New search engine Indexeus unmasks malicious hackers

library
crime | hacking | security

I don’t know if it’s because every hacker on the planet was frantically trying to look up their details before their enemies found them or what, but Indexeus, a new search engine that exposes personal data, was offline on Monday.

The site indexes user account information – such as email addresses, usernames and passwords – taken from over 100 recent data breaches, including the high profile Yahoo and Adobe breaches.

But the breached databases that Indexeus crawls are mostly from sites frequented by the very hackers themselves.

Indexeus was originally set up to sell record takedowns for $1 – or to solicit a so-called $1 “donation”, if you will, paid in Bitcoin, for every record users wanted to have purged from its index.

That $1 also purportedly bought an insurance policy against having information indexed by the search engine, in the event that future database leaks dribbled personal details out again.

Indexeus’s creators stated that the site’s purpose wasn’t to further dox data pertaining to the hackers (who’ve themselves doxed others’ data), but rather to grow and serve as some kind of educational tool or reference for law enforcers.

In fact, Indexeus’s target customers are unskilled hackers – also known as script kiddies, a term given to malicious hackers assumed to be juveniles who don’t yet know how to write their own programs or exploits and thus use scripts written by others to cause e-mayhem, such as defacing sites or attacking computer systems and networks.

According to security blogger Brian Krebs, Indexeus is dripping in irony and schadenfreude, with the majority of the databases crawled by the search engine being either from hacker forums that have themselves been hacked or from sites that rent out servers from which to launch denial-of-service (DoS) attacks – i.e., “booter services”.

Krebs characterised the people behind the service as “a gaggle of young men in their mid- to late teens or early 20s” headed up by Jason Relinquo, 23, from Lisbon, Portugal.

Krebs grabbed Indexeus’s raison d’être while the site was still live and kicking:

The purpose of Indexeus is not to provide private informations about someone, but to protect them by creating awareness. Therefore we are not responsible for any misuse or malicious use of our content and service. Indexeus is not a dump. A dump is by definition a file containing logins, passwords, personal details or emails. What Indexeus provides is a single-search, data-mining search engine.

In response to criticism, Relinquo recently stopped charging for information removal, and the site is going through other reforms, including free blacklisting and subscription-based searches, due to “some legal complications that I don’t want to escalate,” Relinquo said in a chat session with Krebs.

And, in the case of a minor, removal is “immediate”, he said – thus script kiddies are somewhat shielded from the fallout of their own youthful indiscretion, one assumes.

Still, questions abound: how would users would go about proving they’re rightful owners of records indexed by the service, for one thing?

Do some malicious hackers deserve to be protected because of their young age?

Will Europe’s Right to be Forgotten law force Indexeus to forget about the script kiddies it’s indexing? And will a service like Indexeus respect such a law?

Err… maybe, maybe not. After all, as Krebs notes, Indexeus’s creators set up the service to sell passwords to members of a forum frequented by people who use such things for malicious purposes.

Getting spooked by the Right to be Forgotten law or being solicitous toward under-aged hackers just doesn’t seem to fit the character profile.