Scrolling through my LinkedIn feed again and I saw this!

So what is this about? Is this real?
To start my investigation, I needed to find the source where this leak was posted. Since the image is familiar and clearly looks like it’s from breached forums, I remembered that Breached has gone through many issues lately. All the Breached forums were seized by the FBI, but there is still one alive: https://breachforums.st
As expected, the leak was from there, and I was able to download a demo of the leaked data!

Based on these samples, I can confirm that the leak is genuine. There are many passports of individuals from different countries, including:
– Israel
– Saudi Arabia
– Morocco
– Libya
– Iran
– Sweden
– Canada
And more …
Now, the big question is: which organization has been hacked? And from which country exactly? Is this from multiple organizations or only one?
I had many theories in mind!
Basically, in every country, there are a few organizations that can store people’s passports, such as visa providers and airports!
Possible scenarios:
- Visa providers are using a common framework in which attackers found a zero-day vulnerability to exploit, leading to mass attacks on multiple providers in different countries.
- Airports are using a common framework in which attackers found a zero-day vulnerability to exploit, and they used it against multiple airports in different countries.
Before digging into one of these unconfirmed scenarios, I decided to take a deep look at the sample and I found something interesting!

If we recheck the samples carefully, we will see that most of them look like example number 1, but there’s one ‘example number 2’ that has something special! It’s a boarding card!
For poor hackers like me who never had the opportunity to travel on a plane, a boarding card is the paper that confirms you paid for the trip to travel on a specific plane. This paper is only provided to you to present to the staff at the airport, so they let you into the waiting area for your flight!
Sometimes the staff scans your passport and they also scan this paper, which is the case here! All these details can confirm that this leak is coming from an airport, and it’s likely just one single airport.
Till now, nothing is 100% confirmed, so let’s dig more.
If we focus on the boarding document, we can see some words written in Turkish. There’s also a date, 21-2-2022, and a website: www.umur.com.tr

This means that this boarding paper is from a Turkish airline. Searching the internet for the term ‘Biniş Kartı’, we found this:


This confirms exactly that this person has traveled with this Turkish airline.
Now, what about this website: www.umur.com.tr ?
A little search gave me the idea that this is a company that provides thermal papers that can be used in payment machines.


I’m not sure about the relation between this company and our investigation, but a boarding card carrying the signature of a Turkish thermal paper provider can only be one used by Turkish airlines. There’s no way another country, like the USA or France, would use this provider instead of their local providers!
Back to our main investigation, let’s focus on the person with the boarding card. Since we have his full name and we know he is originally from Israel, I decided to do some OSINT on him!
As you know, nothing is better than social media to learn about people’s lifestyles.
The person with the passport and the boarding card did indeed travel to Turkey in 2022, and he shared this picture on his Instagram profile.

Since the date on this picture is June 10, 2022, and the one on the boarding card is 21.2.2022, we can assume that this person bought his ticket 5 months before the trip! If we look at his birthday, we can see it’s in June, so maybe he wanted to spend his birthday in Turkey.
Another proof that this leak comes from an airport in Turkey is this picture of another person from Palestine, but with a paper containing Turkish words.

At this moment, we are sure that this leak is coming from a Turkish airport, but unfortunately, we aren’t able to determine exactly which one. Honestly, I don’t want to dig more :’)
To the curious people who may ask who is behind this leak, this could be a subject for another investigation. From what we have now, there is a small indicator that the threat actor is from Russia. You can see the little words in one of the pictures he provided: ‘Выделено 1.000 объектов (872,9 МБ)’, which means ‘1,000 items selected (872.9 MB)’.

As I always say, this is not something you should believe as 100% confirmed. This was only a simple investigation done out of curiosity, using free resources and without touching any organization’s assets.
Special thanks to ZeroMemoryEx, 0xPwny, and C3poDay.






