Digital Assassination – The Ultimate Revenge!

July 30th, 2009 by Barrett Lyon

All examples included in this posting are for educational purposes only and should never be put to practice or used. In other words, do not do them!

Death by Ethernet Given that today is the opening day for DEFCON 17 (a hacker conference), I figured I would pay homage by exposing some cyberwar techniques that are more social in nature, easier than writing amazing meterpeter exploits, but just as (if not more) impactful.

These days, cyber bullying is popular. Cyber bullying is when a bully makes fun of a kid online using MySpace, email, posting jokes, etc. Cyber-bullying is so harmful to a child’s mind and online persona that it has led several victim children to suicide. Cyber-bullying was brought to light when Megan Meier’s suicide was attributed to cyber-bulling via MySpace.

Children are not the only possible victims of cyber-bullying; someone’s online persona is also a great target. An online persona is an important commodity these days; a Google search on someone’s name is almost the modern day resume. These online personas are part of a larger group of what I term Digital Natives. The Internet has simply amplified older techniques used by intelligence agencies and governments.

Attacking someone’s online persona or discrediting someone using their online persona could have horrific consequences.

With communication and social media, there are new attack vectors, and cyber-bulling can be taken to a new level, something I call “Digital Assassination”. Digital Assassination, which is not anything new per-say, takes old methods and some new methods to manipulate, embarrass, cause jail time, discredit associations, politicians, corporations, or (in some people’s minds) have the ultimate result by invoking someone to commit suicide.

I had an internal struggle about writing this post. I do not condone the methods I discuss, nor have I ever practiced them. I hope this posting is used merely as a mean to inform people and protect them from being victims, rather than encouraging unethical, illegal, or nefarious actions.

There are a lot of tricks to the SEO (Search Engine Optimization) trade. Most of them involve manipulating Google, embedding data on pages to cause Google to think your site is more important than another site. This is what I call “search engine de-optimization.” What if the same techniques used in SEO were used to power a disinformation (or smear) campaign designed to destroy or manipulate someone or something’s digital existence? What if those techniques were combined with hacking, social manipulation? The result is scary.

At first you may feel that the general concept seems somewhat “out there”, but let’s look at some of the possible implementations.

Blog Pressure and Disinformation

    If an attacker is trying to eliminate a movement or politician’s influence, what better way is there to do so than ruining the essence of the movement or tainting the politician’s reputation? Someone can hire a team of paid bloggers; say 150 of them, working in India. There are companies that provide small blogger armies (just Google “paid bloggers”). They all operate on the Internet as if they come from different parts of the world (via proxy servers to make it more convincing), and all they do is post negative sentiments.

    The more this is deployed, the more the victim’s name in Google becomes associated with these negative blog postings. Thus, a Google search for the victim reveals blog postings about how he or she is an alcoholic, child molester, a physical abuser, etc.

    This can be amplified by using mailing list postings and USENET.

    Taking that further, one can link each blog comment to each other and create a more articulated web of links, which will help Google optimize the data.

    Likewise, what if you wanted to start marital troubles for someone? The attacker could start posting about the victim on dontdatehimgirl.com or various places such as twitter:

    “This guy is an asshole, we met at a corporate dinner three years ago, have been having an ongoing affair, and he’s been telling me that he was going to leave his wife, now he just cut me off! I want to expose for who he really is.”

    Or

    “I met last week at the conference, it was an amazing, romantic whirlwind. Now I am pregnant he refuses to return my calls or emails. Help!”

    What’s worse is this could be used via Facebook or even via pure email to the wife. With a little Photoshop help, by creating fake caught-cheating photos, it may be a hard to disprove

    Taking the caught-cheating photos and placing them on various sites will also help Google cache them in images.google.com. Further, if the images are named after the person’s name, it will help them come up first in a Google search.

    Cheating can also be replaced with other actions like industrial espionage, bad associations (having dinner with people you should hate). Imagine photoshopped photos of a VP of a company handing documents to the CEO of a competing company.

Jail Time

    Another method requires a little more work and some hacking skills that some people may not have. Yet it’s one of the most powerful methods one could use. This method basically involves hacking someone’s computer or taking it over remotely, implanting a lot of child porn on the computer, and posting that same child porn on USENET with the victim’s real email address.

    USENET is patrolled so carefully for this type of material that the result would be an FBI agent’s knock on the victim’s door, jail time, public embarrassment, maybe a pile of felonies, and to top it off… everyone thinks the victim is a pedophile.

    There are other methods such as filling a USB Drive full of child porn and simply dropping it near the victim’s car where he or she may pick it up. The attacker then tips off the police.

    In essence, the attacker frames someone for a crime. With the anonymous nature of the Internet, Operating Systems, and general digital accounting, it’s easy to put these crimes on the shoulders of the victim.

Fake Logs

    Another vicious attack vector would be simply to make-up an attack. Create logs of someone uploading child porn to a web site, making fake posting to your blog threatening to kill the president, or just a fake hacking attempt. System logs are all text, so typing up a log that looks real would be very simple and law enforcement can use that information as evidence.

    If fake evidence is introduced, it could have more power than actually attempting to frame someone for a crime.

Rogue Disinformation

    Hacker groups, governments, terrorist groups, politicians, businesses, and other activist groups use the Internet to spread their propaganda, turning their web sites into recruiting machines.
    What better way is there to disrupt them by using disinformation to discredit and fragment the momentum?

    One can hack their web site, and rather than a full website defacement, only change the wording a tiny bit, just enough to turn people off. Doing so will make their followers go, “huh?” and it may take a while for the changes to be caught.

    As an example (which should never be done and is fictitious), on a Governor’s web page, there is usually an about section. Let’s just say the text officially reads, “People who know me know that besides faith and family, nothing’s more important to me than our beloved Alaska.”

    IF one were to change that text to read; “People who know me know that nothing’s more important to me than my liberal views and beloved Alaska. In my life, I reject faith and family.”

    If the site massaging is not detected, the new text would sit for a few weeks would spread some serious disinformation.

    It’s also possible to register web sites that appear to be supporting a victim, gather viewing, and then negatively morph the message over time. For example, register supportgovernorname.com, copy the full text and content from other governor support sites. Link the site in places such as Wikipedia and other political blogs. Once there is traffic and linking going directly to the site (people are reading it/using it), slowly morph the text to make her messaging appear negative. Using DDoS attacks to shutdown the official web site to force people to the alternative fake site would also help force people to your messaging.

    For “informal movements” such as “the anti-sec movement”, a few well-placed postings usually derail them quickly. I suggested in a previous post that their threat of finding exploits to OpenSSH may have been someone not with the anti-sec movement anonymously posting using their name as a smear campaign. This hurt their public reputation.

Moving on…

There are many other examples of using Digital Assassination to control situations. I’m sure my readers could think of many other methods of using the Internet to control people and movements. I would be interested in hearing these ideas and attribute them in this page.

What you see, read, and link to may not always be reality.

Tags: , , , , ,

6 Responses to “Digital Assassination – The Ultimate Revenge!”

  1. Sameer says:

    Hi,
    This is a good one and scary too. Other similar concept is “Digital residue”. Social n/w sites come up and go like fashion fads nowadays — it was orkut then facebook and twitter .. who knows whats next. But what happens when people suddenly shift preferences from one social n/w site to another and forget the old one. it has a lot of scraps personal info, photos and such stuff availaible with the past site. and if this site just goes bankrupt u can imagine the goldmine that site sits on… especially if its run out of Cyber safe havens (i.e. countries where there are no strong cyber laws)
    Just a thought and would like to hear ur views on this.

  2. Stiennon says:

    Scary stuff! I thought that first quote from a Governor’s site, before modification, was fictitious! Funny.

    China and now Israel have formal cyber psyops. They pay people to comment on blogs with their approved state message. Just as spam killed USenet, and has made email impossible to use without constantly updated filters, blogs and comments and even social networks are going to lose the impact they currently have.

    Believe nothing, trust no one. Not a pretty perspective.

  3. Jim Lippard says:

    It seems to me that “digital assassination” isn’t really the right term for what you describe. That term would be more appropriate for the extinguishing/destruction of an online identity, say by deleting an account after gaining access to it.

    The cases you describe seem to be more like “digital character assassination,” the destruction of an online reputation, and “digital kidnapping” or “digital impersonation” or “digital identity theft,” the acquisition of someone’s online persona and use of it for nefarious purposes. Another example of a use of the latter would be acquiring a high-reputation eBay account to commit fraud with it, or acquiring control over a high-value blog in order to insert links for black-hat SEO purposes or for malware distribution.

  4. Barrett Lyon says:

    Jim, yes I do agree to some extent. However, when there’s an intent to cause harm in the physical world using online means…. I feel that crosses the line from character assassination and becomes something else.

  5. Jim Lippard says:

    Here’s a better fit for “digital assassination”–spoofing caller ID with a call to the police, with a hoaxed call to send SWAT teams to the spoofed location, kicking doors in and with guns blazing. Also known as “swatting”, e.g.: http://www.wired.com/politics/law/news/2008/02/blind_hacker

    Another “digital assassination” would be gaining access to electronic medical records or hospital systems, and making a change that either indirectly causes a treatment that kills a patient, or actually disrupts systems that cause death. There have been some close cases to that, as well, though inadvertent–like Christopher Maxwell (“Botmaster”)’s botnet that infected systems at Seattle’s Northwest Hospital in 2005.

    I think “digital assassination” should be reserved for cases where either the online consequences are analogous to an assassination, or the real world consequences are.

  6. Barrett Lyon says:

    It’s a question of intent: In the case of Megan Meier, if the woman harassing her was doing it with the intent to push her over the edge, to kill herself, then that would be assassination.

    Likewise, some people feel they are “Digital Natives”, their real life is online, and if you execute a character assassination on a digital native, that is also a form of assassination in the digital sense.

Leave a Reply