Dutch Developer Added Backdoor To Websites He Built, Phished Over 20,000 Users

An anonymous reader quotes a report from BleepingComputer: A Dutch developer illegally accessed the accounts of over 20,000 users after he allegedly collected their login information via backdoors installed on websites he built. According to an official statement, Dutch police officials are now in the process of notifying these victims about the crook's actions. The hacker, yet to be named by Dutch authorities, was arrested on July 11, 2016, at a hotel in Zwolle, the Netherlands, and police proceeded to raid two houses the crook owned, in Leeuwarden and Sneek. According to Dutch police, the 35-years-old suspect was hired to build e-commerce sites for various companies. After doing his job, the developer also left backdoors in those websites, which he used to install various scripts that allowed him to collect information on the site's users. Police say that it's impossible to determine the full breadth of his hacking campaign, but evidence found on his laptop revealed he gained access to over 20,000 email accounts. Authorities say the hacker used his access to these accounts to read people's private email conversations, access their social media profiles, sign-up for gambling sites with the victim's credentials, and access online shopping sites to make purchases for himself using the victim's funds.

Re:

[tattood]

This proves the importance of using different passwords for every online service you use.

I knew it!

[Anonymous Coward]

There are two kinds of people in this world I hate.

Those that are intolerant of other people's cultures and the Dutch.

Re:

[Mr D from 63]

There are two kinds of people in this world I hate.

Those that are intolerant of other people's cultures and the Dutch.

How about people who don't know what "phishing" means?

Re:

[gnick]

Obviously, phishing means hacking and hacking means "stealing with a computer." What other definitions could there possibly be? Duh.

Re:

[gweihir]

I get it! You mean to say in a circumspect way that you are Dutch! Nice!

Re:

[TechyImmigrant]

There are two kinds of people in this world I hate.

Those that are intolerant of other people's cultures and the Dutch.

I met a drunk Dutch guy in Seattle last week. He was quite the bore.

Re:

[Oswald McWeany]

I think he's my doppleganger because a lot of women say his name when they meet me.

Re:

[tattood]

People think I am weird if I don't like to create an account if I can help it and often don't use a service if it forces the issue for some nebulous reason.

Then stuff like this happens. Again. And even more services force account creation.

Even if you don't create an account, the company still has your name, email and mailing address, and credit card info if you actually bought anything. That is why I only use virtual credit cards on websites, or PayPal.

Why not name him?

[haruchai]

He's been in custody for over 6 months and is not a minor so why keep his name a secret?

Re:Why not name him?

[Anonymous Coward]

The Dutch never reveal the names of the accused, even after they are found guilty after trial, has to do with the privacy laws.

Re:Why not name him?

[ctilsie242]

As a devil's advocate, it can be argued that other than a direct victim or people who are affected by the criminal's actions, keeping the names of people arrested private isn't such a bad thing. It is a better system than here in the US where as soon as someone is booked, that info goes into hundreds of databases, and even if charges are dropped or the person is found innocent, the arrest record is still public, and can affect finding work in the future. It just might be that the public humiliation of having some peccadillo be forever branded into a person's virtual hide is far greater a punishment than the offense requires.

Re:

[Ravaldy]

Why would we want to give any wiggle room to those who, of their own will opted to be malicious? Isn't trust earned? Why should they get a free pass after screwing up royally?

IMO going to prison is just part 1 of a 2 phase process. Re-integration is probably the hardest part because now you need to earn people's trust again.

Re:

[ctilsie242]

What wiggle room? The justice system here in the US is a meat grinder that destroys lives, even people who were innocent. Take NYC, for example. Someone gets arrested for jaywalking. Unless they bond out, they are going to be staying at Riker's for over a year until trial. Even after trial, if they are found lily-white innocent, their lives are ruined. They are most likely evicted, their job is long gone, and any vehicle they had is either repossessed or impounded and sold.

What do we want in the US, a

Re:

[Opportunist]

Not really. Unless you want to detain him forever.

Else you're one day going to release someone whose only possible career is one as a criminal. Is that what you want?

Re:Why not name him?

[mwvdlee]

Because you want to be able to punish ex-criminals after he has received his punishment according to the law?
If a criminal is released from prison, it should be assumed he won't commit crimes again.
If you assume an ex-prisoner will commit crimes again, your prison system isn't working.

Re:

[slashrio]

Well, we all know whom the US prison system in reality is for.
Hint: it has to do with financial gain.

Re:

[Oswald McWeany]

I thought I read the US was abolishing all private prisons.

(because what you said, was correct).

Re:

[haruchai]

I thought I read the US was abolishing all private prisons.

(because what you said, was correct).

That may not be as big a deal as it sounds .....http://www.mockingbirdpaper.com/content/abolishing-private-prisons-biggest-lie-economic-recovery

Re:

[gnick]

If you assume an ex-prisoner will commit crimes again, your prison system isn't working.

At least in the U.S., it's a good bet that a criminal will re-commit. This may be a sign that the prison system isn't working, but it doesn't change the fact that we have a recidivism rate [nij.gov] of over 50% in the first year after release alone.

That said, if we don't give "rehabilitated" convicts the benefit of the doubt after "paying their debt," we're pretty much guaranteeing that they'll have to return to crime. Convicts do need the ability to escape their criminal past.

Re:

[thegarbz]

That's where they go wrong. (seriously)

With crime, criminality, and incarceration rates at a fraction of the USA, to borrow some popular culture references: if this is wrong I don't want to be right.

Re:

[Desler]

What if the person was wrongfully convicted and later determined to br e innocent?

Re:Why not name him?

[gweihir]

They don't. They just have realized, like any civilized country, that punishment is the task of the state and _nobody_ else. Hence they do not release names. This is actually pretty standard in Europe.

Re:

[Anonymous Coward]

Uh huh. Which is why the recidivism rate in the Netherlands is more than 20% lower than in the US?

Re: Why not name him?

[Anonymous Coward]

Because he's not yet been found guilty, and some cultures take a more enlightened approach than others when it comes to destroying potentially innocent lives via the judicial system.

Think he'd ever find work again, if found not guilty, but named all over Google anyway?

Re:

[Anonymous Coward]

I also like keeping guilty people anonymous simply because it seems like in todays celebrity driven culture there's some portion of the population who will do anything to become famous, including doing some quite heinous crimes. Lets not turn criminals into minor celebrities and make them look as cool as possible. I remember looking at the front page of CNN thinking "is it really appropriate to be using the ISIS glamour shots on the front page? Are you trying to make them look as cool and bad ass as poss

Re:

[ctilsie242]

I remember back in the 1980s, as soon as the press stopped naming people in public who committed suicide, the amount of public suicide pacts and other items went down. What bothered me about the press wasn't the fact that a mass murderer was named. A few years ago, there was a mass shooting at UCSB. The shooter was not just named, but his writings and his YouTube videos were published, and the press spent most of the holiday going through his life like a biography of a hero. What the press should have d

Re: guilty people?

[slashrio]

He's a suspect. He will only become guilty when the judge has ruled so.

Re:

[hcs_$reboot]

Because nobody here can pronounce it.

Re:

[Ol Olsoc]

Because nobody here can pronounce it.

Hmmm, not sure if +1 funny, or +1 insightful........

Re:

[Oswald McWeany]

Dutch is easy- it's just German looking words pronounced as if they were English words. Dutch to me always sounded like "fake German" being spoken by an English speaker.

Re:

[mwvdlee]

You're asking the wrong question.
Why ever release his name at all?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[gweihir]

Because it is not the US and civilized countries have laws that protect the identities of people that are not yet convicted?

Re:Why not name him?

[Holi]

Wow, what's the recidivism rate in Europe compared to America? Yet you seem to think there system is worse then our lock up everyone we don't like policy.

Sorry but an American critiquing anyone else's prison system is the height of hypocrisy.

Re:Why not name him?

[Desler]

Considering the US has the highest recidivism rate, around 76%, in the world, the EU countries by definition are doing better. Norway, as an example, has the lowest recidivism rate, around 20%, in the world.

http://www.businessinsider.com... [businessinsider.com]

Re:

[Anonymous Coward]

Well of course the US has the highest recidivism. We lock people up - often for minor crimes - and then we allow employers to ask if they have ever been convicted of a crime. With a checkbox on an employment application. Duh! Nearly nobody will hire a person who checks the box. And if they don't check the box, a background check finds that they are lying and they still won't be hired. So of course you are going to do more crime if you cannot work to make a living. You aren't just going to say, "well, I scre

Re:

[Opportunist]

That's what you get when you base your justice system on the idea of revenge.

Re: not obvious to law makers

[slashrio]

It is obvious to them, but on the other hand there are the re-election contributions from lobbying prison-organisations that stand to gain from more prisoners.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Desler]

#1 in the world! USA! USA! USA! /sarcasm

Re:

[david_thornley]

As an employer, why would I want to hire someone with a criminal record? If that person does hurt someone else while working for me, I'm likely to be sued for providing an unsafe work environment by deliberately hiring someone with a criminal record. It's safer to reject the applicant and hope none of the crimes we're forcing him to commit just to survive have an impact on me.

If I couldn't know if there's a criminal record when making the hiring decision, or if I were confident of not being liable if s

Re:Why not name him?

[Ol Olsoc]

Considering the US has the highest recidivism rate, around 76%, in the world, the EU countries by definition are doing better. Norway, as an example, has the lowest recidivism rate, around 20%, in the world.

Hey! We pour the most money into our prison system, so it must be the best.

Sad to say, the get tough on crime crowd in conjunction with the war on drugs, has turned the US Prison system into insanity. Then there is the aspect of money, which in some cases gets you three months for sexual assault rape, http://www.cnn.com/2016/09/02/... [cnn.com] versus getting 50 years for stealing a rack of ribs. http://www.huffingtonpost.com/... [huffingtonpost.com]

And yet, the people who think that what amounts to a life sentence for stealing food is a fine idea, almost universally don't want to pay for that incarceration.

We're Kookoo for Cocoa-Puffs some times.

Re:

[mwvdlee]

Hey! We pour the most money into our prison system, so it must be the best.

Your prison companies will be happy to make your prison system even better by increasing their profit margins.

Re:

[Ol Olsoc]

Hey! We pour the most money into our prison system, so it must be the best.

Your prison companies will be happy to make your prison system even better by increasing their profit margins.

Hard to imagine that people could not figure out that in a corporatocracy, that applting the profit motive to incarcerating humans would not lead to demands and baksheesh to incarderate more humans. If you have to make more profit every quarter, you need more prisoners, for longer periods of time. The most contradictory thing about that, is that you need to take care of the prisoners so that they live as long as possible, maximizing the profit per prisoner, while the get tough on crime crowd wants them al

Re:

[Desler]

We're #1! We're #1! /sarcasm

Re:

[Ol Olsoc]

How bad do things have to get for America to get their shit together?

I think we've had a really bad memory leak, and regardless, have voided our warranty.

Re:

[Desler]

Trying to shift the goalposts. How cute...

Re:

[Desler]

Weak trolling is weak.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[The-Ixian]

What I don't understand is why he needed "back doors".

During the course of work (obviously depending on scope) you may need access to sensitive information: admin passwords, internet utility bills, access to admin e-mail accounts (postmaster, webmaster), employee rosters, internal topology information, router passwords, the list goes on. All of this stuff is usually handed over without a second thought.

I have known these details and more for many local companies in my course of work. I have never abused tha

Re:

[IRGlover]

He was using the accounts of the USERS of the websites, not the OWNERS. Putting in a backdoor would mean that even when the admin passwords are changed, he would still have access to the data. Also, a backdoor likely also gives a level of plausible deniability to deflect suspicion should a 'hack' ever be spotted internally - "it can't have been me. I never had access to the live server. I just gave you the code to deploy yourself".

Re:

[volodymyrbiryuk]

There is an interesting talk by Robert C. Martin on a similar topic: http://developeronfire.com/pod... [developeronfire.com]! The registration will probably lead to more bureaucracy to the point where we will have "regulation bodies" who exist for their own sake.

Re:

[Oswald McWeany]

You can probably add Slashdot to that list. They are collecting all our opinions about Trump, AI being real, and the slashvertisement of the day and are going to use that information against us.

Re:

[Megol]

The original meaning? Which of them? That some people are hacks?

Words can have multiple meanings and commonly do. Words also change meaning (or accumulate more meanings). There is no problem accepting people can be hacks, that there are many elegant hardware hacks, that some people are excellent hackers and that some people are hacking into other peoples computers. Not for me anyway, YMMV.

Re:

[Ol Olsoc]

Why do they continue to call these people hackers?

I hear Xanax is now being prescribed for Pedantic Anxiety Syndrome. Ask your Doctor if Xanax is right for you!

Re:

[Ol Olsoc]

My doctor prescribed me Xanax and I feel great.!..!.!;$:)/);&;@:):63$;@/@/);),6$3@/@dhshxhfkkchehdud

Whoa, sorry I just blacked out and fell asleep with my head on the keyboard. What was I saying? I can't remember.

You were saying "Life is damn good!" 8^)

Oh that is just textbook xkcd...

[teslar]

https://xkcd.com/792/ [xkcd.com]

Re:

[Holi]

Comic from 2010, gotta wonder if that is where the idea originated.

Re:

[chihowa]

Why is xkcd (through fastly) still using a cert signed by a revoked intermediate CA? Isn't three months [globalsign.com] long enough to sort that out?

Re:

[chihowa]

OK, it looks like the fix for them accidentally revoking their certificate was just to un-revoke it and pretend that it never happened. Clearing my OCSP cache [globalsign.com] "resolved" the issue. That whole affair really reinforces my faith in the CA system.

Re:

[Quirkz]

"Since March of 1997 I don't really believe in anything." That's oddly specific. Curious if he's referencing a specific thing/event, or if that's a callback to a personal moment of truth, or just a weirdly detailed joke?

Re:

[ChoGGi]

However, he reveals that "since March of 1997" he doesn't really believe in anything. This could possibly refer to the March 26, 1997 incident in San Diego, California, where 39 Heaven's Gate cultists committed mass suicide at their compound. It is a plausible explanation, since one of them was the brother of Nichelle Nichols (a Star Trek actress), so the event got a big resonance in nerd circles (and Randall often refers to Star Trek in xkcd). However, given Black Hat's strange behavior, it could be anything, even Bill Clinton banning federal funding for human cloning research.

https://www.explainxkcd.com/wi... [explainxkcd.com]

EULA

[wardrich86]

Should have just added a line to the EULA that he would be able to gain access to your account(s) if you register. Nobody reads the EULA, and there'd be no case against him because it would be in the EULA.

This should also set the precedent that the government can be arrested if they put backdoors into things... of coursehttps://yro.slashdot.org/story/17/01/18/0527225/dutch-developer-added-backdoor-to-websites-he-built-phished-over-20000-users#, that will never happen. Nothing is illegal if the Government

Re:

[Opportunist]

Dude, if you start dressing as a woman in a male prison, you better be serious about it...

Re:

[Oswald McWeany]

I'm not even sure how one would go about "dressing up" as a woman in prison. It's not like prison uniforms come a wide variety of fashion styles that prisoners get to pick.

"Oh, like, this orange jumpsuit is so, tacky. I'll try the black and white stripes, it is so slimming and fabulous, like, oh, I can add this red belt as an accessory, that would be like, so rad."

The town name just was too funny.

[MensaMoron]

He is a Sneak Thief from Sneek.

What Backdoor?

[coofercat]

Anyone know how he got the information out of the sites he'd created? How did he 'install some scripts'? And even then, how did he get the data out?

I realise that if you're hiring someone like this you might not be so-inclined to watch logs and whatnot, but there must be some sort of trail left by his accesses.

Re:

[The-Ixian]

My guess is that he had the credentials to legitimately log in to the web hosts and make whatever changes he wanted.

In the tradition of: "you touched it last, it's yours", many professional web dev outfits will also just take the role of web server maintainers (even if they typically suck at that job) or, at the very least, hang on to the web host credentials in case the client comes back to them with problems or changes.

If you are the web dev, you could very easily, for example, e-mail yourself in addition

Re:

[LordWabbit2]

Clearly you are not a developer. All you would have to do is create webpage which when you pass it a certain variable pops up a form to upload something and run it on the server. The webpage does a legitimate task (registration for instance) but if you access it with webpage.php?action=registers instead of webpage.php?action=register it jumps to a separate section and allows you to upload a file etc. Even if someone were to give the site a once over it would be hard to pick up. To make it even more secu

Re:

[coofercat]

You're right - I'm a devops, so I know a lot about sysadmin, and a bit about dev. I know he *could* do all those things, but I was looking to find out what he did do, and how he covered his tracks (if at all). I doubt most of the site owners would be checking /var/log/audit logs or /var/log/nginx/access.log or whatever, but if they had been, would they have been able to see something going on?

It my impression that most criminals aren't nearly clever enough. He *could* have written scripts to snaffle the dat

Re:

[swb]

It my impression that most criminals aren't nearly clever enough.

Maybe small-time criminals like home burglars or armed robbery people aren't clever enough, but someone capable of delivering a working e-commerce site? I'm assuming there that all the cleverness required to pull it off is built-in.

My question is -- they caught THIS guy, but how many have done the same thing and not gotten caught? There's possibly millions of e-commerce sites out there written by people with nobody looking over their shoulder and not enough resources for someone to check for something lik

Re:

[LordWabbit2]

The clever ones are not criminals, they get away with it. There are some scary smart people working on the trojans etc. out there. Some of the stuff is hand coded in assembler, which they structure in such a way that the usual debuggers get confused and either crash or start following the wrong path, all just to make it more difficult for the white hats to figure out how to shut down the botnet.

Re:

[coofercat]

Right - so back to my original question... what *did* he do?

Re:

[LordWabbit2]

I doubt he did any of this on a major FOSS projects main trunk, it would definitely have been picked up there. He could have modified a WordPress site to add the functionality / backdoor and deployed that directly onto the server. No one would think to check that the code was not standard. I doubt he did that though, since they have an update function which would have wiped out his backdoor. I suspect this was all custom code, probably some cookie cutter website he used with a lot of his clients.

Hello Mr. victim

[SpaghettiPattern]

Hello Mr. victim. It is me, Steffen van der Hast-Gracht of the Amsterdam police. Wiz my partner and also I am very happy to say my lover Ronald. I am terribly sorry to inform you zat you haf bin vukked ofer ze Internet by some ferry dubious person stemming from Ze Nezerlands. Vee haf already prepared ze forms for you to fill in so zat you can claim insurance, psychological help and absent time from yor wurk. Vee also made petition on ze Internet for you to arrange a silent march over ze canals. You ken bye

Back door unneeded

[CODiNE]

Could have just left a couple vulnerabilities sprinkled in odd places and used poor hashing practices. He'd have complete deniability as it looks just like 90% of websites out there.

Just like roaches. If

[Mark Stewart]

you see one there must be hundreds. There has to be other developers who have installed backdoor into the web sites they built. You should have your web site source code checked for a backdoor..