Interview With A Blackhat (Part 1) 127 Replies [This interview openly discusses criminal activities from the perspective of an admitted criminal. Interview With A Blackhat (Part 1) 127 Replies [This interview openly discusses criminal activities from the perspective of an admitted criminal. You may find this content distressing, even offensive, but what is described in this interview is real. We know from personal experience is that these activities are happening on websites everywhere, everyday, and perhaps even on your websites. WhiteHat Security brings this information to light for the sole purpose of assisting those who want to protect themselves on their online business.] Over the last few years, I have made myself available to be an ear for the ‘blackhat community.’ The blackhat community, often referred to as the internet underground, is a label describing those participating on the other side of the [cyber] law, who willingly break online terms of service and software licensing agreements, who may trade in warez, exploits, botnets, credit card numbers, social security numbers, stolen account credentials, and so on. For these individuals, or groups of them, there is often a profit motive, but certainly not always. Most of the time, the people I speak with in the information security industry understand the usefulness of engaging in dialog with the underground — even if it’s not something they feel comfortable doing themselves. However, I occasionally get questioned as to the rationale — the implication being that if you play with pigs you start to stink. People sometimes even begin to insinuate that one must be bad to know bad people. I think it is incredibly important for security experts to have open dialogues with the blackhat community. It’s not at all dissimilar to police officers talking with drug dealers on a regular basis as part of their job: if you don’t know your adversary you are almost certainly doomed to failure. One ‘blackhat,’ who asked to be called Adam, that I have spoken to a lot has recently said he’s decided to go legit. During this life-changing transition, he offered to give an interview so that the rest of the security community could learn from his point of view. Not every blackhat wants to talk, for obvious reasons, so this is a rare opportunity to see the world through his eyes, even if we’re unable to verify any of the claims made. Hopefully by learning how Adam and other blackhats like him think, how they communicate, people can devise better solutions, abandon failed technologies, and fix the most glaring issues. Maybe people reading this can find more effective punishments to deter the criminal behavior before it happens, or ruin the incentives, disable the markets, or find ways to keep people from the allure of criminal activity in the first place. A great deal can be unearthed by examining Adam’s words and those of other blackhats like him. Or maybe we can entice some of them, like this individual, to leave the blackhat life behind completely. Adam’s interview took place over a few days, and required a lot of back and forth. Due to the way in which this interview had to take place, a lot of editing was required to make it readable, but primarily to spelling, capitalization and punctuation. In every meaningful sense, these are Adam’s unaltered words. (Note that when Adam refers to “whitehats,” he is referring to legitimate hackers in general, and that this should not be confused with WhiteHat Security the business.) This is the first of our three-part interview. The next post will be tomorrow. Q: Can you describe what you think your hacking/security related skills are? A: My personal expertise and area of knowledge is in social engineering. I think it is pretty obvious I’m a blackhat, so I social engineer to card. Another area of “hacking” (I use the ” as DDoS isn’t really hacking) is botnet building and takedown orders. This is where most money in my opinion is made — where one day can bring in several thousand dollars. The whole blackhat market has moved from manual spreading to fully automated software. In addition, many sites are targeted in malware/info leaks by using some really common and easy methods. These include SQLi, basic and advanced XSS, CSRF, and DNS cache poisoning. Although SQLi is still a big player, XSS has taken over the market. I estimate about 50-60% of the attacks my crew did last year (Jan 1st-Jan 1st) were XSS. I also learned several programming languages — Python, Perl, C, C++, C#, Ruby, SQL, PHP, ASP, just to name a few. Q: Can you describe the first time you remember deliberately breaking a computer-related law? Why did you do it and how did you justify it? A: Hmmmmm. That was many years ago. The first time I remember was when I was in school (aged about 14). The admins were pretty good at security (for school admins, bear in mind). I was in the library one day and I knew that the admins had remote access to every PC. I also knew the librarian did. The library just so happened to be the place where they marked our exam papers and entered the grades. I was never the genius at school but I was getting mediocre grades. What if I could get ‘A’s and ‘A+’s and not do half the work? So I started to read around. I eventually came across keyloggers. It seemed strange and amazing that a program I could make (with a little research) could get me the top grades. So I did it. I installed the keylogger onto the librarian’s PC and then used the remote administration program to download the file onto the other PCs. I was suspended for two weeks. Q: Where did you learn the bulk of your skills? A: Books, Google, and the people I began speaking with on irc/forums. Unlike today’s 1337 haxorz (lol) we all shared, spoke, and helped each other. There wasn’t a sense of being mocked because you didn’t know. Q: What attracted you to the blackhat way of life? A: Money. I found it funny how watching tv and typing on my laptop would earn me a hard worker’s monthly wage in a few hours. [It was] too easy in fact. Q: Can you recall a tipping point at which you started considering yourself a blackhat? What was the nature of the event? A: It’s difficult really. I and the guys/girls I hung with never called ourselves blackhats, I don’t know, it was just too James Bond like. We just saw ourselves as people who found a way to make money. We didn’t care about what category we were in. It was just easy and funny. Although saying that, I first realized I might be branded a blackhat when my “real life” friend became a victim of credit card fraud. That’s when I realized my actions had real victims and not just numbers that were worth money. Q: How many machines do you think you directly controlled at the peak of your botnet activity? A: Erm, depends. I had two separate botnets (although some bots cross over). The DDoS botnet contained the bots which were public computers or computers that were in offices. [There were] two reasons I did that. Either: 1. they are on for the majority of the day and have good connection speeds or 2. people weren’t stupid enough to do their banking on them (if you were I’d let a script kiddy have it). Then there was my carding botnet, definitely the most valuable. These were PCs of banks, estate agents, supermarkets and obviously home PCs. I preferred to target PCs where an employee would enter customer data, i.e. banks (yes banks are super easy to bot). This gave me a constant supply of credit cards and a never-ending amount of spam ammo. DDoS botnet has about 60-70k bots at the moment, most in the west. Carding botnet had a lot less at around 5-10k, most in Asia. 570k is the biggest I’ve controlled. Q: How much money do you think you made after expenses per year at your peak doing blackhat activities? A: I can’t really go into specifics but when 9/11 happened we were making millions. Q: And how much do you think you made last year? A: Off the top of my head? Around about 400-500k. Last year was kind of shit. People became wiser, patches became more frequent. This year we have 3/4 of that amount already. Q: When you started, did you have a goal in mind to make a certain amount of money or achieve a certain goal? A: I get asked this a lot by new people on the forums. I never set myself goals until probably in the last 4 years. I started it out just for easy laughs, bragging rights (lol) and easy, very easy money. Q: Can you describe the process that you use to make money with your botnet? A: Making money with a botnet is easier than brushing your teeth, especially if you’re in the automated industry. Any crew has several members. The bot master, researcher, reverse engineer, spreader, social engineer, sales man and fudder*. The people who sell 0-days are solely selling 0-days half the time. The buyers are bot masters without a crew. Our crew developed a tool that checks the bot’s cache for Facebook/twitter accounts then checks their Facebook interests (e.g. justin bieber), then age, name, location. So for example bot no. 2 is signed into Facebook. The account likes Justin Bieber, aged 14, female, and lives in America (important to get correct language). Then automatically it selects a pre made list of links and for example would choose the ‘Justin bieber sex tape video’. Using zero days to compromise a website, then insert an iframe is kinda old, boring and sometimes doesn’t bring in the best results — unless of course you’re hijacking a high Alexa rating; then it’s worth it. Combining 0-days to deface the website and then a 0-day in e.g. java to hijack with a drive by is a lot more effective than tracking the user into downloading a file. What a lot of people don’t realize is that emails easily available on their Facebook profile can be sold for spam. Again, this makes more money automatically. * A fudder can be a tool that binds to a virus and makes it more difficult for antivirus to detect, or a person specializing in such a tool. Q: How easy is it for you to compromise a website and take control over it? A: For beginners you can simply Google inurl:money.php?id= — go ahead try it. But most of them will be cancelled or dried up. So, now you target bigger websites. I like to watch the news; especially the financial side of it. Say if a target just started up and it suddenly sky rocketed in online sales that’ll become a target. Most of these websites have admins behind them who have no practical experience of being the bad guy and how the bad guys think. This leaves them hugely vulnerable. They patch SQL but choose a DNS that is vulnerable to DNS cache poisoning. You can break in and be gone within an hour. Q: How easy is it for you to take over the ownership of an account via whois information or other publicly available information? A: Whois used to be crucial to gaining information. Now people spew it on Facebook, twitter, etc. Companies like Amazon only require name, address and email on the account to add another credit card. You then hang up. Ring the password reset department and tell them as verification the name, address, email and the credit card number you just added (it doesn’t even have to work (lol), just use fakenamegenerator.com) and then you are in. You can now see the ‘legit’ credit card’s last 4 digits. Now you can get an email password reset and you’re in. Amazon says they patched this two years ago but I use this method all the time. Seriously Amazon, train your staff. Q: What is your favorite kind of website to compromise? Or are your hack attempts entirely untargeted? What are the easiest sites to monetize? A: Most of the time un-targeted but once a company (which I won’t name) pissed me off for not giving me discount in a sale so we leaked every single credit card number online. One type of company I love to target is Internet security, i.e. anti virus companies. There is nothing better than a clothing store at the summer sales (except porn websites). These are in my personal opinion the easiest and most successful targets to breach. I’ll talk about clothes stores first. Clothing websites are SO easy because of two main types of attacks. 1. The admins never ever have two-step authentication. I don’t know why, but I have never seen one admin have it (and I’ve done it thousands of times). 2. The ‘admin’ usually works there behind the tills or in the offices. They have no clue what they’re doing: they just employ someone to make the website then they run it. They never ever have HTTPS, [so they have] huge SQLi vulnerabilities (e.g.. inurl:product.php?id=). Once you have the SQLi vulnerability you can go two routes or both. Route one: steal the credit card info and leave. Route two: deface the website, keep the original HTML code but install an iframe that redirects to a drive by download of a banking Trojan. Now to discuss my personal favourite: porn sites. One reason why this is so easy: The admins don’t check to see what the adverts redirect to. Upload an ad of a well-endowed girl typing on Facebook, someone clicks, it does a drive by download again. But this is where it’s different: if you want extra details (for extortion if they’re a business man) you can use SET to get the actual Facebook details which, again, can be used in social engineering. Q: What is your favorite/most effective exploit against websites and why? A: If it’s a 0-day, that obviously ranks at the top. But below that is XSS. It’s really well known but no one patches it. I suppose DDoS isn’t really classed as an exploit but that can bring in monthly ‘rent’ for our ‘protection’. But over all 0-days are the greatest exploits. Q: How do you monetize DDoS? A: People buy accounts so for example you rent 1k bots and have a DDoS time limit of 30 mins. Some people buy one-offs. Black mail is a huge part of it. Take the website down for an hour. Email them or call them and say they pay 200 dollars or it stays offline for good. They usually pay up. If they don’t, they lose days, weeks, months of business. Q: How do you pick targets to DDoS when you are attempting to extort them? A: Hmmm. It depends. If there is a big sporting event, e.g. the Super Bowl, I can guarantee 95% of bookies have been extorted. I knew of one group who took down cancer research website and extorted them after their race for life donation process was meant to start. They got their money, kinda sad really. Q: What kind of people tend to want to buy access to your botnet and/or what do you think they use it for? A: Some people say governments use it, rivals in business. To be honest, I don’t care. If you pay you get a service. Simple. Continue Reading Part 2 This entry was posted in Web Application Security on May 21, 2013 by Robert Hansen. About Robert Hansen Robert Hansen is the Vice President of WhiteHat Labs at WhiteHat Security. He's the former Chief Executive of SecTheory and Falling Rock Networks which focused on building a hardened OS. Mr. Hansen began his career in banner click fraud detection at ValueClick. Mr. Hansen has worked for Cable & Wireless doing managed security services, and eBay as a Sr. Global Product Manager of Trust and Safety. Mr. Hansen contributes to and sits on the board of several startup companies. Mr. Hansen has co-authored "XSS Exploits" by Syngress publishing and wrote the eBook, "Detecting Malice." Robert is a member of WASC, APWG, IACSP, ISSA, APWG and contributed to several OWASP projects, including originating the XSS Cheat Sheet. He is also a mentor at TechStars. His passion is breaking web technologies to make them better. Robert can be found on Twitter @RSnake. View all posts by Robert Hansen → Post navigation ← InfoSec Europe WrapupInterview With A Blackhat (Part 2) → Profile Sign in with TwitterSign in with Facebook or Name Email Not published Website Comment • 127 Replies • 7 Comments • 100 Tweets • 8 Facebook • 8 Pingbacks last reply was 5 months ago 1. @RSnake May 21, 2013 First of three parts: “Interview with a Blackhat” http://t.co/Sabk1fZViZ ... and 15 more reply 2. @cgrahamseven May 21, 2013 “@RSnake: First of three parts: “Interview with a Blackhat” http://t.co/yrbaZb1eQc” < great post reply 3. @mikegracen May 21, 2013 Fascinating: Interview with a Black Hat Part 1 http://t.co/bg2TFRo8d2 reply 4. @jeremiahg May 21, 2013 “I estimate about 50-60% of the attacks my crew did last year (Jan 1st-Jan 1st) were XSS” – Adam (a blackhat) http://t.co/lxnr9HHXqE reply 5. @ITSecurityPty May 21, 2013 RT @virusbtn: Both interesting and distressing: an interview with a blackhat hackerhttp://t.co/asK67aKlA7 (HT @gollmann) reply 6. @basaranalper May 21, 2013 Düşmanı tanı: bir blackhat ile yapılan röportaj. http://t.co/LfA57Bdr8H reply 7. @basaranalper May 21, 2013 İnterview with a blackhat hacker http://t.co/LfA57Bdr8H reply 8. @g4dbn May 21, 2013 RT @jeremiahg: @RSnake interviews a “blackhat” who is supposedly is turning “good”http://t.co/lxnr9HHXqE relevant http://t.co/nrGKl3ssmZ reply 50. Anssi Porttikivi May 23, 2013 http://blog.whitehatsec.com/interview-with-a-blackhat-part-1/#.UZ5R3WQayc0Wanna make a lot of money, fast? reply 51. Interview with a BlackHat May 23, 2013 […] interesting: Interview With A Blackhat (Part 1) | WhiteHat Security Blog Quote […] reply 52. Deviant Globalization May 23, 2013 “If you play with pigs you start to stink”: an interview series with a blackhat hacker:http://blog.whitehatsec.com/interview-with-a-blackhat-part-1/ reply 53. Christopher Pappas May 23, 2013 http://blog.whitehatsec.com/interview-with-a-blackhat-part-1/#.UZ7bNSugnl0 reply 54. @vikiugu May 23, 2013 Interview with a Blackhat (In 3 parts): https://t.co/stOI9gJD4b https://t.co/pG0smwR7XT https://t.co/pneHMlwmoi reply 55. @nadwanjohi May 24, 2013 @calvinebarongo it may be better this way https://t.co/EOEIPWmfqm reply 56. @tsmethlie May 24, 2013 Fascinating interview with a blackhat by @whitehatsec :http://t.co/zg6btNcVcG reply 57. @IanHumph May 24, 2013 Interesting read on how vulnerable we are – http://t.co/JfmcNHPXwU reply 58. Ian Humphreys May 24, 2013 Interesting read on how vulnerable we are from a black hat’s POV –http://blog.whitehatsec.com/interview-with-a-blackhat-part-1 … reply 59. @iamchrisrutter May 24, 2013 Wow, just read through an interview with a blackhat. I implore people to read it.http://t.co/yNwq7VompX reply 60. @Dahuuu May 24, 2013 RT @cristiansans: Interview with a blackhat (3 parts) http://t.co/Xv0T7kZTAJ reply 61. Interview With A Blackhat (Part 3) | Cyber security labs by Cipher Net AB May 24, 2013 […] appear to be deterring the crimes. If you missed the previous parts you can see them here: part 1 and part […] reply 62. @mivesto May 25, 2013 3 part interview with a blackhat: http://t.co/uDVrxUbsPu #webapp #security #admin #social #engineering reply 63. Making Money from Hacking ‘Easier Than Brushing Your Teeth’ « Tony Rocha Official Blog May 28, 2013 […] hacker told Robert Hansen, Director of Product Management at WhiteHat Security, as reported in his two-part interview. The hacker said it amazed him he was able to make as much money as the average monthly industrial […] reply 64. VoIP May 30, 2013 Hard to believe this guy is going to stop his blackhat activities when he is makeing this much money. reply 65. Cyril June 10, 2013 A big interview ! Like the other comment, it’s hard to believe that a “good” black hat will stop his activies. When you win so much money so “easily”, changing your life is a big choice to take ! reply 66. Nix Guy June 20, 2013 Thanks for posting this interview. Pretty interesting stuff. reply 67. Bryan June 24, 2013 Good article, interesting insights to blackhats. reply 68. Interview With A Blackhat | senk9@wp November 10, 2013 […] Read More […] reply 69. Aurélien Debord December 8, 2013 A very instructive paper. Thank you for this interesting interview. reply 70. John Smith December 16, 2013 Hi, It is really important to keep our network secure as now a day data of any organization is mostly accessible through the network and to make the work efficient and all those data are precious to the organization so it important to protect them and no one can explain the network security concept better than a black hat hacker it is very informative article for a network enthusiast. Thanks reply 71. Interview d’un BlackHat par Robert Hansen 8 months ago […] une interview de Robert Hansen du site Whitehatsec a été publié sur son blog. Il y interview un hacker de la communauté « Black Hat » ayant une […] reply 72. Alisa 5 months ago What an insightful interview with “Adam”. The skill set possessed by hackers is priceless and cybersecurity experts should take a cue form them then figure out how to hire these guys – I would. Great interview. reply https://blog.whitehatsec.com/interview-with-a-blackhat-part-1/ Interview With A Blackhat (Part 2) 61 Replies [Please note that this series of posts discusses criminal activities from the perspective of the criminal. This may be distressing to some readers; please exercise caution.] This is part 2/3 of my interview with “Adam” – a blackhat who has decided to go legit. During this part of the interview we discuss, among other things, some of the specifics on why defenses aren’t working, things that do help make a dent, and how the underground is dominated by organized crime. If you missed the previous part you can can see it here: part 1. Q: Is there something that websites do to try to defend themselves from guys like you that they always get wrong? A: I could re-write Shakespeare here. I’ll pick three things. 1. Hire stupid admins who have never been a bad guy, just fed with a silver spoon all their lives and went to Uni on mummy and daddies money. If I were the CEO of a company I’d much rather employ someone who has a criminal record for hacking than a Uni graduate any day of the week. The guy who has the criminal record has gained the knowledge of how a bad guy would go about getting in. and not just what a text book says. 2. They allow untrained, young, dumb, Saturday workers to operate the phones. 3. Companies don’t purchase DDoS protection. Cloudflare for example offers incredibly strong DDoS protection for 200 dollars a month (also its harder to jack a cloudflare domain). If I extort you for 200-1000 dollars for 1 day why not make yourself immune for the minimal fee? Q: What types of security devices/services/techniques legitimately make your life harder as a blackhat? Any that you think are a complete waste of money? A: Hmmmm, DDoS protection is a serious knock back, although as many groups have proven before it’s easy to bypass – e.g. cloudflare resolver before they changed the protection method (almost bypassable lol). Things that are a waste of money… Hmm, anti-virus is completely useless — yes it may protect you from skids using non-fud files but that’s it. Every botnet that gets sold comes fud as default. People do it for free, it’s that easy. Anti-spam software (except CAPTCHAs, although that has a reputation for bad customer reviews). The thing you have to remember is the black hat world is 10 steps ahead of what’s commercially available. When a 0-day is released blackhats have used it for months. Two-step authorization is a pain and sometimes yes, it does stop a hack completely especially in social engineering, but just as Cosmo (a 15 year old UGNazi member) proved, it’s bypassable. It’s like buying a game. When it’s first released it gets patched a lot, it’ll take a long time before it makes any sort of major impact. Q: Which types of browsers tend to be the most vulnerable? Why do you think that is? A: if you asked me this a few years ago I’d’ve said almost 100% was IE. That is still hugely vulnerable but now people have taken to the better, faster browsers such as Chrome and Firefox. IE still dominates the market at about 52% but Chrome is the majority of the rest. I think IE is dominating the market because the vast majority of people feel comfortable with it. Unless you actually read into vulnerabilities etc., you don’t know how dangerous IE is, so why do you need to change? Chrome already forced it to be better. One thing that did hugely affect bot infection rates was the mass removal of Java. When news of a java 0-day gets published people panic (rightly so) and un-install it or patch but as we all know java never stays secure for long. Q: How do you keep yourself anonymous given that you have to deal with buyers? A: I use bots to talk. Not like routing my traffic through them to create ‘proxies’ but actually coding a PC to take orders. The buyer gets the buyer bot code from the market, installs it, then types in what he wants; then without his knowledge his PC joins my IRC, which gives me the order and payment method. But obviously I don’t know this happens. Q: Is there anything that you consider emerging technology that could be disruptive to the black markets? A: No, not at all. A market never stays on a domain for more than a week, if it does it’s a fed market. Q: Is there any line you personally wouldn’t have crossed as a blackhat? Any types of crime that were outside of what you wanted to get involved with, despite the money? A: I refuse to allow my botnet to be used to attack charities or soldier memorial pages. Apart from that it’s fair game. I get asked a lot about what if my botnet gets used to target ‘rival’ pedophile sites? Well the fact is, pedos have their own botnets. But if someone wants to attack a pedo site I’ll most of the time do it for free. Revenge porn is another thing I let people attack for free. See, we aren’t always mean. Q: Who, in your opinion, are the most dangerous people in the underground and why? A: By far the drug lords. Any hacker who is respected will refuse to help them. They are brutal. One quite well known guy who became well known for his ‘anti drug’ attacks was tracked down and killed. Apparently they killed his family as well but that isn’t my business to divulge. Q: How do you think those dangerous people (cartels and so on) are shaping the rest of the underground and its tactics? Are they making the average blackhat’s job easier or harder? A: Ahh, drug cartels. They try to extort you with death threats etc. so you just post their personal information. Everyone hates them but its the underground so it’s ok I suppose. Can’t complain to the Feds haha. Q: How did you gain the trust of the people to get access to join these forums? A: Make a name for yourself in one of the IRC’s or create botnets for free or cheaply and they’ll start talking. Until then it’s an iron door you’re banging on. Q: What do you consider to be your personal ethics? How do you perceive the owners of the websites you compromise and the victims of the machines that your botnet infects? A: I kinda feel sorry for the people who become victims of CC fraud, although if you’re stupid enough to click a link you probably deserved it. For the admins, I hate them. If you can’t patch an SQLi or XSS you really shouldn’t be handling people’s CC. It’s just dangerous, stupid and laughable. This entry was posted in Web Application Security on May 22, 2013 by Robert Hansen. About Robert Hansen Robert Hansen is the Vice President of WhiteHat Labs at WhiteHat Security. He's the former Chief Executive of SecTheory and Falling Rock Networks which focused on building a hardened OS. Mr. Hansen began his career in banner click fraud detection at ValueClick. Mr. Hansen has worked for Cable & Wireless doing managed security services, and eBay as a Sr. Global Product Manager of Trust and Safety. Mr. Hansen contributes to and sits on the board of several startup companies. Mr. Hansen has co-authored "XSS Exploits" by Syngress publishing and wrote the eBook, "Detecting Malice." Robert is a member of WASC, APWG, IACSP, ISSA, APWG and contributed to several OWASP projects, including originating the XSS Cheat Sheet. He is also a mentor at TechStars. His passion is breaking web technologies to make them better. Robert can be found on Twitter @RSnake. View all posts by Robert Hansen → Post navigation ← Interview With A Blackhat (Part 1)Interview With A Blackhat (Part 3) → Profile Sign in with TwitterSign in with Facebook or Name Email Not published Website Comment • 61 Replies • 0 Comments • 33 Tweets • 1 Facebook • 2 Pingbacks last reply was may 23, 2013 1. @RSnake May 22, 2013 Second of three parts: “Interview with a Blackhat” https://t.co/KBaBIRNCd4 reply 2. Interview With A Blackhat (Part 1) | WhiteHat Security Blog May 22, 2013 […] Continue Reading Part 2 […] reply 3. @mikegracen May 22, 2013 Get the popcorn: Interview With A Blackhat (Part 2) http://t.co/vsa79ITI8I #blackhat #hacking #security reply 4. @whitehatsec May 22, 2013 “Adam” – a Blackhat has decided to go legit. Here’s part 2 of 3 in “Interview with a Blackhat” blog series by @RSnake http://t.co/yD8J3kVXTQ reply 5. @mattjay May 22, 2013 A Blackhat has decided to go legit. Part 2 in “Interview with a Blackhat” series by @RSnake http://t.co/LSkN7rrMMN (via @whitehatsec) reply 6. @CISecurity May 22, 2013 Interview With A Blackhat (Part 2) @whitehatsec http://t.co/7sSaprI7pK reply 7. @Ishiro May 22, 2013 Interview With A Blackhat (Part 2) | WhiteHat Security Blog http://t.co/EpiFSfDHhmvia @whitehatsec reply 8. @jseidl May 22, 2013 Interview With A Blackhat (Part 2) http://t.co/aRLTBI3bLq < interesting point of view of (in)security reply 9. @csec May 22, 2013 Interview With A Blackhat (Part 2): [http://t.co/AVXTwbbT7P] [Please note that this series of posts discusses… http://t.co/2FfhfbzURR reply 10. @hackfest_ca May 22, 2013 Part 2 de l’interview du black hat: https://t.co/yW99AaadaD reply 11. @startpablo May 22, 2013 Interview With A Blackhat (Part 2) | WhiteHat Security Blog https://t.co/r3FdFz1jlA via @whitehatsec reply 12. @kisasondi May 22, 2013 RT @jeremiahg: “One thing that did hugely affect bot infection rates was the mass removal of Java.” -Adam (a black hat) http://t.co/vip0xd3… ... and 4 more reply 13. @kisasondi May 22, 2013 RT @jeremiahg: “AV is completely useless — yes it may protect you from skids using non-fud files but that’s it” -Adam (a blackhat) http://t… reply 14. @_SteveBrown May 22, 2013 RT @jeremiahg: “If you cant patch an SQLi or XSS you really shouldn’t be handling people’s CC.” Adam (a black hat) http://t.co/vip0xd3crq reply 15. @fernando_cezar May 22, 2013 Interview With A Blackhat (Part 2) | WhiteHat Security Blog http://t.co/iqpqnc8IPp reply 16. @kehleo May 22, 2013 Another proof that most SEOs are unlikeable:“I refuse to allow my botnet to be used to attack soldier memorial pages” http://t.co/fn4uDzHWOR reply 17. @fatrat May 22, 2013 Interview with a blackhat, part 2 http://t.co/oewobKoBWS reply 18. @tmakkonen May 22, 2013 Interview With A Blackhat (Part 2) http://t.co/cqoewSK1eD reply 19. @JHeguia May 22, 2013 “A market never stays on a domain for more than a week, if it does it’s a fed market.” Entrevista con un black hat. http://t.co/asgkbbyjwi reply 20. @whitehatsec May 22, 2013 Part 2 of 3 in @RSnake’s “Interview with a Blackhat” blog series published earlier today http://t.co/yD8J3kVXTQ Final post tomorrow! reply 21. @marcelliotnet May 22, 2013 Interview With A Blackhat (Part 2) | WhiteHat Security Blog https://t.co/sGcpo8GsFBvia @whitehatsec reply 22. Interview With A Blackhat (Part 1) | Cyber security labs by Cipher Net AB May 22, 2013 […] Continue Reading Part 2 […] reply 23. @sullyer May 23, 2013 WhiteHat Security Blog – Interview With A Blackhat (Part 2) http://t.co/DNwf53vm7C reply 24. @pap3rtig3rs May 23, 2013 “Unless you actually read into vulnerabilities etc., you don’t know how dangerous IE is” – hacker, on safe browsers http://t.co/ZIZqQcU6Wr reply 25. @Nbblrr May 23, 2013 RT @RSnake Second of three parts: “Interview with a Blackhat”https://t.co/dLW9GMRJbj reply 26. @lizkuzma May 23, 2013 Don’t miss this fascinating read – Interview with a BlackHat Part 1 of blog series by @RSnake with @whitehatsec: http://t.co/L76RAu7FST reply 27. @lizkuzma May 23, 2013 RT @whitehatsec: Part 2 of 3 in @RSnake’s “Interview with a Blackhat” blog serieshttp://t.co/L76RAu7FST reply 28. @DJM1968 May 23, 2013 Interview With A Blackhat (Part 2) https://t.co/4hNTXh7GIT reply 29. @localpcguy May 23, 2013 Fascinating – Interview With A Blackhat Hacker (3 Part) – 1-http://t.co/vuD6YqBSIH, 2-http://t.co/N4Ly2g6gkg, 3-http://t.co/8KRkiQbQOU reply 30. Jay Turley May 23, 2013 Interview With a Blackhat: fantastic (and it’s gonna scare you). Part 2: https://blog.whitehatsec.com/interview-with-a-blackhat-part-2/ part 3: http://blog.whitehatsec.com/interview-with-a-blackhat-part-3/ reply 31. @zinyando May 23, 2013 Interview With A Blackhat (Part 2) https://t.co/rA1rv78JFh reply https://blog.whitehatsec.com/interview-with-a-blackhat-part-2/ Interview With A Blackhat (Part 3) 47 Replies [Please note that this series of posts discusses criminal activities from the perspective of the criminal. This may be distressing to some readers; please exercise caution.] This is part 3/3 of my interview with “Adam” – a blackhat (hacker engaging in criminal activity) who has decided to go legit. During this part of the interview we discuss, among other things, the rationale behind Adam’s desire to go legit, how he and others in the community see “whitehats” (legitimate hackers in general – not a specific reference to WhiteHat Security!) and why the punishment doesn’t appear to be deterring the crimes. If you missed the previous parts you can see them here: part 1 and part 2. Q: How do you perceive the risk involved in going to jail? Why isn’t the punishment deterring the crime? A: I’ve thought about it, for about 10. Suppose it could be a bad thing. Wonder if the staff do banking in jail? Hmmm. Also, people ask, ‘doesn’t the jail term scare you? Losing the money?’ If the Feds can find 100 dollars I’ll give them all of it. You see, working in the underground everyone has hundreds of names, passports, etc. If the Feds can find one they can have them all. You use fake identities and then you give the money to a cafe you own then they feed to through into a bank. It all looks legit. Doesn’t have to be a cafe — can be nightclubs etc. Or you can provide a service to a legit business and they feed it through. It’s super hard to gather evidence for the crime, and even so the money is impossible to find. Ten or eleven mil over 10-13 years for a 10-15 year sentence. I can’t really say what it’d be like without freedom as I’ve always had it so I can’t imagine losing it. Q: What’s the difference, in your opinion, between a talented blackhat and a script kiddy? How would you rank yourself? A: Everyone starts somewhere it just depends on if you move on. A script kiddy will never get on the legit underground as the elders make anyone who even tries to get into the ug develop botnets, viruses, worms etc. — like a right of passage. Skids are used as the door matt. Am I a skid? I hope not, would have been a waste of time making the first automated server infection botnet. Lol. Q: How many hours a week do you think you dedicate to your blackhat activities? A: When I fancy a new venture – e.g. a new 0-day is released — anything up to two days non stop. 8-9 hours sleep then two days again. But on average about 8-10 hours a day. It is a job after all. Q: What were the job prospects in your area for someone with your skill sets and background prior to going into criminal activity? How much money could you make if you hadn’t gone into criminal activity? A: I got offered a job to work as a cyber security specialist for a rather large company. For the money? I’d earn in a year at that job what I would in about a fortnight black hatting. Q: What do you think the biggest misperceptions are of the blackhat world by the security community? A: That we’re all tied to the mafia, we want the world to burn and we are all Russian. For example 90% of the carders I know donate huge amounts to charities (80-90k a year) I know of carders who went to Africa and bought thousands of mosquito nets. Just because we found a way to make super fast money doesn’t mean we want the world to go bankrupt, people to die, people to go homeless. It’s a lot like business. If someone is dying of cancer and you hold the cure I bet you’d make them pay — it’s the same mentality, exploiting someone’s case for my own good. We are good people. Q: What made you decide to want to go legitimate? A: They’re only so many credit cards in the world. Also, I suppose getting paid to find 0-days, hack systems and do it legally is more appealing. Q: How much stress do you think being a Blackhat has been on you, worrying about being caught? A: Being caught has always been a concern, if I wasn’t concerned about being caught I’d be stupid. Sometimes I go days and nights with no sleep wondering when I’d get raided. Sometimes I took it to the extreme and slept during the day and hacked on at night. I felt more comfortable knowing if I was to be raided at least I’d be awake. Q: What do you think other blackhat friends will say once they find out you have gone legit? Is there any cause for concern or do you believe they’ll let you do what you want? A: No I think they’ll be fine with my decision. I asked several of the guys I’m close to and all seemed ok with the prospect of me turning white [legit]. There really isn’t a hatred of whitehats from the blackhats. In fact, quite the opposite. If we stayed with viruses from 2000 because we were never challenged we’d be so out-dated and not capable of making a tenth of the amount of money we make currently. Most blackhats love whitehats for that reason. Q: What do you plan to do now that you are legitimate? A: I’ve had and have many ideas on things I’d like to do. I’d like to do some research into the time it takes from when blackhats find 0-days to [when] whitehats find them. That’s always being an interest to me. I’m also planning on releasing the exploits + patches I commonly used and further develop 0-Day research to compete with the blackhats. Q: Do you worry that your past will come back to haunt you in the future? A: It’s a worry, if someone can find the evidence; if not, it’s just an advantage I posses This entry was posted in Web Application Security on May 23, 2013 by Robert Hansen. About Robert Hansen Robert Hansen is the Vice President of WhiteHat Labs at WhiteHat Security. He's the former Chief Executive of SecTheory and Falling Rock Networks which focused on building a hardened OS. Mr. Hansen began his career in banner click fraud detection at ValueClick. Mr. Hansen has worked for Cable & Wireless doing managed security services, and eBay as a Sr. Global Product Manager of Trust and Safety. Mr. Hansen contributes to and sits on the board of several startup companies. Mr. Hansen has co-authored "XSS Exploits" by Syngress publishing and wrote the eBook, "Detecting Malice." Robert is a member of WASC, APWG, IACSP, ISSA, APWG and contributed to several OWASP projects, including originating the XSS Cheat Sheet. He is also a mentor at TechStars. His passion is breaking web technologies to make them better. Robert can be found on Twitter @RSnake. View all posts by Robert Hansen → Post navigation ← Interview With A Blackhat (Part 2)Web Storage Security → Profile Sign in with TwitterSign in with Facebook or Name Email Not published Website Comment • 47 Replies • 1 Comment • 37 Tweets • 2 Facebook • 1 Pingback last reply was may 24, 2013 1. @hackfest_ca May 23, 2013 Partie 3 : Interview du black hat https://t.co/kKaQxYTlMq reply 2. @CISecurity May 23, 2013 Interview With A Blackhat (Part 3) @WhiteHatSec http://t.co/WyjB5xu90A reply 3. @osxreverser May 23, 2013 Robin Hood is back! Carders giving stolen money to charities… LOLhttp://t.co/0ER3qU6LD5 reply 4. @kmheintz May 23, 2013 RT @whitehatsec: What do hackers think of security researchers? Part 3 of @RSnake’s “Interview with a Blackhat” http://t.co/FWqfWJFX1v reply 5. @_Dark_Knight_ May 23, 2013 http://t.co/a7DOeJK7Qb reply 6. @RSnake May 23, 2013 Third of three parts: “Interview with a Blackhat” http://t.co/g4AG8DUr6J reply 7. @SEO_Doctor May 23, 2013 Interview With A Blackhat (Part 3) | WhiteHat Security Blog http://t.co/F1uTdISkPe via @whitehatsec reply 8. @dunsany May 23, 2013 RT @jeremiahg: 3rd and last installment of “Interview With A Blackhat” by @RSnakehttp://t.co/GC5AZRWGtj < Fun stuff! reply 9. @josephmenn May 23, 2013 They’re only so many credit cards…getting paid to find 0-days…is more appealing.http://t.co/YGnJFb4cGq via @RSnake reply 10. @MarkAEvertz May 23, 2013 WhiteHat Security Blog https://t.co/Be6cOsiKJy via @whitehatsec #Infosec reply 11. Anssi Porttikivi May 23, 2013 http://blog.whitehatsec.com/interview-with-a-blackhat-part-1/#.UZ5R3WQayc0Wanna make a lot of money, fast? reply 12. @cybfor May 23, 2013 Interview With A Blackhat (Part 3): [http://t.co/3PRHkYfwwy] [Please note that this series of posts discusses… http://t.co/h05SQ26lev reply 13. @gatestone May 23, 2013 RT @jeremiahg: 3rd and last installment of “Interview With A Blackhat” by @RSnakehttp://t.co/qnyqtAkK9d < doesn’t disappoint! reply 14. Fernando Cezar May 23, 2013 This was the best article I’ve read so far in this blog! reply 15. @jseidl May 23, 2013 Interview With A Blackhat (Part 3) http://t.co/4mVtUsU6vx reply 16. @HackerTheArtist May 23, 2013 From HN: Interview with a Blackhat (Part 3/3) http://t.co/mUI99RG0zl reply 17. @WebStartupGroup May 23, 2013 Interview with a Blackhat (Part 3/3) http://t.co/JMpRQ5APDa #news reply 18. @VinodShintre May 23, 2013 Interview with a Blackhat (Part 3/3) http://t.co/XYsWsF2SQk #attribo reply 19. @whitehatsec May 23, 2013 Don’t miss the conclusion of @RSnake’s “Interview with a Blackhat” blog series. Do hackers fear getting caught? http://t.co/FWqfWJFX1v reply 20. @UTstartup May 23, 2013 RT @WebStartupGroup: Interview with a Blackhat (Part 3/3) http://t.co/z5sWhjqjRA#news #UTstartup reply 21. @MoonLightRSS1 May 23, 2013 Interview with a Blackhat (Part 3/3) http://t.co/qOIRcR2met reply 22. @jake_m_rogers May 23, 2013 http://t.co/qSlBnQ2yGj – Mad legit “interview with a blackhat”, can’t stop laughing. reply 23. @PseudoIO May 23, 2013 Interview With A Blackhat (Part 3) | WhiteHat Security Blog | http://t.co/Q5t71sUCP4 reply 24. @sadasant May 23, 2013 Interview With A Blackhat (Part 3) | WhiteHat Security Blog http://t.co/jXKAllCuYP vía @whitehatsec reply 25. @djbigdaddy May 23, 2013 3 part interview with black hat hacker http://t.co/7VxsDdjD0B http://t.co/FyBJO2F48Fhttp://t.co/Bss5pW1uhW reply 26. Jay Turley May 23, 2013 Interview With a Blackhat: fantastic (and it’s gonna scare you). Part 2: https://blog.whitehatsec.com/interview-with-a-blackhat-part-2/ part 3: http://blog.whitehatsec.com/interview-with-a-blackhat-part-3/ reply 27. @basaranalper May 23, 2013 Hacker’la röportaj 3. bölüm http://t.co/SGHOr4sclP reply 28. @vreeman May 23, 2013 Interview With A Blackhat (Part 3) | WhiteHat Security Blog http://t.co/6X4IayFMvX reply 29. @epokmedia_labs May 23, 2013 Interview with a Blackhat (Part 3/3) → http://t.co/drcBFLmnCx(http://t.co/XeHWlA8XAj) reply 30. M-A-O-L » Interview With A Blackhat May 24, 2013 […] Interview With A Blackhat (Part 1) Interview With A Blackhat (Part 2) Interview With A Blackhat (Part 3) […] reply https://blog.whitehatsec.com/interview-with-a-blackhat-part-3/