It all started with a score that needed to be settled. A couple of weeks ago, I wrote up some news about how various, high-profile sites in Pakistan and Romania were getting defaced by hackers. I did a little digging around to see who might have been behind the events, and then wrote that up in the posts.
Apparently, I didn’t dig deep enough to get the whole story. Over the weekend, someone called eboz, the
same name as the hacker behind the Pakistan spate of attacks, got in touch. He wanted me to know, first and foremost, that he wasn’t responsible for 3,000 site hacks; but closer to 90,000, most performed under a different name, KriptekS, with more listed here (this latter group he calls his “special-0wn4geZ”). “Try not to be stupid next time, Ingrid,” he advised.
As long as I had his ear, I decided to see if he would talk to me a bit more. He agreed, as long as I promised to keep his personal information off the site; keep in confidence some of the links he sent me; and keep the conversation to instant messages only. So that’s what we did. I would send him a message and he’d message back, explaining a bit about his skills, modus operandi, and personality.
Eboz is a self-styled hacker’s hacker and focuses mostly on gaining root access to servers and sometimes defacing them. He is young, full of braggadocio, and seems to be the real deal. We attempted, as best we could, to confirm his identity and he even defaced a site in my name, which was a charming if off-putting experience. He showed, in short, that web security is laughable and that a 21-year-old from Turkey can, with a bit of work, take down some of the biggest sites on the web.
Extended excerpts from the interview follow below. He told me that defacements were only a part of what he does. He claims also to have access to 21 more Google country sites, as well as a zero-day exploits for Gmail, root access to NICs for several countries’ domain registries and more. He claims to have hacked into sites, taken data, and sold it on to others. He may be 17, or he may be 21. (He told me one age and then told me he was actually older.) He mainly works alone, but sometimes with friends. He has a lot of disdain for “script-kiddies” or “skiddies” – lightweight hackers.
So I have some proof and confidence in connecting this guy to the defacements. Verifying the bigger hacking claims, however, has been a little more problematic, and may be entirely untrue.
On Monday morning, he told me he had some attacks planned for Google, and maybe others. Whether it was a coincidence or not, later that day Google did experience some problems, and so did Facebook.
But we’ve run some of his claims by other engineers and coders, and have had mixed responses — some dismissing him, and one giving him credit. Facebook itself told us its problems on Monday didn’t have to do with hacking. Google also attributes its issue to load-balancing software. In short, both have provided technical explanations of the internal issues. [Update: He’s also defaced at least one more page since this story was published, the Nepal local site for USAID, which he warned me he would do in advance. He also told me that he’s going next to tackle the porn industry.]
Why does he hack, or claim to hack? Different reasons, it seems. Because he can; because he can make some money; and because he likes to show others the holes in the system. He gives me various explanations depending on the context of the question. The conversation is a revealing look into how at least one hacker thinks and works.
I’ve kept his writing style just as he typed it.
Why do you deface? Why do you hack? Why those sites? Lots of speculation about why you chose Pakistan and others. Can you tell me why in your own words why you do this?
Pakistan? As you know, Pakistani hackers are claiming to be ‘worlds best hackers’, some of their hackers include zombie_ksa, a script-kiddie, who has hacked Google a few times with the help of a different hacker, i do this to show them they are not only ones hacking big targets on the planet… i also gained access to NADRA & FIA pakistan, NADRA which holds every information on every citizen in pakistan, and FIA which has every record of crime in pakistan, pretty good compilation huh?
How do you get access?
I get access by different methods, pakistan isnt so secure as they claim to be, SQLi (SQL Injection) can be used to inject and spawn shell/backdoors.
What do you think of Anonymous, and are you associated with the group at all?
anonymous? they are pathetic, have no web-hacking skill, mainly expertise at TCP/UDP DDoS attacks or botnets. anonymous are something, which i would like to call, ‘freedom for the skiddies’. i have had bad-relations with anonymous in the past.
Do you work alone?
Yes, I work alone
Do you ever do more than deface? Can you actually hack into sites too?
hacking & defacing is the same thing, you first hack into the site to deface. sometimes i do more than deface, i hack if any important-information is needed, for extracting some confidental information off the site’s database. i managed to hack into a server of ebay a few months ago, but they recovered pretty fast.
Are you planning to deface next or hack? What’s the reason you choose one or another?
i might play to hack today, but deface when i’ve extraced out the info. reasons, sometime for political reasons, or maybe just for fun? but, the reasons for targetting pakistan, i told them to you
What info do you extract? Do you ever sell on the information that you are able to access?
i extract serveral confidental information, mostly linked with my own personal reasons, and sometimes, i sell them to underground-forums under a high price. Most information include, which you probably didn’t want to hear, ‘credit cards’, ‘bank accounts’, and ‘social-accounts’, and others… and i’ve hacked NASA a few times, tried getting evidence of UFOs.
Have you ever been convicted? Or close to being discovered? And again because you could be anyone at all, how do you prove to me that you’ve done this? Is this how you earn a living?
yes, this is how i earn my living. i’ve been raided by turkish police in 2010. but was out after 15-minutes
How do you prove to me you’re not just making this up? (being cynical, i could theoretically create a profile called eboz and claim to be you)
yes, i agree with u. [He also suggests going to a site called mindhackerz but in fact it’s down when I visit. So he explains:] mindhackerz was a turkish/poland underground forum, mainly credit cards/private info was being sold there. mindhackerz were responsible for founding the hotmail 0day in the past, but too bad, they were 0wn3d by me in 5min less.
oh and want more proof? here’s the bug that I used to hack pakistan: [a link i’ve left out here] i have more bugs in the site. [Later by email he sent me a link to another site he doesn’t mind me posting listing other scripts]
Why have you decided to contact me? Are you talking to other journalists too?
no, i am not. only you because i was quite angry [again: i didn’t give him full credit for what he’s done]
Can you estimate how much money you have made from these activities?
how much i earn? that is personal
Mainly. Have you ever thought of working for a company to help protect against hackers?
no.
Why not?
when you can earn more money by doing a diff thing, why choose the lame-way? whitehat-hackers seem to have no living
What about good and bad? Legal and illegal?
as long i keep my eyes open and be careful, there will be no knock at my door
How did you manage to keep out of the eyes of authorities for this long, and why did the Turkish police release you so quickly?
i’m a expert of all web-vulnerability holes, and of course, if u manage to hack a large organization, there will be treasure for u. the turkish police thought that i’m someone-else. a friend managed to betray me
Do you worry that you are doing ‘bad’ things?
I never worry
Can you estimate how much money you have made?
I will not be specific, but i can say, near $10,000
So what else do you do for a living? That doesn’t sound like enough to live on in Turkey? How old are you? (Do you need to earn a living or are you younger than that?)
I am not a adult but i dont really earn for a living. why do you want to know?
I am still not convinced you are not a hoax.
1. this is not a hoax; 2. im the real eboz; 3. ive proved it to u; 4. and why would i lie, so, u want me to add ur name on the deface next time i hack?
OK, when are you planning to hack next?
It could be anything. Keep ur eyes open. It “MIGHT” be GOOGLE again.
I want to ask about the 0day for Gmail. What are you planning to do with this?
i am not so sure about time, but it could be anything. Gmail 0days are a part of my hacking.
Have you ever hacked into gmail before?
twice.
Oh, and what have you done when you’ve done that? Was this reported?
i reported when i first found a serious bug in 2008. But they ignored. After that, I never reported. i discovered the gmail 0day in 2012 august.
And you’ve used it before? Or the hacking came before then?
i’ve used it a few times. I use it when it’s mostly needed, hacking email accounts of the admin and resetting pws
What have you taken from Gmail? Have you hacked mass accounts or are you saying individual people for specific passwords?
i have hacked mass-accs, and thousands of fb accounts with this 0day. altho, i sold the facebook-accounts on some forums
Can you please send me a link to the forums? i would like to make sure my name is not on there. ;-)
[link he asked me to remove] and some underground forums in the TOR Network also known as ‘Deep Web’.
also here’s a pic, of chase.com being shelled: http://img63.imageshack.us/img63/5140/shellg.jpg
wwwq3.chase.com yesterday [Monday]. wwwq3.chase.com hast been updated since YEARS. see the pic [the files and kernels date from 2009] altho, http://www.chase.com is updated daily
wwwq3.chase.com isn’t.
wwwq3.chase.com is used as a gateby tho which makes wwwq3.chase.com more important.
i am going to remove u due to some reasons
Why? What happened?
are u reporting me to feds?
No, not at all. I’ve been sitting in a conference. What’s happened?
Nothing, just thought u might have been passing on some info
In Romania would you have called that a hack? (i think you were uninvolved)
i was not involved, and no, that was not even a hack, and it was done by 3 people i already had gained access to romania a day before the attack. i will not call that person a hacker, but i will call him ‘clever’.
Can you tell me your actual age?
hm. i am 17 [later he told me it was 21]
What do you think about the accusation that you’re just a kid trying to get attention?
i am not a kid trying to get attention, just showing how the world’s biggest companies fails in security.
oh and ingrid. let me tell you something. want to hear it? something, which u regular internet-users dont really know.
Yes please tell me something us regular users don’t really know.
you, regular-users, just go on, use antiviruses, and security-providing companies, thinking ur 100% secure. and trust me, there are such underground forums & communities in the deep web. deep web, is not accessed by regular users. also known as, the “Unknown Internet”. there are being 0days sold in there also, hotmail 0days, yahoo 0days, facebook 0days and exploits to hack social-accounts. also, botnets are being sold there.
people are selling PC’s (infected PCS known as victims) 10,000,000 infected victims in one package, and even, the creator of duqu/flame/stuxnet virus, the guy who made the iran’s network get on it’s knees. i know him. hes russian. and also access to the FBI, interpol, NASA is being sold there.
mails & db’s, documents of the us army. the most important part this, even, rexoworm is being sold there. heard of reXoworm? rexoworm, is a virus/browser exploit. once u click a simple link, ur pc is 0wn3d. even ur antivirus can’t save u from the disaster. thats all i have to say.
[Later, on Tuesday, I ask him to tell me how he went after Google and Facebook. Again, Facebook has said it was not hacked on Monday.]
it’s this: “i did abit of malfunctioning in the gmail just to prove something to a security-researcher (who though that I did have any exploitable vulnerability on gmail). oh and, i’ll try to explain in the easiest way as possible.
yes, facebook has been 0wn3d. i managed to get accesss to a few DNS/NS servers of facebook, which include the following;
[a list of DNS addresses he’s asked me to leave out]
if you pinged facebook at the time of facebook disrupted, it would’ve showed a different DNS and a different IP. i tried to hijack facebook, with the same method like I did on google pakistan, but this time, no hacking of domain-hosting/NIC’s were involved.
although, i tried to redirect facebook to my defaced-page, and then all facebook-users can how facebook fails. facebook recovered pretty fast, altho, the redirection must’ve worked, but failed.
although, a facebook spokeswoman who said ““We detected and resolved the issue quickly, and we are now back to 100 percent.” – i would not really say 100 percent, since your website does have a bunch of bugs, and mark my words, you will get 0wn3d someday without no FAILURE.
it’s pretty hilarious to see how these facebook changed their DNS-infrastructure and servers, just because of my hijack.
and facebook is trying to hide the fact that they were 0wn3d. trust me, security doesn’t exist. and i have proved it.