I was just interviewed by a local news station about a story they were doing on daring hackers that have started advertising their abilities to destroy a person’s life for as little as $20 per month. Apparently the deal goes something like this: you make a deal with a hacker to destroy somebody’s life by signing them up online and the hacker will ensure the target can’t get a good job, can’t apply for credit cards, will be denied for loans, etc.
The interviewer wanted to know if I thought that this was really happening or if it was some kind of joke and was really that easy. I’m not in the revenge business myself, but I suspect that this is a great way for the hacker to get a little extra money for something they do anyway. Last time I checked, the going rate on the black for a “full identity” (enough information to become another person) is up to $5 in some countries. If we apply the supply and demand model that seems to mean there is a wealth of supply but lagging demand.
When an attacker steals somebody’s identity, credit card number, or other information the first thing they’ll try to do is to start a line of credit and run the bill as high as they can - a quick smash and grab type operation. This entrepreneurially minded hacker realized that he could keep doing what he’s doing, have other people hand him targets, and get paid for taking them! Sounds like a win-win situation to me.
As for the second question (it being so easy that they can do it for $20 per month.) My response is that it depends. $20 per month seems like fair compensation to a hacker that is doing this anyway. One thing that I do find interesting is that it’s a subscription model, this shows the hacker must return to the scene monthly to determine if the target’s life is still truly ruined. I wonder what the measure for such a thing would be.
Since we inadvertently leave trails of our personal data all over the internet, becoming the target for a hacker may be easier than you think. An attacker may sniff the wires or dig through caches of data left on routers if the target fails to notice the little SSL lock every time they send sensitive information over the internet. The attacker may also target less secured websites that fail to protect their users’ information properly.
What can we do as an industry to mitigate these types of risks for our users? First we need to treat sensitive information like the beast that it is - truly sensitive. Be very careful to encrypt, hash, or otherwise make sensitive information unusable to hackers. Make sure that applications are being developed with security in mind and that these systems have been properly threat modeled so you won’t be caught with your proverbial pants down. Make it clear to your users that you will never ask them for personal information outside of a properly encrypted channel such as SSL or an equivalent for your technology.
What can we do as individuals to protect ourselves? Don’t send your personal information to companies where their reputation is questionable. Be very careful to look for that SSL lock whenever you are sending that information over the wire. Finally try not to get on anybody’s bad side - you never know when the revenge hacker may strike (and I can guarantee it’ll cost more than $20 per month to clear your credit history after this guy gets done.)
--Joe Basirico
