8 Steps on How to Safely Blog Evil–How I Caught One Such Malicious Blogger
I was hired to stop a person from maliciously attacking a company through blogs and forums. I describe the 8 things he did well to keep from getting caught. I also tell how I finally caught him.
A large technology company (that I had previously done security work for) contacted me regarding stopping a disgruntled employee’s smear campaign. He (she/it) was recently fired and was now suspected in a rash of bad PR and leaked information that was appearing throughout the blog world. The hiring company had a new product being released soon and needed to stop the bleeding.
My contract generically listed some security responsibilities; however, I was told that my objectives were the following:
1. Catalog every maneuver (blog post, forum post, etc.) that this person made
2. Prove that the suspected person was indeed the slanderous foe
3. Provide testimony at trial against this person if needed
4. Obtain usernames/passwords to his accounts
5. Develop leverage (find dirt) against him
Due to the timing of the product release and moves regarding the company stock, the company wanted this guy stopped as quickly as possible.
I was flown across the country to a location near his address. I was put up in a nice hotel and given a rental car under the company’s name. The initial plan was to get into his system through his wireless network and start the game; however, I could never get in. I am not a wireless guru by any means, and his wireless setup was more complex than I could figure out. Honestly, I could not find a great place to hide while grabbing his wireless stream either. I felt way exposed sitting in my car with my laptop.
Back in my hotel room, though, I found a safer method. He had been leaving some posts in a few rent-a-coder forums. He was purchasing some programs to help him spam multiple blog systems more easily. He had set a deal with a Russian programmer. I too contacted this programmer and told him that I would double his money if he would insert a rootkit for me into the requested software. Nervous that the Russian would rat me out, I waited a week. Then the software phoned home.
Once the rootkit was in, my job was easy. I recorded his purchases of domain names, his blog postings, and his blog spam. I noted which proxy servers and anonymous systems he used. I recorded his payments to the Russian programmer and several other coders-for-hire whom he had purchased various scripts from. Most of his user/pass combinations were easily obtained. Out of the hours and hours that I watched him work, the most pleasing time I had was when he installed the updated version of his blog spammer software, which still contained my rootkit. His software firewall asked him if it was okay to open several ports. He happily selected “yes,” never realizing that one of those ports was actually mine.
Once I had collected the information, the rest of the story gets very unsexy. I could have deleted most of his blogs and even formatted his system if requested. However, the company served him a legal notice with the small amount of the proof that I obtained. Overnight, he removed all of his sites from the world. His smear campaign was over. The company still has all the proof of his evil deeds to show anybody who would consider hiring him again. He still must occasionally open that tainted piece of software, however, because every once in a while it will phone home to me.
So that’s how far a company will go in a pinch to stop an “evil” blogger. Watching him for those many hours, I saw how he did what he did. I also figured out why the company needed me to find out who he was. Other than trusting an unknown programmer to write honest code, he was very clever at hiding his tracks while soiling the company’s name.
How to blog evil (and how not to get caught):
1. Be Anonymous. I have written about this before in my article Blogging and Running Your Website Anonymously – An Introduction. Using throw-away email accounts, hiding your tracks with tor or a proxy service, or even posting from public access areas such as libraries—a combination of these will keep you hidden safe and sound. I believe my target used NetStumbler to find open wi-fi spots to post from as well. I could never prove this, however.
2. Use free and cheap blog services to spread your dirt. Typepad, blogger, wordpress, and geekswithblogs.net were all free services that he used. He linked them all together and back and forth. He also purchased cheap web packages from several companies that automatically installed blog software. One package for $10 a month got him 10-15 hosted domains with an evil-spewing blog parked at each one.
3. Be multiple people. He kept people interested by pretending to be multiple people commenting on his multiple blogs. A blog post with 12 comments appears much more legitimate than one with no comments. In forums he would have his nicks talk to one another, each supporting the other’s position. If one of his user nicks got booted from a forum, there was always another identity ready to take its place. Nobody believes the lone soul, but several people agreeing about a subject holds much more weight.
4. Attack your target at home. He would post under his multiple aliases in the comments of the company’s blogs. Eventually he used his purchased scripts to flood the blogs with his opinions and spam. This is an evil attack because potential followers and customers visit these company pages. Attacking here got the eye of whom he wanted to influence the most. The company had to eventually shut down the comment systems on all of its hosted blogs. He moved on to attacking and flooding people who were discussing the company and its products.
5. Research your targets. This guy was subscribed to every RSS feed of every blog at the company. He used google alerts, google blog search, technorati, and pubsub to follow any mention of the company or the soon-to-be-released product. By scanning through all of this data with RSS, he could blast the company any time it was mentioned.
6. Buy evil domain names. Buying domains such as companysucks.com or whatever is cute, but they are easily taken down by legal means. This guy would buy domains that were frequent misspellings or typos of the company’s web sites. He would also buy alternative domain suffixes such as company.us or company.org.
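The look-alike domains described in step 6 are the kind a company can watch for before they are used. The script below is an added example, not code from the original post or from the company involved: it generates a watchlist of single-edit misspellings and suffix swaps of a company domain, which a brand-protection team can feed to a registrar search or passive-DNS lookup. The company name (examplecorp.com), the partial QWERTY neighbour map, and the list of alternative suffixes are all constructed assumptions for the example.

```python
"""Build a watchlist of look-alike domains for a company domain.

Added example, not from the original post. A defender runs this to know
which misspellings and suffix swaps to monitor or defensively register.
"""

# Constructed sample domain; the real company in the post is not named.
COMPANY_DOMAIN = "examplecorp.com"

# Partial QWERTY neighbour map (assumption) for adjacent-key substitutions.
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "wedxza", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}

# Suffix swaps of the kind the post mentions (company.us, company.org);
# the exact list is an assumption.
ALT_TLDS = ("us", "org", "net", "info", "co")


def split_domain(domain):
    """Split 'label.tld' into its two parts (assumes a single-label TLD)."""
    label, _, tld = domain.partition(".")
    return label, tld


def typo_variants(label):
    """Return the set of single-edit misspellings of a domain label."""
    variants = set()
    # Omission: one character dropped (examplecorp -> exampleorp).
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])
    # Transposition: two adjacent characters swapped (examplecorp -> exmaplecorp).
    for i in range(len(label) - 1):
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # Repetition: one character doubled (examplecorp -> exaamplecorp).
    for i in range(len(label)):
        variants.add(label[:i] + label[i] + label[i:])
    # Adjacent-key substitution: fat-finger typos (examplecorp -> exampkecorp).
    for i, ch in enumerate(label):
        for neighbour in QWERTY_NEIGHBOURS.get(ch, ""):
            variants.add(label[:i] + neighbour + label[i + 1:])
    variants.discard(label)  # the genuine spelling is not a look-alike
    return variants


def watchlist(domain, alt_tlds=ALT_TLDS):
    """Look-alike domains to monitor: typo labels on the real TLD plus TLD swaps."""
    label, tld = split_domain(domain)
    domains = {f"{variant}.{tld}" for variant in typo_variants(label)}
    domains |= {f"{label}.{alt}" for alt in alt_tlds if alt != tld}
    return sorted(domains)


if __name__ == "__main__":
    for candidate in watchlist(COMPANY_DOMAIN):
        print(candidate)
```

The output is a sorted list of candidate domains; checking each against WHOIS or a passive-DNS source turns it into an early warning when one of them is registered.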
7. Buy ads. One of his adsense ads said, “Do you know that this company is evil?” It would come up every time somebody typed the company’s site into google. He bought ads on every search engine out there. Once he started spamming and trolling the sites, he used more anonymous ways of purchasing ads. He would purchase the ads off of ebay or other systems that allowed for paypal payments. Although not as effective as adsense, it was still a pain in the company’s side. As most ads are legitimate, seeing his message in ads supported the validity of his cause.
8. Purchase Scripts? I left the vilest for last. In this guy’s case, it is what eventually led to his demise as well. Any coder worth his salt can write a blog spam script. Blogging against someone in the matter described here is typically to get revenge and not spamming to make money; thus, the only reason to use scripts is to directly torture and torment.
Blogging evil is likely illegal. I am no lawyer, but to write and spam for the pure damage it does to someone could be considered harassment. Depending on what you are saying, you might be committing slander or libel as well.
Although safely blogging evil is relatively easily done, the consequences if you get caught are very high. The disgruntled employee that I was hired to find will never work in his area of expertise again. He may have been great at hiding his tracks; however, his one slip-up has him blackballed from his beloved profession.