Hacker Hit Men for Hire
For a mere $249, the Russian Hacker Assn. promises to destroy your "Web enemy." According to its Internet ad, the RHA will configure a robot e-mailer that can bombard your target with tens of thousands of e-mails in a single day, gumming up computer networks and interrupting normal business operations.
This ad is only the latest example of a new threat coming out of cyberspace -- the hacker mercenary. It's a tempting proposition for young adults in countries where wages are low, opportunities limited, and computer literacy is high -- places like Russia, China, and India. "These guys are all over the Net with advertising," says Bill Spernow, a security analyst for technology consultancy Gartner Group.
Fears that the incidence of industrial cyber attacks could explode are growing. "A company could seriously damage a competitor if it could shut down their systems at critical times, says IBM security expert Jeff Crume. "An unethical company willing to steal such information from a competitor could simply hire a group of hackers to do the dirty work for them."
NO QUESTIONS, NO NAMES.
According to Crume, the party paying for the attack could remain anonymous, meaning that not even the marauding hackers would know who was footing their bill. Even more troubling, contract hackers could find sanctuary in countries where authorities lack the legal teeth, or the inclination, to prosecute.
Evidence of mercenary hackers has been around for years. In a case tried two years ago, the FBI won the convictions of two men, Calvin Cantrell and Cory Lindsay, who were hired as part of the "Phonemasters" group. This international criminal gang penetrated the computer systems of MCI, Sprint, AT&T, and Equifax -- even the National Crime Information Center. Cantrell allegedly downloaded thousands of Sprint calling-card numbers and sold them to a Canadian man. The numbers eventually ended up in the possession of an Italian organized-crime syndicate.
But anecdotal evidence points to many more incidents of mercenary hacking. You won't hear this from the companies themselves, since most refuse to admit they have been hacked for fear of spooking customers and partners. Meanwhile, on the other side of the coin, Internet security companies clearly have an interest in promoting these fears in order to drum up clients.
But academics and researchers without an ax to grind fear this type of hacking will increase so long as huge income disparities remain between advanced nations and the rest of the world. "We are seeing the increased use of cyber intrusions by criminal groups who attack systems for purposes of monetary gain," says Ronald Dick, director of the FBI's National Infrastructure Protection Center.
By the same token, some foreign companies looking to one-up their better-funded Western counterparts have taken surveillance into their own hands by hiring mercenary hackers inside the U.S. Just ask Alan Brill, who directs Internet-security operations for security firm Kroll Associates. Brill helped a Silicon Valley software outfit to fend off hacking attacks by a former employee who had been hired by a foreign competitor to access company computers and steal proprietary information. The company watched helplessly as the computer intruder outwitted security measures and continued to download highly secret files. "They couldn't block him out of the system, and they were calling in a panic," recalls Brill. "I told them to shut off the modem and power switch to the server."
But pulling the plug on these types of attacks won't be easy. More and more hacking tools appear each week, making it easier to snarl or damage the computer networks of corporations with a presence on the Net. And international treaties to address cross-border hacking have yet to be passed. For now, there is very little downside for bad guys who want to make a few bucks by hacking company networks at the bidding of competitors. For businesses on the Internet, that's very bad news.
By Dennis Blank in Orlando
Edited by Alex Salkever