What’s worse than Dracula sucking out your lifeblood? Dracula sucking out your lifeblood, bottling it and trying to sell it back to you.
The cyberbloodsucker in this case is David W. Kent, the man who in 2000 founded a recruitment and networking website, Rigzone, for professionals in the oil and gas industry. Ten years later, he sold it for a gushing geyser’s worth of money: DHI Group bought Rigzone off Kent for $51 million.
Four years after the sale of Rigzone, Kent slipped back into the site with an eye on a second windfall, using a number of cyber doors he’d left open during his tenure.
According to court documents (PDF), Kent also set up at least one employee to work at scraping all the member data from Rigzone. Next, he used the ripped-off Rigzone members’ details to plump up membership for his new site, Oilpro.com, which was in the same gas and oil business.
It gets better: next, Kent tried to entice DHI into buying the ripped-off members he’d stolen from them, offering to sell Oilpro to Rigzone.
Kent emailed the Rigzone CEO in October 2015. His sales pitch was classic marketing brag: Oilpro’s membership of 540,000 had been grown by “LinkedIn style growth hacks” – in other words, Oilpro asked its members to upload their LinkedIn contacts and invite them to join Oilpro. In November, he told Rigzone that Oilpro had “a half dozen strategies that work well and are repeatable”. Plus, he later said, Oilpro was advertising on another site, Indeed.com.
In his conversations with Rigzone, Kent somehow neglected to mention his most effective strategy of all: waltzing into Rigzone’s database and sucking it dry. For this bundle of ripped-off members, Kent was looking for something like a $20m payoff. At least, that’s what he claimed that Oilpro had been valued at.
Michael Durney, president and CEO of DHI Group, said that the company smelled a rat – detecting unauthorized access to proprietary Rigzone information in early 2014.
According to the complaint, the tip-off was a Rigzone member who called customer support, asking why they’d received an email solicitation to use Oilpro’s services, even though they’d never provided any information to Oilpro.
Rigzone set up a honeypot to figure out who got into its members database. Namely, it set up two fake accounts in the database. Neither had a public-facing profile; all they had were names and email addresses that were only available through Rigzone’s members database.
Well, what do you know: in spite of not appearing anywhere publicly, both of the fake accounts were solicited, via email, to join Oilpro.com. As the criminal complaint describes, the access came from IP addresses registered to Oilpro and to Kent’s home address. Between 2013 and 2016, Kent and at least one of his Oilpro employees accessed Rigzone’s data multiple times without authorization, slurping up details from more than 700,000 customer accounts.
The first round of hacks took place sometime between 17 October 2013 and 15 April 2014.
The rate at which the Rigzone site received requests “suggests very strongly that they were sent using an automated computer program,” FBI Special Agent Evelina Aslanyan wrote in the complaint. They used a command to access resumes that had been “crafted to exploit a piece of source code unique to [Rigzone]”: one that was known only to a few individuals, including Rigzone’s founder, David Kent.
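The two detection signals in this story are worth seeing as code: the honeypot accounts (records that exist only in the private members table, so any outside party who contacts them must have read that table) and the request rate that gave away an automated scraper. The following is an added example written for this article, not code from Rigzone, DHI or the FBI complaint. The canary addresses, the solicitation records and the access-log lines are all constructed; the per-minute threshold and the sequential-ID heuristic are assumptions chosen for illustration, not values from the case.

```python
"""Two scraping-detection checks: tripped canary records and automated request patterns."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed canary (honeypot) records. They have no public profile, so a
# solicitation sent to one of them means the sender read the private table.
CANARY_EMAILS = {"canary.one@example.invalid", "canary.two@example.invalid"}

# Constructed solicitations reported by members to support: (sender, recipient).
SOLICITATIONS = [
    ("invites@competitor.example", "canary.one@example.invalid"),
    ("invites@competitor.example", "real.member@example.invalid"),
    ("newsletter@partner.example", "canary.two@example.invalid"),
]

# Constructed access-log lines (Apache common-log layout). 203.0.113.10 walks
# resume IDs in order at machine speed; 198.51.100.7 looks like a person.
LOG_LINES = """\
203.0.113.10 - - [17/Oct/2013:02:14:01 +0000] "GET /resume/view?id=1001 HTTP/1.1" 200 5120
203.0.113.10 - - [17/Oct/2013:02:14:01 +0000] "GET /resume/view?id=1002 HTTP/1.1" 200 5122
203.0.113.10 - - [17/Oct/2013:02:14:02 +0000] "GET /resume/view?id=1003 HTTP/1.1" 200 5098
203.0.113.10 - - [17/Oct/2013:02:14:02 +0000] "GET /resume/view?id=1004 HTTP/1.1" 200 5131
203.0.113.10 - - [17/Oct/2013:02:14:03 +0000] "GET /resume/view?id=1005 HTTP/1.1" 200 5104
203.0.113.10 - - [17/Oct/2013:02:14:03 +0000] "GET /resume/view?id=1006 HTTP/1.1" 200 5117
198.51.100.7 - - [17/Oct/2013:02:14:10 +0000] "GET /resume/view?id=1500 HTTP/1.1" 200 5090
198.51.100.7 - - [17/Oct/2013:02:19:44 +0000] "GET /resume/view?id=2048 HTTP/1.1" 200 5111
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def tripped_canaries(solicitations, canaries):
    """Return {canary_email: {senders}} for every canary that received a solicitation."""
    hits = defaultdict(set)
    for sender, recipient in solicitations:
        if recipient.lower() in canaries:
            hits[recipient.lower()].add(sender)
    return dict(hits)


def parse_log(text):
    """Parse log lines into events: client IP, timestamp, and the numeric id= parameter if any."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        id_match = re.search(r"[?&]id=(\d+)", m["path"])
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "id": int(id_match.group(1)) if id_match else None,
        })
    return events


def profile_clients(events, rate_threshold=5, min_steps=3, seq_threshold=0.8):
    """Per client IP, compute peak requests in any one minute and how often the
    requested ids advanced by exactly one. Thresholds are constructed assumptions."""
    per_minute = defaultdict(lambda: defaultdict(int))
    ids = defaultdict(list)
    for ev in events:
        per_minute[ev["ip"]][ev["ts"].replace(second=0)] += 1
        if ev["id"] is not None:
            ids[ev["ip"]].append(ev["id"])
    report = {}
    for ip, buckets in per_minute.items():
        seq = ids[ip]
        steps = [b - a for a, b in zip(seq, seq[1:])]
        seq_ratio = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
        peak = max(buckets.values())
        report[ip] = {
            "peak_per_minute": peak,
            "sequential_ratio": round(seq_ratio, 2),
            "automated": peak >= rate_threshold
            or (len(steps) >= min_steps and seq_ratio >= seq_threshold),
        }
    return report


if __name__ == "__main__":
    for canary, senders in tripped_canaries(SOLICITATIONS, CANARY_EMAILS).items():
        print(f"canary {canary} contacted by {sorted(senders)}")
    for ip, stats in profile_clients(parse_log(LOG_LINES)).items():
        print(ip, stats)
```

The canary check is only as good as the secrecy of the canary records: they must never appear in exports, public profiles or marketing lists, or a hit stops meaning "someone read the private table". The rate profile is deliberately simple; in practice the thresholds would be set from a baseline of normal member behaviour rather than the constructed values used here.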
The Register quotes a transcript of Kent’s acknowledgement of his wrongdoing, in which he explained to the judge that he didn’t abuse anyone’s password:
The web pages I accessed didn’t necessarily have a log-in feature but I do believe I accessed those web pages without authorization.
The FBI arrested Kent in March 2016.
On Friday, Acting Manhattan U.S. Attorney Joon H. Kim said that Kent had been sentenced in Manhattan federal court to one year and one day in prison for intentionally accessing a protected computer without authorization.
$51m wasn’t enough for Kent? Some people take greed to a whole new level.
So, you’re sayin’ that Kent drank their milkshake.
Nice work with the honeypot!
Only one year? How about fines. Kent should have to at the least pay restitution for the time IT spent resolving his hax, theft of services (since the business used the data for revenue generation). And maybe a good old ass-whooping for being a scum bag.
I was wondering why Oilpro shut down so suddenly!
Just another reason we like stupid crooks. At least he wasn’t using a TOR proxy VPN.