Web Application Security

Interview With A Blackhat (Part 2)

[Please note that this series of posts discusses criminal activities from the perspective of the criminal. This may be distressing to some readers; please exercise caution.]

This is part 2/3 of my interview with “Adam” – a blackhat who has decided to go legit. During this part of the interview we discuss, among other things, some of the specifics on why defenses aren’t working, things that do help make a dent, and how the underground is dominated by organized crime. If you missed the previous part you can see it here: part 1.

Q: Is there something that websites do to try to defend themselves from guys like you that they always get wrong?

A: I could re-write Shakespeare here. I’ll pick three things.

1. Hire stupid admins who have never been a bad guy, just fed with a silver spoon all their lives and went to Uni on mummy and daddy’s money. If I were the CEO of a company I’d much rather employ someone who has a criminal record for hacking than a Uni graduate any day of the week. The guy who has the criminal record has gained the knowledge of how a bad guy would go about getting in, and not just what a text book says.

2. They allow untrained, young, dumb, Saturday workers to operate the phones.

3. Companies don’t purchase DDoS protection. Cloudflare for example offers incredibly strong DDoS protection for 200 dollars a month (also it’s harder to jack a Cloudflare domain). If I extort you for 200-1000 dollars for 1 day why not make yourself immune for the minimal fee?

Q: What types of security devices/services/techniques legitimately make your life harder as a blackhat? Any that you think are a complete waste of money?

A: Hmmmm, DDoS protection is a serious knock back, although as many groups have proven before it’s easy to bypass – e.g. Cloudflare resolver before they changed the protection method (almost bypassable lol). Things that are a waste of money… Hmm, anti-virus is completely useless — yes it may protect you from skids using non-FUD files but that’s it. Every botnet that gets sold comes FUD as default. People do it for free, it’s that easy. Anti-spam software (except CAPTCHAs, although that has a reputation for bad customer reviews).

The thing you have to remember is the black hat world is 10 steps ahead of what’s commercially available. When a 0-day is released blackhats have used it for months. Two-step authorization is a pain and sometimes yes, it does stop a hack completely, especially in social engineering, but just as Cosmo (a 15 year old UGNazi member) proved, it’s bypassable. It’s like buying a game. When it’s first released it gets patched a lot; it’ll take a long time before it makes any sort of major impact.

Q: Which types of browsers tend to be the most vulnerable? Why do you think that is?

A: If you asked me this a few years ago I’d’ve said almost 100% was IE. That is still hugely vulnerable but now people have taken to the better, faster browsers such as Chrome and Firefox. IE still dominates the market at about 52% but Chrome is the majority of the rest. I think IE is dominating the market because the vast majority of people feel comfortable with it. Unless you actually read into vulnerabilities etc., you don’t know how dangerous IE is, so why do you need to change? Chrome already forced it to be better. One thing that did hugely affect bot infection rates was the mass removal of Java. When news of a Java 0-day gets published people panic (rightly so) and uninstall it or patch, but as we all know Java never stays secure for long.

Q: How do you keep yourself anonymous given that you have to deal with buyers?

A: I use bots to talk. Not like routing my traffic through them to create ‘proxies’ but actually coding a PC to take orders. The buyer gets the buyer bot code from the market, installs it, then types in what he wants; then without his knowledge his PC joins my IRC, which gives me the order and payment method. But obviously I don’t know this happens. 😉

Q: Is there anything that you consider emerging technology that could be disruptive to the black markets?

A: No, not at all. A market never stays on a domain for more than a week, if it does it’s a fed market.

Q: Is there any line you personally wouldn’t have crossed as a blackhat? Any types of crime that were outside of what you wanted to get involved with, despite the money?

A: I refuse to allow my botnet to be used to attack charities or soldier memorial pages. Apart from that it’s fair game. I get asked a lot about what if my botnet gets used to target ‘rival’ pedophile sites? Well the fact is, pedos have their own botnets. But if someone wants to attack a pedo site I’ll most of the time do it for free. Revenge porn is another thing I let people attack for free. See, we aren’t always mean. 😉

Q: Who, in your opinion, are the most dangerous people in the underground and why?

A: By far the drug lords. Any hacker who is respected will refuse to help them. They are brutal. One quite well known guy who became well known for his ‘anti drug’ attacks was tracked down and killed. Apparently they killed his family as well but that isn’t my business to divulge.

Q: How do you think those dangerous people (cartels and so on) are shaping the rest of the underground and its tactics? Are they making the average blackhat’s job easier or harder?

A: Ahh, drug cartels. They try to extort you with death threats etc. so you just post their personal information. Everyone hates them but it’s the underground so it’s ok I suppose. Can’t complain to the Feds haha.

Q: How did you gain the trust of the people to get access to join these forums?

A: Make a name for yourself in one of the IRCs or create botnets for free or cheaply and they’ll start talking. Until then it’s an iron door you’re banging on.

Q: What do you consider to be your personal ethics? How do you perceive the owners of the websites you compromise and the victims of the machines that your botnet infects?

A: I kinda feel sorry for the people who become victims of CC fraud, although if you’re stupid enough to click a link you probably deserved it. For the admins, I hate them. If you can’t patch an SQLi or XSS you really shouldn’t be handling people’s CC. It’s just dangerous, stupid and laughable.