Interview With A Blackhat (Part 1)

127 Replies

[This interview openly discusses criminal activities from the perspective of an admitted criminal. You may find this content distressing, even offensive, but what is described in this interview is real. We know from personal experience is that these activities are happening on websites everywhere, everyday, and perhaps even on your websites. WhiteHat Security brings this information to light for the sole purpose of assisting those who want to protect themselves on their online business.]

Over the last few years, I have made myself available to be an ear for the ‘blackhat community.’ The blackhat community, often referred to as the internet underground, is a label describing those participating on the other side of the [cyber] law, who willingly break online terms of service and software licensing agreements, who may trade in warez, exploits, botnets, credit card numbers, social security numbers, stolen account credentials, and so on. For these individuals, or groups of them, there is often a profit motive, but certainly not always.

Most of the time, the people I speak with in the information security industry understand the usefulness of engaging in dialog with the underground — even if it’s not something they feel comfortable doing themselves. However, I occasionally get questioned as to the rationale — the implication being that if you play with pigs you start to stink. People sometimes even begin to insinuate that one must be bad to know bad people. I think it is incredibly important for security experts to have open dialogues with the blackhat community. It’s not at all dissimilar to police officers talking with drug dealers on a regular basis as part of their job: if you don’t know your adversary you are almost certainly doomed to failure.

One ‘blackhat,’ who asked to be called Adam, that I have spoken to a lot has recently said he’s decided to go legit. During this life-changing transition, he offered to give an interview so that the rest of the security community could learn from his point of view. Not every blackhat wants to talk, for obvious reasons, so this is a rare opportunity to see the world through his eyes, even if we’re unable to verify any of the claims made.

Hopefully by learning how Adam and other blackhats like him think, how they communicate, people can devise better solutions, abandon failed technologies, and fix the most glaring issues. Maybe people reading this can find more effective punishments to deter the criminal behavior before it happens, or ruin the incentives, disable the markets, or find ways to keep people from the allure of criminal activity in the first place. A great deal can be unearthed by examining Adam’s words and those of other blackhats like him. Or maybe we can entice some of them, like this individual, to leave the blackhat life behind completely.

Adam’s interview took place over a few days, and required a lot of back and forth. Due to the way in which this interview had to take place, a lot of editing was required to make it readable, but primarily to spelling, capitalization and punctuation. In every meaningful sense, these are Adam’s unaltered words.

(Note that when Adam refers to “whitehats,” he is referring to legitimate hackers in general, and that this should not be confused with WhiteHat Security the business.)

This is the first of our three-part interview. The next post will be tomorrow.

Q: Can you describe what you think your hacking/security related skills are?

A: My personal expertise and area of knowledge is in social engineering. I think it is pretty obvious I’m a blackhat, so I social engineer to card. Another area of “hacking” (I use the ” as DDoS isn’t really hacking) is botnet building and takedown orders. This is where most money in my opinion is made — where one day can bring in several thousand dollars. The whole blackhat market has moved from manual spreading to fully automated software.

In addition, many sites are targeted in malware/info leaks by using some really common and easy methods. These include SQLi, basic and advanced XSS, CSRF, and DNS cache poisoning. Although SQLi is still a big player, XSS has taken over the market. I estimate about 50-60% of the attacks my crew did last year (Jan 1st-Jan 1st) were XSS. I also learned several programming languages — Python, Perl, C, C++, C#, Ruby, SQL, PHP, ASP, just to name a few.

Q: Can you describe the first time you remember deliberately breaking a computer-related law? Why did you do it and how did you justify it?

A: Hmmmmm. That was many years ago. The first time I remember was when I was in school (aged about 14). The admins were pretty good at security (for school admins, bear in mind). I was in the library one day and I knew that the admins had remote access to every PC. I also knew the librarian did. The library just so happened to be the place where they marked our exam papers and entered the grades. I was never the genius at school but I was getting mediocre grades. What if I could get ‘A’s and ‘A+’s and not do half the work? So I started to read around. I eventually came across keyloggers.

It seemed strange and amazing that a program I could make (with a little research) could get me the top grades. So I did it. I installed the keylogger onto the librarian’s PC and then used the remote administration program to download the file onto the other PCs. I was suspended for two weeks.

Q: Where did you learn the bulk of your skills?

A: Books, Google, and the people I began speaking with on irc/forums. Unlike today’s 1337 haxorz (lol) we all shared, spoke, and helped each other. There wasn’t a sense of being mocked because you didn’t know.

Q: What attracted you to the blackhat way of life?

A: Money. I found it funny how watching tv and typing on my laptop would earn me a hard worker’s monthly wage in a few hours. [It was] too easy in fact.

Q: Can you recall a tipping point at which you started considering yourself a blackhat? What was the nature of the event?

A: It’s difficult really. I and the guys/girls I hung with never called ourselves blackhats, I don’t know, it was just too James Bond like. We just saw ourselves as people who found a way to make money. We didn’t care about what category we were in. It was just easy and funny. Although saying that, I first realized I might be branded a blackhat when my “real life” friend became a victim of credit card fraud. That’s when I realized my actions had real victims and not just numbers that were worth money.

Q: How many machines do you think you directly controlled at the peak of your botnet activity?

A: Erm, depends. I had two separate botnets (although some bots cross over). The DDoS botnet contained the bots which were public computers or computers that were in offices. [There were] two reasons I did that.

Either: 1. they are on for the majority of the day and have good connection speeds or 2. people weren’t stupid enough to do their banking on them (if you were I’d let a script kiddy have it). :) Then there was my carding botnet, definitely the most valuable. These were PCs of banks, estate agents, supermarkets and obviously home PCs. I preferred to target PCs where an employee would enter customer data, i.e. banks (yes banks are super easy to bot). This gave me a constant supply of credit cards and a never-ending amount of spam ammo. DDoS botnet has about 60-70k bots at the moment, most in the west. Carding botnet had a lot less at around 5-10k, most in Asia. 570k is the biggest I’ve controlled.

Q: How much money do you think you made after expenses per year at your peak doing blackhat activities?

A: I can’t really go into specifics but when 9/11 happened we were making millions.

Q: And how much do you think you made last year?

A: Off the top of my head? Around about 400-500k. Last year was kind of shit. People became wiser, patches became more frequent. This year we have 3/4 of that amount already.

Q: When you started, did you have a goal in mind to make a certain amount of money or achieve a certain goal?

A: I get asked this a lot by new people on the forums. I never set myself goals until probably in the last 4 years. I started it out just for easy laughs, bragging rights (lol) and easy, very easy money.

Q: Can you describe the process that you use to make money with your botnet?

A: Making money with a botnet is easier than brushing your teeth, especially if you’re in the automated industry. Any crew has several members. The bot master, researcher, reverse engineer, spreader, social engineer, sales man and fudder*. The people who sell 0-days are solely selling 0-days half the time. The buyers are bot masters without a crew.

Our crew developed a tool that checks the bot’s cache for Facebook/twitter accounts then checks their Facebook interests (e.g. justin bieber), then age, name, location. So for example bot no. 2 is signed into Facebook. The account likes Justin Bieber, aged 14, female, and lives in America (important to get correct language). Then automatically it selects a pre made list of links and for example would choose the ‘Justin bieber sex tape video’. Using zero days to compromise a website, then insert an iframe is kinda old, boring and sometimes doesn’t bring in the best results — unless of course you’re hijacking a high Alexa rating; then it’s worth it.

Combining 0-days to deface the website and then a 0-day in e.g. java to hijack with a drive by is a lot more effective than tracking the user into downloading a file. What a lot of people don’t realize is that emails easily available on their Facebook profile can be sold for spam. Again, this makes more money automatically.

* A fudder can be a tool that binds to a virus and makes it more difficult for antivirus to detect, or a person specializing in such a tool.

Q: How easy is it for you to compromise a website and take control over it?

A: For beginners you can simply Google inurl:money.php?id= — go ahead try it. But most of them will be cancelled or dried up. So, now you target bigger websites. I like to watch the news; especially the financial side of it. Say if a target just started up and it suddenly sky rocketed in online sales that’ll become a target. Most of these websites have admins behind them who have no practical experience of being the bad guy and how the bad guys think. This leaves them hugely vulnerable. They patch SQL but choose a DNS that is vulnerable to DNS cache poisoning. You can break in and be gone within an hour.

Q: How easy is it for you to take over the ownership of an account via whois information or other publicly available information?

A: Whois used to be crucial to gaining information. Now people spew it on Facebook, twitter, etc. Companies like Amazon only require name, address and email on the account to add another credit card. You then hang up. Ring the password reset department and tell them as verification the name, address, email and the credit card number you just added (it doesn’t even have to work (lol), just use fakenamegenerator.com) and then you are in. You can now see the ‘legit’ credit card’s last 4 digits. Now you can get an email password reset and you’re in. Amazon says they patched this two years ago but I use this method all the time. Seriously Amazon, train your staff.

Q: What is your favorite kind of website to compromise? Or are your hack attempts entirely untargeted? What are the easiest sites to monetize?

A: Most of the time un-targeted but once a company (which I won’t name) pissed me off for not giving me discount in a sale so we leaked every single credit card number online. One type of company I love to target is Internet security, i.e. anti virus companies.

There is nothing better than a clothing store at the summer sales (except porn websites). These are in my personal opinion the easiest and most successful targets to breach. I’ll talk about clothes stores first. Clothing websites are SO easy because of two main types of attacks.

1. The admins never ever have two-step authentication. I don’t know why, but I have never seen one admin have it (and I’ve done it thousands of times). 2. The ‘admin’ usually works there behind the tills or in the offices. They have no clue what they’re doing: they just employ someone to make the website then they run it. They never ever have HTTPS, [so they have] huge SQLi vulnerabilities (e.g.. inurl:product.php?id=). Once you have the SQLi vulnerability you can go two routes or both. Route one: steal the credit card info and leave. Route two: deface the website, keep the original HTML code but install an iframe that redirects to a drive by download of a banking Trojan.

Now to discuss my personal favourite: porn sites. One reason why this is so easy: The admins don’t check to see what the adverts redirect to. Upload an ad of a well-endowed girl typing on Facebook, someone clicks, it does a drive by download again. But this is where it’s different: if you want extra details (for extortion if they’re a business man) you can use SET to get the actual Facebook details which, again, can be used in social engineering.

Q: What is your favorite/most effective exploit against websites and why?

A: If it’s a 0-day, that obviously ranks at the top. But below that is XSS. It’s really well known but no one patches it. I suppose DDoS isn’t really classed as an exploit but that can bring in monthly ‘rent’ for our ‘protection’. But over all 0-days are the greatest exploits.

Q: How do you monetize DDoS?

A: People buy accounts so for example you rent 1k bots and have a DDoS time limit of 30 mins. Some people buy one-offs. Black mail is a huge part of it. Take the website down for an hour. Email them or call them and say they pay 200 dollars or it stays offline for good. They usually pay up. If they don’t, they lose days, weeks, months of business.

Q: How do you pick targets to DDoS when you are attempting to extort them?

A: Hmmm. It depends. If there is a big sporting event, e.g. the Super Bowl, I can guarantee 95% of bookies have been extorted. I knew of one group who took down cancer research website and extorted them after their race for life donation process was meant to start. They got their money, kinda sad really.

Q: What kind of people tend to want to buy access to your botnet and/or what do you think they use it for?

A: Some people say governments use it, rivals in business. To be honest, I don’t care. If you pay you get a service. Simple.

Continue Reading Part 2

This entry was posted in Web Application Security on by .

About Robert Hansen

Robert Hansen is the Vice President of WhiteHat Labs at WhiteHat Security. He's the former Chief Executive of SecTheory and Falling Rock Networks which focused on building a hardened OS. Mr. Hansen began his career in banner click fraud detection at ValueClick. Mr. Hansen has worked for Cable & Wireless doing managed security services, and eBay as a Sr. Global Product Manager of Trust and Safety. Mr. Hansen contributes to and sits on the board of several startup companies. Mr. Hansen has co-authored "XSS Exploits" by Syngress publishing and wrote the eBook, "Detecting Malice." Robert is a member of WASC, APWG, IACSP, ISSA, APWG and contributed to several OWASP projects, including originating the XSS Cheat Sheet. He is also a mentor at TechStars. His passion is breaking web technologies to make them better. Robert can be found on Twitter @RSnake.