Everything You Wanted to Know about Social Engineering -- But Were Afraid to Ask...


Anatomy of a Massive Social Engineering Campaign

1999 was the year Brian Martin's Attrition.org team decided to use social engineering to run John Vranesevich's Antionline.com out of business.

The previous year, in August 1998, an alliance of computer criminals had developed a distaste for Antionline. It had all begun when the Hacking for Girliez gang was trying to run me off the Internet. They broke into one web site after another, defacing each with soft porn and insults against me. In one case they mailed out credit card information over the official Def Con dis.org email list. (It is moderated by "evil" Pete Shipley, a few months later to be, according to Upside magazine, the chief security architect of "Big Six" accounting firm KPMG. Note that his moderation of the list has been spotty, so there is no evidence he approved that particular post.)

The Girliez next defaced two Motorola web sites, the main NASA/JPL web site, Penthouse, and many others. In the process they did damage estimated by the FBI, in their attack on Rt66 Internet alone, at close to $2 million.

What got the Girliez' goat was that, despite their pleas and threats, Vranesevich refused to report their crime spree. In fact, no one, except some local news media in Albuquerque, seemed interested. I'm guessing that this messed up a goal of getting their victims and the FBI to pressure me into closing down my Happyhacker.org web site. Yes, it seems they couldn't hack happyhacker.org, so they had to hack other sites instead.

A few weeks later the Girliez finally managed to get their publicity. On Sept. 13, 1998, they defaced the New York Times web site. They did so much damage to the Times' network that parts of that web site took over a week to get back online. This finally got them publicity at Antionline, and in just about every major Internet news site, as well as Time magazine, US News and World Report, and print editions of many newspapers.

The NY Times hack was the last major public appearance of Hacking for Girliez. In place of their noisy crusade, in October 1998, an anonymous wave of computer crime attempts thundered down on Antionline. It began with break-in attempts. Some of these were quite ingenious. Later, according to Antionline logs, someone using a computer with what appeared to be a L0pht domain name even tried repeatedly to break into the Antionline network printer. Yes, printers have CPUs and can be compromised. The most likely use for a compromised printer would be to run a sniffer.

I-don't-want-to-get-sued disclaimer: Please note that this does not mean that any member of the L0pht would actually commit computer crime. For example, someone from outside of L0pht might have broken in and used one of their computers as an attack computer.

Denial of Service Attacks Begin

When these break-in attempts appeared doomed, denial of service (DOS) attacks run by parties unknown began, and soon grew quite ingenious. Totally novel corrupt packets began to arrive. This suggested that Vranesevich's assailants were not ordinary code kiddies, but rather the sorts of hackers who know how to write serious code.

When even these didn't bring down the network, the mass DOS attacks began. By simply filling up the entire capacity of Vranesevich's Internet connection, the attackers were able to keep his business offline for hours at a time.

These were the same kinds of attacks that during the week of Feb. 6, 2000, shut down Yahoo, Buy.com, and many other major web sites. However, back in 1999, the FBI wasn't interested in tracking down that kind of criminal. This type of crime would have to amount to millions of dollars in damage per day (the lost revenues from those web sites) before the FBI would act.

 © 2013 Happy Hacker All rights reserved.