By Matt Hines
Zero Day Security
February 04, 2008
Teenagers, including children as young as eleven and twelve years old,
are increasingly becoming involved in serious cyber-criminal activity
that exposes themselves and the users they target to a full range of
According to Chris Boyd -- a well-known security researcher who works
for FaceTime Communications and was in Washington D.C. last week
presenting at the Anti-Spyware Coalition's latest confab -- he and other
white hat hackers are coming across a growing number of underground
malware distribution forums wholly populated and operated by teens under
the age of 16.
When the security industry meets for the annual RSA Security conference
in April, Boyd plans to share more of his research into the topic.
And while these groups of younger hackers may be less experienced, the
fruits of their labors are often just as nefarious as the schemes being
run by older professionals. The teen-run forum sites are rife with the
same types of malware exploits and stolen credit card data that adult
cyber-criminals use to ply their trades, Boyd said.
One of the biggest problems with the scenario, he said, is that many of
the teen hackers don't appear to understand the seriousness of the
activity that they're getting involved in.
Even worse, most aren't going to great lengths to disguise their
real-life identities, which could lead to them being arrested or taken
advantage of by more experienced hackers looking for victims, he said.
"Most have absolutely no idea of what getting they're into, they're
swapping stolen credit card data using their real names and photos,
they're committing real crimes and leaving huge paper trails back to
their real identities," said Boyd, who also goes by the name
"Paperghost" in conducting his underground research.
"The scary thing is that these are kids with very strong coding skills
who have also already mastered the social engineering techniques needed
to trick other people -- who are often times the other kids using these
sites, into falling for all sorts of attacks," he said. "You even have
kids putting up tribute sites with their real names bragging about all
the crimes they've committed, selling t-shirts about it, and when you
talk to them they don't have a clue of how much trouble they might be
Boyd has spent a significant amount of his energies of late infiltrating
the underground "kiddie" sites and trying to show the youngsters the
errors of their ways by pointing out how easily they can be caught, and
how simple it is to trace their activity back to their real-world lives.
In many cases, said the researcher, the young hackers are pointing
directly from their underground malware activity to their personal pages
on sites like MySpace, which could make it easy for law enforcement
agencies tasked with investigating their exploits to find them and
pursue them in court.
Added to any legal trouble the younger hackers might get themselves into
is the fact that there are also older, more experienced hackers trolling
the teen underground forums to recruit the youngsters as functionaries
for their own more-advanced malware schemes.
The adult hackers know they can find willing accomplices who are easily
misled into committing more serious crimes than they realize, and who
will eventually be the ones caught holding the bag when investigators
begin piecing any charges together, he said.
Boyd said that many of the teen hacking forums are based around the
culture of online video games, and that the malicious activity often
grows out of the hacking of player accounts, or the sharing of programs
that can be used to cheat at the applications.
It doesn't take much for teen hackers -- most of whom appear to be based
in affluent western countries like the U.S. and U.K. -- to segue from
cheating at games to stealing credit card information, said Boyd.
"It's amazing that these are sites being run by kids; you go in and
there is an endless supply of stolen credit card data, and they've got
sophisticated cross-site scripting tools and professional phishing kits
that they're using to get even more data," he said. "And on the same
sites they're posting all their real personal data and lists of sites
that they've hacked."
In an interesting social twist, some of the young hackers also appear to
have decided to take the law into their own hands to shut down any
shadowy domains they come across online, including child pornography
However, despite the noble aspirations, the endgame is a situation where
you have children coming into direct contact with people controlling the
sites, saving illegal content to their computers, and potentially making
it harder for real world investigators to go after the same individuals.
"You have these more self-righteous kids trying to deface child porn
sites, and not only are they being exposed to the content, but they're
saving images and the like that could get them into legal trouble, and
it makes it harder for the police by destroying evidence, it's a bad
situation by anyone's guess," Boyd said. "You have the idea that some of
the people running the sites could figure out who these kids are, it all
gets very dangerous very quickly."
While the researcher has been trying to work with online hosting
companies to help shut down the underground kiddie hacking forums, Boyd
said that the firms remain a major obstacle, refusing to intervene
unless they absolutely have to, even when there's evidence of
significant criminal activity.
As a result, the expert said that the most effective manner for
convincing those teens involved to stop is by calling them out by name
and showing them how easily their real identities can be uncovered.
"Typically you don't want to give clues to forum operators why they're
being taken down, but in this case we're trying to communicate with them
directly, to show them that we know who they are and what they are
doing, and that the cops could do the same thing," Boyd said. "If you
hit them hard and fast and take down their sites and shame them, at
least in some cases it seems like they're getting scared off."
In the best case scenario, Boyd said, several of the aspiring
technophiles have been converted into white hats and convinced to begin
helping security researchers infiltrate their ranks and take down other
teens' malware campaigns. The researcher said he has at least one such
teen working directly under his supervision contributing to an
It's worth noting of course that many of the white hat hackers you run
across today -- people in their thirties who present at conferences, who
are running their own security software companies or working for major
industry names -- admit that they got their start acting as script
kiddies who thrilled in the defacement of public sites before going
For our sake, hopefully a lot of the younger hackers of today will grow
into the researchers of tomorrow. It sounds like we're going to need the
Subscribe to InfoSec News