Fraud starts after Lulzsec group releases email, passwords

Passwords stolen from Writerspace.com are used to take over Amazon, Paypal, and other accounts

Debbie Crowell never ordered the iPhone, but thanks to a hacking group known as Lulzsec, she spent a good part of her Thursday morning trying to get $712 in charges reversed after someone broke into her Amazon account and ordered it.

"They even had me pay for one-day shipping," she said via email Thursday afternoon.

[ This week LulzSec claimed to have hacked the CIA's website. | InfoWorld's Robert X. Cringely says dial 'h' for 'hacker': LulzSec is the future of the Net. | Get your websites up to speed with HTML5 today using the techniques in InfoWorld's HTML5 Deep Dive PDF how-to report. | Learn how to secure your Web browsers in InfoWorld's "Web Browser Security Deep Dive" PDF guide. ]

Crowell is one of more than 62,000 people who must now change passwords and keep a close eye on their online accounts after Lulzsec posted their email addresses and passwords to the Internet Thursday. It's the latest escalation in a messy hacking rampage by the anarchic group that's caused damage at Sony, the U.S. Public Broadcasting Service and even the U.S. Central Intelligence Agency.

It's not clear where all of the Lulzsec email addresses and passwords came from. At least 12,000 of them, including Crowell's, were gathered from Writerspace.com, a discussion forum for readers and writers of mystery and romance novels. The site's technical staff is trying to figure out how they were stolen and is in the process of contacting victims, said Writerspace owner Cissy Hartley.

The 62,000 email addresses and passwords belong to victims at large companies such as IBM, as well as in state and federal government. Affected agencies include the U.S. Army, Navy and Air Force, the U.S. Federal Communications Commission, the U.S. National Highway Traffic Safety Administration, the U.S. Department of Veterans Affairs and the U.S. Coast Guard.

Unlike other hacking groups, Lulzsec doesn't seem to have much of an agenda, except to settle a few scores and cause as much chaos as possible. Lulz is hacker speak for the plural of "laugh out loud."

Soon after the accounts were posted Thursday, Lulzsec followers started to say, via Twitter, that they had accessed Facebook, Twitter and online gaming accounts. "I am now an level 85 human warrior on mal'ganis server," wrote one follower, called Miracle Joe, referring to a server used by World of Warcraft gamers.

"Got an Xbox Live, Paypal, Facebook, Twitter, YouTube THE WHOLE LOT! J-J-J-J-J-J-JACKPOT," wrote another follower, Niall Perks. The "idiot had the same password for everything," he later explained.

Others claimed that they'd chatted with friends of the victims or posted obscene photos or messages to their profile pages.

Crowell, a property assessment specialist with the Wisconsin Department of Revenue in Milwaukee, describes herself as a "boring old lady on the Internet." Though she knew better, she reused her passwords, including the one she used at both Amazon and Writerspace.com. "Everyone knows that everyone uses the same password for everything," she said. "You know what you're supposed to do, but do you do it?"

Crowell is right; most people do reuse their passwords, said E.J. Hilbert, a former U.S. Federal Bureau of Investigation agent who is now president of fraud investigation company Online Intelligence. It's a bad habit that needs to change. "You need to use different passwords for different sites. Period. Across the board," he said.

In a sense, Crowell was lucky. The hackers didn't break into her email account. When that happens, things can become much worse because hackers can often access other Web accounts by claiming to have forgotten their password and asking for a new one to be sent via email.

There are often treasures in the victim's sent mailbox and archives. Old email messages often include personal information that can be used in further attacks, and a surprising percentage of email accounts also include nude or embarrassing photos.

Finally, criminals can use the email addresses to send malicious software to military and government employees, in what could be the first stage of a larger attack, Hilbert said. These targeted spearphishing attacks are a big problem for the government and military contractors, and have become a standard way for hackers to break into secure systems over the past half-decade.

"Government email addresses should not be used for non-governmental work, and if they are there's a huge, huge problem," Hilbert said.

Although she knew she was making a mistake by reusing her password, Crowell was still "shocked" when she discovered the fraud. "It's one of the things that you hear about all the time, but you never think it'll happen to you."

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's email address is robert_mcmillan@idg.com.

Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies