Of late, there’s no lack of news about information theft and data breaches, not only in Japan but also in the rest of the world. But as these incidents become more common, they are also becoming more blatant in the way they are carried out. Whereas we used to hear of stolen information being peddled at underground forums and bulletin boards, IRC, and so on, malware authors now seem to pay no mind to keeping things under the radar.
Blowing the lid off such transactions, they conduct illicit deals in the open through well-known sites—a tendency we would like to call the popularization of cyber crimes.
Back in February, we had an entry in the Japanese version of this blog about a similar case, in which a popular Korean net auction firm called Auction, Inc. (www.auction.co.kr) confirmed that the information of 10.81 million individuals had indeed been compromised. This is a large-scale theft that, to say the least, got its users worried; some groups even contemplated filing lawsuits.
Then there is the Chinese Internet portal O2SKY, whose free market page carried at least two entries seemingly related to the aforementioned Korean incident: the first posted on March 29, the second on April 11. These say: “Naver, I can sell the IDs of Auction, Inc.” Naver is one of Korea’s famous portals. The entries include the email addresses and telephone numbers of the vendors.
Here’s a screenshot of that entry:
O2SKY is owned by Yan Fan, Inc., which is located in Jilin Province, China. While it is a Chinese company, we can assume that the said entry was posted for Korean users, given the site's geographical proximity to Korea.
Taking a closer look at other related entries, we also found some that encourage readers to try out techniques for breaching, hacking, and compromising sites. These are a kind of advertisement dangling high salaries for those equipped with such skills. They are open invitations meant to lure the malicious-minded, making no secret of their intentions.
Here’s a screenshot of the said ad looking for those with “skillz”:
In the two cases detailed above, there are several reasons why we believe these should not be classified as professional or organized crime. One is that the malicious users are openly posting their own easily traceable information in the public forums that almost anyone can anonymously visit.
So if these are perpetrated by neither professionals nor organized crime syndicates, then who is posting such entries? The possible candidates are as follows:
- Script Kiddies – they usually use the openly available cracking tools to steal individual information and sell it to others
- “Customers” of cyber criminals – they try to sell individual information that they initially bought from the professional criminals
- People who read media reports – those who pretend to sell the individual information but do not actually have it. Another set of readers may be the adventurous type who want to recreate the same offenses based on the information they got from the media.
The existence of the so-called script kiddies should never be ignored. As the said hack and breach techniques are made more widely available, they also become so sophisticated that there will come a time when it will be harder to distinguish between a manually conducted breach and an automated one.
As part of their protection, some companies try to hire so-called ethical hackers who can help enhance their organizational security measures. In Sun Tzu’s The Art of War, the chapter on attack by stratagem shares this bit of wisdom: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” This statement is a basic principle that can be applied even—or perhaps especially—to cyber crime and our ongoing fight against it.
Updated by Mayee Corpin (Technical Communications)