sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL! 
Hacking for profit.
Posted by: stuckinphp
Date: April 05, 2010 08:37PM

Note, I do not condone carrying out illegal acts for personal gain; I just want to understand some more about the 'biz'.

Hacking for profit.

Do you do it?

What are the safest ways to monetize your operation without leaving a money/paper trail?

Are money/paper trails avoidable?

I've basically been looking for a way to do it 'safely' and the only thing I can come up with is live somewhere that ends in 'tonia' or spend your websec career hacking gambling sites and other such things that cause payouts to the customer.

Other possibilities like IP theft etc, usually leave some way to get caught out - esp when it comes to pay day.

There are always the conventional ways to monetize it, usually through legal hacking like how the many web sec consults out there do it currently.

Re: Hacking for profit.
Posted by: thornmaker
Date: April 06, 2010 12:23AM

There are obviously plenty of other ways, but this method described by Krebs seems rather popular at the moment (or at least it is getting a lot of media attention). The setup for it all seems rather complex which makes me think it would be hard to do as a lone person. However, the criminals seem to go through great measures to cut off paper trails by "hiring"/conning money mules and such. Krebs has several other interesting posts on real tactics being used by cyber criminals too like card skimmers, botnets, etc.

Re: Hacking for profit.
Posted by: stuckinphp
Date: April 07, 2010 02:23AM

Wow thanks for the info. Good stuff. I'm quite amazed, I really just figured the guys doing this stuff just did it with bank accounts in their own name and dodged, read bribed, cops in whatever corrupt nation they reside. (possibly anywhere in reality but just using it to illustrate the point)

Thanks.

Re: Hacking for profit.
Posted by: Skyphire
Date: April 08, 2010 04:35AM

thornmaker:
Quote

The setup for it all seems rather complex which makes me think it would be hard to do as a lone person

That's the problem, we -as a security research community- over-theorize most attacks. If you were a real criminal you'd go for the easiest way possible. You don't sit around all night and day trying to reverse engineer something when you can brute-force into something. You could social engineer everyone in a bank, but you can also grab an Uzi and storm the cashier. Most robberies irl are done in a fluke of emotion, not a product of months of meticulous planning, since those robberies are very rare and usually perpetrated by sophisticated groups of criminals.

And thus phishing for example is popular, since it doesn't require a lot of technical knowledge. If you could phish someone's bank credentials, why wouldn't you? It's simply an economics issue. The objective is not creating the most sophisticated attack and gaining fame or recognition, but to monetize your time as quickly as possible.

In my opinion the cyber attack monetizing surface mostly consists of:

USER - LONE: Low level attacks (common)
- phishing
- trojanized/backdoored software
- password guessing
- brute forcing access.

CORPORATE - GROUP: High level attacks (rare)
- SQLi, spreading malware. (extended from low level attacks)
- Hijacking mirrors.
- DNS attacks.

GOVERNMENT - ORGANIZATION: Extreme level attacks (very rare, governments, political)
- Persistent subversion
- custom 0day exploits
- inside network knowledge/access
- ISP attacks.



Edited 1 time(s). Last edit at 04/08/2010 04:37AM by Skyphire.


