How hackers get caught
Apparently the mistake that's hardest to avoid is not bragging that you did it
The latest version of InfoWorld's Stupid Hacker Tricks goes a long way toward explaining why some hackers are caught almost immediately, while others stay out on the dark fringes for years.
It seemed as if the FBI grabbed 35-year-old Christopher Chaney of Jacksonville, Fla. for hacking the phones and emails of Scarlett Johansson and other female A-listers within days of the Johansson revelations.
Actually the investigation went on for more than a year and Johansson's photos went missing months before the publicity rush resulting from her request that the FBI quit dawdling and do something about the guy who allegedly stole private data and compromising photos from more than 50 famous women.
Chaney didn't make too many obvious mistakes, unlike fellow hackerazzi Josh Holly, a 21-year-old accused of hacking Miley Cyrus' Gmail account to steal and re-post risqué pictures, but arrested for using stolen naked-celebrity pictures as the bait in a phishing scheme that brought victims back to sites where their credit-card numbers were captured for later misuse.
He is charged with having more than 200 compromised card-account numbers in his possession and defrauding victims of more than $100,000.
Sounds like a serious work effort, not a student on a lark who would make stupid mistakes. Except that Holly allegedly couldn't resist bragging about cracking Miley's account – giving interviews to bloggers and boasting at forums of hacker site Digitalgangster.com, from which he was either traced by IP address, or "ratted out" by other hackers as he told Wired.
The desire for direct fame isn't the only variety of hubris that can bring down hackers.
In June, the Anonymous spinoff group LulsZec took credit for attacking the Atlanta chapter site of InfraGard – an association designed to act as liaison and networking location for the FBI, corporate IT groups and the National Infrastructure Protection Center.
LulzSec did it, allegedly, to protest a decision by NATO and the White House to treat hacking as an offense as serious as an act of war.
21-year-old Florida computer engineering major Scott Arciszewski allegedly did it out of sympathy and for kicks – uploading files to the site, tweeting a boast about it, then retweeting the boast to the attention of the FBI agents investigating the attack – all from the same IP address.
Feds tracked him to a Twitter account, from there to a personal web site and from there to his dorm room.
Failing to hide an IP address was also to blame for the arrest of an underage and unnamed British hacker who launched a DDOS attack on a Call of Duty site after cheatbotting his way to a high score and deciding the best way to keep other players from killing his character was to keep the site too busy to let them log on.
It worked, but also left a trail back to an IP address that – unlike in the case of more savvy hackers – was the perp's actual address rather than one of a chain of free or commercial proxies and malware-infected zombie computers used as identity-concealing proxies and launch points for attacks.
Even the "Low Orbit Ion Cannon" DDOS tool used by Anonymous to attack sites that refused to let consumers sent money to fund WikiLeaks late last year, didn't do much to hide IP addresses. PayPal was able to capture several accurate IP addresses in its server logs, which feds used to track down the attackers.
Most hackers take at least some precautions most of the time. Anonymous as it seems, however, everything that happens online is recorded in server or network logs somewhere.
Those who know how to dig up the tracks – like the coterie of more established hackers who vowed to dox and take down LulzSec for being posers and loudmouths – the tracks remain for long after attacks are over and even after the attackers themselves claim to have ceased hostilities.
That's how Topiary was arrested, shortly after LulzSec claimed to have disbanded and despite social-engineering attempts to throw suspicion on other hackers to confuse the identity of both Topiary and LulzSec leader Sabu.
Other LulzSec'ers were arrested for obvious mistakes. An AT&T contractor named Lance Moore allegedly used an AT&T VPN login to pull data from AT&T servers that he posted as part of LulzSec's triumphalist and ill-advised "50 Days of Lulz" diatribe in which the collective bragged about its success, its wily escape from law enforcement and intent to return to a quiet life in the country.
AT&T recognized its data, traced it to the correct server, checked out the logs and pinpointed Moore as one of very few who accessed that particular data around the time it must have been stolen.
That's roughly like taking a lunch break from your job at the jewelry store and re-entering through the front door to rob the place without having changed clothes or put on a mask first. You might pull it off, but police will be able to get a pretty good idea who the crook might have been.
The key to successfully hiding your identity during an attack seems to be making sure you pass through enough interim sites to conceal your point of origin permanently – either because they're in a country not vulnerable to pressure from the FBI, specifically offer to protect users' data by not saving the login or tracking data on their servers for more than a few days, or because they're zombies being remotely controlled by someone else, who makes sure the zombie doesn't keep enough information to point back to a command-and-control site.
Lacking a trustworthy proxy, the best thing to do is to go through so many interim sites and services that the process of tracking you through them all is too time consuming for most security teams.
"Even if hackers redirect through other sites, it's frequently still possible to track an attack back to them," according to Clifford Neuman, director of the USC Center for Computer Systems Security, who was quoted in InfoWorld's recent Stupid hacker tricks: Exploits gone bad article. "You trace it back to one point, then you go through diplomatic channels to get the authorities in the outside country to find and collect the logs. It's a months-long process, but it can be done."
Either that or you listen to the advice Miley Cyrus phone-hacker Josh Holly got from buddies on Digitalgangster.com: Don't brag about your exploits in public, especially on forums where you've posted enough that the FBI can sift all your previous comments for clues to your whereabouts.
No matter how well you've covered your tracks, telling people you were the one who Did It will always be a fairly good indication that you might not be as innocent as you seem.