Welcome to my online cyber thriller, The Phisherman. If you'd like to learn more about the story and meet the three main characters, click HERE. If you’d like to start at Chapter 1, click HERE.
A note from the storyteller: This chapter is unlike most others in 'The Phisherman' because of its semi-technical bent. FYI, you're about to be a silent spectator to a darkweb auction (granted, it's been given many "bells & whistles" for dramatic effect). I've included footnotes explaining key technical terms in simple language + links if you want to learn more. You don't need to understand the terms to follow the story. However, they will help you understand a critical aspect of the darkweb economy & what many phishermen do in the real cyber universe.
You’ll also find the first of many music links. If you want to get into the character’s mood, click the link so the song plays as you read.
A brilliant flash of lightning lit up the narrow street, briefly illuminating row upon row of terraced, double-storey houses, cloned in build yet distinct in decor.
As the streak of white light receded, most of the houses gratefully returned to the silent darkness that cloaked the sleepers within. Despite the angry peals of thunder and the relentless battering rain, the occupants remained dormant, the windows remained dark, only lit from outside by the erratic lightning show that accompanied January in London.
A sole window differed. An upper room in number 17 emitted an eerie blueish glow.
Within that upper room’s square window, the light emanating from three massive computer monitors created flickering shadows that shifted and danced as they reflected the vast array of sci-fi collectables and obsolete computer components littering the small space.
To the dark-haired, scrawny man seated at the cluttered wooden desk, the cramped area filled with the smell of stale pizza boxes and the raucous sound of heavy metal was not merely an upstairs room in a rented townhouse. It was his sanctuary. Nobody could find him there unless they had a particular set of skills they could apply faster than him – something that was highly unlikely.
Yet, he didn’t consider his den to be a hideaway. Though the crowded chamber cloaked him from many who sought him, it also connected him with computers, clients and chumps across the globe. With his custom keyboard in hand, the phisherman could reach out and touch anybody through the world that was his domain: cyberspace.
Tonight, he hoped to connect with faceless punters who would pay top dollar for the opportunity he was selling. With any luck, it would be his largest sale yet.
Still, you know the saying: hindsight is 20/20 vision.
That was the core truth any angler could tell you. No matter how big you thought a fish was when you hooked it, you never knew what you had until you landed it. And as every angler knows, it’s the basis for many exaggerated stories of “the one that got away.”
Of course, the prey this phisherman’s tackle caught was larger than that of regular anglers. He hunted phish – they walked the land on two legs and were dressed in clothes, not scales. As for what type of phish were trapped, that was largely irrelevant. After the catch had been gutted and cleaned, all the buyers of the phisherman’s tackle cared about was the raw value they could extract from their hapless victims.
That was why the software exploit[1] he discovered two weeks ago was invaluable. It was like giving an angler a net instead of a line.
And I’ll even throw in some bait for the buyer to attract his prey, something millions of senseless mobile phone users worldwide will find irresistible.
Once the phish swallowed the lure by installing and running his customised game app, his hidden software would be activated on their smartphones.
Well, any phone is only as smart as its owner. And thankfully, many users are not smart when it comes to tech.
Then, whoever purchased his software could sit back and collect the money pouring in from the surge of suckers who entrust their lives to whatever apps they plug into from cyberspace.
And my exploit will find a lot of sucker phish!
Best of all, being a Zero-Day Exploit[2] meant that not even the developer of the software it attacked knew the exploit existed. That made his hacking kit highly attractive to buyers.
Nobody can stop it.
Of course, that would change once the purchaser started using it and the "good guys" became aware of it. Until then, only the darknet denizens invited into the anonymous world of underground auctions would know of its existence.
Unsurprisingly, the guarded announcement of his exploit kit’s auction had attracted plenty of interest in several underground chats over the previous few days. Thankfully, the details were kept discreet enough to prevent anyone from tracking the exploit.
So whoever wants to use it needs to purchase my kit. That means a higher price.
The hard work was done. All the phisherman needed was for the auction to attract the right buyers. If so, he would make more money from the sale of this kit than the average 9-to-5 worker earns in a year.
He was nervous when the time arrived for him to sign in to the auction room.
After putting on his favourite tee, he logged in.

Wot the?
He was amazed at how many registered bidders were participating.
Must be because I’ve never discovered such a significant exploit before.
The auctioneer welcomed everyone to the secure chat before handing the session over.
Effortlessly, the phisherman took control of the screen as he delivered a brief introduction via a digital voice generator that also provided subtitles.
“Today, I’m going to show you a new zero-day that attacks the world’s most popular smartphone OS. That means the successful buyer will have over a billion targets.”
Swiftly, he opened a split-screen for the viewers.
“You should all be able to see two windows. The left pane shows the command centre controlling how, where and when to activate the exploit. The other window has a smartphone emulator replicating one of your millions of cash cows.”
He slowly moved the pointer over various parts of the screen as he continued.
“As you can see from the command centre options, it’s easy to select when to activate the exploit, what targets to activate it on, and how much selected targets will need to pay.”
“Click here to set the payment option. It accepts multiple digital currencies across several anon crypto exchanges.[3] I’ll keep it simple and set it for Ethereum[4] via FortressEx.[5]”
“Lastly, clicking this tab lists current phish you’ve caught, along with their status. I’ve preloaded a few victims to demonstrate how it looks and feels. And you can easily change each person’s status from caught to locked or paid by clicking each individual’s button like this.”
After showing the options available for targets and how each status had a distinct colour, he clicked back to the main screen. By then, a few questions and comments had appeared in the chat box.
“Please hold your questions for now; I’m sure my demo will address most of your concerns.”
Seeing a lot of positive responses in the chat, he continued.
“So, let’s go through how to use my kit.”
“As with most passive phishing kits, you upload infected apps to the app store and wait for idiots to install one of them. For this demo, I’ll install my version of the current top downloaded game, though you know that the kit you’re bidding for today comes with three infected apps. And, as per the brief, the successful bidder can contract me for other specific apps if they choose, subject to negotiation of time and cost.”
Swiftly, he installed the bait app on the smartphone emulator in the right pane.
As soon as the game finished installing on the phone, the green number in the top right corner of the command console increased by one.
“As you can see, the counter at the top of the screen shows how many phones are infected.”
Clicking the counter, he explained, “And clicking the counter provides a breakdown of what type of phones have been hacked and their locations.”
“As you know, once people start reporting the attack, the zero-day value will diminish. So you’ll wait for many more victims before activating the locker. However, I’ll lock this victim on the right screen to demonstrate how simple and powerful my kit is. Time for the magic.”
With one press of a key, the application proceeded to encrypt the phone’s data: photos, messages, social media content, everything. The data he’d preloaded onto the phone emulator was encrypted within thirty seconds and no longer available for the phone’s user.
After the emulator’s screen locked with a message detailing how the user was to pay to get their data back, the chat box flooded with brief compliments. The bidders liked what they saw.
“Once the user transfers the required funds and they clear, simply click here to unlock their data.”
He hit another button on the control application for the specified user.
Within a minute, the phone was unlocked. The user’s data was available again.
Breathing a sigh of relief, he thanked everyone and handed the session back to the auctioneer. Thankfully, no bidders withdrew during the demo. He had piqued their interest.
Once the auctioneer resumed control of the auction, the bidding started.
The phisherman watched those first few seconds nervously. They were the moment of truth. They would reveal whether it was a big one or if he was merely dreaming.
It was evident from the first three bids in rapid succession that he'd hit pay dirt. He couldn't believe the price was over ten bitcoins[6] already.
That’s almost 70,000 pounds sterling – the biggest payday of my career.
However, the bidding was far from over. By the end of the first minute, five buyers were vying to own the rights to his software.
It made him proud.
If only my parents could see me now.
Then, remembering why he did what he did, he knew that would never be true. They would never be proud of him, no matter what he accomplished.
And that’s okay. I’m not proud of them either.
Pushing thoughts of his parents aside, he watched in agonised glee as the bids mounted, climbing higher and higher. The offers neared, then passed, 20 bitcoins.
Excitedly, he realised the price was as good as 140,000 pounds.
That’s US$180,000.
Unfortunately, all good things must come to an end. After a few furious minutes, the winner was decided – someone using the moniker p3rd1T10n. It was a play on the word “perdition.” However, that was irrelevant. All that mattered was the price p3rd1T10n offered for the phisherman’s software.
29.96 bitcoins.
He could not believe the final price. It was over 200,000 pounds sterling.
Un-be-lieve-a-ble.
After thanking the auctioneer and exiting the auction room, the phisherman sat back in his worn but comfortable black leather chair. He closed his eyes, revelling in the raucous sound of System of a Down screaming in the background. It was a perfect finale.
What a night.
He released a massive sigh of relief.
It was always nerve-wracking, waiting to see if the right buyers turned up to compete for the prize on offer. Thankfully, the auction was a success. He’d netted a more significant pay-off than expected.
His bank balance had never looked that good. He didn’t care that his parents had disowned him.
I can buy a new family.
And bugger them. I might even change my name.
His online moniker was far better than the pathetic title his selfish parents had saddled him with – Alan Watson.
Not that anyone in his world knew him by that name.
To them, he was Xenon135.
Or simply Z.
Thanks for reading my online serial. I hope you enjoyed meeting "The Phisherman," not that you know the one who is full of surprises. If you enjoyed this chapter, please click the heart-shaped LIKE button below. And if you have any suggestions to help make the story better or want to encourage me as a storyteller (either would be nice), please leave a comment.
[1] An exploit is how a hacker uses a vulnerability in a piece of software (typically the operating system or an app) to hack a computer device. When a hacker runs an exploit, whoever is being hacked won’t be aware that they’ve been hacked until the hacker performs an action outside of that program, for example, deleting files or changing a password. For an excellent description in everyday terms (and some great ideas on how to prevent them), refer to exploits [malwarebytes].
[2] A “Zero-day” exploit (ZDE) has not been discovered or fixed by the software’s developer. However, someone else (a hacker) has found it. That means a ZDE cannot be stopped, as the “good guys” don’t even know it exists. For more information, refer to zero-day-exploits [kaspersky].
[3] Crypto exchanges are used for buying, selling, and exchanging various digital currencies. For more information, refer to cryptocurrency-exchanges [investopedia].
[4] Ethereum is the 2nd largest digital currency, regarded by many “techperts” as the major challenger to Bitcoin.
[5] FortressEx is a mythical crypto exchange I’ve invented for my stories. If you want to see a real crypto-exchange, have a look at Binance – they include some good tutorials for you to understand how the crypto-world works.
[6] The events in this chapter occurred in mid-January 2020. At that time, 1 Bitcoin was worth around US$9,000 = €8,000 = £6,900 = AU$13,000.
This chapter was great! It’s not an easy task to make a software demo be that interesting using pure text!