Everything You Wanted to Know about
Social Engineering -- But Were Afraid to Ask...
Anatomy of a Massive Social Engineering Campaign
1999 was the year Brian Martin's Attrition.org team decided to
use social engineering to run John Vranesevich's Antionline.com
out of business.
The previous year, August 1998, an alliance of computer criminals
had developed distaste for Antionline. It had all begun when the
Hacking for Girliez gang was trying
to run me off the Internet. They broke into one web site after
another defacing it with soft porn and insults against me. In
one case they mailed out credit card information over the official
Def Con dis.org email list.
(It is moderated by "evil" Pete Shipley, a few months
later to be, according to Upside magazine, the chief
security architect of "Big
Six" accounting firm KPMG. Note that his moderation of
the list has been spotty, so there is no evidence he approved
that particular post.)
The Girliez next defaced two Motorola web sites, the main NASA/JPL
web site, Penthouse, and many others. In the process they did
damage estimated by the FBI, in their
attack on Rt66 Internet alone, at close to $2 million.
What got the Girliez' goat was that, despite their pleas and
threats, Vranesevich refused to report their crime spree. In fact,
no one, except some local news media in Albuquerque, seemed interested.
I'm guessing that this messed up a goal of getting their victims
and the FBI to pressure me into closing down my Happyhacker.org
web site. Yes, it seems they couldn't hack happyhacker.org, so
they had to hack other sites instead.
A few weeks later the Girliez finally managed to get their publicity.
On Sept. 13, 1998, they defaced the
New York Times web site. They did so much damage to the Times'
network that parts of that web site took over a week to get back
online. This finally got them publicity at Antionline - and in
just about every major Internet news site, as well as Time magazine,
US News and World Report, and print editions of many newspapers.
The NY Times hack was the last major public appearance of Hacking
for Girliez. In place of their noisy crusade, in October 1998,
an anonymous wave of computer crime attempts thundered down on
Antionline. It began with break-in attempts. Some of these were
quite ingenious. Later, according to Antionline logs, someone
using a computer with what appeared to be a L0pht
domain name even tried repeatedly to break into the Antionline
network printer. Yes, printers have CPUs and can be compromised.
The most likely use for a compromised printer would be to run
a sniffer.
I don't want to get sued disclaimer: Please note that this does
not mean that any member of the L0pht would actually commit computer
crime. For example, someone from outside of L0pht might have broken
in and used one of theirs as an attack computer.
Denial of Service Attacks Begin
When these break-in attempts appeared doomed, denial
of service (DOS) attacks run by parties unknown began, and
soon grew quite ingenious. Totally novel corrupt packets began
to arrive. This suggested that Vranesevich's assailants were not ordinary
code kiddies, but rather the sorts of hackers who know how to write
serious code.
When even these didn't bring down the network, the mass DOS attacks
began. By simply filling up the entire capacity of Vranesevich's
Internet connection, the attackers were able to keep his business
offline for hours at a time.
These were the same kinds of attacks that during
the week of Feb. 6, 2000, shut down Yahoo, Buy.com, and many
other major web sites. However, back in 1999, the FBI wasn't interested
in tracking down that kind of criminal. This type of crime would
have to amount to millions of dollars in damage per day (the lost
revenues from those web sites) before the FBI would act.