Hacker Sold Backdoor Access Information to Corporate Networks and Earned More Than $1.5 Million

A hacker using the username fxmsp has been an active online threat for the past two and a half years, selling backdoor access to hundreds of corporate networks across the globe. Identified as Andrey A. Turchin of Almaty, Kazakhstan, the hacker had managed to earn well over $1.5 million since 2017. In fact, he had become so in demand in online circles that he hired a sales manager, another hacker who goes by the name Lampeduza.

fxmsp’s Activity

Turchin had been frequenting hacking forums since at least 2016. However, he did not attempt to offer his hacking services until late 2017. During his first 11 months, Turchin managed to earn close to $268,000. He did that by selling access to various organizations across the globe, including a global chain of luxury hotels and a Nigerian commercial bank. It was at this point that he hired Lampeduza, a fellow forum member, to handle all of his hacking requests. Lampeduza himself was an active hacker, largely selling stolen Facebook data and bank card dumps.

From August to November of 2018, fxmsp and Lampeduza managed to earn over $1,100,800, making it their most profitable period to date. A mere month before that, Turchin took a short break, but soon enough he reappeared, promising access to over 60 different companies. In addition, he claimed that he had managed to compromise three different antivirus software systems: McAfee, Trend Micro, and Symantec. He and Lampeduza would go on a new break until reappearing in May of 2019. From May to September that year, the pair made ‘only’ $124,100 and offered information about 22 different companies. Turchin reportedly retired from this venture in December of 2019, according to Lampeduza.

fxmsp’s System

fxmsp used a somewhat low-key technique in hacking his victims. He would exploit RDP port 3389, which programmers commonly use for remote access to Windows servers. The hacker did not develop his own tools for hacking the companies. Instead, he would use different IP scanning tools and look for any available RDP port. Next, he would deploy a password-guessing attack with a special tool that searches for passwords based on previously compromised company credentials. That way he would have access to both the regular and the backup files of the company.
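The password-guessing step described above leaves a recognizable trace in Windows Security logs: a burst of failed logons (event 4625) from one source address, often across several accounts, followed by a successful logon (4624). The following is an added example, not part of the original article; the sample events, field names, threshold and time window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {3, 10}      # 3 = Network (seen with NLA), 10 = RemoteInteractive
FAILED, SUCCESS = 4625, 4624   # Windows Security event IDs

def ev(ts, event_id, ip, user, logon_type=10):
    """Build one simplified logon record (field names are illustrative)."""
    return {"time": datetime.fromisoformat(ts), "event_id": event_id,
            "ip": ip, "user": user, "logon_type": logon_type}

# Constructed sample events, not real logs. Addresses are documentation ranges.
SAMPLE_EVENTS = (
    [ev(f"2024-01-15T02:00:{i * 5:02d}", FAILED, "203.0.113.7", user, 3)
     for i, user in enumerate(["admin", "backup", "jsmith",
                               "admin", "svc_sql", "backup"])]
    + [ev("2024-01-15T02:01:00", SUCCESS, "203.0.113.7", "backup"),
       ev("2024-01-15T09:00:00", FAILED, "198.51.100.20", "alice"),   # one typo
       ev("2024-01-15T09:00:20", SUCCESS, "198.51.100.20", "alice"),
       ev("2024-01-15T09:05:00", FAILED, "127.0.0.1", "bob", 2)]      # console
)

def find_rdp_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: alert} for sources with >= threshold failed RDP
    logons inside the window, noting the first account that later
    logged on successfully from the same source."""
    recent = defaultdict(list)   # source IP -> failures still inside the window
    alerts = {}
    for e in sorted(events, key=lambda x: x["time"]):
        if e["logon_type"] not in RDP_LOGON_TYPES:
            continue             # ignore console, service and other logon types
        ip = e["ip"]
        if e["event_id"] == FAILED:
            recent[ip] = [f for f in recent[ip]
                          if e["time"] - f["time"] <= window] + [e]
            if len(recent[ip]) >= threshold:
                alert = alerts.setdefault(
                    ip, {"users_tried": set(), "success_as": None})
                alert["users_tried"].update(f["user"] for f in recent[ip])
        elif e["event_id"] == SUCCESS and ip in alerts:
            # A success after a guessing burst is the high-priority case.
            alerts[ip]["success_as"] = alerts[ip]["success_as"] or e["user"]
    return alerts

if __name__ == "__main__":
    for ip, alert in find_rdp_guessing(SAMPLE_EVENTS).items():
        print(ip, sorted(alert["users_tried"]), "->", alert["success_as"])
```

An alert with `success_as` set means the guessing likely worked and the account should be treated as compromised; alerts without it still indicate an exposed RDP service that should be placed behind a VPN or gateway.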

Authorities Yet to Catch fxsmp

Turchin was tracked by a cybersecurity firm called Group-IB for three years. Operating from both Moscow and Singapore, the firm managed to learn Turchin’s identity through his old Jabber account, which he used during his early forum days in order to learn how to monetize backdoor access. Experts managed to track down an old email account linked to an old domain registration under Turchin’s full name. In addition, they matched this info with similar data that Turchin had posted to one of his social media accounts. However, the hacker still remains at large, with the government of Kazakhstan assisting the US DoJ in his eventual capture.

What are the Possible Consequences of Computer Hacking

The term “hacker” has taken on a negative connotation in some circles. This unfortunate turn of events for the non-criminal hackers out there happened with the explosion of criminal activities by some hackers on the Internet in the 90’s. Hackers often believe they are performing a valuable service with their hacking. And some of them are. Hackers can be abstractly divided into two categories: Black Hat and White Hat. Black Hat hacking is criminal in nature. White Hat isn’t. White Hat hacking is probably what most hackers reading this perceive themselves as doing. Now, this is possible, but it is often a matter of perspective.

It might seem harmless to you, but there are larger issues to consider. While you may believe it is harmless to let the world know about some security problem, realize that the ethics of others out there may not be as pure as your own. Your noble goal of helping the computing world through your hacking may not be viewed as noble by everyone else.

If you haven’t been asked specifically to try to hack something on a network or the Internet, the best rule is don’t do it! Trying to hack a program you’ve purchased, running on your personal computer on your own home personal network, and only with your own personal data isn’t going to bring the Gestapo to your door (of course). But consider that the software vendor may or may not be interested in hearing your report about the problems you have so expertly found. Do they have a public bug reporting forum or form on the Web? How have you documented your findings? Do you really think they will appreciate you reporting to the world the problems with their software without notifying them first?

Unless it’s part of your job, if you engage in computer hacking at work you are very likely going to be fired when caught. Almost every company will have a policy against hacking. It’s important to understand that with new laws and regulations, especially regulations like HIPAA, liability for employers has increased enormously. Your employer just can’t take the risk that you won’t keep hacking. In this case, curiosity definitely killed the cat–and you’re the cat!

The possible problems for you are even worse if you try hacking a company’s presence on the Internet and are successful. This may seem strange–you may think you’ve gotten away with it if you “get in” and get some “interesting” information. It’s not always as easy to hide your trail as it appears on TV and in the movies. If things go very badly for you and there is a strong evidence trail and documentation of your hacking adventures, criminal charges may be filed against you. These will likely be federal charges. Laws such as the Computer Fraud and Abuse Act and others can result in you serving hard time just because you wanted to see what the security of this-or-that system was like. Lawsuits against you for damages are another likely item on the list, especially if criminal charges are filed. Do you really want to defend yourself against criminal charges as well as civil ones just because you wanted to show your hacking buddies how much better you are than they are?
