A policy change at a seemingly innocuous website could make it more difficult to stop hackers, according to information security experts who track malicious software in the wild.
Pastebin, a repository where users can post and share raw text files, said on Wednesday it has discontinued a service that charged users a $50 one-time fee to search the site for new data.
Researchers had used the scraping API to scour Pastebin for cybercriminal activity, as hackers frequently posted stolen personal data and malicious code to the site. Pastebin hosts many legitimate submissions, including posts about software tests and blocks of banal code meant for cryptographic network protocols. The malicious activity makes up a fraction of the content, and is difficult to identify without scraping capabilities because of the construction of the site.
A number of Twitter feeds, like @ScumBots and @leak_scavenger, were dedicated to catching malicious uploads early, and then distributing details early so that security practitioners could proactively fend off a hacking tool.
“This was used … to filter for malicious payloads that had been uploaded, or in some cases where criminals have uploaded people’s data,” said James Hemmings, a penetration tester. “I, for example, used it to filter for my own personal identifiers to detect leaked/breached personal data. So … it is now more difficult to research cybercrime or use it for open-source intelligence gathering.”
Pastebin said it updated the terms and conditions because of “active abuse by third parties for commercial purposes.” That’s an apparent reference to services like Intelligence X, which charges subscribers to search a number of services, including Pastebin. Intelligence X continued to advertise its access to some 49 million Pastebin posts on Thursday.
The debate echoes similar criticism of the European Union’s General Data Protection Regulation. When GDPR went into effect in 2018, the privacy law made it possible for website owners to hide their identities. The rule, meant to protect web users’ personal information, inadvertently hobbled WHOIS lookups, a research tool that online investigators used to identify operators of malicious websites.
Pastebin’s decision could similarly hamper research efforts by making it harder to detect malicious activity, such as a recent update to the Nanocore RAT malware.
That remote access tool, highlighted by the @ScumBots feed on Monday, is a years-old hacking tool capable of stealing victims’ passwords and remotely accessing their webcams. The SHA hash of the malware sample flagged Monday by @ScumBots was detected by 65 of 73 security tools in the VirusTotal repository by press time Thursday.
“ScumBots would have picked that up minutes after it was posted to PasteBin,” said researcher Oliver Hough, who monitors the feed. “[Antivirus companies] would have got there eventually but ScumBots certainly helped.”
Paul Melson, who operates the ScumBots feed, said the unusual activity began on April 2. Melson manually uploaded the Nanocore sample in question on Monday, he said.
Pastebin was founded in 2002, and its interface appears to have changed very little in the nearly two decades since. Despite being generally known for hosting reams of innocuous code, the site has a long history of being blocked by countries like India and Venezuela for transmitting messages from anti-government demonstrators in those countries. North Korean hackers behind the 2014 Sony breach also posted missives on Pastebin.
The change coincides with an editorial in the national security blog Lawfare calling for more cybercrime data to aid investigations. Eileen Decker, a former U.S. attorney and the president of the Los Angeles Police Commission, and Mieke Eoyang, vice president of the national security program at Third Way and a former congressional staffer, called for stronger cybercrime reporting capabilities.
Pastebin did not respond to a request for comment Thursday.
Vice Motherboard first reported on the change at Pastebin.