Echo Boom hackers: A dangerous game

On Thursday morning, at this year's RSA Conference in San Francisco, Chris Boyd of Facetime and I will present a talk called "How to Adapt to the Echo Generation's Social-Media Hacking Game." The following is a preview of that talk, presented in three parts. Yesterday, we saw who the Echo Generation are. Today, we're looking at how they use online social media for hacks. Tomorrow, we'll see how Chris uses features of social networks and Web 2.0 to shut these kids down.

For the last few years, Chris Boyd, director of malware research at Facetime Security Labs, has been researching how the Echo Boomers use the Internet and how a certain subset of that generation has gotten into computer hacking. Yesterday, we looked at the generation in particular, trends and the possible motivations behind some of these kids. Today, we'll look at what these kids are doing online.

Boyd sees a lot of forum posts from 11- and 12-year-olds, bragging about their own phishing kits and botnet kits, but mostly game mods. He says a lot of the programs on the sites themselves are fake, a mere lure to get people to check out the site. Once there, there are usually music CDs with stolen music creation software. Boyd says one kid was even selling T-shirts with his (online) name on them. The forums used to promote these sites are interesting too; often, they're run by teenagers.

Dubious hosts
Boyd says it's common for him to see 11- or 12-year-old kids running their own reseller Web-hosting accounts. The sites typically feature completely fake data, providing no contact details on the Web site. And yet people are signing up for these things. "This growing trend for young kids running reseller accounts--those seem to be on the increase, from what I see."

They get word of mouth from the older kids, the places to go, the places to host your site. And the Echo Boom hackers tend to gravitate toward specific Web hosts that they know people will have trouble getting taken down. Some aren't very smart, and they'll host all over the place. A lot of those sites can be taken down quite easily. "One thing I have seen is that a lot these kids that run their own forums will attempt to phish their own forum members, which is quite bizarre."

If you're not phished, then you run the risk of "crapflooding." Crapflodding is the practice of disrupting discussions on forums with nonsensical postings, such as repeating you are hacker god over and over. It takes a little bit of knowledge, since many sites have Captcha systems designed to prevent automated scripts.

Helgib
Although most aren't, some of these kids are making quite a bit of cash. One example is the Helgib kid, based in Iceland. According to Boyd, he was selling his own music and videos, and he had his own store that is happily advertised in his MySpace profile. Helgib was quite shameless, too, Boyd says, noting that the boy's photographs were all over the place.

Boyd says Helgib managed to stay in business for a while because he found a safe harbor with an incredibly dubious Web host based in the United States. Every time Boyd got Helgib's site shut down, it would just come back to life elsewhere.

Helgib is fascinated with Helgib. On YouTube, his profile read, "I'm a computer nerd, programmer, musician, and a famous hacker." At one point, Boyd says, Helgib tried to write his personal details onto the Wikipedia entry for famous hackers. Boyd, despite being challenged, thought it was all quite humorous.

The fall of YoGangsta50
Last summer, Boyd found another example on YouTube. The video (no longer available) promotes a mod called Hood Life for the popular game Grand Theft Auto. The malicious content didn't involve the actual YouTube video itself; it's the URL at the end that's the problem. The site contained a malicious file, and if you linked to it, the file would download onto your desktop.

Boyd, an avid gamer, was livid that 54 people did, or had the potential to, download the malicious file after viewing the video, and in his blog, he railed against the inferior graphics and the overall shoddy work. But there are armies of fanboys who are completely obsessed with these characters, who spend at lot of time crawling, crawling up to them, trying to get in favor with them. There's a definite structure at work.

Boyd likens what is going on online to real-world street gangs, in which you have older boys enlisting the younger ones to do their dirty work. If the younger kids get caught, so be it; they're juveniles and most likely will be set free. Meanwhile, the older kids are free to recruit others.

The strange double life of Hackerboy
Then there's the secret double life of a notorious teenage hacker. By day, he's "Hackerboy," but, as Boyd discovered, he's also "balloon boy" in an embarrassing YouTube video. Boyd says he stumbled across this post from a guy who claimed to be a "leet" hacker, a "h4xor god." He's so good that he posted screenshots of his anonymous ownership of a few school networks. Not so anonymous, is he? Not too bright, Boyd says.

The boy, Hackerboy, even bothered to put a photo of himself on the forum profile page with the supposedly anonymous hacks. So Boyd wondered what other profile pages this kid might have. And that's when he found the YouTube video of HackerBoy sucking helium out of a balloon and running around his local town square being, well, a very silly little kid.

Boyd says Hackerboy tried to delete the video from YouTube but, Boyd writes in his blog, "I already had it open and have decided never to close the page down. In this way, my laptop will serve as an eternal monument of shame and lulz for all time."

But the fall of Balloon wasn't yet complete. Boyd went on to write, "Take one Balloon boy. Throw in a pinch of hacked sites, a smattering of photographs, and a dash of complete stupidity. Bring to the boil, then throw in a dozen or so e-mails from a number of people located in various parts of the globe to his school," and the kid is suddenly offline.

Boyd suspects that the kid did get busted and will soon erase all evidence of himself from the various forums and sites. At the least the YouTube video is finally gone.

Real-world gaming connection
In one of his investigations, Boyd found an example where the online world reached out to the real world. In this case, a scam involving World of Warcraft operated like this: In the real world, to access a multiplayer game, you need to purchase a time card. The scammers would go into electronics stores, where the time cards weren't sealed, and insert a fake beta trail card.

He said that in the United Kingdom, they're sealed with plastic wrap but that certain stores in the United States do not seal them. He said they'd wait until the shop clerks weren't looking, then slip the fake cards into the time cards.

When you get home, the card would fall out and invite you to sign up for a free 15-day trial for World of Warcraft or whatever. On the site, you type in all your login details for your real account, credit card, and phone numbers. And you've just been phished.

Boyd says he was able to warn Electronics Boutique in the U.S. that this activity was going on. He doesn't know if any action was taken, but when he went back to the scammer's forum page, the topic no longer existed; it had been pulled down.

Dangerous game
There are also sites where kids are asked to "show your latest hack." One kid, says Boyd, had a Trojan horse sitting on a desktop somewhere in the world and could see what the desktop owner was looking at on his screen. It so happened that the owner was viewing child pornography. So the kid, says Boyd, thinking this is cool, takes a screenshot of it and posts it on the "show us your" forum for all to see.

Boyd said, "The kid's probably thinking ha, ha, we got a pedophile looking at child porn," but now he's put child porn on all the desktops that are viewing the "show us your" forum--which isn't very smart, should law enforcement look at the browser cache or hard drive of any of those viewers' desktops. Then again, some of these pedophile sites are run by people Boyd says you really don't want to be tangling with. "You start having these dialogues with complete psychopaths, and you don't really know who they are or what they're capable of."

Boyd says that if he had a site full of illegal material and found that it was suddenly splashed across some hacker forum, he'd be tempted to start looking in the real world for them. "They could pretend to be the same age of the kids," Boyd says. "There's a whole wealth of weird and creepy scenarios that could come out of such a thing."

Tomorrow, we'll look at how Chris uses features of social networks and Web 2.0 to shut these kids down.

Click here for more stories on RSA 2008.