Darknet Diaries - 108: Marq

Episode Date: January 11, 2022

This is the story of Marq (twitter.com/dev_null321). Which involves passwords, the dark web, and police.

Sponsors

Support for this podcast comes from Cybereason. Cybereason reverses the attacker's advantage and puts the power back in the defender's hands. End cyber attacks. From endpoints to everywhere. Learn more at Cybereason.com/darknet.

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.

Sources

Court records and news articles were used to fact check this episode. However, Marq requested that links to his full name not be made available.

https://techcrunch.com/2019/12/19/ring-doorbell-passwords-exposed/
https://www.wired.com/2010/03/hacker-bricks-cars/

Transcript
Starting point is 00:00:00 Back in 2010, there was a guy named Omar who worked at a car dealership in Austin, Texas. He was 20 years old at the time and was trying to build his career up. Well, for whatever reason, it didn't work out. And the car dealership fired him. Omar was mad. I don't know why, but he was furious for being fired. He wanted revenge. He wanted justice. He felt like what they did to him was wrong and he wanted to fight back. Omar knew the computers and systems at the car dealership because he had to know them to do his job.
Starting point is 00:00:31 So after he's fired, he checks to see if he still has access to the systems. But nope, the dealership disabled his account and he couldn't get in. But he had another employee's login who still worked there. And he was able to use this other employee's login to access the computers at this car dealership. He logs in and looks around. The first thing he goes for is their WebTech Plus system. See, if a customer is late paying their car payment, the dealership may repossess the car, which means they're going to physically go and get that car back. But this is hard and time consuming. Car dealerships today can implement a feature which can remotely disable a car so that person can't
Starting point is 00:01:15 use it until they pay their payment. And that's what this WebTech Plus system did. It remotely disabled cars from starting. So Omar gets into that system and starts typing customer names that he remembers. And he just starts clicking on them and disabling cars so they couldn't start. And he also starts making the cars honk continuously. Phones started ringing at the car dealership. People were calling in saying they cannot start their car and the car just keeps honking. The dealership was baffled, thinking it must have been a mechanical error. And they were walking people through how to disconnect the car battery to make it stop honking.
Starting point is 00:01:52 And then they were sending tow trucks out to pick up these cars and bring them to the dealership to take a look. The dealership couldn't understand what was going on. They were scratching their heads and had no clue why this was happening. Omar kept logging in and disabling more cars. Day after day, he was getting in and causing grief to their customers. At some point, he found a way to see all 1,100 cars that were connected to the system and just started going down the list, one at a time, disabling them. The dealership kept getting phone call after phone call from angry customers saying
Starting point is 00:02:25 their cars won't start and it just keeps honking. This continued to go on for five days. A hundred people called the dealership with these problems. The dealership reset all the passwords on the WebTech Plus system, which stopped Omar from being able to get in and do any more. And that meant the madness stopped too. And this gave the dealership a clue that it had something to do with that system. They turned over the system logs to the Austin police, who were able to track it back to a home internet connection that Omar had. He was arrested for this. But I couldn't find what the punishment was that he got for this. A remote kill switch for a car is a powerful piece of technology. When there's such a powerful piece of technology that exists like that,
Starting point is 00:03:19 it's only a matter of time before it becomes abused. These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries. ... by Delete Me. I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online. Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless. And it's not a fair fight.
Starting point is 00:04:14 But I realized I don't need to be fighting this alone anymore. Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers' websites and continuously works to keep it off. Data brokers hate them because Delete.me makes sure your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting things. It was great to have someone on my team when it comes to my privacy. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:04:42 Now at a special discount for Darknet Diaries listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout. That's joindeleteme.com slash darknetdiaries and use code Darknet at checkout. That's join, delete me.com slash Darknet Diaries. Use code Darknet.
Starting point is 00:05:12 Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure. I know a few people who work over there and I can vouch they do very good work. If you want to improve the security of your organization, give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training.
Starting point is 00:05:39 You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers. Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training.
Starting point is 00:06:16 That's BlackHillsInfosec.com. BlackHillsInfosec.com. In this episode, we're going to hear a story from someone who's been in tech all their life. You can just, you know, call me Marq, of course. Marq grew up in Florida, but he moved around as a kid. So I'm a military brat. So I lived in Korea. And my eighth grade year in Korea, I had a computer programming class where we were learning Java. Coding was a fun thing for him to do. And from there, he learned more about Windows, DNS, IP addresses, and all kinds of stuff. I want to say probably the next year when we got back to
Starting point is 00:06:57 America, going into my ninth grade year, that's when I started experimenting with Linux once I got my own laptop. From there, he heard about BackTrack and was drawn to different hacking tools. BackTrack was a Linux distribution that came with hundreds of different hacker tools just pre-built into it, like Metasploit, Aircrack, Burp Suite, sqlmap, stuff like that, which makes it easy to just get started playing around with some of these tools and see what they can do. BackTrack has since become Kali Linux, which is still a popular hacking operating system. So this was a while ago, but this version of Linux made it easy to also access Tor, the darknet.
Starting point is 00:07:37 There was a Tor browser that came with it. And so it was just as easy as loading it and waiting to connect to Tor. And then you were on the darknet. And when Marq was in high school, he heard about this and checked it out. Yeah, yeah. And, you know, the dark web always seemed pretty enigmatic around that time. You know, you had Anonymous doing a lot of hacktivist things going on. And a lot of times, you know, depending on what they were doing, they would be using Tor.
Starting point is 00:08:05 So that's when I first found out what Tor was. I went on Tor a couple of times, but honestly, I never did anything. It always, I don't know, just back then I was never really, I never really delved too deep into it. But, you know, I dabbled in and just got on just to see how, you know, how to work it and things like that. He would check out the typical places, anonymous chat rooms, hacker forums, but he never really participated. He was just lurking to see what was going on there. After he graduated high school, he put his resume online and a recruiter from Oracle found it and reached out
Starting point is 00:08:45 and Oracle hired him. I worked on their point of sale software called Micros. I was like a support engineer. So for example, you were a company and you called in and you had, let's say like a check stuck in the system. I would basically, you know, remote to the system and then connect to their SQL database. And once you're connected, it's pretty simple. A lot of times, depending on the issue, like I said, if it's something like a stuck check, you can just go into the SQL database and then you can see the check, you can see the error, and you just write a couple of SQL commands to basically kick it out and then just have them restart the POS system and everything will work. He worked there for about a year and a half and decided to leave and go somewhere else.
Starting point is 00:09:28 And this was his decision. After that, I went and worked at a local NOC, Network Operations Center, for an ISP. I actually enjoyed that a lot as well because prior to that, I didn't know much about networking. I knew basic things about networking. But from there, I actually learned quite a bit about networking. A network operations center, or NOC, is a place where people sit and watch the systems for any faults in the network. If the internet goes down, this is who will be the first to know.
Starting point is 00:09:59 If a computer has a high CPU, then they'll go in and check it out. If a router isn't able to keep up with the amount of traffic that's going through it, they'll see this alert and jump into action. Marq gained a lot of IT experience working for this company. But then he decided to apply for a job at Microsoft. While I was at the NOC, I saw that they were hiring. And it was in Orlando, so it was like 45 minutes away from where I currently resided. I just put in for them as well.
Starting point is 00:10:29 And I, you know, got a message back saying that they would be very interested. And so I went through the interviewing process and I was hired. At Microsoft, I was an Exchange engineer. So I helped, you know, mostly systems administrators, but I would help them with pretty much any Exchange issue. So it could be Exchange on-premises issues. It could be Office 365 issues, you know, in the cloud, or it could be like hybrid setup issues as well. I would pretty much help them with a variety of anything. Exchange is the email system that Microsoft sells.
Starting point is 00:11:07 So Marq was really leveling up his skills in Exchange, too, understanding all the ins and outs of how to be an Exchange admin. And he liked his job there, too, but was tired of Florida. I ended up moving just because I sort of wanted a change of scenery. I've been living in Florida since 2012, because I'm originally from Florida. And I was doing high school in Georgia, then moved back to Florida, finished high school there.
Starting point is 00:11:35 And that's when I was doing college and working in Florida. So I had an aunt who lived in Atlanta and she said, hey, I think you might like living in Atlanta. There's a lot of IT jobs out here as well. It'd be a good opportunity as well. So I said, sure, I'll move to Atlanta. And I ended up moving.
Starting point is 00:11:58 Of course, once he gets to Atlanta, he looks around to try to find a job in tech. I worked at an MSP and I was a systems administrator. Ah, now this job is quite a powerful role. First of all, this was at an MSP or managed service provider. If a business doesn't have the people to take care of the computers in the network,
Starting point is 00:12:18 they can hire an MSP to come in and do that work. So the MSP would be the ones who go in and patch and update and fix faults in the systems and keep things running smoothly. This is what Marq did, too. He was assigned a few customers or companies, and in his customers' networks were systems that he would need to take care of. Exchange servers, database servers, and domain controllers. I had access to everything.
Starting point is 00:12:46 Access to servers. Yeah, access to literally everything. Which is normal for a system administrator and even an MSP to have access to everything. They need complete control over all the things in order to fix stuff when there are issues. And what's your relationship with the dark web at this point? So during the time that I moved from Florida to Atlanta and I was waiting to apply for different positions, that's when I started going on the dark web a little bit more. Honestly, probably just out of boredom. Doing what? Nothing specific. Again, just looking at stuff.
Starting point is 00:13:23 Around that time, I actually did join a specific site and became a member of that specific site. The site he joins was a hacking forum, one that criminals would like to visit and post data dumps to that they have for sale, like credential lists, malware, ransomware for sale, or botnet seats available, this kind of thing. And then I would just, you know, look at postings of people saying what they were selling on the dark web. There was even a website I came across where people would sell zero days. I thought that was pretty interesting, but I never, again, I never still did anything at the time. I was just more looking more, but I was also engaging a little bit more. So if someone posted something that seemed a little interesting, I might respond, that seems pretty cool, but still never, never taking it up a notch yet. Yet. Stay with us, because after the break, he goes up several notches on the dark web. My focus was on finding a catchy name, some cool stories, and working out the best way to record.
Starting point is 00:14:48 But oh, so much more goes into making a podcast than that. If you're thinking, what if I start my own business? Don't be scared off, because with Shopify, you can make it a reality. Shopify makes it simple to create your brand, open for business, and get your first sale. Get your store online easily with thousands of customizable drag and drop templates. And Shopify helps you manage your growing business. Shipping, taxes, and payments are all visible from one dashboard, allowing you to focus on the important stuff. So what happens if you don't act now and someone beats you to the idea? The best time to start your new business is now with Shopify. Your first sale is closer than you think. Established in 2025. That has a nice ring to it, doesn't it? Sign up for your $1 per month trial period at shopify.com slash darknet.
Starting point is 00:15:29 Go to shopify.com slash darknet and start selling with Shopify today. Shopify.com slash darknet. Marq was working for an MSP as a system administrator during the day. And at night, he liked tinkering around with hacking tools. And he liked visiting hacker forums on the dark web sometimes. And then I started seeing more and more, increasingly, people selling databases of, you know, credit cards, hacked users' information, you know, passwords, email addresses, just things like that.
Starting point is 00:16:12 Stuff that I, you know, when I first delved into the dark web, I didn't see as much, but now it seemed like no matter where you went on the dark web, there was a plethora of websites showing a variety of the same content. Right. Yeah. And so why is this fascinating to you? I've always found hacking interesting.
Starting point is 00:16:37 Like I said, I've never really tried to hack anyone or do anything previously before. But I always found it, you know, interesting. It's a little mysterious and, you know, it seems like you have a little, you have power and knowledge that I'd say a good 90 something percent of the population don't have. So I always found it a little intriguing. Was there something on these forums that you're like seeing people make a lot of money or just kind of attracted you to it? Like, man, if only.
Starting point is 00:17:10 Yeah, it's probably the money. People were making tons and tons of money. And so a lot of these people were in Signal or they'd be using Telegram and they'd be in different rooms. And you could join a room and you'd see, you know, the data that these people had available and how much money they were making. And they were making a lot of money. People were making money selling database dumps or selling their coding skills. And others were buying dumps and using this data to steal stuff or phish people and get into accounts. But Marq had absolutely no interest in participating in any of this. He liked watching, just mostly out of curiosity.
Starting point is 00:17:57 He never hacked anyone before and knew that was wrong to do. The worst thing on Marq's record up until that point was just a speeding ticket. And he liked his job, too. He was a system administrator. There was one guy at work who seemed to disagree with Marq on how to do stuff. He was very knowledgeable in Exchange, but I would say he wanted to try and take shortcuts to do certain things,
Starting point is 00:18:18 and I tried to explain to him that it couldn't be done that way. Maybe he thought that I could possibly, you know, just do it, but I couldn't. And then I do also remember there was one time he wanted me to write a PowerShell script for this specific client that was just way out of my zone. A few weeks after that, out of the blue, they fired Marq. I was let go. I was told I was let go because
Starting point is 00:18:46 it just wasn't really working. Um, that's what one of the owners of the company told me. Um, but there was really no specific reason that they provided besides that statement. And how did you feel about being let go? Um, I was pretty upset, honestly. So once I left, I ended up moving to another part of Georgia where my friends, where I had more friends. What Marq is hesitant to say is that he went to see his best friend who had severe cancer. Marq wanted to spend some time with him and make some final memories together. So he moved to that part of Georgia where his sick friend was and some of his other friends lived there too. And he was looking for a job there but wasn't finding anything. And he was also running out of money. He was fired from his job in June of 2019.
Starting point is 00:19:47 In the two months after that, he moved on and wasn't really thinking about that old job at all. But a few months after he was fired, something triggered him to think about it again. And this made him curious about something. I can't remember specifically why either. I just checked to see if I still had access to one of the servers where we administered several of our clients,
Starting point is 00:20:14 and I still had access to everything. At his last job, he was a sysadmin for a few clients. To get to the client's network, he had to log in through a central dashboard portal-like system. From there, he could then connect to his client's devices. He had remembered his username and password to get into that dashboard when he worked there. And he tried to log into the portal, and it worked. His account was not disabled when he was let go. And it was two months later now. This is a huge failure of his former employer. And then, of course, once you are on the platform to
Starting point is 00:20:59 access each individual server, they had a username and then a password. There were about five customers' servers that he could connect to. But in order to connect to them, he had to know the username and password to get on them, which is different than his own username and password to log into the portal. It's more like a shared one that the customer set up to allow this MSP to hop in and fix stuff. But since he had been in those customers' devices so many times in the past, he had the username and password memorized still. And that's when I delved into one of the servers. The username and password was still the same from when he was working there.
Starting point is 00:21:41 Now, this one is a little bit more tricky for this company to fix. Obviously, it's a no-brainer to disable the logins for former employees when they quit or get fired, but changing all the shared passwords that they may have seen while working there is a bit more complex. It would mean changing the passwords for all of Mark's customers, because these were shared passwords that other system administrators use too. The more secure way to handle this is to create a different login for everyone who will access those systems, which when you work in an MSP, that can be over 100 people who might need access. So a lot of NOCs and SOCs and managed service companies don't often have separate logins for everyone, because it's a pain in the neck to get the customers to create new logins for every new hire and remove access for all former employees.
Starting point is 00:22:33 But perhaps they should, just to prevent situations like this. So at this point, he has logged on as an administrator to an important server in one of the companies he used to be a sysadmin for. From there, one of the companies had a database of a lot of information. So I'd say credit cards, banking information, because one of the customers was an accounting company. But he doesn't steal it. He just wanted to see if he could gain access to some pretty important data that he shouldn't be allowed to access.
Starting point is 00:23:15 And yeah, he can. So he sees that he can get there. But then he logs out and steps back and thinks about what's going on. So the first time I connected and realized, just not even connecting to a server, but just connecting to the hosting provider, I thought it was pretty odd that I still had access for one. And then two, I was like, I shouldn't be doing this.
Starting point is 00:23:37 So I do remember the first time I logged out, but just, you know, delving back into the dark web and going back on those specific sites that I was going to, it sort of, I don't know, makes you believe that you can do things that you shouldn't do. Go on. What do you mean? Like I said, just seeing the amount of money that people were making, the type of things that people were doing. There were even, you know, similar postings of people saying that I work at X company and I have such and such access and I would like to sell it. Or, you know, I remember even one person said, I'll give you access to the server. You can ransomware.
Starting point is 00:24:22 It's just pay me. So things like that. Marq was broke. His friend was actually dying of cancer. Marq had no job, and he's spending his nights scrolling through these forums where people are buying and selling data dumps or just access to servers. So yeah, just going back on there more and more
Starting point is 00:24:44 and seeing the type of stuff people were doing and the access I had led me to go back to the server, access it. And that's when I started to download quite a bit of the information from one of the servers. He downloaded a lot of customer data that this company had. And this company did accounting for people. So they had not only names and addresses, but lots of financial information on lots of customers. This database had banking account information, tax return information, addresses. For whatever reason, this accounting company also had people just take a picture of their driver's license
Starting point is 00:25:30 or credit card and debit card sometimes and just send it to them in an email, which is a very insecure thing to do. So I would have access to all of that and thousands and thousands of documents. I want to say probably 15,000 documents in total. It was a juicy grab. And Marq knew it and thought surely someone would find this valuable.
Starting point is 00:26:01 So Marq grabs what he can and logs out. He takes a screenshot of a sample of the data, careful not to include the company's name, because he doesn't want them to know this happened. Because if the company knew they had just been breached, they would start to investigate, and he didn't want that. In fact, he did a few things to cover his tracks while in there. Because he was logged in as an admin to the server, he could just delete the event logs, which showed his login and download activities. And hiding his tracks like this made him feel confident that they're never going to know about this. I never honestly thought that they would know because of the way the company was set up.
Starting point is 00:26:37 Basically, I just didn't believe that or didn't think that anyone would realize that that's how I was getting the information. Honestly, I don't know. It's stupid of me, but I just didn't think anyone would connect the dots at the time. Now keep in mind he used to work at this MSP and manage this customer's network. And so he has a strong understanding of what they audit and how they go about finding security issues. So he was careful not to do things that he knew would raise alarms. So he takes the data he stole and posts a sample of it on a dark web hacking forum and says, if you want to see the rest, it'll cost you $600 in Bitcoin.
Starting point is 00:27:18 Yeah, basically that. So basically posted like a screenshot, basically, of some of the content I had and then posted it. And, you know, just as a sneak peek to show people that I actually had the access, because a lot of times people may be, yes, on the dark web and rip you off. And once people started seeing that I was legitimate, then more and more people started requesting access to these documents, which was quite a bit of documents at the time. Now, posting something like this, it's like opening a box of venomous snakes that you can't close back up. Yeah, it's a little scary.
Starting point is 00:27:58 Because one, you went from the first step, which is being on the dark web, looking at stuff, being interested, to the next step, which is I submitted a post saying I would do something illegal. So it is a little nerve-wracking, but it's also like a little bit of an adrenaline rush. So, yeah, it made me very anxious, honestly, at the time. He was giving a small sample of data for people to look at. And if they liked it, he was hoping they would come back and buy access to the rest. So I remember one day I actually got someone who messaged me and they wanted to purchase some of the documents. So I basically showed them another sneak peek that I had more access to more documents than what I had before.
Starting point is 00:28:57 So I sent them another screenshot. This buyer liked what they saw and agreed to pay the $600 in Bitcoin to see the rest. And so someone messaged me on that specific website and requested the information. The $600, of course, was in Bitcoin. And then, yeah, they transferred the money to my wallet and I gave them the information they wanted. But I made a big mistake there as well. Well, of course, the biggest mistake was going on the dark web and doing this. But at the time, the mistake was, I had two Bitcoin wallets. I had a personal one for just, you know, Bitcoin when I was investing in Bitcoin and stuff like that. And then another wallet where I was doing my dark web stuff and any crypto or anything that I was given would be transferred to that wallet.
Starting point is 00:29:49 When the person on the dark web sent me their Bitcoin, I transferred it to my personal one where I do investing. And that was pretty, pretty dumb. Right. The reason why this is a problem is because whenever he bought and sold Bitcoin with his other wallet, he did it through an exchange, which in the U.S., exchanges are required to know their customers by collecting personal information on them, like upload a picture of your driver's license kind of info. So if the authorities were to somehow see that there was a transaction for $600 in Bitcoin, they could possibly follow that transaction to see his wallet was registered at an exchange and then send that exchange a search warrant asking for information on who owns that wallet. So I'm trying to figure out like in your mind here, the reason for this is it 50% you're pissed off at this company for firing you and 50% you want money? Yeah, it was more financial. Um, I had a lot of
Starting point is 00:30:52 things going on personally at the time as well too. So at the time I just needed money. My best friend, uh, he was dying from cancer. Um, and, uh, I pretty much felt at the time I needed money so that I could go be with him and also do the last couple of things that he wanted to do before he passed. So that was one of the main reasons why I was doing some of the things I was doing. It wasn't necessarily that I was that upset at the company for being fired. Like I have worked at a job before and I've been let go. And I, you know, I understand that things happen. So I wasn't necessarily that upset at the company.
Starting point is 00:31:33 It was just the monetary gain that I could get from the information that some of the customers had convinced me to do it. If you had like another job lined up and you didn't need the money, would this have even been a thing for you? No. No.
Starting point is 00:31:57 There was only one buyer for this data dump. But by this point, Mark was all over the dark web, getting more familiar with different onion sites and who the players were. One day while surfing around there, he sees something that was surprising. Some hackers I knew, they posted on a website on the dark web. This wasn't really like a form, but it was a site where you could go on there and people could just anonymously post stuff or they could just go on there and request something. But yeah, so one day I'm on there, these hackers that I know, you know, they let me know that they posted some information regarding rings. I'm like, okay, what did they
Starting point is 00:32:38 post? So I look and see, and they post a credentials dump for about 1,500 customers of Ring. So this included their password, their username, and also their address. Now, if you aren't aware what Ring is, it's a doorbell webcam. So people buy it, and they connect it outside their front door. And when someone approaches the door, you get an alert on your phone telling you someone is at your home. But that's the weakness. You can view your camera from anywhere in the world. It's connected to the internet.
Starting point is 00:33:11 So you don't have to be home. All you need is that username and password and you can see what's on the camera. And Mark was looking at the post of over a thousand usernames and passwords of Ring camera users, which had their address of where they lived. So that was a little scary to me because, you know, that's real world harm that could happen to people if you have their address and you can look through their cameras. So I did sign on to one of the accounts just to see if I could see through their ring camera and see if this was real. And it was.
Starting point is 00:33:49 The specific person's camera, I just logged in that randomly, was someone bringing in their trash can up into the driveway. Something about this was just going too far for Mark. He had to say something to Ring to let them know about this. And so he did. At first, they didn't respond. So he got connected with Zach Whitaker at TechCrunch, who wrote an article about this. Zach contacted 12 people on the list and told them their passwords,
Starting point is 00:34:16 and they confirmed that was the correct password for the Ring camera. Then Amazon, the parent company for Ring, responded to Mark and sorted it out. I presume they changed the user's passwords. Mark felt confident that he did the right thing here, getting these accounts cleaned up so they can't be abused. He didn't even ask for a bounty reward, since the passwords were just sitting out there on a website for anyone to see. It wasn't like he posted it. But at the same time, Mark still needed money.
Starting point is 00:34:41 And his original listing made him $600 so far, so he decided to make another post on this dark web forum. On the hosting provider, there were about four other servers. So I did make a post later on saying that I would sell access to the remaining servers. What he would do, since he had admin access to these servers, was that he would make a new user account and give it RDP access from the internet. So he could sell that username and password that he just made to someone else so they could log in and do whatever they wanted to that server. He was basically selling backdoor access into a company's network. And what people might do with that is they might look for customer data
Starting point is 00:35:25 to take like a fresh database dump, or they might just straight up ransomware the machine and try to make some money that way. So this kind of posting happens sometimes on these forums. Did anybody purchase this from you? No, no one purchased that. The only thing that someone purchased was me selling, you know, customer information. Um, I'm not sure specifically why it seemed like on that site, especially at the time, more people were invested in buying information versus, you know, buying server access and then having to go in, put malware and do things themselves. People just wanted the information and then they could just sell it on a dark web.
Starting point is 00:36:11 Well, the person Mark sold this database dump to was a well-known IT security company called Binary Defense, founded by Dave Kennedy. And what they do is get on these forums, see posts like this, and buy the data. And then they investigate the data to try to figure out who the victim was and who the person is that sold this to them. And then they just turn all that over to the FBI. It's what's known as a confidential informant. So the combination of the forensic investigation that Binary Defense did and turning that over to the FBI, the FBI quickly identified Mark was the person who sold this data.
Starting point is 00:36:55 And all I remember is one day in January, I was asleep and I had a noise at the door and I was thinking it was my girlfriend because she worked about five minutes down the street. So I thought she was coming home. But there was the like the deadbolt on the door. And so the person was trying to open the door, but didn't realize the deadbolt was on the door. And two seconds later, they just bust open the door. I didn't realize specifically what was going on at the time. This is like 6 a.m. and I literally just went to sleep.
Starting point is 00:37:25 But I remember, you know, rubbing my eyes and looking and saw it was the FBI. But that's when I, you know, I realized I didn't put two and two together at first. Like I didn't realize specifically why they were there. But when they showed me the warrant and they started trying to ask questions, that's when I knew what it was for. So, I mean, I imagine if they're busting down doors, they've got weapons drawn and they're pointing them at you. Yes, that was very frightening.
Starting point is 00:37:54 I've told people before who've asked me, it was like a scene out of, like, Call of Duty. It was very nerve-wracking. Never want to go through anything like that again. But, yeah, they had guns aimed at me. It was probably, say, about eight agents in there, all with guns aimed at me. And I was just on the ground with my hands up. The police come in his home, take all his electronics, laptops, his iPhone, thumb drive, even some books on programming.
Starting point is 00:38:21 Oh, and they took his girlfriend's MacBook, which she had nothing to do with any of this. They left my Raspberry Pi, which I always thought was interesting. But yeah, they turned the whole house upside down looking for stuff. Of course, the police were asking him a million questions and wanted him to unlock his iPhone and computer and stuff. But he refused to talk at all. The only word he just kept repeating over and over was lawyer. So they took me down to the courthouse. And once I was at the courthouse, I met my lawyer, who I had a public defender.
Starting point is 00:38:55 So I met her and she explained to me specifically what was going on. And that's when I had the feeling of, yeah, I messed up really bad. So I go to court. The, you know, prosecutor is showing all the information and everything she has, and she's talking to the judge. But this is where I found it very weird. Um, I think they made it seem like at the time specifically that I had access to maybe way more stuff than what I did. And I remember the prosecutor said I had a whole criminal enterprise. And she, it seemed like she was trying to convince the judge that I had, I don't know, hundreds of thousands of dollars in Bitcoin. But at the time, I didn't, I hardly had any Bitcoin because I had spent the Bitcoin that I had. So I didn't have hardly any Bitcoin. He didn't like that they were making things up
Starting point is 00:39:54 about him. And they were trying to say he had lots of money from doing this. So he pleads not guilty. The judge sentenced him to house arrest while the prosecutors can build the case against him. And sadly, while he's in court dealing with this, his friend lost his battle against cancer and passed away. Mark didn't even get to go to the funeral because he had court that day. Eventually, the prosecutors for this case and the FBI turned up all the evidence, which clearly showed that Mark had accessed the server and taken this data and sold it on the dark web. They had a significant amount of data showing all of what he did. They pretty much had me dead to rights. There wasn't that much of a great defense. I would say they tried to say that I did $900,000 in damage, which I'd say was nowhere near that amount. And later that damage amount did come down to about $32,000. So nowhere near a million. With all the evidence before him, he had no choice but to plead guilty to breaking in and stealing this data.
Starting point is 00:41:08 What helped, though, was that he had a very clean criminal history. And the whole Ring camera thing came up, too. It actually looked good for him that he reported that problem to Amazon. He had to go see a judge to receive his sentencing. And he told the judge, You know, I'm sorry I did this. It was really stupid of me. The owner of the MSP was actually there in court as well. So I did apologize to him and let him know that it was just very dumb of me to do this. Not a bad person. I don't really want anyone to think that, but what I did was dumb. You know, hacking
Starting point is 00:41:45 isn't, you know, hacking on your own devices. You know, you set up a router or something, or you use Kali on your own devices. That's perfectly fine, but doing it to someone else, it's not good. And the judge, he did grant me leniency because the feds, they were, they wanted me to be arrested, go to jail for about 10 to 12 months. And he actually gave me 30 days, but counting the time that I already served when I was arrested and held, it was really 24 days. So all in all, I just had to... I was arrested for... I had to go to jail for 24 days and three years of, uh, probation. Um, but he did say, you know, he didn't want to, um, see me off
Starting point is 00:42:37 for a long period of time because this was the only thing I had ever done. Um, and I'm, you know, I explained to him I was trying to change my life around, going back to school for engineering. I have a family as well, like a son. So it wasn't something, you know, you know, like I said, I'm not a malicious person, but what I did do was malicious. And there, of course, are repercussions for what you do. When did you serve your sentencing? Was it this year? It was in October, from October to November. That's just two months ago. Yep. Well, last month. So you were in jail last month for this.
Starting point is 00:43:18 Yes. Mark is hoping to get another job in the IT space since this is what he knows best. But he might have a really hard time finding something with a criminal record like this. So he's currently going to school for electrical engineering. Yeah, yeah. I hopefully plan to work on like circuit boards and stuff like that. But I come from a family of engineers. My uncle's an engineer at NASA. My aunt works at NASA. So yeah. Insider threats are one of the biggest threats companies face today. And because of that, I wanted to bring on Lisa Forte. Yes, you pronounced it correctly. Most people in the UK pronounce it Forte, which is really annoying. But Americans tend to pronounce it correctly.
Starting point is 00:44:01 So that's good. Lisa consults with companies to help them handle insider threats. So first I was just curious what she thought of the story. Well, for a start, I mean, to still have your credentials working four months afterwards is a little bit crazy. Um, those clearly should have been revoked. But also, I think the crucial thing with all insider threats is to understand that nobody wakes up one morning kind of happy, satisfied, fulfilled, and decides, I'm going to attack my employer. It's a process with many key moments and tipping points that lead to someone becoming an insider threat, or in this particular case, I suppose technically at the time he did it, he was an outsider. But there's no, like, bad apple that exists in an organization.
Starting point is 00:44:47 These people, it tends to be a product of circumstances, timing and personality. And when you combine all three, sometimes it can yield an insider threat. What are what are the incentives on why insiders even become threats? So there's sort of three typical types of attack that we see with insider threats, and that's fraud, sabotage and theft. Ignoring fraud for a second, because it's a little bit different from the other two, theft and sabotage tend to happen at the end of employment. So whether that's because they've been fired, or whether they've been, you know, sort of made redundant, or whatever it is that's happened to them. Those two attacks tend to happen at the end of that
Starting point is 00:45:29 employment. And a lot of the motivation is really complex. I mean, sabotage tends to be very much motivated by sort of vengeance or anger towards the employer, whereas theft often actually is a lot more complicated. And as in this case, it tends to be people who are in difficult situations. There's been a mounting amount of pressure. They probably are dissatisfied with their employer, or see their employer as, you know, oh well, they can afford it, they can lose this information. Or even sometimes people think that the project that they've worked on is part theirs, and so they take a copy of it. So it's really, really complicated and it's very easy to just say these people are bad people, but it's actually a product of a lot of circumstances that leads
Starting point is 00:46:16 people to do these things. Do you have any tips on how to combat this? So I would say if you're looking at theft, there are certain departments that are going to be key for that. It's the same with sabotage, you know, only certain departments are going to be capable of doing those kinds of attacks. So increasing some monitoring around those employees in particular, so not your whole cohort of staff, but also making sure that you're increasing some monitoring during those crucial periods. So theft and sabotage happen at the end of employment. So making sure that when someone's notice is handed in, or they're fired or made redundant, that you increase that monitoring at that crucial period.
Starting point is 00:46:56 And make sure you communicate with your staff that that's happening. So there's no sort of cloak and dagger. I find what Lisa is saying very interesting because it reminds me of General David Petraeus. Petraeus was director of the CIA. And before that, he had spent 37 years in the army. He was rock solid when it came to handling classified and top secret information. When someone dedicates their entire career to the U.S. military, they probably are really great at keeping government secrets. And he was until his marital situation started to unravel. He was having an affair with someone and he was sharing classified information with her. He even pled guilty to doing this. And I was shocked to hear this because someone who is the director of the CIA must have had a rigorous background
Starting point is 00:47:46 check and passed many interviews to get into that position. So to ultimately betray the same entity that employed him for 37 years is crazy. Oh, and a note here about how he was exchanging information is interesting. Both he and his mistress had access to a single Gmail account, and they would write messages back and forth to each other on there, but they would never send these emails. They would just keep them in the drafts folder. So one person would go into the drafts folder, read the message, and then delete it, and write another message, and keep that in the drafts folder for the other person to see. So there weren't ever any records of emails being sent. Crazy. But what Petraeus taught me the most was it doesn't matter who you are, because even the leader of an organization might flip someday and become the next insider threat. A big thank you to Mark for sharing this crazy story with us.
Starting point is 00:48:48 Oh, and thanks to Lisa Forte for jumping on and giving some good perspective too. Don't forget to check out darknetdiaries.com sometimes. Every episode of this show has unique artwork, which if you haven't seen, you've got to go to the website and check it out. Every episode also has full transcripts posted, too. So if you didn't catch something, you can just go read about it there. And there's a link to the shop where you can buy shirts with all this artwork on it, too. Also, at the bottom of the page is an invite to the Darknet Diaries Discord server.
Starting point is 00:49:17 We've got 10,000 members there, and we would love for you to come join us there, too. Oh, and if you're on Twitter, please find me there. My name is Jack Rhysider. I'd love to hear from you. This show is made by me, a citizen of the metaverse, Jack Rhysider. Sound design was done by the sparkling Andrew Merriweather, and our theme music is by the mysterious Breakmaster Cylinder. I renamed my printer the other day. It's now called Bob Marley, because it's always jamming. This is Darknet Diaries.