BBC Click paid cybercrooks to buy botnet

Your licence fees at work


BBC Click has admitted paying cybercrooks thousands of dollars to buy access to a botnet as part of a controversial cybercrime investigation, broadcast over the weekend.

In a website story accompanying the heavily-promoted report, BBC Click reporter Spencer Kelly explains how licence fee payers' money was used to buy access to virus-infected machines under the control of hackers in Russia and the Ukraine.

After months of investigation and a few thousand dollars, we had managed to buy a botnet from hackers in Russia and the Ukraine.

The process began in chatrooms where hackers advertise their services. You have to earn their confidence, then negotiations take place in instant messaging applications.

Once a service and a price have been agreed, payment is made using a money transfer to keep both sides anonymous.

BBC Click used the botnet of 22,000 machine to send spam to webmail addresses it established and launch a denial of service attack against a test website by security firm PrevX which advised on the investigation. It then changed the wallpaper on compromised machines with a message of its own, advising affected users to clean up.

The BBC reckons its actions were legal, but specialist technology lawyers contacted by El Reg disagreed. Struan Robertson, editor of out-law.com and legal director at solicitors Pinsent Masons, said that the BBC's actions were likely to have breached the unlawful access provision of the Computer Misuse Act, the UK's anti-hacking law. He added that there was no public interest defense against CMA offences.

All parties agree that there's unlikely to be a prosecution, even if the BBC inadvertently interfered with Pentagon computers. Infected computers on US military systems are hardly unknown, and BBC Click failed to make any checks on whose computers it was hacking into - so it could well be that some of the zombie machines used during the exercise were on US military networks.

Aside from the legality of the scheme, the exercise raises troubling ethical questions. Security firms are almost unanimous in saying the behaviour of infected machines could have been illustrated without hacking into the machines of innocent victims.

Much of what BBC Click found was already common knowledge in security circles, if not to the wider public. The idea that botnets are used to send spam or run DDoS, that access to them is sold through underground forums and that control tools are growing in sophistication, have been the staples of information security stories in the technology press and reports from vendors for months.

BBC Click said the programme was six months in the making.

Many security have described the exercise as misguided, unnecessary and unethical. Kaspersky, AVG, McAfee, FaceTime, Sophos and F-Secure all agreed that the BBC had behaved badly. Over the weekend Sunbelt Software joined the attack, which Sophos has spearheaded, against the programme's tactics.

Some security firms disagree with this consensus view, most notably PrevX, which participated in the programme. CEO Mel Morris, chief exec at PrevX, suggested that security researchers and the police routinely break the law to investigate botnets in a statement (below):

Prevx's input to the BBC Click Botnet experiment saw us providing our test site as a target for their DDoS attack and giving some comment and advice on the technical implications of what they were doing. In terms of what the BBC learnt the experiment highlighted some interesting facts - not least that their Botnet reached 9,000 computers over several days before it was detected by any of the major anti-virus or Internet security products.

Because of the nature of the market we operate in, and the ever growing risks of cyber-crime, every internet security company has to understand the ways in which the enemy operates. What the BBC did with this experiment is just taking that lesson to the broader public. Every day, most security companies, and law enforcement agencies investigating botnets and information stealers break the law to investigate and uncover stolen information and techniques - It goes with the turf!

Other supporters include security firm Marshal8e6 which issued a statement to "applaud the BBC Click programme for its interesting and informative piece which hopefully will assist in raising the public’s awareness of these issues".

The BBC Click programme was broadcast on BBC 1 on Saturday morning and the BBC News Channel on both Saturday or Sunday at 11:30. Those in the UK can catch up with the show through iPlayer, via the BBC Click site here. ®


Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Google location tracking to forget you were ever at that medical clinic
    Plus: Cyber-mercenaries said to target legal world, backdoor found on web servers, and more

    In brief Google on Friday pledged to update its location history system so that visits to medical clinics and similarly sensitive places are automatically deleted.

    In this post-Roe era of America, there is concern that cops and other law enforcement will demand the web giant hand over information about its users if they are suspected of breaking the law by seeking an abortion.

    Google keeps a log of its users whereabouts, via its Location History functionality, and provides some controls to delete all or part of those records, or switch it off. Now, seemingly in response to the above concerns and a certain US Supreme Court decision, we're told Google's going to auto-delete some entries.

    Continue reading
  • Google: How we tackled this iPhone, Android spyware
    Watching people's every move and collecting their info – not on our watch, says web ads giant

    Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).

    RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.

    We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

    Continue reading
  • International operation takes down Russian RSOCKS botnet
    $200 a day buys you 90,000 victims

    A Russian operated botnet known as RSOCKS has been shut down by the US Department of Justice acting with law enforcement partners in Germany, the Netherlands and the UK. It is believed to have compromised millions of computers and other devices around the globe.

    The RSOCKS botnet functioned as an IP proxy service, but instead of offering legitimate IP addresses leased from internet service providers, it was providing criminals with access to the IP addresses of devices that had been compromised by malware, according to a statement from the US Attorney’s Office in the Southern District of California.

    It seems that RSOCKS initially targeted a variety of Internet of Things (IoT) devices, such as industrial control systems, routers, audio/video streaming devices and various internet connected appliances, before expanding into other endpoints such as Android devices and computer systems.

    Continue reading
  • OpenSea phishing threat after rogue insider leaks customer email addresses
    Worse, imagine someone finding out you bought one of its NFTs

    The choppy waters continue at OpenSea, whose security boss this week disclosed the NFT marketplace suffered an insider attack that could lead to hundreds of thousands of people fending off phishing attempts.

    An employee of OpenSea's email delivery vendor Customer.io "misused" their access to download and share OpenSea users' and newsletter subscribers' email addresses "with an unauthorized external party," Head of Security Cory Hardman warned on Wednesday. 

    "If you have shared your email with OpenSea in the past, you should assume you were impacted," Hardman continued. 

    Continue reading
  • 'Prolific' NetWalker extortionist pleads guilty to ransomware charges
    Canadian stole $21.5m from dozens of companies worldwide

    A former Canadian government employee has pleaded guilty in a US court to several charges related to his involvement with the NetWalker ransomware gang.

    On Tuesday, 34-year-old Sebastien Vachon-Desjardins admitted he conspired to commit computer and wire fraud, intentionally damaged a protected computer, and transmitted a demand in relation to damaging a protected computer. 

    He will also forfeit $21.5 million and 21 laptops, mobile phones, gaming consoles, and other devices, according to his plea agreement [PDF], which described Vachon-Desjardins as "one of the most prolific NetWalker Ransomware affiliates" responsible for extorting said millions of dollars from dozens of companies worldwide.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading

Biting the hand that feeds IT © 1998–2022