Stupid hacker tricks: Exploits gone bad
- 24 October, 2011 21:12
If the Internet is the new Wild West, then hackers are the wanted outlaws of our time. And like the gun-slinging bad boys before them, all it takes is one wrong move to land them in jail.
Whether they are out to steal money or merely wreak havoc, the consequences of an exploit gone bad can be harsh. And these days, the margin for error can be measured in bits. After all, thanks to the Internet's international nature, cyber outlaws have an awful lot of sheriffs sniffing out their online footsteps.
Sometimes, though, the sheriffs don't have to work too hard. Clever as they often are, hackers can turn boneheaded pretty quickly and slip up in silly ways, leaving authorities a virtual road map pointing right to their doorsteps.
Just ask the suspects in these five cases, all of whom have officially earned a spot in InfoWorld's Stupid Hacker Tricks Hall of Shame.
Stupid hacker trick No. 1: Hack, tweet, repeat -- until arrestedThe suspect: Scott Arciszewski
The crime: Hacking an FBI-sponsored website
Dossier: Arciszewski is accused of hacking into the website of InfraGard, an FBI-run program focused on cyber crime prevention. Yes, you read that correctly: cyber crime prevention. In other words, if there were an encyclopedia entry for "places you don't want to mess with," InfraGard would top the list.
Common sense be damned, though, someone decided InfraGard needed to be infiltrated. Apparently the company's ties with the government rubbed some folks the wrong way; this past June, the hacking collective known as LulzSec took credit for taking down one of the organization's sites, citing recent computer crime legislation as the cause of its ire.
The incident connected to Arciszewski came just one month later, in July 2011. The FBI alleges that Arciszewski, a 21-year-old computer engineering major at the University of Central Florida, broke into InfraGard's Tampa Bay chapter website. He's accused of uploading a few files -- animated kitty GIFs, one can only hope -- and then posting a link on Twitter showing others how he skirted the website's security.
The tweet reportedly contained just eight words -- "Infraguard [sic] Tampa has one hell of an exploit" -- along with a shortened link. That turned out to be more than enough to send the bloodhounds on Arciszewski's path.
The bust: FBI agents, none too pleased with their public flogging, set out to find the guy who tore a hole in their virtual fence. It didn't take too much work, from the sounds of it: According to reports, Arciszewski retweeted his boast to the attention of the FBI's official press office account. D'oh!
"Word of mouth leads to a lot of arrests," says Clifford Neuman, director of the USC Center for Computer Systems Security. "Hackers often brag to others on message boards and social [media] services, so detectives look for indications like online postings and then start tracing forward from that activity."
In Arciszewski's case, the feds tracked down the IP address used in the attack and connected it to that troublesome tweet. According to Ryan J. Reilly at TPM Idea Lab, the FBI went from Arciszewski's Twitter account to his personal website. Before long, they found his real name, matched up some photos, and showed up at his UCF dorm room with a warrant for his arrest.
On the plus side, that may have been the most action Arciszewski's dorm saw all semester.
Stupid hacker trick No. 2: Risqué Miley Cyrus pics arouse suspicionThe suspect: Josh Holly
The crime: Hacking celebrities' Internet accounts as part of a spam and credit card-stealing caper
Dossier: It's no party in the U.S.A. these days for Josh Holly, the 21-year-old accused of hacking Miley Cyrus's Gmail account and posting provocative pics of her online. Holly is currently facing criminal charges -- though, in a surprising twist, not for the semi-indecent exposure of the then-15-year-old star.
Holly's trouble actually revolves around a series of spam-based credit card thefts. In August, he pleaded guilty to felony charges stemming from the possession of about 200 compromised credit card numbers. According to the FBI, Holly hacked into numerous celebrities' MySpace accounts, then used their accounts to spam the masses, reaching legions of responsive followers and bringing in more than $100,000 in shadily obtained revenue.
So where does the lovely Ms. Cyrus factor into the equation? Holly famously bragged about breaking into Miley's email and stealing her risqué photos (which, of course, were plastered all over the Web in no time). Holly told Wired the whole thing started when he broke into a MySpace admin panel and found a plain-text list of passwords. He tried Miley's MySpace password on a Gmail account she was known to use, according to the interview -- and sure enough, it worked.
The bust: Though Holly was never charged specifically for the Miley incident, that high-profile hack appears to have played an integral role in his arrest. The FBI followed his boastful bread crumbs and raided his Tennessee home. They seized his computer and found all the evidence they needed inside.
Holly seemed to spot his slip-ups pretty quickly -- after the fact, at least. In an interview conducted with Wired shortly after his arrest, Holly is quoted as saying, "There's no way I can get out of this. ... I was an idiot and I didn't delete any of my [hard drive data]. I never thought they would raid me. They're going to get full proof [sic] evidence of everything that I've said I've done."
Of course, the massive amounts of money moving through various accounts probably didn't help, either. Where there's money, after all, there's almost always a trail.
"Whenever there is required collusion -- the exchange of a hack or credit card number or anything like that -- that creates a point of vulnerability where information can be exposed," USC's Neuman explains.
Holly could face up to 10 years in prison and a $250,000 fine.
Stupid hacker trick No. 3: Boost score, get bustedThe suspect: An unnamed 17-year-old from Manchester, U.K.
The crime: Launching a DDoS attack on the Call of Duty website and bringing the game to a screeching halt
Dossier: The British teen is accused of using a tool called Phenom Booter to perform a DDoS attack on the servers responsible for hosting the popular Call of Duty video game. According to U.K. media reports, the boy's goal was to keep other players from signing in and killing his character -- thereby allowing him to maintain a high score.
To his credit, the plot worked. It reportedly took the Call of Duty staff several hours to get the site back up and running. In the meantime, countless users were unable to get online and play.
Our junior hacker didn't stop with the single attack, though. Investigators say he spent time scouting out other would-be hackers and offering to sell them the secret to his score-boosting ruse.
The bust: Police tracked the teen to his home -- where you can imagine Mum and Dad were none too pleased.
While hackers often use proxies and redirection services to mask their locations, it sounds like our amateur attacker didn't do much to hide. Officers say they quickly figured out that the server responsible was hosted in the United Kingdom. From there, it didn't take them long to make their way to the Manchester neighborhood where Boy Wizard lived.
"Hackers only need to make a mistake once for that to be the piece of evidence which ultimately identifies them," says Graham Cluley, senior tech consultant at Sophos.
Needless to say, this little prank didn't have police laughing. "This type of crime can often be the precursor to further offending in more traditional areas of online crime," detectives told the Daily Mail.
"Spanky, spanky," the kid's parents probably added.
Stupid hacker trick No. 4: Pummel PayPal, get paybackThe suspects: Christopher Cooper, Joshua Covelli, Keith Downey, Mercedes Haefer, Donald Husband, Vincent Kershaw, Ethan Miles, James Murphy, Drew Phillips, Jeffrey Puglisi, Daniel Sullivan, Tracy Valenzuela, Christopher Vo, and one unnamed minor
The crime: Conducting a DDoS attack against PayPal
Dossier: When a handful of financial companies decided to stop handling payments for donations to WikiLeaks last December, the Internet temporarily went wild. Hackers from the group Anonymous cocked their guns and fired, promising to take down anyone "bowing down" to what they called "government pressure" to muzzle WikiLeaks' efforts.
For PayPal, that meant a bunch of bogus Internet traffic. Hackers around the country conducted a DDoS attack against the site, allegedly using a tool called "Low Orbit Ion Cannon" to send massive amounts of data into PayPal. The goal, of course, was to overwhelm the company and cause its service to collapse.
The bust: A "Low Orbit Ion Cannon" sounds impressive -- but apparently, the tool did a poor job of hiding its operators' locations. PayPal was reportedly able to identify the IP addresses of different attackers in its server logs, allowing authorities to use that data to dig up the suspects.
"Even if hackers do redirect through other sites, it's frequently still possible to track an attack back to them," USC's Neuman notes. "You trace it back to one point, then you go through diplomatic channels to get the authorities in the outside country to find and collect the logs. It's a months-long process, but it can be done."
In this case, that kind of international effort wasn't even needed. FBI agents conducted raids on the suspects' homes and made their arrests. And remember: For someone with something to hide, a raid can spell serious trouble.
"When they arrest them, they've got warrants," Neuman says. "Even though the path back to them may have been somewhat obscured, they usually have information on their own machines that shows they had the source code or program related to the attack. A lot of individuals don't think it will ever get to that point and don't even try to prepare."
Each suspect is charged with conspiring to cause damage and intentionally causing damage to a protected computer -- charges that, combined, carry penalties of up to 15 years in prison and $750,000 in fines. Some payback indeed.
Stupid hacker trick No. 5: Chat up your iPad account hack, end up in the clinkThe suspects: Andrew Auernheimer and Daniel Spitler
The crime: Hacking into an AT&T database and exposing the email addresses of thousands of iPad owners
Dossier: Aurenheimer and Spitler discovered a public script on AT&T's website in which you could plug an ICCID number -- a unique identifier associated with each iPad's SIM card -- and get back the email address of the user who owns the device.
Armed with that knowledge, the two men, allegedly operating as "Goatse Security," are accused of creating their own script called the "iPad 3G Account Slurper." That script is said to have input random ID numbers in rapid-fire succession. Every time it came across a legitimate one, investigators say, it retrieved and logged the corresponding email address.
Harmless, right? Not quite: The script harvested more than 100,000 email addresses in all, including those of folks like New York Mayor Michael Bloomberg, former White House Chief of Staff Rahm Emanuel, and numerous other national leaders. And the guys from Goatse didn't keep the info quiet: The company is accused of offering the data to both News Corp. and Thomson Reuters. It was Gawker, however, that eventually bit and published a glimpse of the stolen tidbits, causing an embarrassing debacle for AT&T and Apple alike.
The bust: Once the data dump went public, the pressure was on to find the responsible parties. In this instance, once again, the old adage "loose lips sink ships" may describe what brought Goatse Security down.
In their complaint against Aurenheimer and Spitler, prosecutors cite numerous emails and chat logs in which the men appear to discuss the hack and their involvement. One note even mentions the possibility of "iPad focused spam" -- something that certainly doesn't look good for anyone mulling over the men's intentions.
"In the cases of less-professional cyber criminals, they may find it irresistible to brag online about their activities, or leave nicknames in their attacks, which ultimately help authorities unmask them," Cluley points out.
Unmasked, perhaps -- but hey, at least their email addresses weren't exposed.
- Stupid user tricks 5: IT's weakest link
- Jackass IT: Stunts, idiocy, and hero hacks
- Dirty IT jobs: Partners in slime
- IT admins gone rogue
- IT inferno: The nine circles of IT hell
- IT personality types: 8 profiles in geekdom
- 7 IT superheroes -- and their fatal flaws
- Stupid hacker tricks, part two: The folly of youth
- The 7 dirtiest jobs in IT
- True IT confessions
- The 2010 InfoWorld Geek IQ test
- IT personality type quiz
- Programming IQ test: Round 2
- Linux admin IQ test
Read more about security in InfoWorld's Security Channel.