• United States



Destroy somebody’s life for just $20 per month

Aug 15, 20074 mins
Data and Information Security

I was just interviewed by a local news station about a story they were doing on daring hackers that have started advertising their abilities to destroy a person’s life for as little as $20 per month. Apparently the deal goes something like this: you make a deal with a hacker to destroy somebody’s life by signing them up online and the hacker will ensure the target can’t get a good job, can’t apply for credit cards, will be denied for loans, etc.

The interviewer wanted to know if I thought that this was really happening or if it was some kind of joke and was really that easy. I’m not in the revenge business myself, but I suspect that this is a great way for the hacker to get a little extra money for something they do anyway. Last time I checked, the going rate on the black for a “full identity” (enough information to become another person) is up to $5 in some countries. If we apply the supply and demand model that seems to mean there is a wealth of supply but lagging demand.

When an attacker steals somebody’s identity, credit card number, or other information the first thing they’ll try to do is to start a line of credit and run the bill as high as they can – a quick smash and grab type operation. This entrepreneurially minded hacker realized that he could keep doing what he’s doing, have other people hand him targets, and get paid for taking them! Sounds like a win-win situation to me.

As for the second question (it being so easy that they can do it for $20 per month.) My response is that it depends. $20 per month seems like fair compensation to a hacker that is doing this anyway. One thing that I do find interesting is that it’s a subscription model, this shows the hacker must return to the scene monthly to determine if the target’s life is still truly ruined. I wonder what the measure for such a thing would be.

Since we inadvertently leave trails of our personal data all over the internet, becoming the target for a hacker may be easier than you think. An attacker may sniff the wires or dig through caches of data left on routers if the target fails to notice the little SSL lock every time they send sensitive information over the internet. The attacker may also target less secured websites that fail to protect their users’ information properly.

What can we do as an industry to mitigate these types of risks for our users? First we need to treat sensitive information like the beast that it is – truly sensitive. Be very careful to encrypt, hash, or otherwise make sensitive information unusable to hackers. Make sure that applications are being developed with security in mind and that these systems have been properly threat modeled so you won’t be caught with your proverbial pants down. Make it clear to your users that you will never ask them for personal information outside of a properly encrypted channel such as SSL or an equivalent for your technology.

What can we do as individuals to protect ourselves? Don’t send your personal information to companies where their reputation is questionable. Be very careful to look for that SSL lock whenever you are sending that information over the wire. Finally try not to get on anybody’s bad side – you never know when the revenge hacker may strike (and I can guarantee it’ll cost more than $20 per month to clear your credit history after this guy gets done.)

–Joe Basirico

Joe Basirico - Security Analyst Joe studies security and develops tools that assist in the discovery of security vulnerabilities and general application problems. His primary responsibility at Security Innovation is to deliver security courses to software teams in need of application security expertise. He has trained developers and testers from numerous world-class organizations, including Microsoft, HP, EMC, Symantec and Joe is also responsible for participating in customer security process assessments as well as security engineering activities such as security design reviews, security code reviews, and security testing and security deployment reviews. Joe holds a B.S in Computer Science from Montana State University. John Carmichael - Security Researcher John leverages his strong lab development, programming and security process skills to deliver factual and useful training courses to testers and developers. John is a skilled software and Web developer with deep expertise in several different languages and environments. He has made many contributions to the open source software community by developing an open source structured drawing tool implemented in Python, testing several release candidates of the Sarge installer for the Debian Linux distribution, and writing a soon to be released Windows OS crash analyzer product. John has a B.S. in Computer Science and Business Administration from the University of Vermont and is currently working toward an M.S. in Computer Information System Security from Boston University.