Serge Truth
Smashwords Edition
Copyright 2010 Serge Truth
This ebook is licensed for your personal enjoyment only. This ebook may not be re-sold or given away to other people. If you would like to share this book with another person, please purchase an additional copy for each recipient. If you’re reading this book and did not purchase it, or it was not purchased for your use only, then please return to Smashwords.com and purchase your own copy. Thank you for respecting the hard work of this author.
VPN - Virtual Private Networking
SEO - Search Engine Optimization
* * * * *
1000 hits of traffic cost 1$. A free public exploit pack with a 10% hit rate can get around 100 bots out of those 1000 hits. That means that each bot costs approximately one cent. Each bot has the potential to yield at least one set of credit card information. Each set of credit card information is worth at least 50 cents. Let's say out of those 100 bots, 50% log credit card information. That means that those 100 bots may produce 50 sets of credit card information. 50 sets of credit card information worth 50 cents each means 25$. The cost of traffic is 1$, and free bots and exploit packs can be used. With these prices, a botnet operator may see a 25$ return on a 1$ investment, which means a 2000+% profit margin*.
Welcome to hackonomics.
*Using the hacking techniques described in this book may result in getting caught. The author takes no responsibility for your actions. The objective of this book is to raise the security awareness of Internet users.
This book is mostly in layman's terms, but there is technical information inside. The technical information is usually given as examples, so it is not important to understand all of it to get the main ideas of this book.
The information in this book is time-sensitive, because information security advances very quickly. To get the book into print fast, superfluous details have been sacrificed. For this reason the book may appear somewhat unusual in terms of formatting.
Even though all the same techniques can work on Macs, there are so few Mac users out there that Mac hacking is simply not being practiced on a hackonomically meaningful scale. The same goes for Linux.
Trust and identity are key ideas in information security. A lot of information security revolves around establishing trust. The hackonomic solution to trust management is very elegant. Trust in hackonomics is based on reputation.
Typically, a person makes an account on a forum and the posts and files posted by the person serve as the foundation of their reputation. Because the files and posts are publicly available, anyone can review them and estimate the value of this information using their own standards. The peer review assures that there is little or no cheating. A person that posts a lot of high value files but little information is suspicious, and therefore not trustworthy. A person that makes a new account and makes a lot of posts quickly is suspicious, and therefore does not have a good reputation. Earning a good reputation is a process that takes time and work. While it is possible to artificially inflate reputation or steal an identity, that identity will be permanently ruined after cheating only a few people. Cheating is punished very strictly, so it is usually unprofitable. The price paid by the people that do get cheated is a small price for the community to rid itself of members that don't contribute much.
What is elegant about this is that an identity may have trust without being linked to any specific person. It is considered bad manners to reveal someone's human identity. Nobody cares if multiple people use the same identity, so long as the quality of service is good. There has been much effort in the information security community to link an identity to a human to assure trust, even to the point of using biometrics and RFID, while a much more efficient solution exists in plain view.
Perhaps better information security is in the hands of the hackers themselves.
The bulk of attacks rely on some form of user interaction. The technological aspect of hacking is used mostly to minimize the amount of user interaction required to carry out an attack. Fully automated hacking is mostly used to carry out unsophisticated attacks, such as password guessing. Significant changes in the infosec landscape are not going to happen until users start taking responsibility for their own security.
One of the security responsibilities of the user is keeping the software up-to-date. When each piece of software needs to be updated individually, a lot of software is left unpatched for a long time. Outdated software often has well-known holes. Hackers can use these known holes to exploit computers.
Another responsibility of the user is the understanding of at least some security basics, including understanding the threats. Common threats in 2010 are explained in this book.
When someone gets carded, this is what happens to him or her:
Phone Call - they get a phone call from the bank telling them of unauthorized activity.
Card Locked - the compromised card is locked, so that it cannot be used to make purchases or to withdraw funds.
Refund - the money is refunded.
Temporary Card - upon checking in at a bank branch, a temporary card is issued if it's a debit card. The temporary card is usually good for one month.
Affidavit - an affidavit arrives in the mail. An affidavit is a piece of paper that has to be signed and sent back to the bank within a couple of weeks. It is possible to go to a bank branch and have them fax the signed affidavit to their office. The affidavit is a document that says that the person did not authorize the suspicious activity.
New Card - a new permanent card arrives to the person's mailing address.
One of the key ideas in hackonomics is public vs. private. The term “public” means resources and tools that are available for public and anonymous use. The term “private” means resources and tools that are available to some specific people. Here are some defining characteristics:
Free - the biggest advantage of public stuff is that it is free. There might be some reputation-based restrictions on who can access public stuff, but these restrictions get lower very quickly as public stuff is spread out over the Internet.
Old - public stuff is often older versions of private stuff.
Detected - because public stuff is often used by many people and is old to begin with, it is usually detected by anti-viruses.
Cannot be resold - public stuff cannot be resold because it is available for free. Attempts to sell public stuff are looked down upon.
Anonymous - public stuff can usually be procured anonymously.
Costs money - private stuff is usually worth some money and is typically bought and sold, though it may be traded for other things of value, or shared for free between partners.
New - private stuff is new, often coming directly from the person who produces it.
Undetected - private stuff is typically either so new it is undetected by anti-viruses or crypted to become undetected.
Can be resold - private stuff can be resold for money, however there are often license restrictions on who is authorized to sell private stuff. These restrictions are strictly enforced.
Limited access - private stuff is typically traded between people with reputation, though sometimes it is traded anonymously.
The terms public and private are used very frequently in hackonomic activity.
A bot is a computer that has malware installed that allows remote control. A network of remotely controlled computers is called a botnet.
Botnet malware used to be custom written by teams of hackers for personal use. One of these botnet packages went commercial and became the industry standard; this botnet is called "Zeus".
A Zeus botnet is controlled through a web site. Zeus bots connect to a Zeus control panel. When bots connect to the control panel they send logs to the panel and get commands from it.
Zeus has the following functionality:
Log information submitted in web forms - that means logging all financial information used for shopping on-line.
Log stored passwords - passwords stored by some popular applications are logged and sent to the control panel.
Inject code into the web browser - this is useful for making it look like the person clicks on ads. Advertising services pay per click on the Internet ads.
SOCKS Proxy - proxies allow one computer to connect to the network through another computer. This is useful for hiding the source of the connection. Many web sites allow only a few failed login attempts, for example five. If a person uses 1000 proxies, he may be able to make up to 5000 failed login attempts. Therefore proxies are useful for guessing passwords.
DDoS - a Zeus bot can be instructed to flood another computer on the network. When lots of bots do this, the target computer can be disconnected from the network for the duration of the attack.
VNC Remote Desktop - the botnet operator can watch what a person is doing on their computer and click around at their leisure. While this feature sounds intimidating it is probably the least used in practice. Someone that controls >10000 bots probably isn't going to be checking out the desktops of many of them.
Take Screenshots - Zeus can take screenshots of the user's desktop.
Stealth - Zeus doesn't show up in "Task Manager". New versions of Zeus sacrificed some stealth to be able to work in Windows 7. Zeus hides inside other programs when it is running, so it is easiest to detect it by checking the place where it starts itself. Zeus v2 starts itself from a registry key located in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run that looks like {12341234123-1234-1234-3211-1234123412}.
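The Stealth item above gives the one place where this family is easy to check: the Run key under HKEY_CURRENT_USER with a brace-delimited, GUID-looking value name. The following is an added example, not from the book, that parses the text a `reg export` of that key produces and reports such names; the .reg content and the executable path in it are constructed.

```python
r"""Flag GUID-style autostart names in an exported HKCU Run key.

Added example, not from the book: parses the text that `reg export` writes
for HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and
reports value names shaped like the brace-delimited, hex-and-dash names the
book attributes to Zeus v2. The .reg content below is constructed.
"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample export: two ordinary entries and one GUID-style name
# pointing at a placeholder executable path.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"{12341234123-1234-1234-3211-1234123412}"="\"C:\\Users\\alice\\AppData\\Roaming\\example\\sample.exe\""
"Steam"="\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"
"""

# One .reg value line:  "name"=data   (the name may itself contain escaped quotes)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# {hex-hex-hex-...} with groups of any length; the name on the page does not
# follow the strict 8-4-4-4-12 GUID layout, so the pattern is kept loose.
GUID_STYLE_NAME = re.compile(r"^\{[0-9A-Fa-f]+(?:-[0-9A-Fa-f]+)+\}$")


def unescape_reg(raw):
    """Strip the quotes of a .reg string value and undo its backslash escaping."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        raw = raw[1:-1]
    return re.sub(r"\\(.)", r"\1", raw)


def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_data}} for the .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = re.sub(r"\\(.)", r"\1", m.group(1))
            keys[current][name] = unescape_reg(m.group(2))
    return keys


def suspicious_run_entries(keys):
    """Entries of the Run key whose value name is GUID-style, as [(name, command)]."""
    return [(name, cmd) for name, cmd in keys.get(RUN_KEY, {}).items()
            if GUID_STYLE_NAME.match(name)]


if __name__ == "__main__":
    for name, cmd in suspicious_run_entries(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"suspicious autostart {name} -> {cmd}")
```

A GUID-style name alone is a lead, not a verdict; the command it points at still has to be looked at.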
Zeus is being rapidly developed. A current version of Zeus costs between 1000-10000$. Old versions are free on the Internet. There is also a fake version of Zeus – Zeus v3 is fake and is basically a cheap Chinese counterfeit.
Zeus is not the only botnet. Zeus is not the most sophisticated botnet in terms of technology. Good documentation, technical support, pragmatic approach to functionality, and ease of use are some of the reasons for its popularity. The other botnets usually implement some of the same functionality but have better stealth.
Other botnet solutions exist. Some of them are direct competition to Zeus. Some are made for a specific purpose and don't have all the functionality that Zeus has. Some botnet software is written for personal use by teams.
A typical personal botnet is made of 1000-5000 bots. The largest recorded commercial botnets are Mariposa at approximately twelve million bots, and TDSS at approximately sixteen million bots.


An exploit is a glitch in software code that can be used to run custom code. When an exploit is found, the software vendor usually releases a patch to fix it soon afterwards. Not everyone installs that patch, so some computers are still affected by the exploit. Different computers have different unpatched software installed. To maximize the likelihood of at least one exploit working, exploits are bundled into exploit packs. An exploit pack is a bundle of exploits that are executed sequentially.
Exploits can be used to run custom code. That custom code is called "shellcode". The term "shellcode" is related to the twentieth century term "spawning a shell", which means running a command line. In the twentieth century, exploits were often used to open a command line interface so that a hacker could send commands to a target computer remotely. Today, the term "shellcode" is not technically accurate, but it's still around. Another word that means pretty much the same thing is "payload". A typical modern payload downloads a program from the Internet and runs it.
The value of an exploit depends on several factors:
Age - the newer the exploit, the fewer computers are patched against it.
Vulnerable software - the more popular the vulnerable software is, the more computers are vulnerable.
Reliability - exploits are not 100% effective; the more reliable an exploit, the more valuable it is. The same computer can run an exploit ten times and have it work only a couple of times. Good reliability is seven out of ten or more.
When new exploits come out, there are often no patches for them yet. These new exploits are called "0day" exploits. The term "0day" is related to the term Day 0, meaning the day of some planned event. In the twentieth century, hackers would sometimes write an exploit in secret and prepare an attack. The day of the attack was Day 0. The exploit was the "0day" exploit. Because the "0day" exploit was written in secret for a planned attack, there was no patch available and the exploit was very effective. When a patch is released, a 0day exploit becomes a "1day" exploit. The term "1day" simply means that it is no longer 0day. 0day exploits are very valuable, sometimes costing as much as 50000$. 1day exploits are still effective and most exploits in exploit packs are 1day. 1day exploits are usually free.
0day exploits used to be something very valuable and private. Once a patch was released, the exploit drastically lost value and leaked out to the public. These days, a killer 0day comes out about once every two months. This means that the overall commercial success of hackonomics has attracted more resources.
The most commonly exploited software is:
Adobe Acrobat/Reader
Adobe Flash
Oracle Java
Microsoft Internet Explorer
Microsoft Office
When an exploit is executed, the browser often crashes. Sometimes a window of some sort will appear and disappear quickly. Sometimes the computer will be very slow for a couple of seconds. Sometimes an error message may appear.
The typical effectiveness rate of exploit packs is 10%. 0day can bring that effectiveness up a lot for some time, until it becomes 1day.
A computer has patched Office, patched Flash, no Java, Internet Explorer is not used, but Acrobat is not patched. A crypted exploit pack has exploits for Office, Flash, Java, IE (Internet Explorer), and Acrobat. The payload downloads and executes a crypted Zeus bot. When the computer runs the exploit pack, the Office exploit fails, the Flash exploit fails, the Java exploit fails, the IE exploit is not sent (because the exploit pack can detect that IE is not being used), but the Acrobat exploit runs the payload and the computer becomes a bot in a botnet. The user sees the browser crash and for about a second the computer is very slow. The user doesn't think much about it and goes back to browsing. Now if that computer is used to do online shopping or banking, the bot will send financial information to the Zeus control panel.
Comments on the example above:
If the exploit pack didn't have an Acrobat exploit, then the exploit pack would be less effective. If an installed anti-virus detected any of the exploits or the bot, the anti-virus would have probably prevented the payload from running and alerted the user. A lot of users don’t know what to do with that warning and just go about their business.
An anti-virus may detect an exploit pack if it has a signature for it. To get the signature, the anti-virus company has to get a copy of a file from the exploit pack. A botnet operator checks if the exploit pack or the bot is detected approximately once a week, but it typically takes a couple of weeks for a bot or an exploit pack to be detected. When an exploit pack is detected by one of the major anti-viruses, the botnet operator crypts the exploit pack to make it undetected again. This is why an anti-virus is not an effective defense against botnets.
An exploit pack costs between 500-1500$.
Crypt means making a piece of software undetectable by anti-viruses. The term "crypt" is related to the word "encrypt", though that is not technically accurate, since crypt doesn't always encrypt the software.
Crypt is typically applied to bots and to exploit packs. Botnet operators typically crypt their bots and exploit packs weekly. This is why anti-virus software is not a practical defense against bots and exploit packs. A crypt usually lasts a couple of weeks until it becomes detected.
Crypting a bot usually means encrypting it and attaching a "stub". When the file is executed, the stub decrypts the bot and runs it. Crypting an exploit pack means changing pieces of exploit pack code until it becomes undetectable.
Crypt can be either a product or a service. Some people sell "crypters", which can encrypt unlimited amount of bots until the stub becomes detected by anti-viruses. Crypters for exploit packs are relatively rare. A manual crypt is considered more effective. There are people that specialize in crypting. Some amount of crypting is often included in the purchase of a licensed exploit pack or bot as a part of technical support.
Crypt usually costs around 50$.
DoS means "Denial of Service". Denial of Service is when an attacker makes some technological service unavailable. Typical examples of DoS are crashing a computer or shutting down a web site. DoS attacks are mostly nuisance attacks and do not usually cause physical damage.
There are several types of Denial of Service attacks: crash DoS, flood, SYN flood, and DDoS.
Crash DoS is an exploit that makes a target computer or program crash. This is not very practical or popular. Back in the 20th century, it took a long time for patches to be deployed, so there were a lot of computers vulnerable to crash DoS attacks. Young people carried out these attacks for the entertainment value of annoying people by making their computers crash. This type of attack has almost no hackonomic value and is now very rare in practice. Patches come out very quickly now, which makes it impractical to write crash exploits - by the time they reach their intended audience of people who think crashing computers is funny, they become obsolete.
Flood DoS means sending as much information as possible to a target computer to make the target computer slow. Flood DoS is one of the oldest types of DoS and most modern DoS attacks are variations on flood DoS. One of the earliest flood DoS attacks is called "ping of death". There is a computer program called ping, which sends a small piece of information to a target computer (that piece of information says "PING"). The target computer replies by sending the same piece of information back. The ping program can be used to send a custom piece of information and to keep doing it repetitively. Back in the 20th century, many computers would crash if someone kept pinging them with large pieces of information. The crashes don't happen anymore, though the attack still works if someone with a fast connection floods someone with a slow connection - in that case the attacker with a fast connection uses up the target's bandwidth and the target's Internet experience becomes slow. Plain flood attacks are not popular anymore because many people have broadband, so plain flood attacks often have a negligible effect.
Because the attacker is not interested in receiving information back from the target during a flood attack, the origin of the flood attack can be easily spoofed, that is the origin of the flood attack may be set to any arbitrary address on the Internet. It may still be possible to track the attack down to its real source, but this is expensive.
A syn flood attack is a specific type of a flood attack. The syn attack sends pieces of information that require the target computer to take some action; therefore, if enough syn packets are sent, the target computer will be slowed down both because it has to take some action and because its network bandwidth is being filled with junk. In this regard, syn flood is sort of a hybrid between flood DoS and crash DoS. There are mitigation measures, but there is no real protection from the syn flood attack, just like there is no protection from the flood attack. The origin of a syn flood attack can be spoofed.
DDoS means "Distributed Denial of Service". DDoS is any DoS attack that is carried out simultaneously by multiple computers. If a group of people use their computers to DoS a target at the same time, that is technically a DDoS. DDoS is the most common modern type of DoS attack and is usually carried out by botnets. DDoS is very effective, because it uses the resources of many computers against the resources of a few computers. The result of DDoS is usually that the target has no Internet access for the duration of the attack. DDoS is sold as a service and costs 30-50$/day. The demand for DDoS is low, because shutting things down is generally not profitable. DDoS sounds intimidating, but it's really small time.
Bruters are used to guess passwords. The term "bruter" is related to the term "brute force attack", but is not technically accurate. A "brute force attack" is an attempt to guess a password by trying all possible combinations. By contrast, a "dictionary attack" uses a list of possible passwords to see if one of them is the password. The list of possible passwords is called a "dictionary". The term "dictionary" probably originated when someone decided to use all the words in the dictionary to guess passwords. Bruters usually apply a "dictionary attack" with a pretty short list of possible passwords. Bruters typically use a dictionary to guess passwords of network servers.
A dictionary is also known as a word-list. Bruters usually come with a bundled wordlist or two. There are many wordlists floating around the Internet. There are some that are based on English language dictionaries. There are wordlists for other languages. There are lists of most common passwords based on statistical analysis of previously cracked passwords. A hacker typically has a bunch of wordlists kicking around. There is no shortage of wordlists and choosing them is a matter of personal taste and practice.
There are two common types of bruters:
RDP Bruter - RDP bruter is used to guess passwords of Windows Remote Desktop servers. The intended targets are usually corporate servers running Windows Server operating systems. Remote Desktop is a feature of Windows that allows using the desktop remotely. If the password is guessed, the attacker can use the server almost the same as if he were using it in person. Remote Desktop is graphical and for Windows.
SSH Bruter - SSH bruter is used to guess passwords of Secure Shell servers. The intended targets are usually corporate servers running Linux or some other UN*X-like operating systems. Secure Shell is a service that allows using a command line interface remotely. SSH is command-line and for Linux.
RDP bruters are more practical and bruted Windows servers are usually more useful than bruted Linux servers.
Both SSH and RDP allow only a limited amount of failed login attempts before rejecting the connection. To overcome this, proxies are used. A proxy is a computer that allows another computer to connect through it. The purpose of the proxy is that the connections appear to be coming from the proxy. There are many public proxies available for free. Zeus bots can also be used as proxies. If a server has a limit of five failed logins, a bruter with 1000 proxies can try 5000 password guesses. 5000 guesses are not enough to try all possible passwords, but it is enough to try a list of several thousand common passwords.
The objective of bruting is to guess passwords for as many servers as possible. A bruter typically takes a list of targets, a list of proxies, a list of possible passwords, and starts guessing passwords. The list of targets is produced by a network scan. A network scan checks IP addresses to see if RDP or SSH servers are running on them. Most computers with direct Internet IPs (not behind a router) are scanned about every ten to fifteen minutes. IP addresses are numbers that are written in the form 111.111.111.111 for convenience. In reality, an IP address is a very large number and does not have to be written in the form 111.111.111.111. To scan a lot of IP addresses, two IP numbers are chosen and every IP number in between them is scanned - these IP addresses are called an IP range. Defining IP ranges is standard practice for many IT tasks, so there is shorthand for writing IP ranges. Network scanners are used to scan IP ranges for RDP and SSH servers and produce a list of targets for bruters. The list of targets allows automatically bruting multiple targets.
Password guessing attacks are low cost, require little skill, and yield a high return on investment. Password guessing attacks are very popular.
SQL Injection means sending commands directly to the database. Web applications often include a database. For example, a web store keeps inventory, orders, and price information in a database. SQL is a database language. The web pages have scripts in them that interact with the database using SQL. If the scripts have errors in them, they may allow an attacker to send custom SQL commands to the database. SQL Injection attacks are frequently carried out by adding SQL commands to the address bar. Sometimes SQL commands may be inserted into the text boxes of the web page. If an attacker can send custom commands to the database, he may be able to take over the web page and to read all the information in the database. If the database stores financial information, the attacker may be able to get that information using an SQL injection attack.
XSS means Cross-Site Scripting. Cross-Site Scripting attacks are not as serious as SQL injection attacks. Cross-Site Scripting attacks rarely if ever allow taking full control of a web site. Cross-Site Scripting applies to web pages that allow users to add content, such as comments in blogs or social networking web sites. In an XSS scenario, an attacker leaves a comment with a script in it. When another computer loads the comment, it executes the script. The script may be able to do some of the things that a logged in user can do on the affected web site, such as add users as friends, send messages, post comments, etc. In the extreme case, an attacker may be able to take over the logged-in user's session.
The technique for taking over another user's session using XSS is called "stealing the cookie". Web sites that have user accounts typically use cookies to keep track of users - each user is given a unique number, which is stored as a cookie by the web browser. An XSS attack may send a user's cookie to an attacker. The attacker can then install this cookie in his web browser and the web site will think that he is the user whose cookie was stolen.
XSS exploits are very limited, but they are very common. In terms of hackonomics, XSS is rarely more than a nuisance.
Password guessing is an obvious and common technique for taking over a web site. Typically a "bruter" is used as described in one of the earlier sections. In addition to RDP and SSH bruters, there are bruters made specifically for taking over web sites. A list of common or probable passwords is used to guess the password for some administrative component of the web site. Because most web sites limit the amount of guesses per IP, proxies are used to make a large amount of guesses. If a web site has a limit of five failed log-on attempts, a list of 1000 proxies allows an attacker to make up to 5000 guesses.
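The arithmetic above and in the bruter section (a five-failure limit per IP, 1000 proxies, 5000 guesses) is exactly why a per-IP lockout on its own misses these attacks. The following is an added example, not from the book, that groups authentication failures by account and by distinct source instead, so a spray that never trips the per-IP limit still surfaces; the sshd-style log lines, the regex and the thresholds are constructed assumptions.

```python
"""Surface password guessing that stays under a per-IP lockout.

Added example, not from the book: the book notes that a five-failure-per-IP
limit is sidestepped by spreading guesses over many proxies. Counting
failures per account, and the number of distinct sources per account,
makes such a spray visible. Log lines are constructed in sshd style.
"""
import re
from collections import defaultdict

# Assumed sshd-style failure line; adapt the pattern to the real log format.
FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})")

PER_IP_LOCKOUT = 5    # the per-IP limit used in the book's example
ACCOUNT_ALERT = 20    # failures against one account that should alert, whatever the source


def build_sample_log(n_sources=40, per_source=4):
    """Constructed log: each of n_sources IPs makes per_source failures against
    'root' (one short of the lockout), plus one benign mistyped password."""
    lines = []
    for i in range(n_sources):
        ip = f"10.{i // 256}.{i % 256}.7"
        for j in range(per_source):
            lines.append(f"Jan 10 03:{i % 60:02d}:{j:02d} host sshd[{1000 + i}]: "
                         f"Failed password for root from {ip} port {40000 + j} ssh2")
    lines.append("Jan 10 03:10:00 host sshd[2000]: Failed password for alice from 192.0.2.5 port 50000 ssh2")
    lines.append("Jan 10 03:10:05 host sshd[2001]: Accepted password for alice from 192.0.2.5 port 50001 ssh2")
    return lines


def analyse(lines):
    """Return what a per-IP rule would lock out next to the per-account view."""
    fails_by_ip = defaultdict(int)
    fails_by_account = defaultdict(int)
    sources_by_account = defaultdict(set)
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if not m:
            continue
        account, ip = m.groups()
        fails_by_ip[ip] += 1
        fails_by_account[account] += 1
        sources_by_account[account].add(ip)
    return {
        "locked_ips": sorted(ip for ip, n in fails_by_ip.items() if n >= PER_IP_LOCKOUT),
        "sprayed_accounts": sorted(a for a, n in fails_by_account.items() if n >= ACCOUNT_ALERT),
        "failures": dict(fails_by_account),
        "distinct_sources": {a: len(s) for a, s in sources_by_account.items()},
    }


if __name__ == "__main__":
    report = analyse(build_sample_log())
    print("IPs a per-IP lockout would block:", report["locked_ips"] or "none")
    for account in report["sprayed_accounts"]:
        print(f"{account}: {report['failures'][account]} failures from "
              f"{report['distinct_sources'][account]} sources")
```

On the constructed log the per-IP view locks nothing, while the per-account view shows 160 failures against root from 40 sources.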
E-mail recovery takeover means taking over an account by having the password sent to an e-mail address. Many web sites offer to send the password to an account by e-mail in the event a user forgets his password. The e-mail address that the password is sent to is usually specified when making a web site account. In order for the e-mail recovery take-over to succeed, an attacker has to first take over the e-mail address of the user. The e-mail address has to be the one that was used to make the account on the target web site. One common way to take over an e-mail address is password guessing. Sometimes an e-mail account is deleted and another person can make an account with the same address.
Some of the implications of taking over an e-mail address are obvious. In addition to being able to read the person's private e-mail and being able to impersonate the person, an attacker may be able to take over a web site account that has been created using the target e-mail address. In the event that this user account has full control over a web site, the e-mail recovery attack allows taking over the web site.
Many people use the same password for many things, so once an attacker has one or two of a person's passwords, and their e-mail address, the attacker can then go on to take over many of the person's on-line accounts and resources. The hackonomic value of taking over e-mail addresses and social networking accounts is low; the value of taking over a web site is much higher.
A web site may be taken over when a bot logs the username and password. A Zeus bot logs information that the user enters into web site forms. The botnet operator gets a lot of these logs and looks through them at his leisure or sells them to someone else. In the event that the logs contain information for administering a web site, the web site can be taken over.
Sometimes the files on a web site are managed using FTP. FTP is a program for transferring files. A Zeus bot logs FTP accounts. FTP is an old program, so when someone is using it, a lot of the time it is to manage files on a web site. FTP accounts may be worth a couple of dollars each.
A web shell is software that is used for controlling a web site. When a web site is cracked, a web shell is uploaded to control it. Different web shells have different functionality, but they usually allow managing files and sometimes running system commands on the web site server.
An iframe is a piece of code that loads a web page into a web page. "Iframe" means inline frame, and is basically a small window with a web page in it that can be placed into another web page. An iframe can be made very small or invisible to avoid detection.
Iframes are used to make legitimate web pages load exploit packs on the visiting computers. The iframing process goes like this: an exploit pack is installed somewhere on the Internet, a piece of iframe code is generated to load the exploit pack, and the iframe code is inserted into multiple compromised web sites. Whenever a computer loads the compromised web site, the iframe loads the exploit pack, the exploit pack runs on the visiting computer, and if any of the exploits are successful, shellcode is executed, which downloads a loader, which downloads and installs a bot on the visiting computer.
Iframe can be used as a verb. To iframe a web page means to add iframe code to it. Example: "Some hacker iframed the company web page with an exploit pack".
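The two sections above describe the tell-tale shape of an iframed page: a frame made tiny or invisible that pulls content from a host other than the site's own. The following is an added example, not from the book, that walks a page's HTML with the standard-library parser and reports iframes that are both concealed and third-party; the HTML, host names and size threshold are constructed assumptions.

```python
"""Find concealed third-party iframes in a page's HTML.

Added example, not from the book: the book describes an invisible or tiny
iframe inserted into a compromised page to load an exploit pack hosted
elsewhere. Iframes that are both concealed (tiny or hidden by style) and
sourced from another host are reported. HTML and hosts are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_HOST = "www.example-store.com"   # constructed: the site being checked

# Constructed page: a visible video embed, a concealed injected frame and a
# same-site zero-size frame (hidden, but not third-party).
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe width="560" height="315" src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<p>Our products...</p>
<iframe src="http://pack-host.example/in.php" width="1" height="1"
        style="visibility: hidden" frameborder="0"></iframe>
<iframe src="/help/widget.html" width="0" height="0"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":   # HTMLParser already lower-cases tag names
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """'1', '1px', ' 0 ' -> int; anything else (e.g. '100%' or missing) -> None."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return int(v) if v.isdigit() else None


def classify_iframe(attrs, page_host, max_px=10):
    """Reasons an iframe looks concealed or foreign; empty when it looks ordinary."""
    reasons = []
    src_host = urlparse(attrs.get("src", "")).hostname
    if src_host and src_host != page_host:
        reasons.append(f"third-party source {src_host}")
    w, h = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
    if (w is not None and w <= max_px) or (h is not None and h <= max_px):
        reasons.append(f"tiny size {w}x{h}")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden by style")
    return reasons


def concealed_third_party_iframes(html, page_host):
    """src of every iframe that is both concealed (tiny or hidden) and third-party."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        reasons = classify_iframe(attrs, page_host)
        concealed = any(r.startswith(("tiny", "hidden")) for r in reasons)
        foreign = any(r.startswith("third-party") for r in reasons)
        if concealed and foreign:
            hits.append(attrs.get("src", ""))
    return hits


if __name__ == "__main__":
    for src in concealed_third_party_iframes(SAMPLE_HTML, PAGE_HOST):
        print("concealed third-party iframe:", src)
```

Run against the HTML as the server actually serves it, since an injected frame may not be present in the site's own source tree.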
A loader is software that downloads and installs other software. A loader is usually used in the following fashion: the exploit pack downloads and runs a loader; the loader downloads and installs a bot. The reason for using a loader is that a loader makes the installation process more reliable. The circumstances during exploitation are sketchy at best - the exploit might not work correctly, the application being exploited might crash, an anti-virus or a firewall might interfere, the user might notice that something suspicious is going on and shut down the computer, etc. A loader is optimized for running under such circumstances, so it is more likely to run correctly than a bot. Loaders often include technologies for bypassing firewalls and anti-viruses.
Skimmers are physical modifications to ATM machines that send card information to an attacker. Skimmers are not limited to ATM machines and may be installed at gas stations and other places where cards are read. An attacker makes a clone of the card reader slot from the target machine, puts his own reader in there, and replaces the reader on the target machine with his own. The original machine's card reader is left in place, so the original machine still works. The cover of the card reader is what is replaced. Sometimes a video camera is installed near the screen to record the PIN being entered.
Skimmers are physical and require the attacker to be physically located near-by. The skimmer records the bankcard information and sends it to a receiver via radio. The recorded financial information is sold over the Internet to a carder.
Skimmers are sometimes sold on-line. A skimmer with a video camera costs around 900$.
Skimmers are out there and they are pretty difficult to spot. Some ATMs have anti-skimmer features, which are basically alarms that go off when parts of the ATM are removed.

* * * * *
Credit card information is one of the commodities traded on the Internet in bulk. Credit card information comes from many different sources, such as botnet logs, compromised servers, and skimmers. Click here for more information. Just kidding.
Bots record financial information when the user enters it into a web site form. Bots periodically send collected information to the botnet control panel. The botnet operator can download the collected logs from the botnet control panel. The botnet operator can search the botnet logs for credit card information and put it in a separate file. The credit card information can then be sold on the Internet.
Some database servers store credit card information. Web sites use SQL to access information in databases. An attacker may be able to get access to sensitive information in the database by using an SQL injection technique. SQL injection means sending SQL commands to the database through the web site's own input. A web site is supposed to have security measures that prevent SQL injection attacks, but this is still a very common vulnerability.
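The "security measure" the paragraph refers to is, in most cases, simply never building a query by pasting user input into the SQL text. The snippet below is an added example, not from the book: it puts the vulnerable lookup next to the parameterized one and runs both against a throwaway in-memory SQLite table whose rows are constructed for the demonstration.

```python
"""Vulnerable string-built query beside the parameterized fix.

Added example, not code from the book. The table and the rows are
constructed in memory so the script runs offline.
"""
import sqlite3


def make_db():
    """Create an in-memory table with two constructed card records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (id INTEGER, owner TEXT, number TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?)", [
        (1, "alice", "4111-xxxx-xxxx-0001"),
        (2, "bob", "4111-xxxx-xxxx-0002"),
    ])
    return conn


def lookup_vulnerable(conn, owner):
    """Builds the SQL by concatenation: user input becomes part of the command."""
    sql = "SELECT owner, number FROM cards WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, owner):
    """Parameterized query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT owner, number FROM cards WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


# The classic tautology payload, constructed for the demo. In the vulnerable
# version it turns the WHERE clause into  owner = 'x' OR '1'='1  and so
# matches every row; in the safe version it is just a name nobody has.
INJECTION = "x' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", lookup_vulnerable(conn, INJECTION))  # every row
    print("safe:      ", lookup_safe(conn, INJECTION))        # no rows
```

The same principle applies to every database driver: placeholders (`?`, `%s`, `:name`, depending on the driver) keep the data and the command separate, and no amount of input "cleaning" is a substitute for it.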
Skimmers are physical modifications to ATMs that send financial information to an attacker when the ATM is being used.
"Cards" are sets of credit card information sold to people who use them to get the money out somehow.
1 Card ~ 0.8$
3 Cards ~ 2$
10 Cards ~ 5$
100 Cards ~ 50$
Money laundering means transferring money from a suspicious account to the launderer, who then sends most of that money on to the customer.
The purpose of money laundering is to make hackonomic income look like some other type of income.
???
The password cracking service means breaking the password for an on-line account of some sort, such as e-mail. Usually, password guessing attacks are used, but sometimes weaknesses in the web site are used instead. This service is not very common and is not always effective. The password cracking service sounds very powerful, but it is a very small part of hackonomics. Hackonomics is based on low-cost, large-scale attacks. A password cracking attack is small-scale and relatively high-cost, and that makes it unpopular.
The purpose of password cracking is usually to take over an e-mail account in order to read the person's e-mail and to impersonate them. One reason to crack an e-mail account is to do an e-mail recovery take-over of a web site. An e-mail recovery take-over means getting the password to some on-line resource sent to the e-mail account. Many sites offer to send a forgotten password to the user's e-mail account. If an attacker takes over the user's e-mail, the attacker may be able to retrieve the password.
~50$
Malware is a term that means malicious software. The term "malware" is used by information security professionals, but not in hackonomics at large, because it has a very negative connotation. The term being coined in this book is hackware, as a middle ground between the underground and the academic. In hackonomic circles, the neutral and ambiguous term "software" is used, together with one of the names that specify the type of software. The commonly traded hackware types are: loader, crypter, bot/trojan/RAT, exploit pack, iframer, bruter, and some more exotic types. These technologies have separate chapters dedicated to them.
Loader - ???
Crypter ~ 50$
Bot/Trojan/RAT ~ 500-10000$ (trojan and RAT are other names for a bot; RAT means Remote Administration Tool)
Exploit Pack ~ 500-1500$
Iframer ~ 20-50$
Bruter - ???
Crypt means making hackware undetectable by anti-viruses. Crypt is typically applied to bots and exploit packs. Botnet operators typically crypt their bots and exploit packs weekly. This is why anti-virus software is not an effective defense against bots and exploit packs. A crypt usually lasts a couple of weeks until it becomes detected.
Crypting a bot usually means encrypting it and attaching a "stub". When the file is executed, the stub decrypts the bot and runs it. Crypting an exploit pack means changing pieces of exploit pack code until it becomes undetectable.
Crypt can be either a product or a service. Some people sell "crypters", which can encrypt an unlimited number of bots until the stub becomes detected by anti-viruses. Crypters for exploit packs are relatively rare. A manual crypt is considered more effective. There are people who specialize in crypting. Some amount of crypting is often included in the purchase of a licensed exploit pack or bot as a part of technical support.
Crypt is used to make hackware undetectable by anti-viruses. A decent botnet operator uses crypt approximately once a week. This is why anti-virus software is not a practical defense against bots and exploit packs. A crypt usually lasts a couple of weeks until it becomes detected. Therefore, anti-viruses in general are usually a couple of weeks behind. Once a bot is installed, it may periodically update itself with a newly crypted version.
30-50$/crypt.
DESCRIPTION:
Denial of Service means slowing down or crashing the target computer(s). The DoS service that is being actively sold is usually DDoS carried out by botnets. DDoS means distributed denial of service. DDoS is when multiple computers are attacking the same target(s). The industry standard is a DDoS SYN flood carried out by thousands of computers simultaneously. Some botnets exist entirely for the purpose of carrying out DDoS attacks. DDoS attacks are not known to cause physical damage. The effect of DDoS is usually disconnecting the target from the Internet.
The purpose of DDoS attacks is to disconnect target computer(s) from the Internet for some period of time. Sometimes DDoS is used to fight competition. Sometimes DDoS is used to annoy video game players. Sometimes hacker groups use DDoS against each other. DDoS has been used to extort money from businesses that rely on continuous web presence, but that business model has proven to not be hackonomically viable. DDoS is not very profitable, but it is easy to do, so it is a readily available service.
30-50$/day.
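A SYN flood works by opening TCP connections that are never completed, so from the defender's side its signature is a pile of half-open connections coming from many sources at once. The script below is an added example, not from the book: it replays a constructed stream of TCP segment records, tracks which handshakes were never finished, and raises an alert when the half-open count and the number of distinct sources for one destination both pass assumed thresholds. The record format, IP addresses and thresholds are all assumptions made for the example.

```python
"""Detect a SYN flood from a stream of TCP segment records.

Added example, not from the book. Each record is a constructed tuple
(src_ip, src_port, dst_ip, dst_port, flags) standing in for what a capture
tool would provide; the thresholds are assumptions for the example.
"""
from collections import defaultdict


def track_half_open(segments):
    """Replay segments and return {dst_ip: set of 4-tuples still half-open}.

    A client's SYN opens a pending entry; the client's bare ACK, the third
    step of the handshake, closes it. A flood never sends that ACK.
    """
    pending = defaultdict(set)
    for src, sport, dst, dport, flags in segments:
        key = (src, sport, dst, dport)
        if flags == "SYN":
            pending[dst].add(key)
        elif flags == "ACK" and key in pending.get(dst, ()):
            pending[dst].discard(key)
    return pending


def detect_syn_flood(segments, max_half_open=50, min_sources=10):
    """Return [(dst_ip, half_open_count, distinct_sources)] for flooded hosts.

    Requiring many distinct sources separates a distributed flood from a
    single misbehaving client, which a firewall can simply block.
    """
    pending = track_half_open(segments)
    alerts = []
    for dst, keys in pending.items():
        sources = {k[0] for k in keys}
        if len(keys) >= max_half_open and len(sources) >= min_sources:
            alerts.append((dst, len(keys), len(sources)))
    return alerts


def _normal_session(client, port, server):
    """A complete three-way handshake from client to server port 80."""
    return [
        (client, port, server, 80, "SYN"),
        (server, 80, client, port, "SYN-ACK"),
        (client, port, server, 80, "ACK"),
    ]


def build_sample():
    """Constructed traffic: 20 real visitors plus a 60-bot SYN flood."""
    segs = []
    for i in range(20):
        segs += _normal_session(f"198.51.100.{i + 1}", 40000 + i, "192.0.2.10")
    for i in range(60):
        bot = f"203.0.113.{i + 1}"
        for j in range(2):
            segs.append((bot, 50000 + j, "192.0.2.10", 80, "SYN"))
            segs.append(("192.0.2.10", 80, bot, 50000 + j, "SYN-ACK"))
    return segs


if __name__ == "__main__":
    for dst, half_open, sources in detect_syn_flood(build_sample()):
        print(f"{dst}: {half_open} half-open connections from {sources} sources")
```

The legitimate sessions disappear from the pending table as soon as their final ACK arrives, so only the bots' 120 unanswered SYNs remain; real kernels bound the same table with SYN backlog limits and SYN cookies, which is why the count, not the raw packet rate, is the thing to watch.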
Bulletproof hosting means offering to host a web site or a web application that is not supposed to come down even if someone tries to take it down. For example, even if investigators find that a web site is used to host a botnet, a bulletproof hosting provider won't take it down when investigators ask them to. The bulletproof hosting providers are spread out geographically in a way that makes it difficult to take action against them. Bulletproof hosting providers optimize their services to resist DDoS attacks.
Bulletproof hosting is often used for serving botnet control panels and exploit packs. There are two main threats to hosting: "abuse" and "DDoS". DDoS is when a botnet floods a web server with information. Basically, DDoS can shut down a web site for the duration of the attack. "Abuse" is when someone writes a letter to the hosting provider saying that a web site is "abusing" the terms of service. Most regular hosting providers will respond to that by shutting down the web site, often even if the "abuse" letter is fake. A bulletproof service provider will ignore "abuse" letters. Resistance to "abuse" and "DDoS" are the two basic distinctions between bulletproof web hosting and regular web hosting.
Web Hosting ~ 50$/month
Web hosting is a place to put a web page on the Internet. For basic web hosting, many web sites share the same IP address.
Virtual Private Servers ~ 150$/month
A virtual private server is a type of hosting where a web page gets its own IP address.
Dedicated Servers ~ 400$/month
A dedicated server is an actual separate physical server with its own IP address, dedicated to hosting a web page.
VPN is an encrypted tunnel to a VPN server. All connections going through the VPN appear to be coming from the VPN server. A VPN service provider typically offers a choice of servers in different countries.
VPN is used to hide the user's IP address on the Internet and to hide the user's Internet traffic from the Internet Service Provider. The original use of VPN is to encrypt traffic on the Internet when connecting to a company or personal network remotely.
~1$/day
~30$/month
Dedicated servers are computers that are on-line for a long time and are usually not operated by a person sitting at them. A dedicated server is usually a computer that sits in a data center somewhere. Because dedicated servers are rarely accessed physically, they are usually administered with remote control software such as RDP or SSH. RDP and SSH bruters are used to guess the passwords of dedicated servers. The successfully guessed passwords may then be sold. Dedicated servers are a popular commodity.
Dedicated servers are used to launch attacks. Even if an attack was traced back past proxies and VPN, it would appear to originate from the dedicated server. Dedicated servers can also be used to host botnets and to send spam.
1-5$/server.
Yes, full access to your company’s server is only worth 1-5$ to a hacker.
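The bruters mentioned above leave a very recognizable trail in the server's own authentication log: a burst of failed logins from one address, often cycling through user names. The script below is an added example, not from the book, showing the counting logic that tools such as fail2ban apply: it parses OpenSSH-style log lines and reports any source that fails a threshold number of times within a sliding time window. The log lines, IP addresses, threshold and window are constructed assumptions for the example.

```python
"""Spot password guessing against SSH from sshd log lines.

Added example (not from the book): the fail2ban-style counting logic, run
over constructed log lines. The threshold, window, year and addresses are
assumptions chosen for the example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the syslog format OpenSSH's sshd uses.
SAMPLE_LOG = """\
Mar 10 02:14:01 srv sshd[2211]: Failed password for root from 203.0.113.7 port 41022 ssh2
Mar 10 02:14:03 srv sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2
Mar 10 02:14:04 srv sshd[2215]: Failed password for root from 203.0.113.7 port 41038 ssh2
Mar 10 02:14:06 srv sshd[2217]: Failed password for invalid user test from 203.0.113.7 port 41044 ssh2
Mar 10 02:14:09 srv sshd[2219]: Failed password for root from 203.0.113.7 port 41050 ssh2
Mar 10 02:20:31 srv sshd[2301]: Failed password for alice from 198.51.100.4 port 50212 ssh2
Mar 10 02:20:40 srv sshd[2303]: Accepted password for alice from 198.51.100.4 port 50213 ssh2
Mar 10 03:05:12 srv sshd[2400]: Failed password for root from 203.0.113.7 port 41900 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2010):
    """Return (timestamp, result, user, ip) or None for lines we do not care about.

    Syslog timestamps carry no year, so one is assumed (2010 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def find_bruters(log_text, threshold=5, window_seconds=600):
    """Return {ip: (failures, sorted user names)} for sources that reach
    `threshold` failed logins inside any window of `window_seconds`."""
    failures = defaultdict(list)  # ip -> [(timestamp, user)] in log order
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == "Failed":
            ts, _, user, ip = parsed
            failures[ip].append((ts, user))

    flagged = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within the limit.
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                users = {u for _, u in fails[start:end + 1]}
                flagged[ip] = (end - start + 1, sorted(users))
                break
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in find_bruters(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures, tried users {users}")
```

The single mistyped password from 198.51.100.4 never trips the rule, while the address that fails five times in eight seconds does; in production the same decision feeds a temporary firewall block, and the mitigation that removes the problem entirely is disabling password logins in favour of keys.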
Purchasing traffic means paying to have a web site loaded by web browsers. When a web site is cracked, it can be iframed with the customer's web site of choice. Usually, an intermediate web site is used to count the amount of traffic sent to the customer. Traffic is sold in lots of a thousand hits.
The purpose of purchasing traffic is to load an exploit pack on as many computers as possible to make bots as fast as possible.
1$/1000 hits.
Buying installs means paying to have the customer's software installed. Selling installs means taking money to install software on some number of computers. The process for installs is the same as for installing bots, except that the customer's software is installed instead of the seller's own bots. The customer's software is usually bots, so selling installs usually means installing someone else's bots.
The purpose of buying installs is usually to install spyware or adware on people's computers. It may be possible to buy installs to make a botnet.
70$/1000 installs.
E-mail lists are sometimes traded on the Internet.
E-mail lists are sold for the purpose of sending spam to them. A spammer gets paid for sending messages to a certain amount of e-mails. The more valid e-mail addresses a spammer has, the more money he makes. The hackonomic value of spam has been rapidly declining, but it still exists.
Some of the most common sources of e-mail lists are on-line dating sites.
???
Spam means sending lots of advertisements. Spam is usually sent over e-mail. Anyone who has used e-mail for a while knows what spam is. Spam used to be big, but its share of hackonomic activity is dwindling.
The purpose of spam is to send lots of advertisements. The logic is that some of the people that get the advertisement will make a purchase, so the more spam, the more purchases, and therefore the bigger profit.
Spam is also popular with scammers. The idea is that some of the people that get the scam letter will fall for it, so the more spam, the more victims, and therefore the bigger profit.
???
SEO means making a web site easier to find with search engines. The objective is usually to make the web site appear higher in the list returned by search engines for certain key words. One approach to SEO is to spam links to the web site on different forums and blogs, because modern search engines treat web sites with many links pointing to them as important. Another approach is to create lots of web sites that link to the customer's web site. SEO involves a lot of techniques and technologies. SEO is a large part of hackonomic activity.
The purpose of SEO is to increase traffic to a web site. Generally speaking, more traffic means more money on the web.
???
* * * * *
A botnet operator is a person that controls a botnet. Botnet operators are probably the most interesting type of hackers (besides the legit information security types). The duties of a botnet operator include: installing bots, managing bots, crypt, and collecting logs.
Installing bots usually means iframing a web site with an exploit pack.
Managing bots means making sure the bots remain operational. One of the biggest parts of managing bots is making sure they are not detected, because once a person knows they have a bot on their computer, the person will probably get rid of it somehow. Therefore, crypt is one of the biggest parts of managing a botnet.
Other bot management tasks include checking the control panel to see how many bots there are, issuing bot commands via the control panel, updating bot configuration files as needed, and making sure the botnet as a whole is not detected.
Bots periodically become detected by anti-viruses - this is because bots are spread on many computers and eventually a user may send a suspicious file in to the anti-virus companies. An anti-virus company may share this information with other anti-virus companies. Once this happens, all the identical bots are subject to being removed by anti-viruses. To prevent this, botnet operators crypt their bots faster than they are detected and send commands to the existing bots to update to new, crypted versions. The frequency of crypt is different for different operators, but it's something like once a week on average. It takes approximately two weeks for a bot to be detected.
Most of the hackonomic value of bots comes from collecting logs. Logs are usernames and passwords recorded by bots. An average user has multiple usernames and passwords that he uses for multiple things, so each bot typically yields multiple usernames and passwords, together with the web site or application that the credentials belong to. A botnet of thousands of bots then yields many thousands of usernames and passwords. Even if the bot is detected after a couple of days, it has collected some logs by that time already. Most users don't change all their passwords when their anti-virus finds a bot; however, over time passwords do tend to change, so the quality of logs depends largely on their freshness. Logs can be traded raw, but then they are not worth that much. Logs can include things like cards (financial information), passwords to dedicated servers, passwords to web sites, and passwords for video game accounts. A botnet operator will often look through the logs to see if he has logged anything of value to sell.
Botnets can be used to perform DDoS attacks. Botnet operators may sell DDoS services or use DDoS for personal reasons. The effect of DDoS is usually that a web site is not available for the duration of the attack. Because there are many botnets out there and the demand for DDoS is small, the cost of DDoS is low. DDoS sounds intimidating, but it’s very small-time. The main motivation for hacker activity is profit and collecting logs is safer and more profitable.
There has been hype about hackers shutting down electricity or other services. The computers that control infrastructure are not connected to the Internet and are therefore immune to DDoS. There is no good reason to connect a computer that controls infrastructure to the Internet. Stories about hackers shutting down infrastructure are hype and fear mongering.
Botnet Management
Web Site Administration
Parsing Logs
Trading Hackonomic Commodities
Exploit Packs
Botnet Hackware
Crypt
Dedicated Servers
Cracked Web Sites
Traffic
Iframes
Logs
Cards
Botnets
Cracked Web Sites
Cracked Dedicated Servers
DDoS
Spam
Installs
Botnet operators sell different services to different people:
DDoS to someone who wants to take out the competition
Cards to carders
Dedicated servers to spammers and crackers
Installs to spyware companies and other botnet operators
Crackers are a kind of dry bread. Crackers are also people who break into web sites and computers. Crackers use different methods for cracking and often specialize in some specific method. One of the most common methods is automated password guessing, also known as bruting. A more sophisticated method is SQL injection, which allows taking over a web site. Both bruting and SQL Injection are described in the Technology section of this book. SQL Injection is a web exploitation technique.