Kids turned cybercriminals
You might know this kid. He's as young as 12 or 13, not all that popular in school. He spends a lot of time online. You figure he's playing World of Warcraft, constantly refining his MySpace pages, or maybe hanging out in Habbo, a virtual world popular with kids. But he may also be wreaking havoc on social networking sites, selling a veritable supermarket full of his own malware, and creating packages of phishing tools.
"These kids are obsessed with phishing," said Chris Boyd, director of malware research for Facetime Communications during a presentation at the RSA Conference, here in San Francisco. They don't see phishing as a problem, Boyd says, because they typically start out stealing large numbers of MySpace pages, then move on to stealing a few PayPal accounts—but for a lot more money.
Today's young hackers consider themselves stars of the cyberworld, not aware or not caring that what they're doing is illegal. "For these kids, it's a game, a hacker version of American Idol," Boyd said. "But the TV show they're really on is America's Most Wanted."
"A lot of these kids in five years time are going to be creating all kinds of problems," Boyd added. An example: A kid whose online name was YoGangsta50 designed his own version of Grand Theft Auto (GTA) called Hood Life. He advertised the game on YouTube, conveniently providing a download link. Once interested parties picked up GTA Hood Life, they got this message in a dialog box: "GTA Virus You're Infected Ha Ha Ha!!!!!!" The victims' mouse and keyboard drivers were suddenly useless, and their computers wouldn't boot.
Another group of young phishers printed high-quality, glossy pamphlets asking World of Warcraft players for their credit information in exchange for an offer for game-related products. He slipped these into boxes for time cards (buying minutes to play the game) already on retail shelves. The boxes had no seals on them at the time.
Have we come full circle here, back to the days of old-school hackers like Kevin Mitnick, who in the 1990s was convicted of hacking into a number of corporate computer systems? Not exactly, according to Boyd. Where Kevin Mitnick performed his activities in secret, hidden from view and knowing what he did was wrong, the kids engaged in phishing and other cybercrime activities today do so in a very public way.
Although the kids' real names are generally hidden, their true identities are not all that difficult to uncover, Boyd has found. When he finds out who they are, he pulls the plug on their YouTube videos, their social networking pages, and their Web sites. In doing so, he finds he can often stop a whole network of kids who are working together.
Many such miscreants have been scared out of their wits at being caught, as they themselves admit. One hacker who called himself the Punisher sent an e-mail saying he'd been caught, he had 100 felony charges against him, and he was scared.
But Boyd's goal isn't to frighten these kids. After stopping their illegal activities he tries to take the next step to rehabilitating them. "I change some of the circuitry, if you will," he said. "After they’ve had this huge smackdown, I offer them a way back. A lot of them now operate under my wing and under my care."
So maybe we have come full circle. Even Kevin Mitnick ultimately became a security consultant.
—Donna Tapellini
Comments