
So you're thinking about becoming an illegal hacker – what's your business plan?

Some insights from the HBO hack and bomb threat claims

By Kieren McCarthy, 10 Aug 2017

It's something every aspiring crook needs to consider before they attempt to break into the world of cyber-crime: what's the business plan?

Fortunately this week, a couple of pointers have emerged thanks to miscreants who broke into production company HBO, and the ongoing US federal case against Michael Kadar, who allegedly made nearly 250 threatening calls and bomb threats to Jewish community centers in America.

First up, as with any new business, you need to assess market needs and how your current job skills fit within them. Plus, of course, the resources you have at hand.

In Kadar's case, the 18-year-old's hacking skills were, according to the FBI, pretty poor and his resources limited. So he had to start small. And that means lots of little, short-term contracts that give you enough to survive on until you can build up your business.

And so he settled for a very reasonable $30 for an email bomb threat – with a premium option of framing the threat on someone else for an additional $15, according to court files unsealed this week. On the dark-web souk AlphaBay, Kadar offered bulk-buying threats and offered to refund any unsuccessful bomb threats, the Feds claim:

  1. Emailed Bomb Threat to a School – $30.00
  2. Emailed Bomb Threat to a School + Framing Someone for it – $45.00
  3. Emailed Bomb Threat to a School District\Multiple Schools – $60.00
  4. Emailed Bomb Threat to School Districts\Multiple Schools + Framing Someone for it – $90.00

This is quick and easy money, but it does carry with it a high risk of exposure. In large part because the FBI tends to take bomb threats very seriously and is pretty good at investigating them.

Despite the fact that he was subsequently collared by Israeli police in March, and charged by US prosecutors in April, Kadar did make a couple of early smart decisions: he found a decent marketplace and he didn't over-promise, apparently.

"There is no guarantee that the police will question or arrest the framed person," he allegedly explained about the popular $15 premium framing fee, "I just add the person's name to the email."

And he was upfront about the risks in doing so. Kadar, an Israeli-American citizen, allegedly told punters on AlphaBay: "In addition, my experience of doing bomb threats putting someone's name in the emailed threat will reduce the chance of the threat being successful. But it's up to you if you would like me to frame someone."

User reviews

Clearly demonstrating his expertise and giving fair warning of the service that can be expected, it's no wonder that Kadar allegedly built a solid reputation for low-key hacking, and received some good user reviews, the Feds claim. He also made it easy for people to order a bomb threat, providing a template for people to fill in, according to the g-men.

"Amazing on time and on target," reported one AlphaBay user. "We got evacuated and got the day cut short."

While the FBI claims Michael Kadar did an excellent job breaking into the low-cost bomb threat market, if he is found guilty by a Georgia district court, he would still be a world away from high-end hacking, which comes with much greater rewards but also requires a steadier hand and much more preparation.

The hackers behind the HBO assault, reported last month, take an entirely different tack: aiming at high-value clients and spending significant time working on a single account for greater gains.

As the criminals themselves noted, it took a good six months to break into the US cable channel's computers – and that's six months potentially without pay. Not for the faint-hearted or those with a mortgage to pay who don't have savings to fall back on.

Aside from the time taken, there is also a high cost of tools at the hacking top-end. According to the ransom note sent to HBO's president, the team has a $500,000 annual budget for purchasing exploits for zero-day holes in systems in order to break in in the first place. In other words, the HBO hackers spend half a million bucks a year buying tools from shady developers to compromise corporate networks before security patches are available to address the leveraged bugs, it is claimed.

Those are significant upfront capital costs with no guarantee of success – so be sure to know what you are getting into before you start out on your hacking career. A wise move would be to team up with others to spread both the workload and the financial risks.

Ransom

With this type of work, the real effort only begins once you have broken into a system. The hard part, which requires a good understanding of your client's needs, comes with the ransom. If you get that part wrong, you are likely to not only have the authorities chasing you, but also wave goodbye to a payday. Get it right, however, and it can be extremely profitable.

In the HBO case, the crims asked for between $6m and $7.5m to return all the documents and files they had grabbed – something they said represented their expected annual income divided into two (because of the six-month project length).

Obviously any studio is likely to baulk at such a high price point, so the team pointed out that HBO spent $12m on market research and $5m on adverts for its signature show – Game of Thrones – alone. "Consider us another budget for your advertisements!" was the pitch.

Of course, as we now know, things didn't work out in this case and HBO refused to hand over the demanded sum – it did, apparently, offer just $250,000 – resulting in the hackers leaking online 3.4GB of stuff including confidential documents, administrator passwords, internal computer network topologies, some Game of Thrones scripts, some episodes of Room 104 and Ballers, TV stars' email addresses and cellphone numbers, and emails from a top executive.

Having tried and failed to pull off a similar big deal with Sony Pictures, the instigators in this case attempted to introduce a tiered business model by releasing only some of the data they had and going back to the client to ask for a smaller sum to prevent the release of more information.

This is an untested business model and doesn't seem to have worked in this case. But it does show the importance of remaining flexible in your billing practices if you wish to succeed in the high-end hacking market.

To our mind, the error in this case was the failure to offer flexibility at the start of contract negotiations. The initial pitch email was titled: "Our demand is clear and Non-Negotiable." It's not clear that such a rigid first approach is the right way to go when you are asking for such a significant investment.

And then, of course, the price may simply have been too high. While in this case, as with Sony, the HBO breakdown in negotiations could serve as a useful case study for future clients, it's always best to get paid whenever you can. The spec game can be a tough one.

Standard

Which leads us to standard practices.

Obviously, using pseudonyms is a must. Changing them frequently is also an excellent idea, even though it may entail additional work on your part. Keeping them separate from each other and your real identity is vital.

One critical and often overlooked aspect of business is the bookkeeping. It may be boring, but it is essential to the healthy running of your organization.

There are two schools of thought here: keep everything but lock it away carefully; or get rid of anything that isn't immediately necessary. Keeping good records can help you out of a jam and allow you to analyze your business' progress, but of course it can prove troublesome if discovered by the authorities.

Michael Kadar, for example, allegedly kept all his logs and his activities on a thumb drive that was discovered by Israeli police when they raided his house. That may undermine any chance he had of arguing his way out of his activities, plus it gave the FBI the opportunity to dig further into his business. Agents, for example, were granted permission to raid his Bitcoin accounts. All that work, allegedly, calling and emailing schools and threatening to blow them up for nothing.

So far the HBO raiders have fared better and appear to be investing more time and resources into ensuring their own security – easy to say, of course, if you have the resources – but still something that even a hacker on a budget needs to account for.

So, to recap, if you are going to ditch that desk job and shoot for your dream job as a freelance hacker, you need to consider:

  • Your skill level
  • Your expected income in the first year
  • Upfront investment in tools and exploits
  • The costs of security around your activities
  • The market to aim for

Good luck! ®

The Register - Independent news and views for the tech community. Part of Situation Publishing