Some “Dumb” Hacks

Hackers are known to be clever, which they need to be to stay one step ahead of IT security professionals and law enforcement. However, here are some interesting “dumb moves” by hackers that helped officials track them down. Extracted from an article by Alan Wlasuk and from a recent “PC World” article.

 

 

1) Kelly Osbourne Email Hacking

 

Late last year, Kelly Osbourne (of Dancing With the Stars fame) had her email account hacked. The hacker wanted not only to look at all of her past emails but also to see new ones. So what brilliant idea did the hacker come up with? He had Kelly’s emails forwarded to his own personal email account! End of story!

 

2) Genius Mirza

 

Self-proclaimed hacktivist Shahee Mirza and several associates defaced a Bangladesh government military website, that of the Rapid Action Battalion, with the following message:

 

“GOVERNMENT DOES NOT TAKE ANY STEP FOR ICT DEVELOPMENT. BUT PASSED A LAW ABOUT ANTI-CYBER CRIME. YOU DO NOT KNOW WHAT IS THE CYBER SECURITY OR HOW TO PROTECT OWNSELF. LISTEN. HACKERS R NOT CRIMINAL. THEY R 10 TIME BETTER THAN YOUR EXPERT. WE ARE GINIOUS THAN YOU CAN’T THINK. DEFACED FROM BANGLADESH.”

 

Unfortunately, 21-year-old Mirza also left a banner that clearly stated, “HACKED BY SHAHEE_MIRZA.”

 

Obviously not the “GINIOUS” indicated in his hack.

 

3) SAMY Worm

 

Famous for his Samy Worm, Samy Kamkar was responsible for a virus-like attack that infected over 1 million MySpace accounts in 2006. Among its other malicious effects was the addition of ‘Samy is my hero’ to the MySpace homepage of each of the million victims. As part of his obvious ego addiction, Samy went on to boast of his hacking feat in a blog post.

 

Unfortunately for Samy, the blog contained a picture of him with a license plate in the background, which was then used to find Samy.

 

4) What not to do with a stolen iPhone

 

20-year-old Sayaka Fukuda had her iPhone stolen on the streets of New York City. The thief, Daquan Mathis, while enjoying his new iPhone, took a picture of himself (dressed in the same clothes he wore during the mugging), which he then sent to his own email address. Unfortunately for Mathis, Fukuda’s iPhone email account could be accessed on the Internet (like almost every such account). Given his email address, it was a simple matter to track Mathis down, made even simpler by the fact that the police had his picture.

 

5) Single email id for hacking and job hunting?

 

By all accounts, Eduard Lucian Mandru is a very clever hacker. His 2006 hack of the U.S. Department of Defense (DOD) computer system went undetected for years, with the authorities only having Mandru’s email address (wolfenstein_ingrid@yahoo.com) as their single clue. Mandru’s downfall and arrest in 2009, however, came about when he used the same wolfenstein_ingrid@yahoo.com email address on the résumé that he posted on numerous job boards. Sometimes it pays to use different email addresses for different tasks, don’t you think?

 

6) Hacking an FBI sponsored website

 

Scott Arciszewski is accused of hacking into the website of InfraGard, an FBI-run program focused on cyber crime prevention. Yes, you read that correctly: cyber crime prevention. In other words, if there were an encyclopedia entry for “places you don’t want to mess with,” InfraGard would top the list.

 

The FBI alleges that in July 2011 Arciszewski, a 21-year-old computer engineering major at the University of Central Florida, broke into InfraGard’s Tampa Bay chapter website. He’s accused of uploading a few files and then posting a link on Twitter showing others how he skirted the website’s security.

 

The tweet reportedly contained just eight words — “Infraguard [sic] Tampa has one hell of an exploit” — along with a shortened link. That turned out to be more than enough to send the bloodhounds on Arciszewski’s path.

 

FBI agents set out to find the guy who tore a hole in their virtual fence. It didn’t take too much work, from the sounds of it: According to reports, Arciszewski retweeted his boast to the attention of the FBI’s official press office account.

 

The feds tracked down the IP address used in the attack and connected it to that troublesome tweet. The FBI went from Arciszewski’s Twitter account to his personal website. Before long, they found his real name, matched up some photos, and showed up at his UCF dorm room with a warrant for his arrest.

 

7) A DDoS Attack on Gaming Site

 

A British teen is accused of using a tool called Phenom Booter to perform a DDoS attack on the servers responsible for hosting the popular Call of Duty video game. The boy’s goal was to keep other players from signing in and killing his character — thereby allowing him to maintain a high score.

 

It reportedly took the Call of Duty staff several hours to get the site back up and running. In the meantime, countless users were unable to get online and play.

 

Our junior hacker didn’t stop with the single attack, though. Investigators say he spent time scouting out other would-be hackers and offering to sell them the secret to his score-boosting ruse.

 

Police tracked the teen to his home.

 

While hackers often use proxies and redirection services to mask their locations, it sounds like our amateur attacker didn’t do much to hide. Officers say they quickly figured out that the server responsible was hosted in the United Kingdom. From there, it didn’t take them long to make their way to the Manchester neighborhood where Boy Wizard lived.

 

8) Maybe Not a Dumb Hack but Definitely an Interesting One

 

One clever hacker realized that recent speed traps use cameras that automatically register your speed, take a picture of your license plate, and then use character recognition to translate your license plate number into something they can use as a lookup within the DMV database. With this in mind, he changed his license plate number to (‘ZU 0666’, 0, 0); Drop Database Table.

 

If the DMV uses this string of characters in their database lookup, it has a good chance of deleting all of the database records containing his actual license plate number, ZU 0666. This has got to be 10 out of 10 on the creativity scale, and it once again shows the importance of knowing what SQL injection is all about.
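The failure mode in item 8, as an added example that is not from the original article: OCR text pasted into a SQL string next to the same insert done with a format check and bound parameters. The `sightings` table, its columns, the plate format and the exact OCR string are assumptions constructed for illustration; `executescript()` stands in for database drivers that accept several statements in one call.

```python
import re
import sqlite3

# Constructed OCR output modelled on the plate text quoted above; the table
# name "sightings" and its columns are assumptions for this example.
OCR_PLATE = "ZU 0666', 0, 0); DROP TABLE sightings; --"
PLATE_RE = re.compile(r"[A-Z0-9 ]{2,10}")  # assumed plate alphabet and length


def new_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sightings (plate TEXT, speed INTEGER, camera INTEGER)")
    db.execute("INSERT INTO sightings VALUES ('AB 1234', 72, 3)")
    return db


def table_exists(db):
    row = db.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='sightings'"
    ).fetchone()
    return row[0] == 1


def record_vulnerable(db, plate, speed, camera):
    # Weak: the OCR text becomes part of the SQL text itself, so a quote in
    # the plate ends the string literal and the rest is parsed as SQL.
    db.executescript(
        f"INSERT INTO sightings VALUES ('{plate}', {speed}, {camera});"
    )


def record_safe(db, plate, speed, camera):
    # Hardened: allowlist the plate format, then bind values as parameters so
    # the database treats them purely as data.
    if not PLATE_RE.fullmatch(plate):
        raise ValueError("plate failed format check; route to manual review")
    db.execute("INSERT INTO sightings VALUES (?, ?, ?)", (plate, speed, camera))


def demo():
    bad, good = new_db(), new_db()
    record_vulnerable(bad, OCR_PLATE, 88, 7)
    try:
        record_safe(good, OCR_PLATE, 88, 7)
        rejected = False
    except ValueError:
        rejected = True
    # (table survives vulnerable path?, table survives safe path?, rejected?)
    return table_exists(bad), table_exists(good), rejected
```

Parameter binding alone already keeps the table intact; the format check additionally keeps garbage OCR reads out of the records.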