[SecurityRatty] tag: trojans

Myspace Cracker Steals Firefox Passwords

Tue, 26 Aug 2008 14:49:03 +0000

A "Myspace Cracking tool" has recently come to light, though if you're considering attempting to crack some Myspace accounts with this:

....then you might want to think again, on account of it not being quite what it seems. This "cracking tool" is only after one persons details: yours. Run it, and you'll see the following (somewhat bizarre) message, which should be your first clue that all is not quite right here:

At this point, your CD tray may well pop open - perhaps in tribute to the Trojans of old that did pretty much the same thing. At any rate, you're certainly not cracking any Myspace accounts, and after a faint grinding from your PC you're left to sit and stare at your desktop, wondering what went wrong. Here's a clue - have a poke around inside the EXE, and some lines of code will likely start to give the game away:

..."Firefox password grabber"? Oh dear.

The observant end-user will notice a .txt file appears on their C Drive, and itcontains all the stored passwords saved via Firefox on their computer:

Click to Enlarge

As you can see, the bad guys here seem to be exploiting a well known password recovery tool for nefarious purposes - in this case, Firepassword. You're probably wondering what happens with the stored login details at this point - well, do some more digging in the code and you'll see this:

Click to Enlarge

The stolen Firefox passwords are sent to an FTP drop set up by the hacker, and every login you had stored in Firefox at that point is immediately at risk. Of course, if you're foolish enough to play around with hacking tools then there's a good chance you're going to get burned sooner or later...

We detect this as FoxPass.

76Service - Cybercrime as a Service Going Mainstream

Wed, 13 Aug 2008 04:08:43 +0000

Disintermediating the intermediaries in the cybercrime ecosystem, ultimately results in more profitable operations. Controversial to the concept of outsourcing, some cybercriminals are in fact so self-sufficient, that the stereotype of a mysterious 76service server offered for rent could in fact easily cease to exist in an ecosystem so vibrant that literally everyone can partion their botnet and start offering access to it on a multi-user basis. Evil? Obviously. Extending the lifecycle of a proprietary malware tool? Definitely.

The infamous 76service, a cybercrime as a service web interface where customers basically collect the final output out of the banking malware botnet during the specific period of time for which they've purchases access to the service, is going mainstream, with 76Service's Spring Edition apparently leaking out, and cybercriminals enjoying its interoperability potential by introducing different banking trojans in their campaigns.

In this post, I'll discuss the 76service's spring.edition that has been combined with a Metaphisher banking malware, an a popular web malware exploitation kit, with two campaigns currently hosting 5.51GB of stolen banking data based on over 1 million compromised hosts 59% of which are based in Russia. Screenshots courtesy of an egocentric underground show-off.

Some general info on the 76service :

"Subscribers could log in with their assigned user name and password any time during the 30-day project. They’d be met with a screen that told them which of their bots was currently active, and a side bar of management options. For example, they could pull down the latest drops—data deposits that the Gozi-infected machines they subscribed to sent to the servers, like the 3.3 GB one Jackson had found. A project was like an investment portfolio. Individual Gozi-infected machines were like stocks and subscribers bought a group of them, betting they could gain enough personal information from their portfolio of infected machines to make a profit, mostly by turning around and selling credentials on the black market. (In some cases, subscribers would use a few of the credentials themselves). Some machines, like some stocks, would under perform and provide little private information. But others would land the subscriber a windfall of private data. The point was to subscribe to several infected machines to balance that risk, the way Wall Street fund managers invest in many stocks to offset losses in one company with gains in another."

The 76service empowers everyone who is either not willing to spend time and resources for building and maintaining a botnet, launching campaigns, and SQL injecting hundreds of thousands of sites in order to take advantage of the long tail of malware infected sites that theoretically can outpace the traffic that could come from a SQL injected high-profile site.

Next to the spring.edition, the winter edition's price starts from $1000 and goes to $2000, which is all a matter of who you're buying it from, unless of course you haven't come across leaked copies :

"Assuming that the dealer offering what he claimed was the 76service kit was correct, the profit is not only in the kit, but in selling value added services like exploitation, compromised servers/accounts, database configuration, and customization of the interface. Prices start between $1000 to $2000 and go up based on added services. The underground payment methods generally involve hard-to-track virtual currencies, whose central authority is in a jurisdiction where regulation is liberal to non-existent, and feature non-reversible transactions. The individual or group called "76service" was easy to track down on the Web, but not in person."

It's interesting to monitor how services aiming to provide specific malicious services are vertically integrating by expanding their portfolio of related services -- taka a spamming vendor that will offer the segmented email databases, the advanced metrics, and the localization of the spam messages to different languages -- or letting the buyer have full control of anything that comes out of a particular botnet for a specific period of time in which he has bought access to it. For instance, DDoS for hire matured into botnet for hire, which evolved into today's "What type of stolen data do you want?" for hire mentality I'm starting to see emerging, next to the usual interest in improving the metrics and thereby the probability for a more succesful campaign.

Ironically, this cybercrime model is so efficient that the people behind it cannot seem to be able to process all of the stolen data, which like a great deal of underground assets loses its value if not sold as fast as possible. The result of this oversupply of stolen data are the increasing number of services selling raw logs segmented based on a particular country for a specific period of time.

Time for a remotely exploitable vulnerability in yet another malware kit about to go mainstream? Definitely, unless of course backdooring it and releasing it doesn't achieve the obvious results of controlling someone else's cybercrime ecosystem.

Related posts:
The Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Using Market Forces to Disrupt Botnets
Multiple Firewalls Bypassing Verification on Demand
Managed Spamming Appliances - The Future of Spam
Localizing Cybercrime - Cultural Diversity on Demand
E-crime and Socioeconomic Factors
Malware as a Web Service
Coding Spyware and Malware for Hire
Are Stolen Credit Card Details Getting Cheaper?
Neosploit Team Leaving the IT Underground
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Pinch Vulnerable to Remotely Exploitable Flaw
Dissecting a Managed Spamming Service
Managed "Spamming Appliances" - The Future of Spam

Email Hacking Going Commercial - Part Two

Fri, 08 Aug 2008 10:31:54 +0000

Malware authors seeking financial gains from releasing their trojans often promote them as Remote Access Tools, which if we exclude the built-in anti-sandboxing and antivirus software killing capabilities, could pass for a RAT. In a similar deceptive fashion, email hacking services are pitched as email password recovery services.

Hacking as a Service sites seems to be popping out like mushrooms these days, thanks primarily due to the fact that yesterday's script kiddies are today's entrepreneurs trying to even monetize the process of bruteforcing. Here's their pitch :

"Well.. There is nothing different in our services. Like other group, we simply crack email addresses , and provide you the current password used by the victim to you for a suitable price. Nothing unique that we can brag about.... We don't hack NASA or CIA , we cannot hack a bank and steal a million dollars.. We just crack email password .. AND WE DO A HECK OF A JOB IN IT !! We cannot be as presentable as the other groups, trying to look as formal and corporate, as if they are running a Major Corporate Office. However they present it...password retrieval, online investigation.. access recovery...blah blah blah.. the most simplest way to put it is.. : Email Password Cracking: !! And since everyone else is busy faking it, or trying to be more presentable, we utilize our skills to get you what you want.. i.e. THE EMAIL PASSWORD. No buttering up, no marketing skills.. plain hardcore hacking !! So, since you now know what we do , and want us to do the job for you, please proceed to the order page for your relevant TARGET EMAIL and submit your request. All said and done, we will get the elusive password & send you a couple of proofs. You decide upon the authenticity of the proofs, and let us know if you are comfortable going ahead with the payment. PAY US, AND YOU GET THE PASSWORD !And as they say......."

How much are they charging for the bruteforcing? $150 for starters, which is prone to increase due to their bla bla bla about how sophisticated it was to obtain the password - given they actually manage to deliver the goods :

"Many groups charge a fixed price for an email cracking. We undertake more kinds of projects than anyone else. Frankly, each email is a different project in itself. We cannot charge you $100, for something which we can do for $50. Subsequently, we cannot charge you $100, for something which should be priced at $200. But we charge a minimum of $150 USD so that we end up taking orders from ONLY those who really need it. It is a small amount for the level of satisfaction, facts/truth and relief that you would ultimately achieve from this.It depends upon the nature of the job, the accessibility factor. and many other reasons likes:-

1- The email service provider
2- The target itself. How net-savvy he/she is.
3- Complexity of the password
4- Urgency of job and many other things collectively.

We will let you know our charges once we have the desired results only. Be assured, we wont charge you the moon. We charge only what we deserve, and is acceptable by you. Trust us !!"

Some of their answers to the frequently asked questions :

" - Who are you? Where are you from?
We are Hire2Hack Group. Member of our group are students in information technology, at some university in England, France, Italy, Japan, Australia, Canada, Brasilia and at United States of America.

- What services do you provide?
We can hack ANY EMAIL password for you very fast, reliable, secure and worldwide for a suitable price.

- Can you really hack password or just a making a shit scam?
Well, lot of people, lot of groups, companies do this service, but not guaranteed. This is only you can choose which group you want to Order. Be careful with these people. You can believe only on them who claims to provide proof before you really pay them.

- Is there any tool available to crack password?
Yes there is. And we are not giving it to you.

- How long does it takes to crack a password?
Each account is different and hacking time vary. On average, it might take about 1 to 3 days, but it may take anywhere from 24 hours to 30 days or more depending on how difficult is the hacking of each account.

- How can I believe you, that you got password?
We will provide you some good proofs before requesting you to pay us. The proof can be anything, you can decide what kind proof you need.

- Is there person will know that his/her email id has been cracked?
No, we provide you only the original password. That mean the current active password. Your victim/target will not realized that she/he has been hacked. NEVER, we said !

- How I will pay you, I do not have credit card or I do not want to give my credit card number on net?
Well, you can use international money transfer service such as Western Union (www.westernunion.com) or Money Gram (www.moneygram.com). These services immediate transfer money on same day or same hour. You can locate their agents in yours area from their website.

- Do I have to give you my password?
No. Any service which requires your password is simply trying to scam you out of access to your account.

- How will I know you really have the password?
We will show you the proofs.. which are mostly convincing.

- Since you have the password anyway, will you give it to me?
NO. Do not waste your time or ours. We will not release the password until full payment is made - no exceptions. We have had people request our service and once we recover the password, they reset the subject account then ask us for the original password so they can reset it back - the answer will be no. We have also had people ask if they could have the password since we've already recovered it and they cannot pay - the answer will be no. No password will be released until payment has been made in full - no exceptions.

- Will you recover more than one password? Can I request more than one email account?
Yes, but a separate request must be filled out for each one as you will only be billed for each successful recovery. If we have previously recovered a password for you and you have not paid, we will not begin any new request for you until your previous request is paid in full with exceptions for our established clientele. We charge at minimum US $100 for each account hacked.

- Do you reset or change the current password?
No. We do not try to guess the current password or the secret question's answer, we do not change their password. We give you only the Original password, which the victim is currently using.

- Is this confidential? Do you share my information with anyone else?
No, Not at all, Not in any case, its a trust between you and us. Your information will be respected as long as you abide by our Terms and Conditions and Privacy policy. We keep your personal records and requests confidential in our database but we respect your right to privacy and will not rent, share, sell, or trade any personal information unless required by law. But, if you engage in any spamming or fraudulent actives, Your information will be given to the appropriate authorities."

So you've got script kiddies cracking email addresses and probably engaging in the rest of the usual cybercrime activities, who are spam sensitive, and would expose their customers if they start spamming from the cracked emails? Now that's socially responsible, isn't it.

Targeted attacks are sexy, but bruteforcing email accounts no matter the number of proxies and wordlists that they have access to is so irrelevant, that social engineering a potential victim into infecting herself with malware through a live exploit URL seems to be the method of choice, next to a plain simple phishing email of course. In this case, what they're asking for in respect to the victim's details is the victim's country and victim's language, so that a localized social engineering or phishing attack can take place. However, this particular group seems to be using a standard bruteforcing tool.

One thing's for sure - cybercrime is getting easier to outsource, and with potential customers starting to have access to services they didn't a couple of years ago, fake scammers are also emerging in between the real ones.

Customer Privacy, Malware & Government Regulation

Thu, 07 Aug 2008 13:37:29 +0000

Free Webcast New breeds of malware – spyware, adware, Trojans, and viruses – are rapidly infecting networks and exposing businesses and their customers to unprecedented security risks. T...

Email Hacking Going Commercial

Wed, 23 Jul 2008 22:04:48 +0000

This email hacking as a service offering is the direct result of the public release of a DIY hacking kit consisting of each and every publicly known vulnerability for a variety of web based email service providers, with the idea to make it easier for someone to execute their attacks more efficiently. Outsource the hacking of someone's email, and receive a proof in the form of a screenshot of the inbox, next to a guarantee that you'll be able to get back in even after they've changed their passwords? Too good to be true, but since they only charge after they provide you with a proof that they did the job, they could be in fact attempting to hack these emails, compared to the majority of cases where scammers scam the scammers. The service works in 7 steps :

"1- Submit your case to one of our experts.
2- After successful submission , you will be sent a confirmation email along with your Case Reference Number (CRN) .
3- Our expert(s) will revert back to you in a few minutes with the details, the charges & the turn-around time. You may also be asked to provided additional information through a private form if required by our expert.
4- Once our expert has all the required information, you will be provided a username/password to our client area where you can view the real-time progress of your case.
5- Within a matter of hours (maximum 72 hrs), you can see the results. Our expert will provide you with proof-of-success , which you can verify and confirm.
6- Once you have verified the authenticity of success, you will be sent detailed payment instructions. You will be asked to pay using anyone of our multiple payment methods.
7- Once the payment is realized, we will provide you the requisite information"

Who's doing the actual email hacking? Independent contractors on behalf of the service as it looks like :

"Most other groups employ phishing , trojans or viruses which could damage or even alert the target. Our experts use techniques which are developed by themselves , not shared by anyone. We don't ask them how they do it, but as long as they provide us the desired results, its ok for us. Since we test their methods while they are on probation period with us, we check if the target is being alerted or not. As of now, for the past 4 years, we have NOT RECEIVED A SINGLE COMPLAINT IN THIS REGARD, which is testimonial to the ingenuity of the methods used by CSP."

How would they prove that they've managed to hack the email account before requesting the payment?

"1- Multiple screenshots of the mailbox
2- A copy of your own email which you had sent to the target
3- A copy / part of the address-book of the target mailbox."

Ironically, a hypothetical questionarry that I once speculated a private detection would require from someone interested in Outsourcing The Spying on Their Wife, in order to set the foundations for a successful social engineering attack, is being used by the email hacking group.

Smash and Grab

Tue, 22 Jul 2008 09:27:42 +0000

Ever wondered how much damage can be caused with what is likely a few handily placed keyloggers and trojans?

Well, this is probably a good (bad?) place to start.

"Also while that was happening the person who stole my GoDaddy account also stole our paypal accounts and charged several thousand dollars to us. PayPal is working to get that money back, so far about 600.00 was retrieved but we are still waiting for news on the other funds."

Ouch....

Coding Spyware and Malware for Hire

Mon, 21 Jul 2008 23:52:14 +0000

What type of antivirus evasion do you want today? For the past several years, we have been witnessing the emerging customerization applied in malware and spyware for hire services. What used to be a situation where the malware authors would code and then start promoting a piece of malware including features that he thinks his potential customers would want by generalizing a cybercriminal's needs, is today's "listening to the customer" win-win situation that they've reached already.

The whole maturity from a product concept to customerization is in fact so prevalent these days, that malware authors wanting to preserve their intellectual property are forbidding their customers from reverse engineering their malware modules, presumably fearing that remotely exploitable flaws like this one in one of the most popular Ebanker malwares for the last two yers Zeus, could be discovered due to the malware author's insecure coding practices. Moreover, limiting the distribution of a single license they are given to more than three people will result in the malware author ignoring any future business relationships with the party that ruined the exclusiveness of the malware, thereby leaking it to the public, something that's been happening and will continue happening with web malware exploitation kits.

What would be the price of a custom malware module coded on demand? How much does it cost to have a built in email harvester that would sniff all the incoming and outgoing email addresses from the infected host to later on include them in upcoming spam and malware campaigns? Would the malware author also provide a managed hosting service for the command and control and the actual binaries on a revenue sharing

Here's an automatically translated, and fairly easy to understand random proposition for coding spyware and malware for hire, aiming to answer many of these questions, clearly demonstrating that today's malware is coded in exactly the same way the customer wants it to :

"As you can see in the history of its development turned directly into the combine, while almost no raspuh in weight, full-size pack аж 18 kb and minialno 5 kb, for all nampomnyu again, all descriptions below can be done as otdelnym bot, and any combination of cross except for a few restrictions. This product is targeted at mass-user and will not be all prodavatsya row. So, you can choose from:

Actually loader - is able to load a file from adminki, by country and other characteristics, such as the number of animals on board with a specific bot, a country group of countries, the availability of certain authors or Fire, sredenemu time online, etc. etc.. You can adjust the speed of shipping limits for each file, can load 1 as well as how files simultaneously
300 €

FTP and not only Graber
Analyzes user traffic and collects from the ftp acclamation, that is ftp acclamation would you regardless of how the customer uses ftp user, thus can be obtained most valuable ftp aka (even those to which the password is not saved), you can also grab other in a way not only acclamation acclamation and other tasty things more)
150 €

Assembler spam bases
Analyzes user traffic and collects from all email, snifit http pop3 smtp protocols, keeps records unikallnosti locally on each boat to reduce the burden on the server as well as globally on a server has 2 mode of operation - ie passive with only collects user to please and active - the very beginning to download the entire inet) in search of soap
220 €

Socks 4 / 5
Normal soks with competently implemented multithreading, is activated only if the user real Ip, otherwise not. And also optional, depending on the connection type and speed ineta.
70 €

Indicates
The primitive method, contamination fleshek avtoranom gives 2-3% increase in the first week and up to 7% in the next, a pleasant trifle)
35 €

Scripts
Loader supports internal scripting language - jscript, to carry out arbitrary actions on the victim machine, whether recording data in the register, setting authentic hon-Pago, opening URL in your browser (it was done so to please with 90% punching)), apload arbitrary files on a server, even theoretically possible to form and grabing inzhekty in IE) has only to write the script zaebetes, vobschem lyuboye actions soul who wish)
70 € basic functionality

Assembler passwords
Collects data such as passwords pstorage IE, MSN, etc., will be added at the request of other sources of passwords
70 €

Mini-AV
When installing loadera wheelbarrows to remove BHO shaped three, zevso-shaped, the majority of shit from all avtoranov, render most keylogerov until all) forward proposals to improve
70 €

File-default
In exe loadera program URL (in adminke) to the file which once progruzit 1 and run at first start loadera on wheelbarrows, while simultaneously helping progruzke Trojan for example, in its entire botnet that does not paired with challenges in adminke, the module operates in 20 seconds after the mini - av which excludes the removal of your Trojan bot, after progruza this exe bot continues to normal activities.
35 €

Form Graber
While in beta version, robbed IE. Sends logs in adminku, folding country. Logs are like logs agent. It consists of:

Graber certificats
On the idea is part formgrabera but could work and of itself, actually there is nothing to describe)

Injections
Literacy sold inzhekty, did not begin work after full progruza pages (as in bolshistve three) and immediately supported injection yavaskript code, which allows avtozalivy and DC inzhekty for data collection. For example not to yuzat acclamation at all is not yet introduce the necessary number of Britain, after which inzhekt ceases to operate. Вобщем mdelat can be anything and in any form) rather than the meager request field pin) And also inzhektov subspecies - a substitute for the issuance of search enginee.

Graber balances
Makes loot aka balances at the entrance to the user acclamation, detail added to the logs.

Screen
Universal method to grab information from absolutely any species and varieties klaiviatur screens, in particular html, flash, in one picture, with a drop-down fields after choosing your encrypted, as well as information such as "enter 3 yu secret letter word" etc. as well as any information which is visible a user but not seen in the logs. Screen settings of adminki, set URL where do screen as well as the type of screen: for virtual keyboard (done several small images of areas around the clique) or to "enter 3 yu secret letter words" (makes 1 full shot). With the withdrawal screen recorded in the log entry with the name of the file to the screen this position.

Antiabuznost for botneta
Feachem adminki, keep botnet enables fast, normal, bezglyuchnyh NEabuzoustoychivyh hosting, with features that you forget what abuzy, nohistory week saporta "abuzoustoychivogo" hosting inaccessibility host to half ineta etc., etc., also with the help of the supplement will be able to keep huge botnety (over SL) at 1 dedike with 512 Lake) and well on the price of hosting a savings, not $ 500 a month and 150. It may use this feature to stroronnim development, Trojans, bots, etc., actually is a separate product. And incidentally, if you do not understand the theory that nenado ask "and how does it work?" imagine that it works and point and neubivaemo in pritsnipe.
600 € +

All prices are in euros, the calculation is made at the rate of CB on the day of purchase. ps I will not disappear as most authors after months of sales, I DONT how to please you get to the assembly ftp, I DONT how many soap collects soap-graber, I DONT what otstuk from loadera, I DONT soksov how many will be from 1 to downloads, and how best To work load a file is not dead quickly, if you are confused my ignorance - that my loader so you do not need more tries)

Rules / Licence
-- Customer has no right to transfer any of his three 3 persons except options for harmonizing with me
-- Customer does not have the right to make any decompile, research, malicious modification of any three parts
-- Customer has no right where either rasprostanyat information about three and a public discussion with the exception of three entries.
-- For violating the rules - without any license denial manibekov and further conversations"

This malware coder seems to be participating in an affiliate program with a malicious ISP that is offering hosting services for the entire campaign, not just the malware binaries, so you have a rather good example that incentives and revenue-sharing models result in value-added services, a all-in-one shop for a customer to take advantage of without bothering to approach a third-party.

Cybercrime is getting even more easier to outsource these days, and with the malicious parties improving their communication and incentives model, the resulting transparency in the underground market

Related posts:
The Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Using Market Forces to Disrupt Botnets
Multiple Firewalls Bypassing Verification on Demand
Managed Spamming Appliances - The Future of Spam
Localizing Cybercrime - Cultural Diversity on Demand
E-crime and Socioeconomic Factors
Russia's FSB vs Cybercrime
Malware as a Web Service
Localizing Open Source Malware
Quality and Assurance in Malware Attacks
Benchmarking and Optimising Malware

Impersonating StopBadware.org to Serve Fake Security Warnings

Sun, 20 Jul 2008 23:30:51 +0000

Malware is known to have been hijacking search results, take for instance the rogue Antivirus XP 2008 as a recent example, but it's even more interesting to see other rogue security software impersonating Stopbadware.org in order to server fake security warnings that ultimately lead to fake security software.

stopbadware2008 .com (58.65.238.171) is one of these examples, where stopbadware2008 .com/antivirus.php redirects to infectionscanner .com and attempts to trick the user into installing download.infectionscanner.com /AntvrsInstall.exe. The message used :

"Reported Insecure Browsing: Navigation blocked. Due to insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes. Also insecure Internet activity can result in revealing your personal information. To get full advanced real-time protection for PC and Internet activity, register Antivirus 2008. We recommend you to protect your PC now and continue safe Internet browsing."

There's in fact even more rogue software using the same IP (58.65.238.171), courtesy of HostFresh :
virus-scanner-online .com
security-scanner-online .com
viruses-scanonline .com
virus-scanonline .com
antivirus-scanonline .com
download.antivirus-scanonline .com
topantivirus-scan .com
topvirusscan .com
virusbestscan .com
virus-detection-scanner .com
antivirus-scanner .com
infectionscanner .com
virusbestscanner .com
internet-security-antivirus .com

It would be interested to monitor whether or not the template for the fake security warning would start getting used on a large scale.

Related posts:
A Portfolio of Fake Video Codecs
Fake PestPatrol Security Software
Got Your XPShield up and Running?
Localized Fake Security Software
A Diverse Portfolio of Fake Security Software
RBN's Fake Security Software

Security Briefing: June 17th

Tue, 17 Jun 2008 07:33:11 +0000

Sleep deprivation, caffeine overload and documentation. How long till I start hallucinating? Stay tuned.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

Router-hacking Trojans spotted | Web User News
The ’secret’: Banks are freaked out by security | ZDNet
Malware not man blamed in child abuse download case | The Regsiter
Security Bonuses for Vista Programmers | eWeek
PCI DSS: Section 6.6 gets teeth – finally
IM Security’s Three Kings | CSO Online
Victim of its own success | BBC News
Dacre promises new look at rules on hacking by journalists Guardian

Tags: News, Daily Links, Security Blog, Information Security, Security News

Sometimes, It Takes a Thief to Catch a Thief

Mon, 09 Jun 2008 13:00:00 +0000

News from Portfolio.com

Also on Portfolio

Time for Tech to Throw Everything Into Energy

Hollywood Frets Over Corruption Crackdown

McCaw's Back to Remake the Wireless Landscape

Subscribe to Portfolio magazine

Apollo Robbins won't say whether he's ever stolen anything in his life, but it's clear he could if he wanted to. Having grown up in Missouri with three half-brothers who were all involved in various criminal activities (one of them is in the witness protection program after testifying against former colleagues of his), the 34-year-old Robbins was indoctrinated at an early age into the finer aspects of pickpocketing and con games.

He eventually developed those skills into a successful career as a sleight-of-hand artist and performer in Las Vegas. His latest act, though, has him starring as a corporate security consultant. In this role, it is less his dexterous hands that appeals to his clients than his mastery of all aspects of criminal cons, grifts, and social-engineering ploys.

"When you're trying to steal something, you find the weakest link and work that," Robbins says. "Nowadays, as technology gets better and security systems get harder to break through, the weakest link in any system is the human running it."

Robbins founded his consulting operation, Whizmob Inc. (the name comes from the street term for a team of pickpockets working together), two years ago while still performing full-time.

After doing a show a few years back in which he pickpocketed Secret Service agents accompanying former president Jimmy Carter, the resulting publicity led several law-enforcement agencies and other groups to contact him about his techniques.

"At first, I'd refer them to security people I knew," says Robbins. "Then I realized that instead of being a referral service, I could capitalize on this."

It was a good time to get in on the act. Information security consulting, which barely existed in the mid '90s, has become an estimated $10 billion to $12 billion business as the need to protect sensitive information stored on computers and servers has become a more central concern.

Today, Robbins counts the N.F.L., TNT, and several Fortune 500 companies among his customers. He recently advised the N.F.L. on information security protection at this year's Super Bowl in Phoenix to combat the expected flow of thieves and con artists lured by all the deep-pocketed spectators coming to town.

His work included getting a major hotel to upgrade its WiFi security so that fake access programs known as Trojans couldn't extract valuable data and password information from unsuspecting guests' computers. And at the stadium where the game was held, Robbins and his team identified areas where pickpockets would most likely operate—specifically, places with lots of traffic where bumping into people would be customary, and easy access to exits for escape purposes.

Besides the shadier elements of Robbins' childhood, his father, a blind minister, instilled in him a strong sense of morality. "It was like living in two worlds," Robbins says.

In many ways, he still is living in two worlds, since he keeps in regular contact with some professional thieves he knows in order to stay abreast of the latest cons. (While he doesn't pay them, Robbins says that "a lot of these guys are really good at what they do but they can't exactly discuss it with a lot of people.") But increasingly, Robbins is spending time in the more staid settings of the corporations that hire him to vet their security systems.

"It's a good time to be in the business," he says.