InfoWorld
Stupid hacker tricks, part two: The folly of youth

Tech-savvy delinquents set the Net aflame with boneheaded exploits that earn them the wrong kind of fame


Tweener virtual worlds: Training grounds for tomorrow's cyberschnooks
Perp: "Helgi B"

Status: Scared straight (or so we hope)

Dossier
If you need proof that youth and innocence don't necessarily go together, you need look no further than the woeful tale of a 13-year-old sociopathic script kiddie who, for reasons of privacy, we'll refer to only by his "handle," Helgi B.

Helgi B has already learned the fine art of theft of online account information through social engineering. While even moderately sophisticated adults can easily see through his clumsily crafted scams, impressionable kids have already fallen victim. His target: Habbo Hotel game account information.

If you're not a Western European middle-schooler who plays online games, then you probably don't know that Habbo Hotel is an incredibly popular online environment, a kind of blocky, pixelated, isometric Second Life designed for Euro tweens. It's not so much a game as a hangout spot, one where you can have your own "room" and decorate it with furniture (or, in Habbo lingo, "furni") you buy using the in-game currency, "coins," which you obtain using real money through Habbo Hotel's online shopping page.

Helgi B's scam is to con other Habbo players into giving him their account information, or into paying him for dodgy "hacking" programs or for what he claims are discounted coins in bulk, at impossibly low prices. Of course, anyone with your account details can log in to your account and transfer your coins or furni to an accomplice, just as if someone with your bank account information logged in and transferred your entire balance to an untraceable account in Hackistan.

When security researcher Chris "Paperghost" Boyd began digging into Helgi B's online shenanigans, he had no idea where it would lead: YouTube videos demonstrating so-called game-hacking tools; downloadable phishing kits; archives full of stolen passwords and commercial software license keys; remote access Trojans Helgi B claims to have created; and worst of all, forum posts where Helgi B brags about his 1337 h4x0r skilz.

"When did we become so jaded that we didn't just tolerate anonymous punks hacking us but gave a green light to 13-year-olds screwing us over and doing it in full view?" Boyd writes on his blog at Vitalsecurity.org. "Sigh. These kids are openly and wantonly peddling their leet hacking tools across all manner of websites -- worse, they don't even bother to do it anonymously anymore."

So Boyd took it to the next level: He began, as he describes it, "14+ solid hours of non-stop beatdowns" on all of Helgi B's Web sites that peddle illegal goods. One after another, Boyd contacted the various Web hosting providers and ISPs where Helgi had set up shop, providing them with documentary evidence, including screenshots, detailing the broad scope of illegal activities the forum was engaging in.

The only glitch: One of the service providers hosting Helgi B's stolen-passwords/license-keys forum seems reluctant to take down the site. It goes down for an hour or two and then comes back online. Four days later, the Web host finally pulls the plug permanently -- but only after Boyd threatens to report the hosting company to law enforcement.

Lessons learned
Just because you may not have reached puberty doesn't mean you can't be arrested and prosecuted for cybercrimes. It just means your parents might go to jail also/instead, or have to pay a huge fine, and then who's going to drive you to band practice or soccer games? Remember: Going to jail is like being grounded ... in a jail cell. And for you Web hosts out there: Getting another $5 or $10 from some message board operator isn't worth having your head-end ISP pull the plug on you for violating their terms of service, so turn off those illegal sites when someone reports them. Fast.

Andrew Brandt loves doing play-by-play of a good cybercriminal beatdown when he's not terminating malware with extreme prejudice at his day job.

Andrew Brandt writes about computer security when he's not analyzing malware at his day job.