Poking the bear – when you provoke hackers

After losing his job in a reshuffle, “recovering” journalist Brian Krebs has forged a reputation as one of the world’s foremost information security reporters. While he has broken a number of major security stories, including the Target breach, there are times when things get a little precarious.

At the Check Point Cybersecurity Symposium held at Sydney’s Luna Park on 2 June 2015, Krebs talked about the consequences of “poking the bear”.

“About a year and a half ago I started getting these random tweets and nasty tweets from people I didn’t know,” says Krebs. “Half of them were in Russian”. Many of the tweeters had replaced their profile photos with images of a prize-fighter holding Krebs’ severed head and other threatening and distasteful images.

Following some research, Krebs was led to a guy who went by the name “Flycracker”, or just Fly. Fly ran a Ukrainian fraud forum.

“If you’re going to poke the bear, expect them to poke back,” says Krebs. After setting up an account on the forum Krebs found that Fly had posted a message saying Krebs had a heroin problem.

“I don’t have a heroin problem,” Krebs clarified.

Fly took up a collection and was able to hustle up a couple of bitcoins and proceeded to order some heroin from Silk Road for delivery to Krebs’ home. Fly would then pretend to be a concerned neighbour and call the police in order to frame Krebs for drug possession.

Having seen the exchange of messages on the forum, Krebs notified the local police who came to his home. Their reaction:

“He says just give us a call if the heroin shows up and we’ll come and pick it up”.

Incredibly, Krebs was able to track the shipment as Fly put a tracking number for the parcel in the forum post. When the heroin arrived he passed it on to the police.

Krebs wrote about the exchange on his website, not just outing Fly publicly but embarrassing him in front of his peers.

The bear was well and truly poked.

A couple of weeks after this, Krebs was returning home from BlackHat Las Vegas and called his wife. She was in tears as a large cross-shaped floral wreath had been delivered and left at the door. Attached was a card with a chilling message addressed to his wife from Fly.

“Rest in peace Jennifer. You married the wrong guy. It’s OK. We’ll always take good care of you”.

Investigations had revealed Fly was a Ukrainian living in Naples, Italy and was running a card-printing factory, producing bogus credit cards. Also, he was engaged but didn’t trust his fiancée so he installed a key-logger on her computer. As a result, all of her communications about Fly were available to investigators later. These were used to eventually track down and prosecute Fly.

Krebs received a phone call from a law enforcement agency with a simple message:

“The fly has been swatted”.

Ultimately, Fly was imprisoned in Naples’ highest security prison.

A year later, returning from the next year’s BlackHat event in Las Vegas, Krebs called his wife and found her in tears again. This time, she was in possession of a letter from Fly. Urging caution, Krebs told her to not open the envelope. Given he had sent heroin previously, there was no knowing what he’d send from prison.

After police checked the letter, it was found to just be a letter. It was an apology from Fly, detailing how his life had fallen apart. Later that year, Fly also sent Krebs a Christmas card.

Stories by Anthony Caruana
