An Inventory of What Was Included in the InvestBank Data Dump

Share this…

Hacker dumps nearly 10GB of bank data online. Turkish hackers tweeted a URL yesterday pointing to a massive collection of files, which they claim belongs to UAE’s InvestBank.

The hacker group is Bozkurtlar (translated as the Grey Wolves), the same group that took responsibility for the Qatar National Bank data breach from two weeks ago.

Last December, UAE media reported that InvestBank had been hacked, and that an individual tried to blackmail the bank for $3 million / €2.83 million. After the bank didn’t pay, it was said that the hacker, known as Hacker Huba, followed through with his threats and dumped the data online, yet the links never came to light. [Check update at the end of article]

What we’re going to be looking through right now may very well be the same data posted by Huba, and only re-posted by the Bozkurtlar group. Its true origin may not come to light until InvestBank issues an official statement on this matter, or someone that has seen or still has the December data dump is able to compare the two data sets. Softpedia did not report on or was ever in possession of the first data dump.

The data dump holds almost 13,000 files, totaling 9.4 GB

Softpedia has downloaded the leaked data for research purposes. The InvestBank data is offered as a 1.5 GB ZIP file (9.4 GB unzipped) that contains 12,927 files.

Besides folders that contain the actual data, the hacker also included screenshots that appear to show him navigating through the bank’s MSSQL database.

There are seven main folders in the ZIP file’s root directory. The first folder is named “accountsPdf” and contains 3,383 PDF files. Softpedia has not opened all files, but from the sample we did look at, these files are individual account statements, like the one pictured below.

One of the account statements from the /accountsPdf folder

One of the account statements from the /accountsPdf folder

The second folder in the ZIP file’s root directory is named “Babu” and holds a lot more information.

Here Softpedia found details on some of the bank’s 2014 investors, 129 scans of IDs and documents involved in land deals, 170 passport scans for both adults and children, and contact details for 522 bank employees in various countries.

Other documents we found in this folder that were larger than a few KBs and with suggestive names included details about other bank contacts, (very few) customer credit card numbers, server passwords from the bank’s internal network, server logs, monthly expenses, and others.

A file named ALL ATM CARD HOLDER_new.XLS contained 11,741 entries of what looked to be ID codes for ATMs.

Content of the /Babu folder

Content of the /Babu folder

The third folder in the ZIP file’s root directory is named “Backup” and contains what you expect it to contain: backups! This is where most of the data is, packed in 240 files, but taking up 8.35 GB of the entire leaked dataset. All the files were placed in second folder named “,” which is the bank’s website URL, meaning the data’s source must have been from website backups.

Almost all files here contain important data, but we’re going to highlight only some of them. Softpedia found over 69,000 credit card details in a file named CARD.sql. This file contains customer names, credit card numbers, home addresses, email addresses, dates of birth, and card expiration dates. CVV numbers were not included, and the file was located in a sub-folder named ATM.

In another file named BBSD_CUSTOMERS.sql, Softpedia found a list of what looked to be InvestBank customer names. The list included nearly 47,000 names with no personal information included. Some of these names were found in the CARD.sql file, but some were not. Many of these entries were company names.

A file named IBCC_PAYMENT.sql also included details about over 163,000 bank payments, with details about account numbers, payment amounts, and a short explainer about the payment’s nature.

Most of the other documents were SQL and XLSX files related to bank transactions and Web server logs. The most recent file from this folder was dated to March 19, 2016.

Partial content of the /Backup folder

Partial content of the /Backup folder

The last four folders named “E,” “Files,” “InvestBankAmbit112,” and “Second Line Customers” also contain sensitive information.

The biggest file we found in these three folders was InvestBankAmbit112.sql, which seemed to be an entire database dump of nearly 480,000 SQL lines.

Here we found information about customers’ credit card numbers, customers’ bank account numbers, active bank loans, bank admin accounts complete with encrypted passwords, admin activity logs, bank bills, customer complaints, and customer details (roughly 16,000).

Further, the file also included data about the bank’s Web portal activity, such as customer usernames, emails, encrypted passwords, encrypted PINs, and activity logs. We discovered over 5,000 of such entries. The rest of the file contained details about over 367,000 bank transactions.

Other files found in these folders also included technical manuals for the bank’s IT network, internal procedures, application forms, staff reports, and other internal documents.

After sifting through the data, Softpedia has deleted all the files. We have reached out to InvestBank to inquire about the data’s validity, and we’ll update the article with the bank’s response if they decide to issue a public statement on this matter.

UPDATE: One of our readers has pointed us to a Daily Dot article that reported on the content of the files posted online by Hacker Huba last year. The numbers appear to be much larger than the data dumped by the Turkish group.

InvestBank data dump's content

InvestBank data dump’s content