On Thursday morning, at this year's RSA conference in San Francisco, Chris Boyd of Facetime and I will present a talk "How to Adapt to the Echo Generation's Social Media Hacking Game." The following is a preview of that talk, presented in three parts. On Tuesday we learned who the Echo Generation are. Wednesday we saw how they use online social media for hacks. Today, we'll see how Chris uses features of social networks and Web 2.0 to shut these kids down.
Known as the Sherlock Holmes of France, famed criminologist Edmond Locard once said that every contact between two items leaves a trace, and that's also true when talking about online crimes. IP addresses are left behind with every site we visit. Posts to newsgroups remain accessible via Google long after the initial discussion has ceased to have relevance. And there's also that embarrassing MySpace page that was started but abandoned years ago that's still active. So when a person suddenly decides to commit an online crime, all that prior online history follows them, and that's a good thing for Chris Boyd, director of malware research at Facetime Security Labs.
Boyd says that using these little bits and pieces from social data and forums really does pay off. He says his research into Echo Boomer hacker sites is almost stream-of-consciousness as he drifts from one Web page to another until he finds something really interesting.
My name is Ribut
In one of his investigations, Boyd ran across a 20-year-old girl from Malaysia. On a forum he was surfing, she mentioned in a post that in a past life her online name was Ribut. (He said she uses a different name now.) So he started looking around for Ribut, and quickly found a MySpace phishing page.
Boyd got that one MySpace phishing page taken down, but that only led him to find more pages by Ribut. To speed the process, he says he created a Google search string that ferreted out obvious phishing pages--searching for "ribut/myspace.php," for example, turns up a number of MySpace-related phishing pages that reuse the same path. After running the search, he found more pages associated with Ribut on one server. Boyd says that when they took down this server, they also took down several other phishing pages hosted alongside them.
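The search-string trick generalizes: a page that carries a brand's name in its path or host name, but is not served from that brand's own domain, is worth a look. The script below is an added example (not Boyd's or Facetime's code) that applies that rule to a list of URLs. The brand-to-domain table and the sample URLs are constructed for illustration; the "ribut/myspace.php" entry mirrors the pattern described above, the rest are made up.

```python
"""
Flag URLs that look like brand-impersonating phishing pages, generalising the
"ribut/myspace.php" pattern: a brand name appears in the path or host, but the
host's registrable domain is not one the brand actually owns.
Added example; the brand table and sample URLs are constructed, not real data.
"""
from urllib.parse import urlparse

# Brands and the registrable domains that legitimately serve them.
# Assumed table for this example; extend with whatever brands you are hunting.
BRAND_DOMAINS = {
    "myspace": {"myspace.com"},
    "hotmail": {"hotmail.com", "live.com", "msn.com"},
}

# Constructed sample input: three impersonations and two legitimate pages.
SAMPLE_URLS = [
    "http://www.myspace.com/profile/someone",                 # real MySpace
    "http://free-host.example.net/ribut/myspace.php",         # brand in path
    "http://myspace.com.login-check.example.org/index.php",   # brand in host
    "http://hotmail-password-hacker.example.com/",            # brand in host
    "http://example.org/forum/thread/123",                    # unrelated page
]


def registrable_domain(host):
    """Crude eTLD+1: the last two labels of the host name.

    Good enough for .com/.net style hosts; a real deployment should use the
    Public Suffix List so that hosts under e.g. .co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify(url):
    """Return (brand, reason) if the URL impersonates a known brand, else None."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    reg = registrable_domain(host)
    for brand, legit_domains in BRAND_DOMAINS.items():
        if reg in legit_domains:
            continue  # genuinely on the brand's own domain; nothing to flag
        if brand in path:
            return brand, "brand name in path on foreign host %s" % host
        if brand in host:
            return brand, "brand name in host but registrable domain is %s" % reg
    return None


def find_phish(urls):
    """Filter a URL list down to (url, brand, reason) triples worth a look."""
    hits = []
    for url in urls:
        verdict = classify(url)
        if verdict is not None:
            hits.append((url, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for url, brand, reason in find_phish(SAMPLE_URLS):
        print("%-55s %-8s %s" % (url, brand, reason))
```

The output is a triage list, not a verdict: a forum thread titled "hacking hotmail passwords" will match on the path just as a real harvesting page does, so each hit still needs a human to confirm a credential form is present before a takedown request goes out.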
YouTube as an investigative tool
From the MySpace phishing pages he took offline, Boyd says he had more unique usernames that he could use to trace back to the forums, social network profiles, and e-mail accounts set up for hacking and cracking. He then began the process of getting all those sites shut down as well. Often his work turns into an investigative maze of associations that lead him to nascent online criminals.
The site Hacking Hotmail Passwords is another example where Boyd was able to piece together stray bits of data to track down users. It's a fake Hotmail hacking program site with a YouTube video. Boyd says he wasn't interested in the video, or the contents of the video. Instead he clicked down to a feature of YouTube that reveals sites linking to the video. It's a list of referrers, showing anyone who embeds the video on their page. "If you start looking around any of these hacking and cracking videos," says Boyd, "instead of paying attention to the content, see what links are associated with the video, and you can unlock many hacking sites and forums, even hacker home pages."
Hunt for YoGangsta50
Wednesday we talked about YoGangsta50, who posted a virus-laden URL on a YouTube video. A lot of people fake information in their YouTube accounts, but Boyd decided to take the information available on the Hood Life GTA mod as fact: someone named "YoGangsta50" had uploaded the file.
Comments on the post mention that the person using the name YoGangsta50 had previously hacked the 50 Cent forum, but soon had a falling out with the forum. It's from these forum posts that Boyd discovered a geographic location for YoGangsta50: Hartford, Conn. In reviewing other online postings, Boyd uncovered a recurring theme with YoGangsta50: an obsession with the comic strip and cartoon The Boondocks. Elsewhere Boyd learned a first name--John--and that John may be black.
Using a different search engine, Boyd next found a Bolt.com profile page, then a Xanga.com profile, the latter containing a reference to yet another social-networking page going up soon. On all of these pages there were references to The Boondocks, age 19, and Connecticut--consistent with the details Boyd had learned elsewhere. He concluded in one of his VitalSecurity.org blog posts: "How many black youths do you think are aged between 16 and 19, are living in Hartford, Conn., with a supposed real name of 'John,' are into The Boondocks (and spend every other moment telling you about it online), and also just happen to be called YoGangsta50?"
Apparently YoGangsta50 was reading Boyd's blog posts. In his own blog post, YoGangsta50 wrote, "you all can say goodbye to me. maybe the internet was not for me! I don't want to do this anymore. Somebody help me!" He goes on to explain how to remove the virus he created: boot Windows into Safe Mode, find C:\Program Files\GTA Hoodlife, then run the Unins000 file there to uninstall it. He then pulled the video and attempted to erase his existence from the Internet.
In addition to Google and YouTube, Boyd uses Skype. He says there's a recent feature that lets you link your Skype account to your MySpace page; it essentially changes your Skype display picture to the one used on your MySpace page. It's fairly innocent. But if you search for people in Skype, as Boyd does, it also returns a bunch of MySpace pages, which can be very useful.
For example, when Boyd uses the Skype feature to look for the keyword "hacker," he finds several MySpace pages created by supposed hackers. He also searches for "spyware" and "phishing" and other key words. That's valuable, Boyd says, because you might recognize a name you've seen on a hacker forum page, and now you have more information about that individual.
As in the case of YoGangsta50, some individuals shut down their operations on their own, sparing Boyd the difficulty of tracking down their service provider. "I use the process of public attention," Boyd says. John from Hartford (YoGangsta50) in his goodbye to the Internet wrote, "How does it feel to see your name all over the Internet!!!! I could not sleep for 2 days. I have been crying all day. I'm so sorry that I did those things. I learned my lesson." Boyd hopes that's true.
For many still in the prime of their youthful hacking abilities, however, it isn't so easy. A few have already figured out which hosts to work with, and if they get their friends to open up reseller hosting accounts, they may remain online for a long time. More often, though, they are sloppy, and sometimes they expose their former criminal identities within an unrelated forum post (as with Ribut) or their YouTube profile (as with Hackerboy, aka Balloon boy).
Unfortunately, real-world law enforcement doesn't yet know what to make of online crimes or their perpetrators. "The police are overstretched already," says Boyd, "so you can't expect them to do an awful lot with something like this." The Connecticut police declined to investigate John from Hartford any further. "Since some of these people are too young to prosecute," Boyd says, "this method of publicly tracking them down, it does actually work and it does get results."
So Boyd stays at it. "You got a limited time span if they get going at age 12 or 13," says Boyd. "Based on the evidence I've seen on these kids' activities in forums, you've got until they are probably 15 or 16, before they start to think that using this username, or putting my photographs online is not a good idea."