July 18, 2014

Indexeus, a new search engine that indexes user account information acquired from more than 100 recent data breaches, has caught many in the hacker underground off-guard. That’s because the breached databases crawled by this search engine are mostly sites frequented by young ne’er-do-wells who are just getting their feet wet in the cybercrime business.

Indexeus[dot]org

Indexeus[dot]org

Indexeus boasts that it has a searchable database of “over 200 million entries available to our customers.” The site allows anyone to query millions of records from some of the larger data breaches of late — including the recent break-ins at Adobe and Yahoo! — listing things like email addresses, usernames, passwords, Internet address, physical addresses, birthdays and other information that may be associated with those accounts.

Who are Indexeus’s target customers? Denizens of hackforums[dot]net, a huge forum that is overrun by novice teenage hackers (a.k.a “script kiddies”) from around the world who are selling and buying a broad variety of services designed to help attack, track or otherwise harass people online.

Few services are as full of irony and schadenfreude as Indexeus. You see, the majority of the 100+ databases crawled by this search engine are either from hacker forums that have been hacked, or from sites dedicated to offering so-called “booter” services — powerful servers that can be rented to launch denial-of-service attacks aimed at knocking Web sites and Web users offline.

The brains behind Indexeus — a gaggle of young men in their mid- to late teens or early 20s — envisioned the service as a way to frighten fellow hackers into paying to have their information removed or “blacklisted” from the search engine. Those who pay “donations” of approximately $1 per record (paid in Bitcoin) can not only get their records expunged, but that price also buys insurance against having their information indexed by the search engine in the event it shows up in future database leaks.

The team responsible for Indexeus explains the rationale for their project with the following dubious disclaimer:

“The purpose of Indexeus is not to provide private informations about someone, but to protect them by creating awareness. Therefore we are not responsible for any misuse or malicious use of our content and service. Indexeus is not a dump. A dump is by definition a file containing logins, passwords, personal details or emails. What Indexeus provides is a single-search, data-mining search engine.”

Such information would be very useful for those seeking to settle grudges by hijacking a rival hacker’s accounts. Unsurprisingly, a number of Hackforums users reported quickly finding many of their favorite usernames, passwords and other data on Indexeus. They began to protest against the service being marketed on Hackforums, charging that Indexeus was little more than a shakedown.

Indeed, the search engine was even indexing user accounts stolen from witza.net, the site operated by Hackforums administrator Jesse LaBrocca and used to process payments for Hackforums who wish to upgrade the standing of their accounts on the forum.

WHO RUNS INDEXEUS?

The individual who hired programmers to help him build Indexeus uses the nickname “Dubitus” on Hackforums and other forums. For the bargain price of $25 and two hours of your time on a Saturday, Dubitus also sells online instructional training on “doxing” people — working backwards from someone’s various online personas to determine their real-life name, address and other personal data.

Dubitus claims to be a master at something he calls “Web detracing,” which is basically removing all of the links from your online personas that might allow someone to dox you. I have no idea if his training class is any good, but it wasn’t terribly difficult to find this young man in the real world.

Dubitus offering training for  "doxing" and "Web detracing."

Dubitus offering training for “doxing” and “Web detracing.”

Contacted via Facebook by KrebsOnSecurity, Jason Relinquo, 23, from Lisbon, Portugal, acknowledged organizing and running the search engine. He also claims his service was built merely as an educational tool.

“I want this to grow and be a reference, and at some point by a tool useful enough to be used by law enforcement,” Relinquo said. “I wouldn’t have won the NATO Cyberdefense Competition if I didn’t have a bigger picture in my mind. Just keep that in yours.”

Relinquo said that to address criticisms that his service was a shakedown, he recently modified the terms of service so that users don’t have to pay to have their information removed from the site. Even so, it remains unclear how users would prove that they are the rightful owner of specific records indexed by the service.

Jason Relinquo

Jason Relinquo

“We’re going through some reforms (free blacklisting, plus subscription based searches), due some legal complications that I don’t want to escalate,” Relinquo wrote in a chat session. “If [Indexeus users] want to keep the logs and pay for the blacklist, it’s an option. We also state that in case of a minor, the removal is immediate.”

Asked which sort of legal complications were bedeviling his project, Relinquo cited the so-called “right to be forgotten,” data protection and privacy laws in Europe that were strengthened by a May 2014 decision by the European Court of Justice in a ruling against Google. In that case, the EU’s highest court ruled that individuals have a right to request the removal of Internet search results, including their names, that are “inadequate, irrelevant or no longer relevant, or excessive.”

I find it difficult to believe that Indexeus’s creators would be swayed by such technicalities, given that  that the service was set up to sell passwords to members of a forum known to be frequented by people who will use them for malicious purposes. In any case, I doubt this is the last time we will hear of a service like this. Some 822 million records were exposed in more than 2,160 separate data breach incidents last year, and there is plenty of room for competition and further specialization in the hacked-data search engine market.


36 thoughts on “Even Script Kids Have a Right to Be Forgotten

  1. Canuck

    Law enforcement should make good use of this website.

    1. john

      Haha yeah right. Law enforcement has their own data they don’t need to pay some 2 bit criminal for it.

    2. The Shark™

      I love how arrogant this kid is. His interpretation of the law may be a little flawed in some areas, though.

      He’ll make a nice boyfriend once he’s released into gen pop.

  2. Uncovery

    I think it’s worth mentioning that you need to register on the site to perform a search.

    Further, I am wondering when the first “AI” search engine pops up that automatically attempts at doxxing people by entering their usernames.

  3. Unrequired

    I’m curious how this guy offers lessons on “SSN Look-Up” as a part of his mentoring service and thinks what he is doing is legal. I thought blackhat stuff like that wasn’t allowed on HF.

  4. Unnecessary

    Hahahahaha. I love you Krebs. Always showing the skiddies what’s up.

  5. Johnny Long

    I looked through the database and could not find emails that were known in the Adobe breach. Anyone else have this issue? I seem to remember that a company called CSID also provided the same service for hacked databases but not sure if they still offer it.

    1. JATny

      Yes, I agree! The skiddies always think they are the only ones who know what’s up. Time and experience count out here, too, even in cyberspace. I’m always amazed at how the kiddies think that mature people in this business can’t keep up. Also, it makes me sad to see how bright some of these kids are. If they would just use their talents positively. By the time they understand that square does not equal stupid, it’s often already too late. Great work, as usual, Mr. Krebs. You definitely know what’s up!

      1. JATny

        Sorry, I meant to reply to Unnecessary, not Johnny Long, and to other kiddie comments on the post. The Indexus list is a little scary from a consumer perspective.

        Time for a couple of anecdotes: some months back, someone at my job ordered concert tickets online with her debit card. The next day, her account was hit for $2K. Not certain at which point her info was compromised, but it was fast and she was lucky to get the perpetrator tracked to a college campus that cooperated. It was up in the air whether the crook was actually a student or had hacked the school’s system

        Last year, another colleague got hit by a couple of “kids” working at one of the local restaurants. Her account was tapped for $9-10K before it was stopped. These “kids” were found and arrested, but the victim is still feeling the effects of the ID theft.

        Both of these people threw their hands up at “these kids!” as if we were talking about cheating at baseball. Electronic and cyber theft are still viewed less harshly than “regular” theft. 822 million records? How many will it take to get some real action on this stuff?

  6. TheOreganoRouter.onion.it

    I checked out Indexeus, the site is a huge joke

  7. NotMe

    Nice list of sites indexed, and a very interesting read.
    Thanks again for keeping up the good work!

    I love chapter one.
    How does it go again? for 25 cents in late fees at the library…… I can get that same education.

    Now it’s no late fees and Google.

    Cheers.

  8. meh

    Doesn’t the premise of ‘future removals’ imply they’re still keeping their info laying around somewhere?

  9. Betan Testravosky

    Indexeus … one big ol’ giant scam. LOL I get more information from my toaster … which has the added benefit of toasting bagels. Indexeus can’t do that … or much else.

  10. Manoa Kahuna

    I heard your interview with Terry Gross.

    You were good.

  11. Rakesh

    Now Jason has his full name shown on ablog that exposes (mostly) frauds. I hope your future boss doesn’t look you up on the internet.

  12. Name

    Rescator pops up in Indexeus. I wonder what database they got his info from.

  13. Dancho

    Brian! Come home already i need my husband back!

  14. Dennis

    The site appears to have been hacked already krebs.

    1. john

      wait, no indexeus.net is bonged. indexeus.org is okay.

      1. john

        Yes. You are right. All extensions are bonged.

  15. Nick P

    He won the NATO competition and tells people how to avoid being doxed. Yet, you were able to quickly locate him on Facebook… LOL. Nice burn yet again Krebs.

    1. someone

      He won the competion which involved writing one sentence about how NATO could protect your security… a joke!

  16. Reader

    Damn. Based on the headline, I was expecting a story with philosophical musings on law, technology, privacy, second chances, and the errors made in our younger years. I’m kind of sad that it’s not.

    The headline should have been “Scammers blackmailing scammers.” :-/

  17. Jason

    I love the ego and sense of grandiosity these script kiddies have about their projects and “accomplishments”. It’s so incredibly funny. They’re the laughing stock not only of the information security community, but are jokes even to random spectators.

    It’s like a combination of wannabe e-thugs mixed with the long-lasting art of pretending to know how to “hack”.

  18. Kyle

    booters = powerful servers? hardly.

    but chances are these are just all the same script kiddies only gone rogue amongst original rogues. they no doubt leech off of leaks, not their own, instead of doing the dirty work. The simple fact, too, that they are not giving to law enforcement or doing research with it, and instead, plan to make a buck, is script kiddy nature.

  19. Soufiane Tahiri

    I think we are witnessing the birth of a new gneration of script kiddies lol

  20. D

    i don’t think any of you commenting actually know what a script kiddie is.

Comments are closed.