Want to look at someone else’s e-mails or scan the contents of their computer? Just dial 1-800-HACK-4-ME. (I'm kidding, but finding a real hacker is nearly that simple.) At least that was the upshot of a Wall Street Journal article reporting on the open secret that is the proliferation of hacker-for-hire services.
As an example of the phenomenon, the article describes the ongoing kerfuffle between two billionaire brothers who are in a tug of war over the family business and its global holdings. To help secure his hold on the fortune, the elder brother hired a private investigator who, in turn, hired someone from a shadowy collective called the Invisible Hacking Group. The investigator, in court testimony, said he had previously retained the group’s services for security-testing of Web-based e-mail accounts.
According to the private investigator, the hackers used social engineering to get the younger brother’s e-mail password. After the older brother sent the group information including the target's e-mail address, the names of friends and colleagues, and examples of topics that interested him, the hackers sent an e-mail to the target that seemed as if it had come from an acquaintance. But the message actually installed keylogger software that let the hackers capture the target's e-mail password.
How much did the older brother pay to gain an advantage in the battle over hundreds of millions of dollars? The private investigator says he forked over the princely sum of £256 (roughly U.S. $400)
The younger brother’s lawyer said his client "was horrified to discover the privacy of his e-mail accounts had been compromised."
Though the Invisible Hacking Group has since gone underground and few traces of the group exist, the investigator revealed that he was told to send payment to Chengdu, China. Message-board posts from 2004 indicate that it was in the business of online spying. One message read: "Do you want to know what your business competitors are doing online everyday?"
"It's not hard to find hackers," Mikko Hyppönen of computer-security firm F-Secure Corp., told the Wall Street Journal. Computer specialists interviewed for the article also noted the easy accessibility of tools that help do-it-yourselfers hack into someone's e-mail.
Though computer security experts say these companies have operated in the open, the spotlight shone on them in the wake of the Journal article may be causing them to scurry back behind the walls, so to speak. One example is hiretohack.net, a self-described group of technology students based in Europe, the U.S. and Asia. The service, which boasted that it could crack passwords for major e-mail services in less than 48 hours, is now down. But there’s obviously nothing to prevent the group from reappearing under another name.
Just how big is the hacker-for-hire industry? According to the WSJ article:
“A U.K. government report took a shot at putting numbers to the problem last year: It estimated that computer-related industrial espionage cost U.K. businesses about £7.6 billion (or about $11.8 billion) annually in loss of information that could hurt a company's chances of winning open tenders, and loss of merger-related information. Cyber intellectual-property theft cost business an additional £9.2 billion annually, it estimated.”
But these numbers are likely on the conservative side because many firms, in an attempt to protect their reputations and prevent customers from fleeing, fail to report such attacks.