Busted! Founder sells $51m website, hacks it, tries to sell site its own data

What’s worse than Dracula sucking out your lifeblood? Dracula sucking out your lifeblood, bottling it and trying to sell it back to you.
The cyber bloodsucker in this case is David W. Kent, the man who in 2000 founded a recruitment and networking website, Rigzone, for professionals in the oil and gas industry. Ten years later, he sold it for a gushing geyser’s worth of money: DHI Group bought Rigzone off Kent for $51 million.
Four years after the sale of Rigzone, Kent slipped back into the site with an eye on a second windfall, using a number of cyber doors he’d left open during his tenure.
According to court documents (PDF), Kent also set up at least one employee to work at scraping all the member data from Rigzone. Next, he used the ripped-off Rigzone members’ details to plump up membership for his new site, Oilpro.com, which was in the same gas and oil business.
It gets better: next, Kent tried to entice DHI into buying the ripped-off members he’d stolen from them, offering to sell Oilpro to Rigzone.
Kent emailed the Rigzone CEO in October 2015. His sales pitch was classic marketing brag: Oilpro’s membership of 540,000 was grown by “LinkedIn style growth hacks”. In other words, Oilpro asked its members to upload their LinkedIn contacts and invite them to join Oilpro. In November, he told Rigzone that Oilpro had “a half dozen strategies that work well and are repeatable”. Plus, he later said, Oilpro was advertising on another site, Indeed.com.
In his conversations with Rigzone, Kent somehow neglected to mention his most effective strategy of all: waltzing into Rigzone’s database and sucking it dry. For this bundle of ripped-off members, Kent was looking for something like a $20m payoff. At least, that’s what he claimed that Oilpro had been valued at.
Michael Durney, president and CEO of DHI Group, said that the company smelled a rat – detecting unauthorized access to proprietary Rigzone information in early 2014.
According to the complaint, the tip-off was a Rigzone member who called customer support, asking why they’d received an email solicitation to use Oilpro’s services, even though they’d never provided any information to Oilpro.
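There is no such thing as 100% security, and security incidents cannot be 100% avoided; a timely and correct response after an incident bears on the organization's reputation.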
Rigzone set up a honeypot to figure out who got into its members database. Namely, it set up two fake accounts in the database. Neither had a public-facing profile; all they had were names and email addresses that were only available through Rigzone’s members database.
Well, what do you know: in spite of not appearing anywhere publicly, both the fake accounts were solicited, via email, to join Oilpro.com. As the criminal complaint describes, the source of the access was IP addresses registered to Oilpro and to Kent’s home address. Between 2013 and 2016, Kent and at least one of his Oilpro employees accessed Rigzone’s data multiple times without authorization, slurping up details from more than 700,000 customer accounts.
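The canary-account check described above, sketched as an added example (not code from Rigzone, the complaint or this article): it correlates mail received by the fake accounts with earlier reads of their database records. The account IDs, addresses, IPs, sender domain and the `/resume?id=` path are all constructed assumptions.

```python
from datetime import datetime

# Constructed canary accounts: present only in the members database, no public profile.
CANARIES = {9000001: "harlow.canary@example.net", 9000002: "ostrander.canary@example.net"}

# Constructed web access log: timestamp, client IP, requested path (hypothetical format).
ACCESS_LOG = """\
2014-02-03T02:14:07 198.51.100.23 /resume?id=41873
2014-02-03T02:14:07 198.51.100.23 /resume?id=9000001
2014-02-03T02:14:08 198.51.100.23 /resume?id=9000002
2014-02-04T09:30:12 203.0.113.9 /resume?id=41873
2014-03-01T11:02:45 192.0.2.77 /resume?id=9000002
"""

# Constructed inbound mail log for the canary mailboxes: timestamp, sender, recipient.
MAIL_LOG = """\
2014-02-20T15:00:01 invites@rival.example harlow.canary@example.net
2014-02-20T15:00:03 invites@rival.example ostrander.canary@example.net
"""

def parse(log):
    """Split each non-empty log line into (datetime, field, field)."""
    rows = []
    for line in log.strip().splitlines():
        ts, a, b = line.split()
        rows.append((datetime.fromisoformat(ts), a, b))
    return rows

def first_solicitations(mail_log):
    """Map canary address -> (time, sender domain) of the earliest mail it received."""
    first = {}
    for ts, sender, rcpt in sorted(parse(mail_log)):
        if rcpt in CANARIES.values() and rcpt not in first:
            first[rcpt] = (ts, sender.split("@")[1])
    return first

def suspects(access_log, mail_log):
    """Per sender domain, the client IPs that read a canary record before that
    canary was first solicited. Reads after the first mail cannot explain the leak."""
    out = {}
    first = first_solicitations(mail_log)
    for ts, ip, path in parse(access_log):
        addr = CANARIES.get(int(path.rsplit("=", 1)[1]))
        if addr in first and ts < first[addr][0]:
            out.setdefault(first[addr][1], set()).add(ip)
    return out

if __name__ == "__main__":
    print(suspects(ACCESS_LOG, MAIL_LOG))
```

Any mail at all to a canary address is the alert; the correlation step only narrows which clients could have been the source.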
The first round of hacks took place sometime between 17 October 2013 and 15 April 2014.
The rate at which the Rigzone site received requests “suggests very strongly that they were sent using an automated computer program,” FBI Special Agent Evelina Aslanyan wrote in the complaint. They used a command to access resumes that had been “crafted to exploit a piece of source code unique to [Rigzone]”: one that was known only to a few individuals, including Rigzone’s founder, David Kent.
The Register quotes a transcript of Kent’s acknowledgement of his wrongdoing, in which he explained to the judge that he didn’t abuse anyone’s password:

The web pages I accessed didn’t necessarily have a log-in feature but I do believe I accessed those web pages without authorization.
The FBI arrested Kent in March 2016.
On Friday, Acting Manhattan U.S. Attorney Joon H. Kim said that Kent has been sentenced in Manhattan federal court to one year and one day in prison for intentionally accessing a protected computer without authorization.
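Information security experts who dare not use online banking: security experts are overly cautious, and if they have never been hacked themselves, how can they guide others in defending against hackers? Security experts who dare not use online banking will never be the ones to uncover online banking security incidents, just as experts who lack practical experience and confidence often say that only a powered-off server locked in a safe is absolutely secure.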
