Gutsy Hacker Sells Access, Info

Artwork: Diego Aguirre
Want access to the administrator accounts to the U.S. Army or Italian government websites? Maybe you're just looking for personal information hacked from .edu websites. Either way, it can apparently all be yours for a price.

Imperva, a data security firm, discovered a hacker is selling alleged access to military, government and educational sites across the globe. Prices range from $499 for U.S. military websites to $55 for MySQL root access to the State of Michigan website.

Hacker's alleged conquests (click to enlarge screen)
Imperva also reports that the hacker is selling personal information from the hacked websites at $20 for 1000 records. The hacker provides screenshots to prove access to personal information and access to the admin interface at a major university.

Imperva thinks the hacker was able to gain access through a code injection technique.

"The victims' vulnerabilities were probably obtained by SQL injection vulnerability automatic scanner and exploited in automatic manner, as the hacker published his methods in a post in some hacker forum," Rob Rachwald wrote in a post on the Imperva Data Securities Blog. (Good thing these guys are keeping an eye on the seedy underbelly of the Web.)

Former Washington Post reporter, Brian Krebs thinks the hacks are legit.

"I've seen some of the back-end evidence of his hacks, so it doesn't seem like he's making this up," he writes on his KrebsonSecurity blog.

Thanks to a few mostly-unaltered screenshots from Krebs' blog we are able to see the hacker is making more services available to those willing to pay.

The hacker will also "hack a normal website," scan a site for vulnerabilities for $2 and give you 3MB of random hacked accounts for $65. Check out the screenshot below to see his or her full portfolio of offerings.

Price list for claimed hacking services (click to enlarge)

Subscribe to the Security Watch Newsletter

Comments