It's something every aspiring crook needs to consider before they attempt to break into the world of cyber-crime: what's the business plan?
Fortunately this week, a couple of pointers have emerged thanks to miscreants who broke into production company HBO, and the ongoing US federal case against Michael Kadar, who allegedly made nearly 250 threatening calls and bomb threats to Jewish community centers in America.
First up, as with any new business, you need to assess market needs and how your current job skills fit within them. Plus, of course, the resources you have at hand.
In Kadar's case, the 18-year-old's hacking skills were, according to the FBI, pretty poor and his resources limited. So he had to start small. And that means lots of little, short-term contracts that give you enough to survive on until you can build up your business.
And so he settled for a very reasonable $30 for an email bomb threat – with a premium option of framing the threat on someone else for an additional $15, according to court files unsealed this week. On the dark-web souk AlphaBay, Kadar offered bulk-buying threats and offered to refund any unsuccessful bomb threats, the Feds claim:
- Emailed Bomb Threat to a School – $30.00
- Emailed Bomb Threat to a School + Framing Someone for it – $45.00
- Emailed Bomb Threat to a School District\Multiple Schools – $60.00
- Emailed Bomb Threat to School Districts\Multiple Schools + Framing Someone for it – $90.00
This is quick and easy money, but it does carry with it a high risk of exposure. In large part because the FBI tends to take bomb threats very seriously and is pretty good at investigating them.
Despite the fact that he was subsequently collared by Israeli police in March, and charged by US prosecutors in April, Kadar did make a couple of early smart decisions: he found a decent marketplace and he didn't over-promise, apparently.
"There is no guarantee that the police will question or arrest the framed person," he allegedly explained about the popular $15 premium framing fee, "I just add the person's name to the email."
And he was upfront about the risks in doing so. Kadar, an Israeli-American citizen, allegedly told punters on AlphaBay: "In addition, my experience of doing bomb threats putting someone's name in the emailed threat will reduce the chance of the threat being successful. But it's up to you if you would like me to frame someone."
Clearly demonstrating his expertise and giving fair warning of the service that can be expected, it's no wonder that Kadar allegedly built a solid reputation for low-key hacking, and received some good user reviews, the Feds claim. He also made it easy for people to order a bomb threat, providing a template for people to fill in, according to the g-men.
"Amazing on time and on target," reported one AlphaBay user. "We got evacuated and got the day cut short."
While the FBI claims Michael Kadar did an excellent job breaking into the low-cost bomb threat market, if he is found guilty by a Georgia district court, he would still be a world away from high-end hacking, which comes with much greater rewards but also requires a steadier hand and much more preparation.
The hackers behind the HBO assault, reported last month, take an entirely different tack: aiming at high-value clients and spending significant time working on a single account for greater gains.
As the criminals themselves noted, it took a good six months to break into the US cable channel's computers – and that's six months potentially without pay. Not for the faint hearted or those with a mortgage to pay who don't have savings to fall back on.
Aside from the time taken, there is also a high cost of tools at the hacking top-end. According to the ransom note sent to HBO's president, the team has a $500,000 annual budget for purchasing exploits for zero-day holes in systems in order to break in in the first place. In other words, the HBO hackers spend half a million bucks a year buying tools from shady developers to compromise corporate networks before security patches are available to address the leveraged bugs, it is claimed.
Those are significant upfront capital costs with no guarantee of success – so be sure to know what you are getting into before you start out on your hacking career. A wise move would be to team up with others to spread both the workload and the financial risks.