Ah, youth. Ready to take on the world, today's generation of dynamic, tech-immersed youngsters have grown up alongside the Internet. Firsthand, and sometimes single-handedly, they have advanced some of today's hottest technology trends, from peer-to-peer networking, to massively multiplayer online games, to social networks and instant messaging. And along the way, a small, sociopathic number of them have behaved very, very badly.
[ For further tales of bone-headed cyberschnookery, see the original "Stupid hacker tricks" story ]
Even the very definition of poor online behavior has been advanced by these cyberschnooks. Armed with broadband and lots of unsupervised free time in front of the computer, shielded by the relative anonymity of the Web, they've managed to transform themselves from Those Neighborhood Kids Who Set Fires and Torture Small Animals into international menaces who destroy online communities, damage the reputation and utility of online services, and steal anything worth taking from the Net -- all while mangling the English language as thoroughly as possible.
Fortunately for the rest of us, while using the Net's multiplier effect to their nefarious benefit, most are as sloppy and egotistical as we've come to expect from the young and delinquent, leaving a bread-crumb trail a mile wide for authorities to follow. And when they cross the line, as many of these tech-savvy Nelson Muntzes eventually do, it's with more than a little schadenfreude that white-hat vigilantes posse up to take them down.
It is to these ne'er-do-wells that this latest installment of "Stupid hacker tricks" is dedicated. Call it Portrait of the Stupid Hacker as a Young Man.
[ Stupid juvy hacker trick No. 1: You got Rbot in Mytob, you Zlob ]
You got Rbot in Mytob, you Zlob
Farid "Diab10" Essebar
Currently a guest of the Moroccan prison system. His prison sentence is scheduled to end later this year.
In 2005, at the ripe old age of 18, Farid Essebar probably thought he was untouchable. Working with accomplices in his home country of Morocco and in Turkey, the Russian-born Essebar wrote and distributed the Mytob, Rbot, and Zotob botnet Trojans. The malware infected thousands of computers at large corporations, U.S. government departments, and media companies and was built to log keystrokes and steal financial and personal data.
Among the targets reported to have major outbreaks on Aug. 15, 2005, were Daimler Chrysler, ABC News, CNN, The New York Times, the U.S. Senate, the Centers for Disease Control and Prevention, and Immigration and Customs Enforcement. Affected computers typically got into a cycle where they rebooted constantly, spread the malware to other computers on the network, then provided remote access to infected computers to a bot herder. The Zotob variant spread rapidly, taking advantage of unpatched Windows computers using a vulnerability disclosed only days earlier.
Essebar also fell prey to the braggadocio bug, a common ailment. When University of Pennsylvania security researcher David Taylor deliberately infected a computer with Zotob, and stumbled into one of Essebar's botnet IRC channels, he struck up a conversation with him. Surprisingly, Essebar responded, gloating that he earned substantial sums using his bot to install adware on infected computers.
But within seven days, the FBI, working in concert with local law enforcement and Microsoft employees, sent teams of computer experts to Rabat, Morocco, and Ankara, Turkey. On Aug. 25, less than two weeks after the outbreak began, authorities arrested Essebar, as well as then-20-year-old Achraf Bahloul in Rabat. The team in Ankara paid a visit to, and arrested, then-21-year-old Atilla "Coder" Ekici, alleging that he paid Essebar to write the Zotob variant. A bit more than a year after the initial arrest, Moroccan authorities convicted Essebar of illegal access to computer systems, theft, credit card fraud, and conspiracy, and sentenced him to two years in prison.
Authorities were able to clearly identify Essebar as the author of the worm; not only had he signed it with the words "by Diabl0" buried in the source code, but he'd written the worm using Microsoft's Visual Studio, which embeds information about the computer on which the code is written into the compiled program -- in this case, the directory path "C:\Documents and Settings\Farid." D'oh!
When Moroccan cops seized his computer, Essebar had formatted the hard drive. Forensic specialists helped recover the source code, which had not been completely wiped clean from the drive. In contrast, Turkish authorities had a more difficult time establishing evidence against Ekici because he'd physically removed and thrown out his hard drive days earlier.
If you don't want to draw attention to yourself, avoid targeting major media organizations with your poorly designed malware attacks. Always throw out your hard drive that contains all the source code and evidence of your criminal malware creations before the cops arrive. Name your account on your malware creation computer something innocuous, like "user." Also, neither Turkish nor Moroccan prisons are places you want to be. Ever.
[ Stupid juvy hacker home | Stupid juvy hacker trick No. 2: When the DDoS ain't stoppin' expect the cops to come knockin' ]
When the DDoS ain't stoppin' expect the cops to come knockin'
Ivan Maksakov, Alexander Petrov, and Denis Stepanov
All three are guests of the Russian penal system, sentenced to eight years at hard labor and a 100,000 ruble fine
Looking to make a little extra money while at college in 2003, Ivan Maksakov, then 22, devised an inventive, entrepreneurial scheme that probably sounded good at the time: He created a botnet to engage in DDoS (distributed denial-of-service) attacks and then blackmailed online gambling sites based in the U.K., threatening to take the sites down during major sporting events.
[ Don't think you're a security sieve? Prove it by mastering our Security IQ test ]
However, Maksakov -- a student at the Balakov Institute of Engineering, Technology, and Management -- couldn't anticipate that the Russian government, looking to demonstrate its resolve in dealing with cybercriminals, would make an example of him.
The botnet, based in Houston, was directed to launch DDoS attacks against the U.K.-based bookmaking Web sites and online casinos only if Maksakov's demands weren't met. According to Russian news reports, Maksakov, along with co-conspirators Alexander Petrov and Denis Stepanov, attacked nine Web sites from the fall of 2003 until spring 2004. The sites were initially attacked for a short time, before a ransom demand was e-mailed.
In one example, the attacks crippled a site run by Canbet Sports Bookmakers during the Breeders' Cup horse races, costing the firm $200,000 for each day it was offline. But even when the firm paid a $40,000 ransom to a Western Union account in Riga, Latvia, the attacks continued.
Authorities allege that the attacks for which the trio were convicted cost the U.K.-based Web site operators upward of $4 million, not including an additional $80 million the companies paid out for additional bandwidth and security hardware designed to thwart DDoS attacks. Charges weren't filed for 54 similar attacks the group is alleged to have engaged in, affecting companies in 30 other countries.
Britain's intelligence services tracked the IP address used to send commands to the botnet to Maksakov's home computer. When the British government provided the information to the Russian Federation's Interior Ministry, the three were arrested. Authorities say at least 13 others who have not been arrested were involved in the scheme, including 10 people working as "money mules" in Riga, two other cyberattackers in Kazakhstan, and one more in Russia.
Russia's a terrible place to base your operations for a criminal enterprise, unless you like taking long vacations in Siberia. Kazakhstan and Latvia seem to be much more agreeable. Also, if someone sends you 40 large, don't wait: Turn off the damn DDoS before MI-5 gets involved.
Punked over a prank
Currently employed as a software engineer with a medical data company.
One of the hottest technology topics of 2003 was how election systems were vulnerable. With the first presidential election since the Bush v. Gore fiasco coming up the following year, technologists were up in arms about the unreliability and untrustworthiness of electronic balloting systems, and were eager to prove their point.
[ Learn how to guard your network against social engineering hacks by thinking like an online con-artist ]
Enter Shawn Nematbakhsh, computer science undergraduate at the University of California, Riverside. Was he eager -- perhaps a bit too eager -- to make a point about the electronic balloting system that the university employed to hold student council elections, when he cast 800 votes for a fictitious candidate named American Ninja? Sadly, no.
"I really wasn't making any point at all," Nematbakhsh admits, debunking news reports to the contrary. "It was a senior prank, a silly thing."
The student council elections were held over the Web. Students could log in to a special page and cast their ballots for student council members and student body president. Unfortunately, the election system suffered from a serious internal weakness: "There was some input that was not bounds-checked, so using certain input you could vote as anyone," Nematbakhsh explains. "I wrote a script that would log in, cast a vote, log out, then log in again, cast another vote, and so on."
But seriously, American Ninja? "That year I remember watching that really stupid movie and talking about it with my friends, and it was the first thing that came [to mind]," he said.
Nematbakhsh says the jig was up when campus police called him in to discuss the incident. He'd told some friends about the vulnerability he had discovered in the voting system, and his name had eventually surfaced in the investigation. When asked, Nematbakhsh immediately admitted his involvement in the prank.
"I confessed to doing it, thinking it wasn't such a big deal. I thought they might fine me, or suspend me for a quarter or something," he says. That did happen, but a month later, he also faced criminal charges that could have landed him prison time.
In the end, he arranged a deal to accept a misdemeanor charge. His sentence: "I had to pick up trash on the weekends for three or four months, and pay back the cost of the election -- a couple thousand dollars."
"Getting caught was kind of a wake-up call, that the Internet was not some kind of playground and I couldn't do what I wanted to all the time. I had to obey the law. The prank was not well received by a lot of people at the school."
Nematbakhsh's advice to potential election pranksters: "Things like that seem funny when you're doing them, but when you get caught, it's not much fun. I'd caution against silly pranks like the one I did."
The worst paid cybercriminal in federal prison
Moore is currently a guest of the federal prison system and will remain so until 2009.
As one of the oldest members of this youthful brigade of miscreants, Robert Moore, 23, was involved in crimes that caused among the greatest financial losses to his victims of anyone featured in this rogue roundup -- though he didn't reap many financial rewards himself.
[ Prove your tech chops by acing our fun-filled IT IQ test ]
Federal agents claim in court papers that Moore, and the ringleader of the scheme Edwin Pena, defrauded at least 15 VoIP phone companies to the tune of more than $300,000 each in broadband service charges by hacking into the VoIP companies' networks and then reselling stolen phone call minutes at a deep discount.
Pena, who lacked the technical skills to pull off the scam alone, recruited Moore to do his hacker thing, which he accomplished with aplomb. But while Moore did manage to pull off the scam for nearly two years before getting caught, his success wasn't due to any superior hacking skills on his part.
In an interview Moore gave just before his incarceration began, he explained that his job was made all the easier by system administrators who never changed the passwords on their Cisco routers and Quintum Tenor VoIP gateways from the default factory settings. Moore threw together an application that scanned IP address ranges for vulnerable boxes and then used those routers to send the call traffic through the busiest hacked networks, which masked the large amounts of data.
Pena made well over $1 million reselling the more than 10 million stolen minutes; Moore was reported to have been paid just $20,000 by Pena for his part in the scheme. With his ill-gotten proceeds, Pena bought houses in six states, luxury cars (including two BMWs and a Cadillac Escalade), and a 40-foot Sea Ray MerCruiser yacht. Moore reportedly is more annoyed that he cannot use a computer than the fact that he was sentenced to two years in federal pokey.
"It's so easy, a caveman can do it," Moore said in the interview. Cavemen were reportedly pissed at, once again, being presented in a negative light by a guy who himself got shafted -- twice -- by his partner in crime.
Moore ended up surrendering when federal agents showed up at his door. When Pena was arrested, the mother of Pena's girlfriend put up two of her properties as collateral on Pena's bail; once out of jail, Pena promptly fled the country and is believed to be in Venezuela, leaving everyone high and dry.
If your partner in your massive criminal enterprise is making 50 times what you're making, but you're both sharing an equal risk of prosecution, look for a better-paying job in another criminal enterprise. Also, if you're the mastermind's girlfriend (or her mom), and you've paid for his bail with your house, for the love of god hide his passport.
[ Stupid juvy hacker home | Stupid juvy hacker trick No. 5: Tweener virtual worlds: Training grounds for tomorrow's cyberschnooks ]
Tweener virtual worlds: Training grounds for tomorrow's cyberschnooks
Scared straight (or so we hope)
If you need proof that youth and innocence don't necessarily go together, you need look no further than the woeful tale of a 13-year-old sociopathic script kiddie who, for reasons of privacy, we'll refer to only by his "handle," Helgi B.
[ Find out where hackers, crackers, and phishers rank on our Top 10 reasons to be paranoid ]
Helgi B has already learned the fine art of theft of online account information through social engineering. While even moderately sophisticated adults can easily see through his clumsily crafted scams, impressionable kids have already fallen victim. His target: Habbo Hotel game account information.
If you're not a Western European middle-schooler who plays online games, then you probably don't know that Habbo Hotel is an incredibly popular online environment, a kind of blocky, pixelated, isometric Second Life designed for Euro tweens. It's not so much a game as a hangout spot, one where you can have your own "room" and decorate it with furniture (or, in Habbo lingo, "furni") you buy using the in-game currency, "coins," which you obtain using real money through Habbo Hotel's online shopping page.
Helgi B's scam is to connive other Habbo players into giving him their account information, or paying him for dodgy "hacking" programs or for what he claims are discounted coins in bulk, at impossibly low prices. Of course, anyone with your account details can log in to your account and transfer your coins or furni to an accomplice, just as if someone with your bank account information logged in and transferred your entire balance to an untraceable account in Hackistan.
When security researcher Chris "Paperghost" Boyd began digging into Helgi B's online shenanigans, he had no idea where it would lead: YouTube videos demonstrating so-called game-hacking tools; downloadable phishing kits; archives full of stolen passwords and commercial software license keys; remote access Trojans he claims to have created; and worst of all, forum posts where he brags about his 1337 h4x0r skilz.
"When did we become so jaded that we didn't just tolerate anonymous punks hacking us but gave a green light to 13-year-olds screwing us over and doing it in full view?" Boyd writes on his blog at Vitalsecurity.org. "Sigh. These kids are openly and wantonly peddling their leet hacking tools across all manner of websites -- worse, they don't even bother to do it anonymously anymore."
So Boyd took it to the next level: He began, as he describes it, "14+ solid hours of non-stop beatdowns" on all of Helgi B's Web sites that peddle illegal goods. One after another, Boyd contacted the various Web hosting providers and ISPs where Helgi had set up shop, providing them with documentary evidence, including screenshots, detailing the broad scope of illegal activities the forum was engaging in.
The only glitch: One of the service providers hosting Helgi B's stolen-passwords/license-keys forum seems reluctant to take down the site. It goes down for an hour or two and then comes back online. Four days later, the Web host finally pulls the plug permanently -- but only after Boyd threatens to report the hosting company to law enforcement.
Just because you may not have reached puberty doesn't mean you can't be arrested and prosecuted for cybercrimes. It just means your parents might go to jail also/instead, or have to pay a huge fine, and then who's going to drive you to band practice or soccer games? Remember: Going to jail is like being grounded ... in a jail cell. And for you Web hosts out there: Getting another $5 or $10 from some message board operator isn't worth having your head-end ISP pull the plug on you for violating their terms of service, so turn off those illegal sites when someone reports them. Fast.
Andrew Brandt loves doing play-by-play of a good cybercriminal beatdown when he's not terminating malware with extreme prejudice at his day job.
Stupid hacker tricks
Looking to enter a life of cybercrime? Beware the boneheaded miscues of these infamous cyberschnooks
How to think like an online con artist
An enterprise is only as secure as the weakest human link. Here's how to use social engineering to test security defenses
More stupider user tricks: IT horror stories redux
Idiot-proof your enterprise with these 10 hard-luck lessons of boneheaded IT miscues
Stupid user tricks: Eleven IT horror stories
A long-suffering consultant and InfoWorld contributor recounts his tales of user catastrophe and lessons learned -- and shares astounding stories from readers, too
Top 10 reasons to be paranoid
Every bit of your virtual existence is being monitored -- get scared accordingly
The 7 dirtiest jobs in IT
Somebody's got to do them -- and hopefully that somebody isn't you
Test your geek IQ
If you truly want to know how smart you are when it counts, then InfoWorld's Geek IQ test is the puzzler for you
Test your network security IQ
So you think you know something about security? Not so fast, smart guy. We've got a hunch you might not know as much as you think