
After selling his site for millions, founder hacked it for a second payday

Rigzone founder sentenced for data duplication scheme

By Thomas Claburn, 7 Oct 2017

"Operation Resume Hoard" was going well. Initiated around April 1, 2015, it represented David W. Kent's plan to build the membership of his oil and gas industry networking site Oilpro.com.

Court documents indicate that Kent, 41, of Spring, Texas, USA, had a buyer in mind: DHI Group, the employment data biz that in 2010, when known as Dice Holdings, had purchased an oil and gas industry networking site he had founded a decade earlier, Rigzone.com, for $51 million.

Kent wanted more and hoped to get it by growing Oilpro.com – a site he founded around October 2013, shortly after the expiration of the non-compete agreement that followed from the Rigzone sale – into an attractive acquisition target.

By January 2016, Oilpro's membership database had grown to at least 500,000 members. It would have been an impressive feat of marketing but for the fact that Kent hacked Rigzone to obtain the email addresses he would use to build membership at Oilpro.

His sales pitch to the DHI Group attributed the site's growth to reaching out to the contacts of Oilpro members, traditional marketing techniques, and "network effects."

Had DHI Group gone through with the deal – at a suggested cost of $20 million or more – it would have bought data it already had.

But as it happened, a spam complaint alerted the company that something was wrong. A Rigzone member contacted customer support to complain about receiving a solicitation from Oilpro despite having never submitted any information there.

Honeypot

Court documents describe how Rigzone.com, after finding no evidence that anyone from Oilpro had accessed its database, set up a honeypot: two fake accounts in its database with no public facing profiles.

Lo and behold, those accounts each received email solicitations to create profiles on Oilpro.com. Eventually, Rigzone figured out what was going on.
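The canary-account technique described above, as an added example that is not part of the story or of Rigzone's own tooling: plant member records with unguessable addresses that are never shown publicly, then treat any inbound mail to them as evidence that the private member table was read. The secret, labels, domains and mail-log format below are all constructed for the demo.

```python
import hashlib
import re

# Honeytoken accounts: planted member records with no public profile. Any
# message addressed to one means the private member table was read by
# someone other than the service. (Added example; secret/labels constructed.)
class HoneytokenRegistry:
    def __init__(self, secret: str) -> None:
        self.secret = secret
        self.tokens: dict[str, str] = {}  # lowercase address -> planting label

    def plant(self, label: str, domain: str) -> str:
        """Derive an unguessable address from secret+label, so a hit also
        tells you which planting (table, export, partner copy) leaked."""
        digest = hashlib.sha256(f"{self.secret}:{label}".encode()).hexdigest()[:12]
        address = f"{digest}@{domain}"
        self.tokens[address.lower()] = label
        return address

    def lookup(self, address: str):
        return self.tokens.get(address.strip().lower())

# Parses constructed mail-log lines of the form
#   <timestamp> from=<sender> to=<recipient> subject="..."
LOG_RE = re.compile(r"from=<(?P<sender>[^>]+)>\s+to=<(?P<rcpt>[^>]+)>")

def find_leak_hits(registry: HoneytokenRegistry, log_lines):
    """Return (label, sender_domain) for each message sent to a planted
    address; these are the alerts to triage."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        label = registry.lookup(m.group("rcpt")) if m else None
        if label:
            hits.append((label, m.group("sender").split("@")[-1].lower()))
    return hits

# Constructed demo data: two planted accounts and sample log lines.
REGISTRY = HoneytokenRegistry(secret="replace-with-a-random-secret")
CANARY_A = REGISTRY.plant("members-table-2015Q4-a", "mail.example")
CANARY_B = REGISTRY.plant("members-table-2015Q4-b", "mail.example")
SAMPLE_LOG = [
    f'2016-01-04T09:12:31Z from=<news@competitor.example> to=<{CANARY_A}> subject="Create your profile"',
    '2016-01-04T09:12:40Z from=<news@competitor.example> to=<real.user@mail.example> subject="Create your profile"',
    f'2016-01-05T11:02:07Z from=<News@Competitor.example> to=<{CANARY_B.upper()}> subject="Reminder"',
    "2016-01-05T11:05:00Z line without addresses",
]

def demo_hits():
    return find_leak_hits(REGISTRY, SAMPLE_LOG)
```

Because each planted address is derived from a per-deployment secret and a label, a hit identifies which copy of the data leaked, not just that something did.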

Between 2013 and 2016, Kent and at least one of his Oilpro employees accessed Rigzone's database several times without authorization, coming away with more than 700,000 customer accounts.

The attack method varied. Court documents describe the first round of hacks, which took place more or less between October 17, 2013 and April 15, 2014, as little more than GET requests enabled by inside knowledge.

"The Get Resume Command was crafted to exploit a piece of source code unique to [Rigzone] known only to a few individuals, including David W. Kent, the defendant," the complaint says.

In a transcript of Kent's acknowledgement of his wrongdoing, he explained to the judge that he didn't abuse anyone's password. "The web pages I accessed didn't necessarily have a log-in feature but I do believe I accessed those web pages without authorization," he said.

The US Department of Justice did not immediately respond to a request to provide further details about the specifics of what it refers to as hacking.

Exploit

A subsequent attack, which took place between June 17, 2015 and August 2, 2015, or thereabouts, relied on exploiting a file on Rigzone.com called "resume_writer.asp."

Knowledge of that file allowed Kent to extract some 700,000 resumes in a short period of time, according to the complaint.

Kent and at least one Oilpro.com employee also found a way to access or infer Google Analytics data from Rigzone.com, which they used for competitive intelligence related to landing page traffic.

Kent was arrested in March, 2016, and pled guilty in December of that year.

"David Kent admitted to hacking into a competitor's computer network and stealing client data to boost the value of Oilpro, a company he founded," said Acting Manhattan U.S. Attorney Joon H. Kim in a statement. "Kent then attempted to sell Oilpro – a company he grew using the stolen information – to the very company he had hacked."

On Friday, in a New York City court, Kent was sentenced to a year and a day in prison, followed by three years of supervised release, for intentionally accessing a computer without authorization. The charge carries a maximum penalty of five years.

That's substantially less than Kent could have faced had he been convicted as initially charged. Following his arrest in April last year, in addition to the computer hacking charge, he faced a wire fraud charge, which could have resulted in as much as 20 years in prison.

DHI Group through a spokesperson declined to comment. ®
