[ISN] Big trouble with teen hackers

From: InfoSec News (alerts@private)
Date: Mon Feb 04 2008 - 23:18:26 PST


http://weblog.infoworld.com/zeroday/archives/2008/02/hacking_teen_ch.html

By Matt Hines
Zero Day Security
February 04, 2008

Teenagers, including children as young as eleven and twelve years old, 
are increasingly becoming involved in serious cyber-criminal activity 
that exposes themselves and the users they target to a full range of 
dangerous repercussions.

According to Chris Boyd -- a well-known security researcher who works 
for FaceTime Communications and was in Washington D.C. last week 
presenting at the Anti-Spyware Coalition's latest confab -- he and other 
white hat hackers are coming across a growing number of underground 
malware distribution forums wholly populated and operated by teens under 
the age of 16.

When the security industry meets for the annual RSA Security conference 
in April, Boyd plans to share more of his research into the topic.

And while these groups of younger hackers may be less experienced, the 
fruits of their labors are often just as nefarious as the schemes being 
run by older professionals. The teen-run forum sites are rife with the 
same types of malware exploits and stolen credit card data that adult 
cyber-criminals use to ply their trades, Boyd said.

One of the biggest problems with the scenario, he said, is that many of 
the teen hackers don't appear to understand the seriousness of the 
activity that they're getting involved in.

Even worse, most aren't going to great lengths to disguise their 
real-life identities, which could lead to them being arrested or taken 
advantage of by more experienced hackers looking for victims, he said.

"Most have absolutely no idea of what getting they're into, they're 
swapping stolen credit card data using their real names and photos, 
they're committing real crimes and leaving huge paper trails back to 
their real identities," said Boyd, who also goes by the name 
"Paperghost" in conducting his underground research.

"The scary thing is that these are kids with very strong coding skills 
who have also already mastered the social engineering techniques needed 
to trick other people -- who are often times the other kids using these 
sites, into falling for all sorts of attacks," he said. "You even have 
kids putting up tribute sites with their real names bragging about all 
the crimes they've committed, selling t-shirts about it, and when you 
talk to them they don't have a clue of how much trouble they might be 
getting into."

Boyd has spent a significant amount of his energies of late infiltrating 
the underground "kiddie" sites and trying to show the youngsters the 
errors of their ways by pointing out how easily they can be caught, and 
how simple it is to trace their activity back to their real-world lives.

In many cases, said the researcher, the young hackers are pointing 
directly from their underground malware activity to their personal pages 
on sites like MySpace, which could make it easy for law enforcement 
agencies tasked with investigating their exploits to find them and 
pursue them in court.

Added to any legal trouble the younger hackers might get themselves into 
is the fact that there are also older, more experienced hackers trolling 
the teen underground forums to recruit the youngsters as functionaries 
for their own more-advanced malware schemes.

The adult hackers know they can find willing accomplices who are easily 
misled into committing more serious crimes than they realize, and who 
will eventually be the ones caught holding the bag when investigators 
begin piecing any charges together, he said.

Boyd said that many of the teen hacking forums are based around the 
culture of online video games, and that the malicious activity often 
grows out of the hacking of player accounts, or the sharing of programs 
that can be used to cheat at the applications.

It doesn't take much for teen hackers -- most of whom appear to be based 
in affluent western countries like the U.S. and U.K. -- to segue from 
cheating at games to stealing credit card information, said Boyd.

"It's amazing that these are sites being run by kids; you go in and 
there is an endless supply of stolen credit card data, and they've got 
sophisticated cross-site scripting tools and professional phishing kits 
that they're using to get even more data," he said. "And on the same 
sites they're posting all their real personal data and lists of sites 
that they've hacked."

In an interesting social twist, some of the young hackers also appear to 
have decided to take the law into their own hands to shut down any 
shadowy domains they come across online, including child pornography 
sites.

However, despite the noble aspirations, the endgame is a situation where 
you have children coming into direct contact with people controlling the 
sites, saving illegal content to their computers, and potentially making 
it harder for real world investigators to go after the same individuals.

"You have these more self-righteous kids trying to deface child porn 
sites, and not only are they being exposed to the content, but they're 
saving images and the like that could get them into legal trouble, and 
it makes it harder for the police by destroying evidence, it's a bad 
situation by anyone's guess," Boyd said. "You have the idea that some of 
the people running the sites could figure out who these kids are, it all 
gets very dangerous very quickly."

While the researcher has been trying to work with online hosting 
companies to help shut down the underground kiddie hacking forums, Boyd 
said that the firms remain a major obstacle, refusing to intervene 
unless they absolutely have to, even when there's evidence of 
significant criminal activity.

As a result, the expert said that the most effective manner for 
convincing those teens involved to stop is by calling them out by name 
and showing them how easily their real identities can be uncovered.

"Typically you don't want to give clues to forum operators why they're 
being taken down, but in this case we're trying to communicate with them 
directly, to show them that we know who they are and what they are 
doing, and that the cops could do the same thing," Boyd said. "If you 
hit them hard and fast and take down their sites and shame them, at 
least in some cases it seems like they're getting scared off."

In the best case scenario, Boyd said, several of the aspiring 
technophiles have been converted into white hats and convinced to begin 
helping security researchers infiltrate their ranks and take down other 
teens' malware campaigns. The researcher said he has at least one such 
teen working directly under his supervision contributing to an 
anti-hacking project.

It's worth noting of course that many of the white hat hackers you run 
across today -- people in their thirties who present at conferences, who 
are running their own security software companies or working for major 
industry names -- admit that they got their start acting as script 
kiddies who thrilled in the defacement of public sites before going 
legit.

For our sake, hopefully a lot of the younger hackers of today will grow 
into the researchers of tomorrow. It sounds like we're going to need the 
help.


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Mon Feb 04 2008 - 23:23:06 PST