Hackers On Demand

In 2013, a pair of private investigators in the Bay Area embarked on a fairly run-of-the-mill case surrounding poached employees. But according to a federal indictment unsealed in February, their tactics sounded less like California noir and more like sci-fi: To spy on the clients' adversaries, prosecutors say, they hired a pair of hackers.
Nathan Moser and Peter Siragusa were working on behalf of Internet marketing company ViSalus to investigate a competitor, which ViSalus had sued for poaching some of its former employees. Next, the government alleges, Moser and Siragusa—a retired, 29-year veteran of the San Francisco police department—recruited two hackers to break into the email and Skype accounts of the competing firm. To cover their tracks, they communicated by leaving messages in the draft folder of the Gmail account "krowten.a.lortnoc"—"control a network" in reverse, according to the indictment.
A posting by a person searching for exploits and using the email address of accused hacker Sumit Gupta.

Federal prosecutors did not specify how the defendants found their hackers, but an email address apparently belonging to one of the hackers, Sumit Gupta of Jabalpur, India, was also used last year on the freelancer message board WorkingBase by someone seeking software that could compromise computers running Windows and Microsoft Office. The poster, who was offering $250 to $750, wrote, "Code should be FUD," meaning fully undetectable, "and fully working. Looking a cheap cost."
Clients span from executives hoping to gain an edge over their competitors to spurned lovers hoping to spy on their exes.
The California case sheds light on a burgeoning cybercrime market, where freelance hackers, both on public forums and in black markets, cater to everyone from cheating students and jealous boyfriends to law firms and executives, according to Jeffrey Carr, president of Seattle-based security firm Taia Global. He calls the industry "espionage as a service."
While it is difficult to verify the legitimacy or the quality of the hacker postings on a half-dozen online exchanges that Fast Company examined, some sites boast eBay-like feedback mechanisms that let users vouch for reliable sellers and warn each other of scams. Carr describes a range of expertise, from amateur teenagers wielding off-the-shelf spyware who may charge up to $300 for a single operation, to sophisticated industrial espionage services that make tens of thousands of dollars or more smuggling intellectual property across international lines. "The threat landscape is very complex," he says. "A hacker group will sell to whoever wants to pay."
At Hackers List, for instance, hackers bid on projects in a manner similar to other contract-work marketplaces like Elance. Those in the market for hackers can post jobs for free, or pay extra to have their listings displayed more prominently. Hackers generally pay a $3 fee to bid on projects, and users are also charged for sending messages. The site provides an escrow mechanism to ensure vendors get paid only when the hacking's done.
While Hackers List says it's intended only for "legal and ethical use" like recovering lost passwords, it boasts about a dozen job listings a day, in some cases to anyone capable of hacking into private websites, social media accounts, and online games.
On Hackers List, customers search for exploits and hackers.

In a report released in March, Europol, the European Union's law enforcement arm, predicts online networking sites and anonymous cash-transfer mechanisms like cryptocurrencies will continue to contribute to the growth of "crime as a service" and to criminals who "work on a freelance basis . . . facilitated by social networking online with its ability to provide a relatively secure environment to easily and anonymously communicate."
The environment isn't always secure. Earlier this month, one security sleuth unmasked the apparent owner of Hackers List as Charles Tendell, a Denver-based security expert. Soon after, Stanford legal scholar Jonathan Mayer crawled the site's data, revealing the identities of thousands of the site's visitors and their requests for hacks.
Mayer found only 21 satisfied requests, including "i need hack account facebook of my girlfriend," completed for $90 in January, "need access to a g mail account," finished for $350 in February, and "I need [a database hacked] because I need it for doxing," done for $350 in April. A majority of requests on the service involve compromising Facebook (expressly referenced in 23% of projects) and Google (14%), and are sparked by a business dispute, jilted romance, or the desire to artificially improve grades, with targets including the University of California, UConn, and the City College of New York.
While most requests "are unsophisticated and unlawful, very few deals are actually struck, and most completed projects appear to be criminal," Mayer wrote on his blog, the requests were a "fair cross-section of the hacks that ordinary Internet users might seek out." Still, he wrote, Hackers List "certainly isn't representative of the market for high-end, bespoke attacks."
Whatever the software or however expert the hackers, the basic methods of intrusion are often the same: the age-old technique of tricking a target into installing malware by opening an email attachment or a malicious website. "It's like we still use gasoline in gasoline-driven engines," says Carr, "'cause it just works."

A Silk Road For Hackers

On the message board site HackForums.net, users openly post ads offering to hack into computers and online accounts, knock servers offline with denial-of-service attacks, and track down strangers' personal information, all for a fee. Hackers are ranked through a rating system, and high-reputation users even offer "middleman" services, holding cryptocurrency payments in escrow until sellers deliver what they've promised.
"I will Hunt someone for you and get you all the informations of the person. ( emails, IMs, Social accounts, location, phone number, Home address etc)," says one post on the site, which is registered in the Cayman Islands. "I will hack someone for you and get you all the files, key logs, webcam videos, anything from his system. on your need, i can transfer them on your rat/botnet, so you can play with him." A RAT is a remote administration trojan: a piece of software that, once surreptitiously installed on your target's computer, tablet, or phone, allows you to read files, intercept keystrokes, and generally take control of the machine's operations.
One forum user named Hax0r818 said in a Skype chat that his service, which mentors neophyte RAT users, has had about 300 customers in roughly a year. "I just help them get started because R.A.T.s are not for hacking they were made for parents to check what there children are looking on the net," he wrote. "I dont aks them anything I dont because I don't care I just give them a warning that using R.A.T.s for iligal purpeses can get them to jail and I let them agree to my Terms."
Hax0r818, who would say only that he is under 21 and based in Australia, charges $5 a month in exchange for training RAT novices in using the tools and providing a testbed virtual machine for them to practice on.
In addition to websites accessible through the web, a dozen deep web markets (with names like Hell, Agora, Outlaw, and Nucleus, and only reachable through the Tor browser) offer menus of RATs and other hacking software and services, with transactions conducted in Bitcoin.
"Hacking and social engineering is my business since i was 16 years old, never had a real job so i had the time to get really good at hacking and i made a good amount of money last +-20 years," writes the owner of Hacker for Hire, a dark web site that charges 200 euros for small jobs and up to 500 euros for larger ones, including "ruining people, espionage, website hacking." "I have worked for other people before, now im also offering my services for everyone with enough cash here."
Typical prices for RATs—with names like darkcomet, cybergate, predator pain, and Dark DDoser—range from $20 to $50, according to a December Dell SecureWorks report. This represents a significant drop from the previous year, when the tools typically sold for between $50 and $250. (The price drop may have resulted from the recent leak of some RATs' source code.) The price for hacking into a website has also dropped, from a high of $300 to $200, according to the Dell report.
Prices of hacking services online.
