellers are gone, Notably Ram, Tiktokk and others are gone. Which means they’re gone for good.

Update 1: I Removed the “Final update” From the post above.
update 2: Seems these fuckers don’t get the point…

November 10, 2021 @ 11:37 PM MSK the telegram group/channels spit this message out.

Tiger CC Shop:
We working hard and the site will back as soon as possible please be patient everything will back like the past

I Know the site is going to be exposed again, so I’ll post about that soon. Law Enforcement has been notified yet the pipeline of fraudsters continues to see another day. The Website is still down and i’m sure the Database is seized by now. Not 100% sure but, I’m going to say Law Enforcement and OVH Have shut the site down. If you reported the site, please DM me on discord so I can properly say thanks for the assist:

My Username: An Unknown Plauge#7742

Round 2

I thought it was all over but the crying but nobody is crying but me… (Except it’s tears of Joy).

http://fmicvwwbe33t4txpcy6iwthwkzuevrehxavi6iu4oiepfuzkhk5algqd.onion
New Onion Domain ready for abusing, Keep it legal find an exploit that doesn’t require authorization or other things that would break the law. If You want to break the law that’s on you.

I’ll keep this thread going until Interpol, Europol or US-LEAs Get this shit done with.

They’re supposed to be announcing new clear net domains, As Many know Tor is Now illegal in my country. It doesn’t stop me from using Proxies, VPNs and Virtual Servers to access the Tor Network. Tor is working hard to stop the censorship, If you wish to please run some servers for Tor.

I’ll Add a new “post” When the domains come online.

They’ll be more cautious this time.

Tiger CC Shop (Via Telegram)
Hi guys
We apologize for this delay to reopen the site it was very hard circumstances last month so the work was slowly , don’t believe any buddy saying we exited or hacked everything ok, our wallet , sellers and data all is ok , just we got some problems with the server provider and we solved it , and now we will be more cautious and powerful about all details which maybe do any affect to the site in future ‘god willing’ , we have added some updates and new domains and it just some hours to back for work , and again we sorry for any buddy got scammed because of sellers changing their telegram id’s and we hope we will compensate them next days , we working hard to keep our customers trusting and give more quality data’s please be safe and careful from any scammers , every time take attention for new notevication and updates in this channel and be ready for next hours ,
With our greetings
Tigerccshop team.

Given this notice, I’ll suspect they’ll attempt to hide there services and Avoid SSL Errors doesn’t mean they’re not bright. I’ve Noticed Websites like xss.is & briankrebs.cm do not have a WAF (Web Application Firewall) Enabled, NGINX “Reverse Proxy” Fails to protect their site as well.

This shouldn’t be hard, Finding real IPs of origin servers behind CloudFlare or Tor here’s a good link to read up on when dealing with CloudFlare and Tor Hidden Services Orgin Locations. Remember that sometimes you can Identify locations via other key hints. Given that the clearnet domains will not be ran in UTC Time they’re server is suceptable to Time zone Checks. Given there’s a few countries in these locations The simplest explanation is often the best answer. (occam’s razor) Currently as I Write this it’s 8:55 AM MSK. So Assuming they’re in the same timezone of MSK Then assume it’s Hosted in Russia, Romania, Moldova or Ukraine. Now you can test the language of the site via many things.

Keep a look out for many things and help expose these idiots.

(post deleted by author)