What if you wanted to hack someone’s account or you needed to buy a new exploit? How would you do this? This is a task that would stump most of us. But how about looking on eBay Inc. (Nasdaq: EBAY)? After all, the online auction house is a place where almost anything is sold and bought. Curious, I decided to check it out.
From eBay's homepage, I typed “exploit” in the search box and back came approximately 20 results, the following among them: Phish and Hack Unlimited MySpace Accounts – New Exploit. For $25, this auction offers the means to phish or hack any MySpace account. Initially, the person sold a phishing or hacking toolkit, but now the black-hat is offering a service to break into accounts of the buyer’s choice.
The seller shows an adept familiarity with methods used to detect phishing techniques. For instance, if the alias for the link indicates a different location than a link itself, it is already suspicious. The seller circumvents such protection by hosting the kit on MySpace itself. This means that both the link and the alias could point to the same location, and unless the user has Webmaster skills, the end user would have difficulties differentiating between this creation and the legitimate MySpace application.
Admittedly, the seller’s feedback count is relatively low, which means that eBay does a reasonably good job of closing down such accounts. Otherwise the feedback would have been much higher. It would be no surprise if by the time of publishing, the item would be closed and the user deregistered by eBay authorities. [Ed. note: The item is no longer available on eBay.]
This is just one more example of the bad guys’ ability to offer products and services to anyone in the world without boundaries and limitations. It continues to work to the great advantage of many legitimate businesses, and at the same time, the same principle helps the online shadow economy flourish.
It is known that there are underground auctions trading zero-day exploits much more dangerous and for more money than the example above. However, by taking more proactive measures, end users and companies can help diminish the potential of the online shadow economy and its hacker exploits. For example:
Vigilance is key: Be extra cautious when choosing whom to trust. For example, the exploit above depends on the user’s willingness to accept Web applications that are not trustworthy. Look for signs of malicious behavior and analyze the application. For instance, check for incorrect spelling within the description of the Web application; question whether friends or colleagues would recommend the application; ask yourself if you really need the Web application; and decide whether the Website appears to be trustworthy and professional.
Economics are the secret weapon: Use economics to hurt the bad guys. After all, if it weren't for our money, they would be struggling to stay in business. Buy goods only from trustworthy shops that you know to have a long-established reputation. Buy goods that were legally imported into the country. Spend time researching the shop or individual with which you are planning to do business. Never, under any circumstances, spend money with a business when it does not feel right.
Safety first: Develop a habitual sense of security when browsing the Internet. There are many sites like GetSafeOnline.org that offer valuable security advice on dos and don'ts for using the Internet. Become familiar with them as you would basic traffic code.
The solution is not always simple, as the problem is quite complex. Just as it is nearly impossible to bring down the world global economy, such is the case with the Internet’s shadow economy. Nevertheless, using common sense is the best way for end users to protect themselves.
— Maksym Schipka, Senior Architect, MessageLabs