Confessions of an Internet hacker: Stealing your personal information was hard to resist

California CPA, March, 2002 by Larry Russell

Some friends and I have pretended to be you a few times-setting up credit card accounts to purchase a few things. I hope you don't mind. Your personal information was easy to obtain over the Internet with the aid of a few well-known cracker tools. It was hard to resist.

THE PERFECT COVER

My name is John Smith. I'm from Crescent City. In school I earned good grades, was always in my room before curfew and went to church every Sunday. A few months ago, my buddy and I were hired by a start-up computer security company to protect companies like yours against people like me. Unfortunately I had no idea that the folks who hired me were really from the Federal Bureau of Investigation. Now, it's pretty safe to say the jig is up. I'm writing this from my federal prison cell in Lompoc.

If only we had stayed in Crescent City, you never would have found us.

We had the perfect conditions for monitoring service providers, e-commerce sites and online banks that pointed the way to your personal computer to steal credit card numbers and other personal financial information. Sometimes we were able to use this information to persuade our "clients" to pay us not to share their sensitive data with the public or we would damage their computers.

Once we were inside your computer, we made copies of your financial data files from Quicken, Quickbooks, your tax return software and other data sources.

You pretend to protect your valuable data with passwords that don't take long to crack.

Password-cracking software-supplied by some good friends of ours--allowed us to discover your passwords in minutes. Fortunately, you didn't bother to use uncrackable passwords. Apparently they are too hard to remember or a nuisance to change.

We were able to obtain more than 56,000 credit cards with personal information "courtesy of" a few Internet service providers and Internet retail sites. You may have felt safe when you signed up for Internet services or bought stuff online, but those online vendors have big back doors just waiting for us to walk through. We also "borrowed" bank account and other personal financial information from online banking services.

PIECE OF CAKE

It was not difficult for us to take control of your unprotected computer over the Internet-using it to establish thousands of anonymous e-mail accounts at e-mail Web sites like Hotmail, Yahoo! and My Own Email. With our "personalized" e-mail accounts we used special software to create associated accounts at PayPal, an online payment service, with random identities using your credit card numbers.

With other software, we controlled and manipulated eBay auctions. We could act as both seller and winning bidder in the same auction and then paid ourselves with your "borrowed" credit cards.

Did I mention that we had accumulated over 56,000 valid credit card numbers? Most of these card number sources were from sites that had weak firewalls with ports opened by common trojans.

That's also how we accessed your PC. You may have acquired our trojan by opening an e-mail with attached script files, or by visiting some of our choice "educational" Web sites where this agent was downloaded without your knowledge.

Thank you, computer users who do not use good virus protection or keep your definition files updated. You feel secure because you have a firewall? There is an old saying, "No security is better than false security."

Even when we walked in through your computer's back door, we still had to crack a few passwords to get your personal information to authorize credit card use. If that information had secure password protection that took longer than a day or two to crack, we would have given up and moved on to one of your neighbor's computers whose passwords were not so secure. So please keep your passwords short--using only common English words and names.

At least I had five fun years before I was caught.

I have to go now. I have a hearing scheduled for 9 a.m. Monday. Don't worry, if I should somehow shake this rap, we'll be in touch.

Larry Russell, CPA, CITP, is a consultant with Valencia-based Cambridge Technology Consulting Group Inc., an information technology service provider. He is a member of CalCPA's state Technology Committee, CalCPA Council and chairs the Los Angeles Chapter's Members in Industry Committee.

RELATED ARTICLE: Viruses 101

Destructive. Secretive. Embedded. Executable. Variable. Just a few of the terms that describe a computer user's archenemy--the virus.

Once executed, a mechanism in the virus enables its distribution to other computer systems. Some current strains, known as worms, spread on their own. The Code Red Worm automatically sends itself to 99 IP addresses it generates. Once activated, viruses can do anything--delete files or send themselves, together with documents on your hard drive, to some, or all, of the names in your Microsoft Outlook address book or to any Internet address.

A virus attached to e-mail messages can infect an entire enterprise in a matter of minutes. It's estimated that businesses spend millions of dollars annually in productivity loss and clean-up expenses due to viruses. According to the International Computer Security Association, more than 10,000 already are identified, and more than 200 new ones are created monthly. No computer is immune from viruses.