No honor among thieves

September 30, 2008

Hackers are known to target inexperienced users. And hackers are known to work in teams, with each team member using his or her particular skills to make sure a task gets accomplished. But what about hackers that don't target the users directly? There are some out there, and they're targeting inexperienced hackers to get them to unwittingly give away information that the first group of hackers can then use.[1]

For example, they will create a website hosting PHP shells - backdoors used to break into vulnerable websites. But here's the catch with the PHP shells: they've been modified to get the URL of the vulnerable website the inexperienced hacker is trying to exploit, and collect these URLs into a database. This means that the hacker who created the website gets a huge database of vulnerable websites - a database created by other hackers who did not notice (or understand) the modifications in the PHP shells they used. The modified shells often contain obfuscated JavaScript to make the changes harder to detect.[1]

This is an eye-opening illustration of "no honor among hackers" - they're not just attacking unsuspecting users, but others of their own kind, all in the name of getting access to as many servers as possible. Incidentally, this also happens in the world of phishing.[1] Hackers will write software that automatically designs "phishing" Web sites. Rather than operate the sites themselves, they sell the software to a newbie, who runs the scam. But the software is programmed to send a copy of whatever information it collects back to the author. Services that promise to check whether a stolen credit-card number is authentic operate the same way. Billy Rios, a security engineer at Microsoft, calls it phisher-on-phisher crime. And he says it will keep happening, because the barrier to entry for unscrupulous hackers is so low.[2]

For instance, one scam that Rios found posted on the Internet said that there was a flaw in Yahoo's systems that gave up credit-card information to anyone who sent an email to a particular address. All someone had to do was include a credit-card number and all the associated account information. Of course, the information went directly to the poster's inbox. And yes, lots of people fell for it.[2]

Furthermore, sites where criminals sell ill-gotten financial data and trade techniques for stealing this information operate in a pretty open way.[2] Also alarming is that these criminals either do not take many precautions or lack the expertise to protect the sensitive information they've obtained. For example, Rios found hacker websites with usernames and passwords hardcoded in the web application, back-end databases with default passwords or no passwords at all, and large sample sets of data posted in forums. Essentially, this means that a victim's identity can be stolen repeatedly by many other hackers.[3]

1. "Hackers hacking hackers", Viruslist Blog, September 24, 2008

2. "Now It's Phisher Against Phisher", The Wall Street Journal, August 7, 2008

3. "Bad Sushi: Beating Phishers at their Own Game", Nitesh Dhanjani & Billy Rios, BlackHat USA 2008