A Life in the Day
It’s time to go to work. 10:13 a.m. on a Tuesday is as good as any I guess. I personally prefer to work during the day unlike my peers who like to ply their trade in the dark of night. Maybe it has to do with their mindset or the knowledge that what we do is supposed to be wrong and it affects how/when they work. Not me. I have no preconceived notions about what I do. I do it for the money. I throw my laptop into the car and head for a neighboring township full of juicy targets. You see, I am a hacker with a specialty just like any other professional.
I prey on doctors, lawyers, and accountants. I break into their networks, encrypt their data and hold them for ransom. I chose these targets for two reasons. One, I know their insurance will pay for it and two most don’t want the negative publicity nor the attention of certain government entities and would rather just pay to make their problem go away. The other thing I like about them is they are conveniently clustered together around hospitals and banks. The doctors’ offices are especially tasty morsels because you can go sit in the waiting room of one for two hours and scope things out and no one seems to notice. Even if they do you just say “I am waiting for my mother” and they go away.
Now for the real reason you are reading this; the “how do I do it” part. Remember that specialty I mentioned above? Well, mine is wireless. Specifically, I can breach almost any wireless network manufactured today. I drive through the business communities I want to victimize with a program running that gathers the names, locations and levels of security of all the wireless access points in the vicinity. I look over the list the program generates, choose the sites that have either no encryption or weak encryption and then I go to work. I have programs that can crack a WEP secured network inside of 3 minutes, 10 on a bad day. WPA networks are a little harder to crack and WPA type 2 is the hardest, but by no means impossible.
Once I have access to the network via the wireless I have a multitude of options. I can encrypt their database and all their backups and make them pay me a few thousand dollars to give them the encryption key or I can copy the database and threaten to release it on Pastebin.com if they don’t pay me. Sometimes I just infect the network with a keylogger so I can get the username/password of everyone on the network and wait for the Practice Admin to access the online banking for the company and steal those credentials. Or their online EMR. Or their online insurance sites. Those types of credentials usually fetch me $2500-$4,000 on the Hackers Market with the extortion paying between $5k-$10k per office. Not bad for a couple of hours of work huh? If the office is too small for me to make any money off of I usually just install my own back door on their servers and use them to host stolen credentials, pirated movies and software and the occasional launch point for a botnet attack against another target.
If the office relies on their website as a sole way to do business I can also contact them and tell them their competitor is paying me $2,000 to take them offline for 72 hours with a denial of service attack and say if they pay me $2500 I won’t do it and I will make sure no one else in our “organization” does it to them either. You would not believe how many suckers pay up and I don’t even have to lift a finger. Do I have a botnet? Hell no. But I know where I can rent one for $130 for 24 hours if I need one. So far I have never needed one. So now on to the next topic, how do I get paid?
My first problem is not breaching a network and infecting it or encrypting the data, that’s child’s play. My problem is how to get paid without getting caught. I have two methods to avoid the graybar hotel. The first is to make the payer pay me in bitcoins. This money is unregulated and I can cash in on them from just about anywhere in the world. But, sometimes the cash has to move fast and to a place with little to no extradition or banking regulations, or where you can buy off those who do regulate the industry. For that I have a “partner” in another country. The money goes to him, he takes a 20% cut for “laundering” it for me and I get it back to an account in yet another country where a shell corporation is set up for business. I love this account as this is where I keep my cash for traveling all over the world. I use my company to buy plane tickets, rent cars and hotels, buy meals for my friends and even buy concert tickets. Every once in a while I move the money to a different bank, different business name and different country just to keep from creating a pattern that prying eyes can spot.
And, in the time it took to write this short little ditty I have broken into another Doctors office. When will people learn NOT to use the business phone number as the passcode???