I met the 16 year old Hacker who took down StayUncle for Rs. 5000

met the 16 year old Hacker who took down StayUncle for Rs. 5000
A balmy Saturday afternoon in Delhi’s Connaught Place. Cut to an up-market café in the Inner Circle. It’s too early for the evening’s party crowd. Young couples fill most seats, cooing sweet nothings. The smell of hookah lingers. My guest is a hacker. He recently took down an entire travel startup. Ever heard of StayUncle? Yeah, them.

For the uninitiated, this New Delhi-based startup has tied up with hotels. Unmarried couples can rent rooms here for a duration as short as 8-10 hours. The idea here is to help them find affordable accommodation, minus the judgmental stares.

My chap arrives. Nope, nothing like Hollywood. No hoodies, no hesitation, no mystery music in the background. He’s a 16 year old school kid. I offer him a seat, positively shocked. What followed would make for a killer film-script.

“I got a call. He asked me to take down StayUncle and offered Rs. 5000 ($75) in return. I did it at 11 pm that night. 30 minutes in, I started reading about them (StayUncle). It was a noble idea. I stopped the attack mid-way, and contacted Sanchit. The employer called me several times the next morning. I didn’t pick up his call ever again.”

This lad had taken down more sites than he can recall. I ask him how it feels to work as an online mercenary, accepting money from anonymous clients. “It’s common in the field of hacking. My targets are usually individual sites. They run on free hosting. This was the first business site I took down.”

While this may startle most of us, he says getting these 'assignments' isn't really tough, mentioning a forum where such work is readily available, HackForums. It’s an online forum to connect with a ' h4x0r' (hacker). Drop in a message. Someone accepts your assignment. Once the job is done, you pay the money. This is one among hundreds of such forums, and it’s not even Darknet.

“Everybody is anonymous. People are known only by their usernames. I typically never disclose my number. I just do my initial research, and quote the price. This guy asked if I was Indian, and then for my contact number.”

StayUncle founder-CEO Sanchit Sethi confirms the incident. “It was 18th of April this year. I got a call from a hacker. He admitted to taking our site down, and that he was hired by one of our competitors. He said they might do it again.”

Well, they did. StayUncle’s website was pulled down by another brute-force attack a month and a half back.

“We were going crazy. Finally, I asked help from one of my cousins, a senior tech guy. He found all our ports were shut down, our securities disabled. Thankfully, our database was safe. Somebody clearly hacked into our systems again”, Sethi says.

This isn't the first time. App-based taxi hailing service Ola was allegedly hacked by a group by the name ‘TeamUnknown’. Ola denied its database was ever breached and that any hacker group ever contacted them. It did admit though that the test server, which is used internally, had been hacked. In recent months, hackers have exploited security flaws in several other Indian startups including online restaurant search provider Zomato and music streaming app Gaana. Most Indian startups still remain apprehensive of ethical hackers.

My guest says brute-force attacks don’t help now. “A Paytm, Flipkart or Snapdeal has multiple servers. If one goes down, the other takes off. That’s server rotation. If you don’t have a lot of servers, you can’t take down theirs”, he observes.

The hour seemed to pass in the blink of an eye. My guest stood up to leave. We shook hands and parted.

A simple Google search will reveal a breeding ground for script kiddies. Most have little knowledge of the tools they use or how they work. These are ready-made and easily-found tools on the internet that can do some serious harm. The more hardcore ones can dedicate hours a day scanning the internet for computers that are vulnerable to a security hole. They can then exploit that and use what is known as a 'rootkit' to give them 'root' (or total control) over a computer.

With the likes of Ola and Paytm waking up to the value of bug bounty programmes, denial seems to be in the air. As evening fell, I couldn’t help but feel worried.

In an age where you can set up shop at the touch of a button, that’s all it takes to bring down one as well. A guy, a laptop, and 5000 bucks.

Image Source