RICE

ASIA, UNFILTERED

This article is part of a series on the strange, unexpected, and sometimes even borderline illegal services that you can engage on Carousell. Read the first part on controlled substances here

It’s no news that Carousell is flooded with the strangest people you will ever meet. Much like the New York City subway, it’s filled with crazies, weirdos and occasionally some shady characters that make you get off and change subway cars at the next stop.

Having scoured the dark underbelly of Carousell, a site 10-year-olds use to trade, deal and sell squishies, I stumbled upon a fair share of clearly illegal Netflix upgrades, prescription medicine reselling, and even live pets.

But what really caught my attention was this:

You read that right. For a paltry S$70, this guy will hack social media accounts at your behest.

The listing not only comes with a photo of a hooded Mr. Robot-esque figure, but it also guarantees that it is “100 percent legit!”, and that there will be “no scam cause i hate it too”.

I guess that means “100 percent” trust for you, bro.

But despite my initial skepticism, my interest was piqued. I wanted to know whether this guy was a Singaporean Matrix Reloaded, or was he simply a scammer? 

So I contacted him and before I knew it, I had gone from hacking a social media account to a bank account.

Here’s how it happened.

Full disclosure: I’m an English Literature major, and am not formally educated in computer science. I know next to nothing about “hacking”. So when I reached out to the “Hacker” on Carousell, I was armed only with my curiosity.

I also knew that I needed a simple story, a reason to purchase his hacking services. So I set up a new account with a new identity: I was an insecure guy, seeking surveillance on his new girlfriend by way of getting her Instagram password.

I was also going to set it up for success by providing him the most conducive “hacking” scenario he needed. If he succeeded, I could find out what he used, how he did it, and get closer to finding out what kind of service it was that he offered his satisfied customers.

When I reached out to him, he quoted $180 for the service, more than a 100% markup from the S$70 quoted on his Carousell listing. “Fine,” I thought to myself. At least this might buy me his undivided attention.

After I paid the initial 50% deposit (balance 50% due upon proven success), he sent me this link:

So I sent the link to myself, clicked on it, and keyed in my password on a domain that I personally found extremely dubious. Throughout the entire process, I couldn’t help but repeatedly ask myself: what kind of idiot would fall for this?

His strategy was to send out a “phishing” link, in hopes that the cover story he concocted for his clients was sufficient to make the targets key in their log-in details into a site that was designed to look like the real thing.

In layman’s terms, a URL can take the form http://username:password@domain/path, and by banking on the fact that people don’t look closely at their URLs or aren’t tech savvy, phishing is an easy way to capture usernames, passwords, and whatever else you type into the fake page.
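The point about URL shapes is worth making concrete from the reader's side of the screen. The following Python snippet is an added example for this article (it is not the Hacker's code, nor anything RICE published); it uses only the standard library to show what a browser actually treats as the destination of a link, and flags the warning signs a recipient should look for before typing a password. The hostnames in the sample links are constructed placeholders on the reserved `.example` and `.test` domains, and the `expected_domain` argument is an assumption about which site the reader thinks they are visiting.

```python
from urllib.parse import urlsplit

# Constructed sample links for illustration only. The ".example" hosts are
# placeholders reserved for documentation, not real sites.
SAMPLE_LINKS = [
    "https://www.instagram.com/accounts/login/",
    "http://www.instagram.com@login-help.example/instagram/",
    "http://instagram-verify.example/login?next=/",
]


def real_host(url):
    """Return the host a browser would actually connect to for this URL.

    Anything before an '@' in the authority part is a username (and optional
    password), not the site name, so a link that *reads* as one site can
    resolve to a completely different one.
    """
    return urlsplit(url).hostname


def inspect_link(url, expected_domain):
    """Check a link against the domain the reader believes they are visiting.

    expected_domain is an assumption supplied by the caller, e.g. "instagram.com".
    Returns the real host, a trusted flag, and a list of human-readable findings.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []

    if parts.username is not None:
        # The text before '@' is credentials, not the destination.
        findings.append("text before '@' is a username, not the site name")

    if parts.scheme != "https":
        findings.append("link is not served over HTTPS")

    # Accept the expected domain itself or any of its subdomains, nothing else.
    if not (host == expected_domain or host.endswith("." + expected_domain)):
        findings.append(f"real host is {host!r}, not under {expected_domain!r}")

    return {"host": host, "trusted": not findings, "findings": findings}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        report = inspect_link(link, "instagram.com")
        status = "OK" if report["trusted"] else "SUSPICIOUS"
        print(f"{status}: {link}")
        for finding in report["findings"]:
            print(f"    - {finding}")
```

Running it prints the first sample as OK and the other two as suspicious, with the second one resolving to `login-help.example` despite starting with the Instagram name. The same check is what a browser's address bar does for you when the page has loaded, which is why looking at the domain shown there, rather than at the link text in a message, is the habit that defeats this kind of lure.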

Not the most sophisticated strategy.

But at the same time, I also realised that this was essentially a confidence scam.

Countless incidents in the past have seen my friends sending me links to click on to help vote for their NUS pageant photos, and not once did I bat an eyelid to screen the domain name or even find cause to raise any suspicions about their intentions.

I surmised that the way this usually worked was that there had to be inherent trust to be betrayed between the victim and the perpetrator. After all, if you already know the person, it’s highly likely that you will open their emails.

After I clicked the link and keyed in the information, the Hacker returned with the good news.

For a moment, I felt slightly violated. Never mind that this was done with my consent, and that it wasn’t my Instagram account he accessed; the thought of someone so casually and confidently invading my privacy irked me. I imagined him reading through my Instagram inbox, scrolling through my photos, and accessing something I thought only I had the privilege and privacy to.

I could only imagine the multiple accounts on social media he helped gain access to, trawling their profiles for his own monetary gain. All because someone trusted their friend, boyfriend, or acquaintance, and decided to click on a link they believed was helping someone out?

Now that he had actually succeeded in “hacking” something, it was time to up the ante.

Previously, while upselling his services, he had sweepingly bragged about being able to “hack” into ibanking accounts. He even claimed to be able to teach me how to do this.

When I asked if he could hack a bank account for me, he said yes without hesitation. When I asked him if he had ever successfully hacked a bank account, he proudly declared that he had indeed done so. Twice.

At this point, I was semi-convinced. Hacking a social media account is easy. Bank accounts, on the other hand, are a different story. He told me that if he hacked the bank account for me, not only could I view the balance, I could also transfer funds out. What he would provide was the ibanking username and password.

Upon agreeing on $300 after a lengthy discussion, he blindsided me the next morning with cold feet.

There was no way I could force him to do something illegal, so the next best option was to get him to teach me how to do it instead.

Two arduous days and a lot of delays from his end later, he finally sent me a Dropbox link with a screencast video and a software file:

The software, which he claimed to have coded personally, was nothing more than an off-the-shelf keylogger by Ardamax, which retails for under S$70.

But I consoled myself that it was his video that was priceless. He mentions repeatedly in a disclaimer on his video that he is not liable for any illegal activities that might result from the use of the software.

All I needed now was a bank account to hack into, to prove that what he sold was legitimate. Most importantly, this would also prove that you could learn how to hack a bank account off someone from Carousell.

So with little deliberation, I decided to hack into my editor’s bank account.

Following the Hacker’s instructions to a tee, I set up the software he sent me, set the preferences to have a webcam video sent every 5 minutes, and an email firing to me his keyboard input every 1 minute.

I then sent a Dropbox file to my editor, like I usually do, titling the file “final draft” and making the software icon look as unassuming as I could manage.

Once my editor clicked into the document, the software began to install itself remotely and rather seamlessly.

Almost immediately, the keylogger began firing emails to me every minute with the websites he visited, screenshots of his interface, and passwords he entered.

A screenshot of the interface on my editor’s laptop.

More importantly, the Hacker also instructed me to convince the victim to make a transaction through his browser while I sat patiently waiting to intercept the bank log-in details.

It was smart. It ensured I didn’t have to sift through a ton of his keylogged activity hoping to stumble upon the right one.

So, I told my editor to transfer money for my claims to me under the guise that I needed a budget for a story I was chasing, hoping that when he logged into his internet banking account to transfer funds to me, I would be able to intercept his log-in details.

And it worked.

And the coup de grâce …

To be very honest, doing this did fill me with a certain sense of accomplishment. I felt like I managed to gain an effective skill through Carousell, almost without any difficulty.

Granted, because most of his “hacks” are cons capitalising on trust, it’s difficult to say whether or not he would be successful if I didn’t actually make the effort to set him up for success.

But the fact remains that I managed to procure keylogger software and a tutorial through a marketplace that, other than a half-hearted list of prohibited items on an FAQ page, has no effective filter to prevent such blatantly heinous activity.

(More than half the items on this list are still being sold on Carousell.)

And as much as part of me wanted to believe that the Hacker was full of it, I don’t doubt that he has many victims in his trophy case.

Author’s Note: At the time of writing this, the Hacker added a new listing on his Carousell page, selling “ethical hacking” courses for #UOBPayNow.

Though questionable how “ethical” hacking someone’s bank account might be, I’m sure he thinks adding an adjective makes it okay.

Also, what is with him and UOB?

© RICE 2016