
Defense in Depth

April 10, 2008 6:00 AM PDT

Echo Boom hackers: Shame

by Robert Vamosi

On Thursday morning, at this year's RSA conference in San Francisco, Chris Boyd of Facetime and I will present a talk "How to Adapt to the Echo Generation's Social Media Hacking Game." The following is a preview of that talk, presented in three parts. On Tuesday we learned who the Echo Generation are. Wednesday we saw how they use online social media for hacks. Today, we'll see how Chris uses features of social networks and Web 2.0 to shut these kids down.

Known as the Sherlock Holmes of France, famed criminologist Edmond Locard once said that every contact between two items leaves a trace, and that's also true when talking about online crimes. IP addresses are left behind with every site we visit. Posts to newsgroups remain accessible via Google long after the initial discussion has ceased to have relevance. And there's also that embarrassing MySpace page that was started but abandoned years ago that's still active. So when a person suddenly decides to commit an online crime, all that prior online history follows them, and that's a good thing for Chris Boyd, director of malware research at Facetime Security Labs.

Boyd says that using these little bits and pieces from social data and forums really does pay off. He says his research into Echo Boomer hacker sites is almost stream of consciousness as he drifts from one Web page to another until he finds something really interesting.

My name is Ribut
In one of his investigations, Boyd ran across a 20-year-old girl from Malaysia. On a forum he was surfing, she mentioned in a post that in a past life her online name was Ribut. (He said she uses a different name now.) So he started looking around for Ribut, and quickly found a MySpace phishing page.

Boyd got the one MySpace phishing page taken down, but that only led him to find more pages by Ribut. To speed the process, he says he created a Google search string that ferreted out obvious phishing pages--looking for "ribut/myspace.php," for example, will produce a number of MySpace-related phishing pages. After running the search, he found more pages associated with Ribut on one server. Boyd says that when they took down this server, they also took down several other phishing pages as well.

YouTube as an investigative tool
From the MySpace phishing pages he took offline, Boyd says he had more unique usernames that he could use to trace back to the forums, social network profiles, and e-mail accounts set up for hacking and cracking. He then began the process of getting all those sites shut down as well. Often his work turns into an investigative maze of associations that lead him to nascent online criminals.

The site Hacking Hotmail Passwords is another example where Boyd was able to arrange strange bits of data to track down users. It's a fake Hotmail hacking program site with a YouTube video. Boyd says he wasn't interested in the video, or the contents of the video. Instead he clicked down to a feature of YouTube that reveals sites linking to the video. It's a list of referrers, showing anyone who embeds a video on their page. "If you start looking around any of these hacking and cracking videos," says Boyd, "instead of paying attention to the content, see what links are associated with the video, and you can unlock many hacking sites and forums, even hacker home pages."

John of Hartford aka YoGangsta50

(Credit: FaceTime Security Labs)

Hunt for YoGangsta50
Wednesday we talked about YoGangsta50, who posted a virus-laden URL on a YouTube video. A lot of people fake information in their YouTube accounts, but Boyd decided to take the information available on the Hood Life GTA mod as fact: someone named "YoGangsta50" had uploaded the file.

Comments to the post mention that the person using the name YoGangsta50 had previously hacked the 50 Cent forum, but soon had a falling out with the forum. It's from these forum posts that Boyd discovered a geographic location for YoGangsta50: Hartford, Conn. In reviewing other online postings, Boyd uncovered a reoccurring theme with YoGangsta50: an obsession with the comic strip and cartoon The Boondocks. Elsewhere Boyd learned a first name--John--and that John may be black.

Gotcha
Using a different search engine, Boyd next found a Bolt.com profile page, then a Xanga.com profile, the latter containing a reference to yet another social-networking page going up soon. On all of these pages there were references to The Boondocks, age 19, and Connecticut--consistent with the details Boyd had learned elsewhere. He concluded in one of his VitalSecurity.org blog posts: "How many black youths do you think are aged between 16 and 19, are living in Hartford, Conn., with a supposed real name of 'John,' are into The Boondocks (and spend every other moment telling you about it online), and also just happen to be called YoGangsta50?"

Apparently YoGangsta50 was reading Boyd's blog posts. In his own blog post, YoGangsta50 wrote, "you all can say goodbye to me. maybe the internet was not for me! I Dont want to do this anymore. Somebody help me!" He goes on to explain how to remove the virus he created--go into Safe Mode in Windows, find C:\Program Files\GTA Hoodlife, then click and run the Unins000 file to delete the virus. He also pulled the video and further attempted to erase his existence from the Internet.

Running Skype search on "hacker"

(Credit: FaceTime Security Labs)

Using Skype
In addition to Google and YouTube, Boyd uses Skype. He says there's a recent feature that allows you to hook your Skype account up to your MySpace site, and it essentially changes your Skype display picture to the one used on your MySpace page. It's fairly innocent. But if you do a search for people in Skype, as Boyd does, it also returns a bunch of MySpace pages, which can be very useful.

For example, when Boyd uses the Skype feature to look for the keyword "hacker," he finds several MySpace pages created by supposed hackers. He also searches for "spyware" and "phishing" and other key words. That's valuable, Boyd says, because you might recognize a name you've seen on a hacker forum page, and now you have more information about that individual.

Shame
As with the case of YoGangsta50, the individuals themselves shut down their operations on their own, sparing Boyd the difficulty of tracking down their service provider. "I use the process of public attention," Boyd says. John from Hartford (YoGangsta50) in his goodbye to the Internet wrote, "How does it feel to see your name all over the Internet!!!! i could not sleep for 2 days. i have been crying all day. am so sorry that i did those things. i learned my lesson." Boyd hopes that's true.

For many still in the prime of their youthful hacking abilities, however, it isn't so easy. A few have already figured out which hosts to work with, and if they get their friends to open up reseller hosting accounts, they may remain online for a long time. But more often, they are sloppy, and sometimes they expose their former criminal identities within an unrelated forum post (as with Ribut) or their YouTube profile (as with Hackerboy, aka Balloon boy).

Limited time
Unfortunately, real-world law enforcement doesn't yet know what to make of online crimes or their perpetrators. "The police are overstretched already," says Boyd, "so you can't expect them to do an awful lot with something like this." The Connecticut police declined to investigate John from Hartford any further. "Since some of these people are too young to prosecute," Boyd says, "this method of publicly tracking them down, it does actually work and it does get results."

So Boyd stays at it. "You got a limited time span if they get going at age 12 or 13," says Boyd. "Based on the evidence I've seen on these kids' activities in forums, you've got until they are probably 15 or 16, before they start to think that using this username, or putting my photographs online is not a good idea."

April 9, 2008 4:00 AM PDT

Echo Boom hackers: A dangerous game

by Robert Vamosi

On Thursday morning, at this year's RSA Conference in San Francisco, Chris Boyd of Facetime and I will present a talk called "How to Adapt to the Echo Generation's Social-Media Hacking Game." The following is a preview of that talk, presented in three parts. Yesterday, we saw who the Echo Generation are. Today, we're looking at how they use online social media for hacks. Tomorrow, we'll see how Chris uses features of social networks and Web 2.0 to shut these kids down.

For the last few years, Chris Boyd, director of malware research at Facetime Security Labs, has been researching how the Echo Boomers use the Internet and how a certain subset of that generation has gotten into computer hacking. Yesterday, we looked at the generation in particular, trends and the possible motivations behind some of these kids. Today, we'll look at what these kids are doing online.

Boyd sees a lot of forum posts from 11- and 12-year-olds, bragging about their own phishing kits and botnet kits, but mostly game mods. He says a lot of the programs on the sites themselves are fake, a mere lure to get people to check out the site. Once there, there are usually music CDs with stolen music creation software. Boyd says one kid was even selling T-shirts with his (online) name on them. The forums used to promote these sites are interesting too; often, they're run by teenagers.

Dubious hosts
Boyd says it's common for him to see 11- or 12-year-old kids running their own reseller Web-hosting accounts. The sites typically feature completely fake data, providing no contact details on the Web site. And yet people are signing up for these things. "This growing trend for young kids running reseller accounts--those seem to be on the increase, from what I see."

They get word of mouth from the older kids, the places to go, the places to host your site. And the Echo Boom hackers tend to gravitate toward specific Web hosts that they know people will have trouble getting taken down. Some aren't very smart, and they'll host all over the place. A lot of those sites can be taken down quite easily. "One thing I have seen is that a lot of these kids that run their own forums will attempt to phish their own forum members, which is quite bizarre."

If you're not phished, then you run the risk of "crapflooding." Crapflooding is the practice of disrupting discussions on forums with nonsensical postings, such as repeating "you are hacker god" over and over. It takes a little bit of knowledge, since many sites have Captcha systems designed to prevent automated scripts.

Helgib
Although most aren't, some of these kids are making quite a bit of cash. One example is the Helgib kid, based in Iceland. According to Boyd, he was selling his own music and videos, and he had his own store that is happily advertised in his MySpace profile. Helgib was quite shameless, too, Boyd says, noting that the boy's photographs were all over the place.

Boyd says Helgib managed to stay in business for a while because he found a safe harbor with an incredibly dubious Web host based in the United States. Every time Boyd got Helgib's site shut down, it would just come back to life elsewhere.

Helgib is fascinated with Helgib. On YouTube, his profile read, "I'm a computer nerd, programmer, musician, and a famous hacker." At one point, Boyd says, Helgib tried to write his personal details onto the Wikipedia entry for famous hackers. Boyd, despite being challenged, thought it was all quite humorous.

YoGangsta revealed

(Credit: FaceTime Security Labs)

The fall of YoGangsta50
Last summer, Boyd found another example on YouTube. The video (no longer available) promotes a mod called Hood Life for the popular game Grand Theft Auto. The malicious content didn't involve the actual YouTube video itself; it's the URL at the end that's the problem. The site contained a malicious file, and if you linked to it, the file would download onto your desktop.

Boyd, an avid gamer, was livid that 54 people did, or had the potential to, download the malicious file after viewing the video, and in his blog, he railed against the inferior graphics and the overall shoddy work. But there are armies of fanboys who are completely obsessed with these characters, who spend a lot of time crawling up to them, trying to get in favor with them. There's a definite structure at work.

Boyd likens what is going on online to real-world street gangs, in which you have older boys enlisting the younger ones to do their dirty work. If the younger kids get caught, so be it; they're juveniles and most likely will be set free. Meanwhile, the older kids are free to recruit others.

Hackerboy a.k.a. "Balloon boy"

(Credit: FaceTime Security Labs)

The strange double life of Hackerboy
Then there's the secret double life of a notorious teenage hacker. By day, he's "Hackerboy," but, as Boyd discovered, he's also "balloon boy" in an embarrassing YouTube video. Boyd says he stumbled across this post from a guy who claimed to be a "leet" hacker, a "h4xor god." He's so good that he posted screenshots of his anonymous ownership of a few school networks. Not so anonymous, is he? Not too bright, Boyd says.

The boy, Hackerboy, even bothered to put a photo of himself on the forum profile page with the supposedly anonymous hacks. So Boyd wondered what other profile pages this kid might have. And that's when he found the YouTube video of HackerBoy sucking helium out of a balloon and running around his local town square being, well, a very silly little kid.

Boyd says Hackerboy tried to delete the video from YouTube but, Boyd writes in his blog, "I already had it open and have decided never to close the page down. In this way, my laptop will serve as an eternal monument of shame and lulz for all time."

But the fall of Balloon wasn't yet complete. Boyd went on to write, "Take one Balloon boy. Throw in a pinch of hacked sites, a smattering of photographs, and a dash of complete stupidity. Bring to the boil, then throw in a dozen or so e-mails from a number of people located in various parts of the globe to his school," and the kid is suddenly offline.

Boyd suspects that the kid did get busted and will soon erase all evidence of himself from the various forums and sites. At the least the YouTube video is finally gone.

Real-world gaming connection
In one of his investigations, Boyd found an example where the online world reached out to the real world. In this case, a scam involving World of Warcraft operated like this: In the real world, to access a multiplayer game, you need to purchase a time card. The scammers would go into electronics stores, where the time cards weren't sealed, and insert a fake beta trial card.

He said that in the United Kingdom, they're sealed with plastic wrap but that certain stores in the United States do not seal them. He said they'd wait until the shop clerks weren't looking, then slip the fake cards into the time cards.

When you get home, the card would fall out and invite you to sign up for a free 15-day trial for World of Warcraft or whatever. On the site, you type in all your login details for your real account, credit card, and phone numbers. And you've just been phished.

Boyd says he was able to warn Electronics Boutique in the U.S. that this activity was going on. He doesn't know if any action was taken, but when he went back to the scammer's forum page, the topic no longer existed; it had been pulled down.

Dangerous game
There are also sites where kids are asked to "show your latest hack." One kid, says Boyd, had a Trojan horse sitting on a desktop somewhere in the world and could see what the desktop owner was looking at on his screen. It so happened that the owner was viewing child pornography. So the kid, says Boyd, thinking this is cool, takes a screenshot of it and posts it on the "show us your" forum for all to see.

Boyd said, "The kid's probably thinking ha, ha, we got a pedophile looking at child porn," but now he's put child porn on all the desktops that are viewing the "show us your" forum--which isn't very smart, should law enforcement look at the browser cache or hard drive of any of those viewers' desktops. Then again, some of these pedophile sites are run by people Boyd says you really don't want to be tangling with. "You start having these dialogues with complete psychopaths, and you don't really know who they are or what they're capable of."

Boyd says that if he had a site full of illegal material and found that it was suddenly splashed across some hacker forum, he'd be tempted to start looking in the real world for them. "They could pretend to be the same age of the kids," Boyd says. "There's a whole wealth of weird and creepy scenarios that could come out of such a thing."

Tomorrow, we'll look at how Chris uses features of social networks and Web 2.0 to shut these kids down.

April 8, 2008 4:00 AM PDT

Meet the Echo Boom hackers

by Robert Vamosi

On Thursday morning, at this year's RSA Conference in San Francisco, Chris Boyd of Facetime and I will present a talk, "How to Adapt to the Echo Generation's Social Media Hacking Game." The following is a preview of that talk, presented in three parts. On Tuesday, we're looking at who the Echo Generation hackers are. Wednesday, we'll look at how they use online social media for hacks. And on Thursday, we'll talk about how Chris uses features of social networks and Web 2.0 to shut these kids down.

It's a world of fake hacks and stolen Habbo Hotel and World of Warcraft gaming accounts. Sometimes there's money associated with it, but most often the scams and the pranks are just for prestige.

Welcome to the next generation of computer hackers, the teenybopper edition, where the kids, ages 11 to 16, don't consider YouTube, MySpace.com, Facebook, and Xanga to be social-networking sites. They call them "social engineering sites."

They're the geek subset of the so-called Echo Boomers, a generation defined as children born between 1982 and 1995; they are also sometimes called "Generation Y" or "Millennials." The Echo Boomer name is a direct reference to the Baby Boomers, born some 30 years before, and many are in fact children of Baby Boomers. According to CBS News, Echo Boomers already spend $170 billion a year of their own and their parents' money, so from a marketing perspective they're significant.

They're the first generation to experience the growth of the Internet at a very early age. Some are early adopters of cutting-edge Web 2.0 applications and services such as video streaming and social networking. Some of these kids have begun to dabble in computer hacking, but unlike previous generations of computer hackers, it's not about discovery, it's all about them.

Neo hackers
According to Chris Boyd, director of malware research at Facetime Security Labs, Echo Boomer computer hackers "don't seem to be as wise to the risks as older generations were." They leap from social-networking site to social-networking site. And they are quite happy to post photographs of themselves on sites selling stolen credit cards. They're non-anonymous on the Internet, he says, often keeping the same username, which makes them easy to shut down.

But keeping one username in particular is behavior that is not necessarily true of all mainstream teenage users, suggests Danah Boyd (no relation to Chris Boyd). As a Ph.D. candidate at the University of California at Berkeley and a fellow at Harvard Law School's Berkman Center for Internet and Society, her graduate work has focused on how people manage their presentation of self in online environments. Her subsequent research has found anecdotal evidence of teenagers who create a throw-away e-mail account for the sole purpose of creating a new social site page. Then, over time, if they lose their password to the site or to the e-mail account, they simply create a new account and a new profile page.

Where the teens are
In January 2007, the Pew Internet & American Life Project released a study of 935 mainstream U.S.-based youth aged 12 to 17 years old. Overall, 41 percent of the youths aged 12 to 13 had social site profiles, while 61 percent of the youths aged 14 to 17 did. But by gender, the differences are clear. Seventy percent of girls aged 15 to 17 have a social site profile compared with only 50 percent for boys the same age.

In the study, the mainstream teens said the social network they updated most was MySpace (85 percent), with Facebook (7 percent) and Xanga (1 percent) far behind. A quarter of the teens surveyed said they visited their site once a day, with another 20 percent saying they visited more often. Another 20 percent said they visit once every two weeks. Not surprisingly, use of the social-network site changed with computer access. Youths who accessed the Internet at home accessed social sites more often--58 percent as opposed to 42 percent who accessed the Internet from school or some other public terminal.

The importance of these social-network profile sites in the lives of mainstream Echo Boomers varied among those surveyed. Ninety percent said they use the sites to stay in touch with friends they see often, and 82 percent said they stay in touch with those they do not see as often. A majority use the sites for making social plans. But when it comes to making new friends, the teens were evenly split. And as for flirting, 83 percent (male and female) said they did not do that. Sixty percent of the youths surveyed reported limiting access to their site profiles.

Why they're online
In one paper, Danah Boyd likens online social networks to radio and mass media in past generations, except that social networks allow interaction as opposed to being fed information from the mass media. Echo Boomers may be the first generation to interactively define who they are. She adds, "this is highly beneficial for marginalized youth, but its effect on mainstream youth is unknown."

"Because the digital world requires people to write themselves into being," she writes, "profiles provide an opportunity to craft the intended expression through language, imagery and media. Explicit reactions to their online presence offers valuable feedback. The goal is to look cool and receive peer validation."

She added, "for those seeking attention, writing comments and being visible on popular people's pages is very important and this can be a motivation to comment on others' profiles."

Same name
This is consistent with Chris Boyd's research into Echo Boomer hackers that create one username and see how it plays on the social networks. "This is more of a lifestyle statement to a lot of these kids. A lot of it is about fame and fortune," he said.

Teenage hackers are using YouTube.

(Credit: FaceTime Security Labs)

He said in his research that he sees kids starting between the ages of 11 and 13 on online gaming sites. "A lot of these kids mature on to Habbo Hotel, Runescape, and things like that. From there they start to learn about the basic hacks and cracks and patches." Some start to run their own forums. That's when, he said, they start to get a bit more adventurous; then they start looking into the phish pages, the fake account stealer programs that you get for Runescape. He said there's a strong link between gaming communities and teenage computer hacking, although he doesn't know if anyone's ever actually set down some hard statistics.

One example
He cites an example of a kid on a forum who posted that his YouTube account had been shut down. The kid wanted others on the forum to launch a campaign to get his username reinstated. "Rather than recreate the username with a one or a two on the end," Boyd said, "he was so obsessed with his own particular username, with the uniqueness of it and all that, that, in his own words, he'd rather retire from the hacking scene than lose his username."

Additional research suggests that teens of a certain age have "settled," and are therefore much more protective of their nascent identities online. They're individuating from their parents; they're trying a version of themselves out in the real world, so their usernames take on additional value and weight. So when they cross the line into criminal hacking, in many ways it is just as personal as though they themselves were engaged in petty crime on the streets. And that is an important intersection for teenagers who dabble in writing malicious software.

Gotcha
By keeping the same username across Xanga, Facebook, and MySpace, Chris Boyd expects to find a paper trail online. And he does. He has tracked many offenders across numerous sites, some going back a few years, and done so in about 10 minutes or less using Google. "It's weird," he says. "Now when you hear about hackers it's all profit motivated--they're not doing it for hacking kudos anymore; they're not in it for the fame; they're in it for the money. There was a time when (hacking) was all about exploration, being notorious or well-known or a famous hacker. It's almost that a lot of these kids have reverted back to that way of thinking."

Except they don't see any reason to hide.

Boyd goes on to say a lot of what he's seen online is like an American Idol sort of hacker fame. Rather than having any sort of real standing of fame within the hacking community, a lot of the hacks are quite facile--a lot are fleeting. "It's because they haven't got a concept of the consequences of it all. It's almost like a fad--and it's a pretty dangerous fad, I think."

On Wednesday, we'll look at exactly what these Echo Boomer hackers are doing online.


About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.
