undefined | Better HN

0 pointstyingq8y ago0 comments

Hundreds of millions, per year, to a single exploit specialist, is. Not arguing your general point of financial benefit for world class exploit specialists. Just arguing the scale.

The most famous one I'm aware of got $100M over two years and didn't get to keep it. http://fortune.com/2017/04/27/facebook-google-rimasauskas/

0 comments

3 comments · 1 top-level

ryanlol8y ago· 2 in thread

Sure, I would expect that most people doing this sort of work don’t actually work full time.

But the amounts of money you could steal with relatively little work are truly immense.

>The most famous one I'm aware of got $100M over two years and didn't get to keep it. >http://fortune.com/2017/04/27/facebook-google-rimasauskas/

This guy seems to be the polar opposite of a world class exploit dev, but he got pretty far.

However he was also a pretty small player, I’m on my phone now but I’ll try to post some useful links in the morning.

tyingqOP8y ago

>This guy seems to be the polar opposite of a world class exploit dev

Stealing $100M over two years from FB and Google? Sounds world class to me. Social engineering isn't an inferior skill to actual code exploits.

ryanlol8y ago

>Stealing $100M over two years from FB and Google?

Yeah, I think at this point the largest actors in this field have stolen $1B+ just by themselves.

>Social engineering isn't an inferior skill to actual code exploits.

For this specific purpose it probably is. With a single webmail exploit you could trivially be stealing similar amounts in days from vast numbers of businesses. All you need to do is automatically (or manually) replace bank account information in the emails. This is a relatively simple task to automate.

A $20M wire being sent to some random bank account copypasted from OWA is nothing out of the ordinary. There are thousands, probably tens of thousands potential targets.

At least the FBI seems to think that these email compromises are a 5 billion dollar industry, https://securityledger.com/2017/05/fbi-business-email-compro... We haven't even seen any fancy 0days being used yet, the whole industry is prime for disruption by more sophisticated, more efficient actors.

In the face of all this it really seems hard to argue that a world class exploit dev couldn't be earning hundreds of millions a year with relative ease.

j / k navigate · click thread line to collapse