I am a hitman. Not the kind of hitman the movies have made so popular that men in their late 30’s wearing Ray Donovan lookalike jackets and shirts claim to be to impress girls, but an electronic hitman. I started by stealing credit card numbers, social security numbers, medical history and bank PIN numbers.
Then I saw a story about a legal case in California where a city worker was being charged with surfing pornography up to 8 hours a day and was claiming that a rival that worked in IT had hacked his computer and put all that porn on it and he NEVER went to those web sites about people dressing up like animals and simulating sexual acts. Oddly enough, his defense worked and it got me thinking. Why not actually do what he “claimed” happened to him but take it a step further and totally infiltrate the victim’s life? Surely there was a market out there for that kind of information and control over a person’s life? Turns out I was right, but first I needed to “practice” on a target to find out just how far I could take this.
My first victim was not what one would expect. I didn’t pick the police officer that gave me a speeding ticket yesterday, the IRS agent that lives at the end of the hall or Mr. Oglethorpe who lives down the street and encourages his dog to fertilize the steps to our flat every morning (although that one was tempting). I picked a sleaze ball running for public office in a different country. This is the same politician who had done 11 years in prison on a cocaine trafficking charge followed up by 4 years on a tax evasion charge but somehow managed to get on a ballot. All the polls said he would never get more than 8% of the vote and he was trending closer to 6% but I wanted to make sure he ended closer to 0%. I chose a high profile figure because I knew he would claim the “evidence” was planted, it would make headlines I could refer to when plying my trade and would bolster my standing in the hacking underground. Now I just needed to start gathering information.
The greatest part about living in America is that we have access to free public WIFI just about everywhere you go and if you know the right tools to use, you can stay pretty much anonymous while you wreak havoc on the world. So it was from a park bench under a beautiful Elm tree I began gathering information on my victim. I went through tax deeds, family birth records, corporation listings, family names, addresses both past and present, Facebook, Twitter and anywhere else I could find my targets name. After 5-6 hours under that Elm tree I had enough information to begin working on password combinations. The first thing I did was hack my targets cell phone. Well, “hack” may be a strong word. I used my VoIP server, spoofed the targets phone number and called it. The victim did not have the option set to prompt for a password when the voicemail was accessed from his phone number and I was in (this is also how the phone “hacking scandal in the UK occurred). I could now listen to every voicemail that came in, and gather even more information.
Within a week I knew my target had not just one but two girlfriends outside of his marriage, one of his sons was gay and his best friend thought about hiding his money in Bangladesh to escape their country’s exorbitant tax rates. By the time 10 days had gone by I had social engineered my way into his medical records, his bank account and found all three of his hidden email accounts. At the end of two weeks I had enough personal information to figure out his bank account password. The reason it was possible to gather all this information is for one simple reason: human nature. Humans make up passwords based on their life, their surroundings and their experiences. Tell a person they have to make up a password with a number and 75% of them will use a birth date, Social Security Number or Anniversary as part of it. So, if you know that John and Jane Doe were married on April 25th in 1992, you can just bet that 42592 is somewhere in John’s password so he can a) remember his password and b) remember his anniversary. Men are funny that way. They think they are being smart and killing “two birds with one stone” and not realize they have just compromised the security of their account. Throw in a kids name, a mother’s maiden name (which can be found on death and birth certificates) and you have the basis for about 50% of the populations password.
20 days after I started gathering information I had access to every piece of information I needed to change the course of one man’s life. I went to my underground connections and started touting my abilities. In 24 hours I had an offer that if I could prove my abilities, they would pay $25,000 for me to perform the same act on a target of their choice. 24 hours later, the news was ablaze with headlines of extramarital affairs, secret donations from offshore accounts ($25 from my papyal account in Taiwan to be precise. Turns out the news people don’t so much care about the amount as they do the act) and a candidate for political office who had voicemail on his phone from a transsexual wanting hush money for “services performed”.
It has been six months since I proved my abilities that day. I now have 14 hackers working for me full time all over the world and we target some of the biggest names in the news. You would think that with more and more of our lives going online people would take the security of their digital information more seriously, but alas it is not to be. People have become weary of the screaming headlines, constant threat of someone stealing their data and ever increasing amount of passwords to remember. Yes, this is my environment. Become complacent. Get frustrated and just use the same password everywhere based on your anniversary. That just makes my job that much easier…