http://weblog.infoworld.com/zeroday/archives/2008/02/hacking_teen_ch.html By Matt Hines Zero Day Security February 04, 2008 Teenagers, including children as young as eleven and twelve years old, are increasingly becoming involved in serious cyber-criminal activity that exposes themselves and the users they target to a full range of dangerous repercussions. According to Chris Boyd -- a well-known security researcher who works for FaceTime Communications and was in Washington D.C. last week presenting at the Anti-Spyware Coalition's latest confab -- he and other white hat hackers are coming across a growing number of underground malware distribution forums wholly populated and operated by teens under the age of 16. When the security industry meets for the annual RSA Security conference in April, Boyd plans to share more of his research into the topic. And while these groups of younger hackers may be less experienced, the fruits of their labors are often just as nefarious as the schemes being run by older professionals. The teen-run forum sites are rife with the same types of malware exploits and stolen credit card data that adult cyber-criminals use to ply their trades, Boyd said. One of the biggest problems with the scenario, he said, is that many of the teen hackers don't appear to understand the seriousness of the activity that they're getting involved in. Even worse, most aren't going to great lengths to disguise their real-life identities, which could lead to them being arrested or taken advantage of by more experienced hackers looking for victims, he said. "Most have absolutely no idea of what getting they're into, they're swapping stolen credit card data using their real names and photos, they're committing real crimes and leaving huge paper trails back to their real identities," said Boyd, who also goes by the name "Paperghost" in conducting his underground research. "The scary thing is that these are kids with very strong coding skills who have also already mastered the social engineering techniques needed to trick other people -- who are often times the other kids using these sites, into falling for all sorts of attacks," he said. "You even have kids putting up tribute sites with their real names bragging about all the crimes they've committed, selling t-shirts about it, and when you talk to them they don't have a clue of how much trouble they might be getting into." Boyd has spent a significant amount of his energies of late infiltrating the underground "kiddie" sites and trying to show the youngsters the errors of their ways by pointing out how easily they can be caught, and how simple it is to trace their activity back to their real-world lives. In many cases, said the researcher, the young hackers are pointing directly from their underground malware activity to their personal pages on sites like MySpace, which could make it easy for law enforcement agencies tasked with investigating their exploits to find them and pursue them in court. Added to any legal trouble the younger hackers might get themselves into is the fact that there are also older, more experienced hackers trolling the teen underground forums to recruit the youngsters as functionaries for their own more-advanced malware schemes. The adult hackers know they can find willing accomplices who are easily misled into committing more serious crimes than they realize, and who will eventually be the ones caught holding the bag when investigators begin piecing any charges together, he said. Boyd said that many of the teen hacking forums are based around the culture of online video games, and that the malicious activity often grows out of the hacking of player accounts, or the sharing of programs that can be used to cheat at the applications. It doesn't take much for teen hackers -- most of whom appear to be based in affluent western countries like the U.S. and U.K. -- to segue from cheating at games to stealing credit card information, said Boyd. "It's amazing that these are sites being run by kids; you go in and there is an endless supply of stolen credit card data, and they've got sophisticated cross-site scripting tools and professional phishing kits that they're using to get even more data," he said. "And on the same sites they're posting all their real personal data and lists of sites that they've hacked." In an interesting social twist, some of the young hackers also appear to have decided to take the law into their own hands to shut down any shadowy domains they come across online, including child pornography sites. However, despite the noble aspirations, the endgame is a situation where you have children coming into direct contact with people controlling the sites, saving illegal content to their computers, and potentially making it harder for real world investigators to go after the same individuals. "You have these more self-righteous kids trying to deface child porn sites, and not only are they being exposed to the content, but they're saving images and the like that could get them into legal trouble, and it makes it harder for the police by destroying evidence, it's a bad situation by anyone's guess," Boyd said. "You have the idea that some of the people running the sites could figure out who these kids are, it all gets very dangerous very quickly." While the researcher has been trying to work with online hosting companies to help shut down the underground kiddie hacking forums, Boyd said that the firms remain a major obstacle, refusing to intervene unless they absolutely have to, even when there's evidence of significant criminal activity. As a result, the expert said that the most effective manner for convincing those teens involved to stop is by calling them out by name and showing them how easily their real identities can be uncovered. "Typically you don't want to give clues to forum operators why they're being taken down, but in this case we're trying to communicate with them directly, to show them that we know who they are and what they are doing, and that the cops could do the same thing," Boyd said. "If you hit them hard and fast and take down their sites and shame them, at least in some cases it seems like they're getting scared off." In the best case scenario, Boyd said, several of the aspiring technophiles have been converted into white hats and convinced to begin helping security researchers infiltrate their ranks and take down other teens' malware campaigns. The researcher said he has at least one such teen working directly under his supervision contributing to an anti-hacking project. It's worth noting of course that many of the white hat hackers you run across today -- people in their thirties who present at conferences, who are running their own security software companies or working for major industry names -- admit that they got their start acting as script kiddies who thrilled in the defacement of public sites before going legit. For our sake, hopefully a lot of the younger hackers of today will grow into the researchers of tomorrow. It sounds like we're going to need the help. ___________________________________________________ Subscribe to InfoSec News http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Mon Feb 04 2008 - 23:23:06 PST