Nowadays it is easy to set up a cybercriminal operation. But not all crooks are cut out for this game: some end up not only infecting their own computers but also leaving behind evidence of supporting infrastructure that is insecure and open to snooping.
Inexperienced cybercriminals have always been common, but what has changed over the years is their age, which has dropped from adults to children in their early teens, making the "kiddie" label literal.
Different malware strains bundle all the components needed to get the “business” going, including command-and-control (C2) server code to manage operations.
These are easy to come by if you know where to look. Open-access hacker forums are full of advertisements for cheap malware, while examples are also available as open-source projects. And many hosting services can be rented for just a few dollars a month.
Script kiddies in the past
Security researchers find malware administration panels run by script kiddies (criminals with little to no experience) every day. MalwareHunterTeam told us that a few years ago they were looking at a dozen such C2 servers a day.
In 2016, he tweeted about a skiddie who fell victim to the very malware he had deployed on his victims. The evidence was a screenshot the keylogger took of the operator's own desktop, which turned up in the infection logs on the C2 server.
Someone got infected again. pic.twitter.com/KAtvfvwYgM
– MalwareHunterTeam (@malwrhunterteam) April 5, 2016
Script kiddies today
Today, such panels continue to be a common find, as numerous youngsters posing as online bad guys try life on the other side of the law and set up small, low-cost cyber operations.
Those who don’t know how to play the game end up infecting dozens of computers, even hundreds, while failing to protect themselves from their own malware.
MisterCh0c, an ethical hacker who scans malware admin panels daily, tweeted yesterday about an operator running the OrangeFox information stealer, which he believes is an immature tool; a technical analysis is still pending.
The researcher, who does this work on a volunteer basis, found the OrangeFox botnet panel while looking for panels of the PHP-based BlackNET botnet, which is available on GitHub and on several hacker forums.
It turned out that the same operator was behind these two botnets and several others, one of them for the info-stealer Arkei, running on different servers.
Dealing with so many botnets may seem like the work of a cybercriminal mastermind, but not this time. A full-face image in the logs shows a dead-eyed teenager looking directly at the computer screen.
One of the panels examined by MisterCh0c showed over 180 infections, although this number may not be correct as the operator regularly clears the logs.
Access to these panels is sometimes a matter of luck as owners leave them open believing no one would find them. In other cases, access to the log files and statistics is possible due to vulnerabilities in the panel’s source code.
It’s not that juvenile cybercriminals didn’t exist before, but in this example, it seems like they’re entering the game at a younger age than before.
Reporting illegal activity is sometimes useless
MalwareHunterTeam still finds time to keep up with the trend and to get past the flimsy security fences that would-be malware operators put around their admin panels. He reports his findings, and while some are acted on within minutes, in many cases they fall on deaf ears.
Provide information about identity theft:
Singapore: Give information to cert & police in *minutes*, bank informed.
Italy: give information @JAMESWT_MHT which forward to cert and take action soon.
And then other countries basically: “Who are you? why do you care You idiot? Why should we care?”
– MalwareHunterTeam (@malwrhunterteam) April 3, 2019
Unfortunately, this seems to be a widespread problem. MisterCh0c told us he also contacts the authorities about these operations, “but in my experience they don’t care and they can/can’t do anything about it.”
In mid-December 2018, the researcher reported to authorities a French cybercriminal (named “la Baguette”) who robbed banks, but whose operations are still active to this day.
Also, reporting the C2 panels to hosting providers is not always a viable solution as the crooks may be using bulletproof hosts – hosting companies that do not take action against criminal activity on their servers.
Direct contact with the victims turned out to be a bad idea for the researcher at least once. Warning a cryptocurrency wallet owner that their private key had been stolen ended with threats from the victim.
With the reporting not doing a very good job of curbing skiddies’ activity, it shouldn’t come as a surprise that some of them are content with this life outside the law.