
Day In The Life Of Net Scam Artists
NeoCode writes: "This article chronicles a day in the life of two hackers. Seems like a reporter anonymously paid these hackers to log in their typical day. In the article, they talk about how they fool people with their spams and phreaking scams. It's in quite a bit of detail in terms of what these guys do to make money (and tons of it). Obviously these guys are breaking the law and nibbling on innocent/naive users. Looks like AOL and other ISPs still have to beef up their filters to stop spamming." Not a lot of details, but it's kinda interesting.
It's an infectious disease. (Score:2)
These people are *not* what are considered script-kiddies. They are not hackers. The author has no idea about this terminology. Any one of you can download a program and do exactly what they do. It takes absolutely no computer knowledge or intelligence.
Most people are in the business of scamming for a few years, then realize it won't get them anywhere in life. Then, a new generation emerges, and the last generation becomes so-called "old school" (which, we know they really aren't).
All in all, it's a black void drawing in lost teenagers through short-lived fame/money and steals away their future so they rot away and leech welfare.
Re:Do not try this you will go to jail. (Score:3)
He spent a few weeks in Juvie Hall and 18 months on probation as a 16-17 year old. He would have spent 6 months in the prison, but apparently the Juvenile Courts/ Corrections Dept for Cuyahoga County, Ohio have too many schoolyard drug pushers and child rapists to keep kids who "only defrauded a company for four thousand dollars" more than a couple weeks.
He violated his probation several times by not checking in with his court-appointed supervisor (parole officer) and being picked up for curfew violations, but they never called him on it. They sealed his record at 18 because he hadn't committed any other serious offenses. He quit HS and now works at Pizza Hut as a 20-year-old, with no appreciable skills or education.
Funny thing is, our parents were giving him plenty of stuff; new PCs, vidgame consoles, allowance. All they asked in return is that he go to school and study. He just wanted more without having to work for it. Bum.
Story Summary (Score:5)
This story is a huge crock of shit.
Shame on MSNBC for confusing 'crackers' with 'hack (Score:2)
Hackers are people who thrive on being faced with problems and finding clever, innovative solutions to them. Crackers are people who break into computer systems. Confusing the two is like calling every martial-arts student a 'ninja.'
I'm annoyed that MSNBC doesn't understand the difference, and even more peeved that CmdrTaco didn't catch it, either.
Re:*67 has no effect on ISP/Telco logs (Score:2)
A lot of older ISP lines, and even some newer ones from more out of the way places do not have ANI or caller ID.
You can still get the account ID, and maybe the telco can get PEN info, or maybe not.
Or how well indexed the logs are. A big ISP gets over 300 login/logout events per second. You don't want to use a flat text file and grep for that. (Actually that number is about a year old, it may be 600/sec now)
Re:11 is popular (Score:2)
You can do that. As a credit card merchant making a data call at least. You can do a verify for a charge (that doesn't actually make the charge), or a reserve for the charge (which still doesn't make the charge, but eats up credit for something like a day or three, until there is another charge from the same merchant number). You could even make a charge, and then issue a credit (but that costs money). There may even be other things, but that was the set that the two places I had to write software to talk to would do.
Of course that requires a merchant account, and scamming those is probably a lot harder than snarfing up a few AOL accounts :-)
Re:*67 has no effect on ISP/Telco logs (Score:2)
Four years or so ago Sybase couldn't even delete a day's data as fast as it was rolling in. Machines have gotten faster since, and maybe Sybase has too, but so has the call volume (I don't know if Oracle was tried). It ended up being done with Sleepycat's DB B-tree product and a lot of custom code.
I can see a smaller ISP being able to get away with Sybase though. There are economies of scale, and diseconomies of scale too.
Criminal Mind (Score:2)
The "criminal mind" is different from others: they truly believe that they won't get caught. I think neither criminal was really worried about getting caught. They took certain precautions, but it is these precautions that allow them to feel uncatchable.
If this joker... (Score:2)
If that joker is a leet haxor, then so am I.
This was a 15 year old wanking a gullible adult. A real criminal (one smart enough to be making "6 figures") does not brag about his exploits, and certainly does not write diaries to be published on MSNBC.
Hell, for $250, I'll yank that reporter's chain, and give him a better diary, too. Drop me an email, guy, and I'll give you a Great Gatsby-like retelling of how I
"Beware by whom you are called sane."
Re:Yeah, Fort Knox... (Score:2)
Did anyone else notice that the one guy was glad to get the $250 from the reporter so he could go out drinking?
Yes, I definitely think they're embellishing - at least in terms of how much money they're making with these scams. Others have commented that the logs were faked - I think the idea of suddenly getting $250 to go out drinking wouldn't occur to a reporter that hasn't lived down & out for a while - sounds a lot more like some of my friends back in college.
-"Zow"
Re:If more people would fight back (Score:5)
Sounds like spam to me.
It would be nice if (Score:2)
Re:deficiency (Score:5)
Uh... subpoena Anonymizer for logs (by law they have to keep them) then timestamp the occurrences...
Specifically, what law requires you to keep logs?
D
addendum (Score:2)
Re:Shame on MSNBC for confusing 'crackers' with 'h (Score:4)
Says who? Try looking up "hacker" in, say, Merriam-Webster's Collegiate Dictionary. You seem to be under the mistaken impression that small subcultures get to force their own pet definitions on society at large. It works the other way around...words mean whatever the population at large decide they mean. Heck, even the Jargon File admits that hacker was originally used to mean "a malicious meddler" and only recently has that use become deprecated.
Confusing the two is like calling every martial-arts student a 'ninja.'
No, it's more like a subset of karate students (it's only a subset because not all karate students agree with them on this issue) suddenly deciding that, because of the increased media exposure that the movie Karate Kid brought to their subculture they now want to be called "judo-ka" -- and who cares if karate and judo are already in widespread use? -- and then getting their obi in a twist when everyone keeps calling it karate.
Unless you are trying to suggest that there is some innate meaning in the two words completely separate from what society imparts to them.
Re:And the credit card companies just don't care (Score:2)
make a list of all the costs involved with spam -- man hours tracking it down, downtime of mail servers swamped with it, getting yourself out of the RBL, business lost/cost to customers of being RBL'd -- make it as detailed as possible, be realistic, but remember that things like the amount they paid some sysadmin to come in at midnight to fix the mail server 'cos some spammer brought it down counts!
Split this into per-spammer chunks (i.e. maybe each spamming incident costs $250 or something, this is, btw, probably too low an estimate)
find out how much your lawyer costs
compare number-of-spammers times per-spammer-costs to lawyer-costs
if a is greater than b, tell the higher ups.
otherwise, file it and return to it occasionally -- increases in costs or spammers might make it useful eventually
Re:Hmmm. (Score:2)
To confirm this, go down to your local western union and read the 'to send money' form.
Re:GF??! (Score:2)
--
Re:GF??! (Score:5)
-jon
My only point of confusion (Score:2)
How is using a friend's house as a 'drop site' for carded equipment safe? How do they not track it down? Someone explain this to me...
Re:And the credit card companies just don't care (Score:2)
Re:deficiency (Score:2)
All your politician are belong to us.
Dave
If more people would fight back (Score:2)
follow the link in my sig. to find out more about what you can do
Re:I emailed the author of the article. (Score:2)
You can argue all you want, but "hacker" is understood by the general public, but "cracker" is not. In the same light, "Virus" may be something different from a "Trojan Horse", but you tell that to an average computer user and they'll say "huh?" MSN is written towards the general public and while the author may very well know the difference between cracker and hacker, he/she would rightly choose to say "hacker" rather than wasting the reader's time with a paragraph explaining what a cracker is. It is a sign of a good author to target the language to the reader. You just need to accept the fact that the general population isn't interested in learning a billion vocabulary words to make you happy. While it may seem important to you, it's useless trivia to most of the world.
I would argue that the language of hacker and cracker does not even have the meaning you say. You can be a cracker and still be "on the side of good". Crack is actually a very positive word. "That is a crack team." Cracking generally means to "crack open", as in a bank vault, a copy protection scheme etc. It implies an action, not an intent. So a locksmith might be called to crack a safe for which the keys were lost, or I might be consulted to crack a copy protection software scheme and test it for weaknesses before it is released. I consider myself both a hacker and a cracker, but I do not use either talent for evil.
jc @ crack.com (yes, my real email address)
Hackers? (Score:2)
Since when did the term hacker become a catch all for criminals who use a computer? I am absolutely appalled by this. While it is true that words should and will naturally evolve in a language, this is really not the case here.
It seems to me that the author or editor decided to use the word hacker in the title for some sensationalism. This story does not even describe what an average citizen would call a hacker. Most people think of a hacker as someone who infiltrates a computer system. Most people also think that hackers steal information and damage property (e.g. delete or destroy data).
In all reality, a hacker is someone who is extremely skilled with computers. A hacker also has knowledge about how to break into a system. For instance, any system administrator worth a damn is a hacker. That is to say that they are skilled with computers and know how to break into the system. This puts them in a position to keep computer criminals (note the word choice, criminals not hackers) from breaking into the system.
In this article, the computer criminals are just that, criminals. They are simply modern-day scam artists. But hey, "Watch a computer scam-artist work the system" probably doesn't have that same ring to it.
Originally I was going to send an e-mail to Bob Sullivan (the author) but if you do a search for the word hacker on the page you will not find it in his article, only in the headline and in links to other MSNBC headlines. Apparently this is just some editor with his head way up his ass.
That's the third time... (Score:5)
That's the third time I had to enter my credit card info to post to slashdot.
What's up with that?
11 is popular (Score:2)
This bullshit is worse than those hollywood movies showing a 16yr old breaking into the NSA and breaking their strongest encryption in 3mins with a full GUI animation sequence. At least the hollywood bullshit doesn't claim to be true. (It only claims to be entertaining, which is enough lying in itself).
Word GUID (Score:2)
Who is more gullible... (Score:2)
Re:Hackers? (Score:2)
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.
difference? (Score:3)
-------
CAIMLAS
lol rofl BANG! (Score:2)
I swear, if AOLamers actually talked like that, they'd be institutionalized... or shot...
-grendel drago
Re:My only point of confusion (Score:2)
Re:My only point of confusion (Score:2)
Try hard carders (Score:3)
Re: (Score:2)
Re:Bell Sympatico's taking care of this the Bad wa (Score:2)
So lemme get this straight - punk spammers doing direct-to-MX out of port 25, who are easily traced, are blocked, but dirtbags who relay-rape anonymizing Sendmail 8.6 relays in China (traffic to port 25) continue to abuse with impunity?
Fuck, that is clueless.
Re:My only point of confusion (Score:2)
But between the "*67 protects you from being traced", the "I use my friend's house to drop off carded stuff", and all the other things in that article that don't work, I'm kinda glad this article got published.
This article phishes for punk spamming wannabe-thieves in the same way punk spamming wannabe-thieves phish for AOLamer accounts with spams saying "AOL billing needs your password".
I love the smell of roast spammer in the morning... Dawn is but a few hours away.
Re:Huh? (Score:2)
And who do we know from adcops.com?
Why, it's Maurice O'Bannon [google.com]!
What does Maurice do for a living? Why, he's the Treasurer [google.com] of Empire Towers!
And what does Empire Towers do? Why, they're a bunch of spammers [spamhaus.org]!
What an amazing coincidence!
Re:Huh? (Score:2)
Not my research, I just read about it in nanae and followed a few links in google.com.
> I'm off to DDoS adcops.com...
Please don't.
The way to DDoS spammers is to teach all your friends how to read headers so they can report the spammers to their upstream ISPs.
Likewise, teaching your friends to report pump-and-dump spams to the SEC, Nigerian 419 scams to the SS, tax evasion scams to the IRS, quack medicine to the FDA, and Make-Money-Fast to the USPS, is a highly effective way to deny service to the scammers behind the spammers.
Traditional DDoS over a network is (a) illegal, and (b) network abuse, the very thing anti-spammers are trying to prevent. We're the good guys, remember?
But getting the spammer deleted - whether from his network (abuse @ his upstream ISP) or from society (various .GOV agencies wielding heavy LART) - is a much more satisfying way of denying service to spammers. Best of all, it's (a) legal, and (b) prevents network abuse.
The best scam is... (Score:2)
You can just repeat the last few steps... don't even need to change the pictures or the HTML, unless you want to scam the same people over and over. Just make sure to change the name of the site and the name of the management.
I would set up an adult site of my own, but it's too much bother. Oh yeah, and my girlfriend would kill me.
Re:deficiency (Score:2)
>Uh... And how do you suppose you're gonna dial into it?
Maybe using one of the scammed cell phones? It's not hard, not even remotely hard. One laptop (which he talks about getting), and a dongle, and he is all set with a cellphone that is -- somewhat -- untraceable.
>Uh... subpoena Anonymizer for logs (by law they have to keep them) then timestamp the occurrences...
As far as I know, they don't keep logs there *AT ALL*, on purpose.
>.. Boy is this moron sure dumb
Actually, I know a few darker-hat individuals, and this is rather close to their actions. Maybe a few key details were left out for those with less of a clue, but hey, it's not his fault you can't connect the dots.
Re:deficiency (Score:2)
At least in OUR company, that's how it is done.
Sounds like you smoked a little too much while watching the net.
Re:My only point of confusion (Score:4)
For the credit card companies, it's a business decision, in the USA you can only be held liable for $50 in fraud if you report it, so they likely feel it's the consumer's problem to report it.
For law enforcement, it's only a few thousand dollar scam at most, and they are probably more interested in going after murderers and higher profile criminals. If these scam artists don't get too greedy and don't make too much noise, I'm sure they can keep up scams like these for years.
For the internet computer store, it's a tough call, many customers really do buy laptops as gifts or want stuff sent to a different address, are you going to turn away that business?
Here's a typical story from here [scambusters.org].
While I think the stories are probably somewhat exaggerated, I think that there is more truth than many posters have been willing to admit.
- Twid
Hmmm. (Score:4)
Can you really pick up money from Western Union without an ID? I checked their website and their FAQ says:
"You may pick up your money transfer at any Agent location. You will need to complete a "To Receive Money" form with the following information: name, address, telephone number, amount expected, as well as the sender's name, telephone number, city and state being sent from. Valid identification is also required. Some restrictions may apply."
Seems fishy...
I also found this interesting:
"Screw the Feds, they are lazy they won't trace me back that far. Plus I got *67 on, they'll need subpoenas to, and a ton of tracing to even get close to me."
I'm pretty sure *67 doesn't work on some ISDN/PRI Lines (which many ISP's used). I know for a fact it didn't work at a local ISP here (I tested it personally).
Re:Shame on MSNBC for confusing 'crackers' with 'h (Score:2)
I figured that someone would point this out sooner or later. I thought that priests seemed like the professional speechmaker most likely to produce images of good honest people. Especially when compared with the other obvious choice..... Senators.
_____________
Re:Shame on MSNBC for confusing 'crackers' with 'h (Score:3)
These guys aren't even crackers. They aren't breaking into computer systems or anything like that, they just steal credit cards. The only way in which they even resemble a hacker is that they use a computer to do their 'job'. But so do most receptionists. Confusing web con artists with hackers is like confusing real world con artists with priests because both make speeches as part of their work.
_____________
Re:Spammy (Score:3)
According to CNN, it's passed Committee vote and will be sent to the House floor for consideration. A version needs to be introduced and passed in the Senate, the two reconciled, then sent to POTUS.
Here's the text [loc.gov], if anybody's interested. Actually, that's probably a temporary link which will break VERY soon, so you can instead use this link [loc.gov], which should hopefully re-exec the query, and then click 'Full Display'.
It's actually fairly interesting. There's explicit protection for service providers to take 'good faith' efforts to block UCE, which would appear to protect users of things like the real-time black-hole list for mail servers, and what not. And you can't go after them for innocent retransmission, either.
It's probably based on existing telemarketing law, with its references to pre-existing business relationships, opt-out (they need to provide a means for opting out of lists in their UCE, but they don't need you to opt in BEFORE they send the first UCE) and all.
Interestingly, it only refers to individuals. I'm not sure how it applies to UCE from corporations -- for instance, whether the entire company is liable as a whole or just the employee(s) who decided to spam, or whether this could in any way be applied to spam-friendly ISPs.
Obviously faked (Score:2)
I'm sorry, but this has my "bull-meter" pegged at maximum, and here's why:
Regardless of whether you can get cash by Western Union with an ID (which has been touched upon by others), we're supposed to believe this guy didn't just take the money and run? The same guy who has stolen countless credit card numbers, bought thousands of dollars of merchandise, and is "untraceable"?
Please.
Re:Shame on MSNBC for confusing 'crackers' with 'h (Score:2)
Re:If more people would fight back (Score:3)
A lot of my spam now shows that type of disclaimer. (well, it did before I switched accounts). The most common line goes something like:
<BEGIN PASTE>
"Duruing your recent visit to our affiliate, <some fake site>, you "opted-in" to our email promotion campaign to alert savvy web users to outstanding online offers. This is not Spam. We are adhereing to <some fake law>, <some fake section>, <some fake paragraph>, where it states that <what we are doing is compleltely legal, you turd>. If you wish to be removed from this mailing list, plase vist <fake web address> or reply to this email message with only the word REMOVE. <...which won't work, because we forged the headers, haw haw.>
COMPLETELY FREE PENIS ENLARGMENT, PLEASE CALL THIS INTERNATIONAL NUMBER TO ORDER YOUR KIT TODAY!
<END PASTE>
Yeah, Fort Knox... (Score:4)
How much validation is done on these claims of great exploits?
"9:15am Cracked a Brinks truck using my PalmOS hackmaster app called 'cash'."
"9:45am Almost tripped the goons at Fort Knox, but hid in the bushes an extra five minutes. An hour later, a five-nines bullion bar in my backpack, and off for new challenges."
Might this be just a tad bit embellished for the reporter's sake?
Re:And the credit card companies just don't care (Score:2)
w0w!!! (Score:2)
And to think...I thought hackers wrote tight code, and messed with hardware and such. Boy was I ever wrong...it's all in the credit card fraud, banner ad fraud, spamming, and porn! So many wasted nights...
Speaking of nights, what hackers work from 11 am to 11 pm?! And when was somebody going to tell me that netzero and AOL were the ISPs of choice? This article has really opened my eyes, and I'm going to get a few phony email accounts and turn my life around!!
.....*grumble*
Re:Spamming (Score:2)
Follow the money (Score:2)
Why would there be a hoax? Well, hmm. Follow the money. I went to the Adcops site where the original story comes from. Poked there a bit before finding out that to be a member (and read or see the 'Fraud Museum' or other valuable evidence), you need to fork over US$90.
Hmm. Perhaps Adcops did a little hack job of their own to get publicity and increased revenue sales. Ya Think?
Re:deficiency (Score:2)
considering how things worked out for him, i don't know if i would recommend following in mitnick's footsteps...
Does anyone actually believe these people? (Score:2)
Did you know that they have removed the word "gullible" from the dictionary?
Preying on Naivety (Score:2)
Yes, they did work the system, but I don't see anything here to be worried over - people will simply have to learn that you don't give your credit card details out on a whim...
The only thing that does concern me is that people like this provide the powers that be the perfect excuse to attack anonymity...
Ah well - rant over.
Bell Sympatico's taking care of this the Bad way.. (Score:3)
But in typical Bell Canada fashion, they've blocked all traffic emanating FROM port 25, not traffic with a DESTINATION of port 25. So those of us who run SMTP servers for a useful purpose (receiving mail at erik@ is quite useful) are screwed ... and the true spammers will just reconfigure their spambots to send out traffic on port 31337 or something.
If you use Bell Sympatico HSE (I'm in Montreal, but they go over to Toronto, Ottawa, maybe out to BC I don't remember), check out SympaticoUsers [sympaticousers.org]. You'll find the messageboards and announcements quite useful.
--
Can't track?!! (Score:2)
What?! If he can't "track" him how was he able to contact him with the request in the first place?!!!
Such reports by a notable journalist coming from a well known source, MSNBC.com, do nothing but scare the hell out of your average computer users. MSNBC.com would have done a better *service* to its readers if it educated them about how to *NOT* become victims.
---------------
Sig
abbr.
Do not try this you will go to jail. (Score:5)
The first guy collects his money at western unions. This will not work because the feds work with AOL and you will scam a fed who will be at the western union waiting to meet you.
The second guy has his carded mail sent to a friend's house. Whoever signs for this is going to jail. Once the friend gets arrested he will rat him out.
I bet these two guys pulled this off once or twice and wrote about it like it's a day job. If someone stupid falls for it you might make quick cash once or twice. If you keep trying it you will get busted sooner than later.
Re:And the credit card companies just don't care (Score:2)
And the credit card companies just don't care (Score:5)
Now according to this article these people use SPAM as one of their main forms of getting to victims. Hmmm how can we fight this problem?? If we were ALLOWED to enforce our AUP, and our contract that a customer signs then this activity would be less profitable and easier to trace.
For instance, joe/badboy/hacker uses a stolen card, signs up for a throw away account and starts spamming. If joe is using a stolen card a 19.95 gets looked over, but a 500 dollar charge gets noticed. So come on Credit Card people, if we can PROVE it why can't we charge these people for taking up our time, system resources etc. As this article clearly points out SPAM is used very often for illegal practices.
Why won't the credit card companies help us clean up?
Fake ID? (Score:2)
Anyway, I'm not saying you're wrong, it does seem a little fishy, but on the surface the facts seem reasonable enough.
The only "intuitive" interface is the nipple. After that, it's all learned.
Re:deficiency (Score:2)
Excuse me? Since when was any entity required by law to keep logs of anything?!
--
Re:Do not try this you will go to jail. (Score:5)
You know what, though? I'd rather return to the days when the "hip" thing for highschool outcasts to do was warez scams and carding.
It sure beats the current fad of shooting your classmates.
(Lovecraftian emphasis added)
Crackers, not hackers (Score:2)
great fanfic (Score:2)
Welp, I gotta jet. sQu1db0y (a 'hacker') teld me hes gonna score me some perqs. (UNIX 'shell' accounts) Dam. Some days it just feels like the whole worlds smeared with Vaz. (?)
--
oh, please (Score:2)
I thought the ESR fanboys had given up. If all hackers wore a white hat, then why the need for the term 'white hat hacker'? While it's obvious that these guys are not hackers, crackers, or script kiddies by any sense of the word, claiming that 'hackers' are all good guys is ludicrous. Please stop, you're making us all look stupid.
Rate me on Picture-rate.com [picture-rate.com]
It has already been said but.... (Score:3)
Education is the only way to stop this type of thing. heh and castration
________
Re:And the credit card companies just don't care (Score:2)
Re:My only point of confusion (Score:2)
Teenage hacker has dinner with girlfriend? (Score:2)
WTF? (Score:4)
I started laughing when I read that. Most of the rest of it was very funny also. I never thought I would read the words "clever" and "script kiddie" in the same sentence. LOL
Re:Crackers, not hackers (Score:2)
Damn media. Ok, I read the article. All it really shows me is that AOL users are easily duped. Other than being yet another example of how easily script kiddies can work, was there anything informative about that article? I think not.
It may not have been informative for you or most other Slashdot readers, but it wasn't aimed at you. If you notice, the article was posted on MSNBC News, not on Slashdot. It wasn't aimed at informing people who already know about this problem, it was aimed at informing the vast majority of Internet users who aren't aware of this kind of activity.
Sometimes it's easy to forget that 99.9% of Internet users have never even heard of Slashdot and don't have the same background and interest in technical matters that Slashdot readers have.
Re:Yeah, Fort Knox... (Score:2)
No one can steal crap from me...
Sorry, the title forced me to reply....
Re:deficiency (Score:3)
Uhh... No matter how many times you change your number, there is always a record
A little clarification on this:
Almost all large customers of the phone company (i.e. those who have some kind of leased line or ISDN services) have a service called ANI, which stands for (AFAIK) Automatic Number Identification. The *67 service has no effect on whether this acquires your number or not, so you are pretty much screwed if you call in on your own phone line.
The only way I know of to get past ANI is to trick the operator into diverting your call to the number that you wish to call, thereby having the number of the operator (always xxx-0000) showing up on ANI. But, of course, you can't route data calls this way, so you are pretty much limited to either using someone else's line, or doing what Kevin Mitnick did and acquire a different number through the cellular telephone network, although, with the state of cellular networks today, that is considerably harder to do than it was 5 or 6 years ago.
You can really tell this story is fictional, (Score:3)
GF??! (Score:3)
5:30 p.m. I'm going to go meet my girlfriend. Take her out to dinner, go back to her place.
How did he meet this girl? By spamming a whole bunch of E-mail addresses??
Hey, then again...
--
Re:Do not try this you will go to jail. (Score:3)
A lot of people got rounded up for just this sort of naughtiness in the late 80s and early 90s and it changed a lot of things in the underground. The warez d00dz and the carderz and the coderz (phone code guys) all used to be part of the same clique. It was good fun for bored high schoolers everywhere- like I said, this changed.
The FBI made some very prominent credit card fraud arrests due to guys using this exact scheme. The carders were buying computer equipment and hanging out on BBSes with warez doodz. They were also posting CCs to a number of warez BBSes for trading purposes. Unfortunately for the warez dudes who weren't involved with the carders, the FBI found out about the use of the BBSes and infiltrated and raided a huge number of them. When the busts started going down, there was a huge media shitstorm.
Anyway, word got around that carding was a quick ticket into jail, so almost everyone avoided it from then on. Warez is a fun hobby for some (I don't "get it" personally), but these guys aren't looking for jail time. I strongly disagree with the 6 figure salary. Once the CC companies notice a pattern, the feds will be invited in almost immediately. Once they compromise a single carder, they will eavesdrop on his dealings for a while to pick up all his friends. Then they raid. Like Oztun said, this has happened before.
Re:Obviously faked (Score:2)
Re:however... (Score:4)
Re:deficiency (Score:2)
I don't recall the exact name of the law, but I believe the bill in congress was HR1984.
Re:deficiency (Score:2)
Re:Yeah, Fort Knox... (Score:2)
Exactly! And by the way, how come those kids make $4,000 a day when AdCops' Top3 list of cheaters contains a $5,000 fraud guy?
All this is is free advertisement, stupid e-journalism, and ridiculous fiction.
--
"Moderate down and we'll get your balls in Meta-Moderate."
Re:My only point of confusion (Score:2)
Re:WTF? (Score:2)
When I was a beginning programmer, back in the days of yore, we regularly wrote fake-login programs. Some with malicious intent, and some, like me, to see how clean an imitation we could write. Not hard to leave one running, come back in an hour, type KWIT and see how many accounts and passwords I collected. Only caught if there was an admin on duty that night (rarely.)
I have in my email box a fake request to update PayPal account information, very well done, but obvious that it forwarded to an ISP with free accounts and CGI support. The spammer sent this out on a Friday, at the time the staff at the ISP went home. After a few calls to InfoSpace, I knew this ISP (a subsidiary of InfoSpace) didn't have abuse/support staff on call all weekend. A perfect choice and the timing was thoughtful. An entire weekend for the password stealer to collect PayPal accounts from unwitting people.
This diary, if you view it in the correct light, betrays some lack of understanding on the part of the perpetrator, but it would be an error to assume that it's all BS because of the *67 part. People misunderstand many things and a criminal usually gets nabbed when they get lazy. (a la, returning to the scene of the crime, because it worked so good the last time.) Clever in some ways, stupid in others.
--
Re:GF??! (Score:4)
Either dinner was really short, or something else was.
Nah, she charged by the hour and he didn't want to run up the cc bill too high.
This is a joke. (Score:2)
Not real h4><0rs (Score:3)
11:00AM: I just woke up. Apparently I fell asleep while loading slashdot. I reload again.
11:01AM: Reload slashdot. I have a script to reload slashdot for me. I'll be sure to get "First Post" today!
11:02AM: Reload slashdot.
11:03AM: Reload slashdot.
11:04AM: Reload slashdot.
...
Observation... (Score:3)
Obviously, straightforward scams like getting AOL accounts and cc numbers are much more productive than stupid pyramid schemes.
Re:*67 has no effect on ISP/Telco logs (Score:3)
Wouldn't it be because he is supposed to be a great hacker-geek who also has a girlfriend, something NOT seen in real life?
In the real world, Mr. Hacker would be having dinner with his old granny, tops...
Re:GF??! (Score:5)
--
Re:My only point of confusion (Score:3)
OK, some guy on Efnet (an Internet chat area) told me last night he would Western Union me $250 if I wrote a diary of one of my typical days and e-mailed it to him in
Okay...anyone who knows IRC knows what insano things that posers will say in channels. Enough said, just someone say it to a reporter before he does this sort of story again?
He was too stupid to be a Fed.
Ok...maybe that one is credible. If I were a journalist doing a story on something that gets as technical as this topic, I'd have someone backing me up who can smell the difference between truth and what these guys are dishing out.
Um...ok...I don't follow that NetZero is untraceable because it is free. And if he knows it's untraceable, why use anonymizer? Or try to hide his number from logging systems by using *67 (which won't work, btw)? And he talks as though subpoenas are hard to get...fact is, getting a subpoena for a phone number is a piece of cake. All you need to do is file a "John Doe" lawsuit and request an expedited subpoena. The ISP will gladly turn over the information...they have entire departments just for this purpose usually.
By then I'll have a new number. Hell, I go through telephone lines about one every 2-3 months.
Um...dude? Word of warning...the phone companies keep their records longer than that...some of them actually remember your address for upwards of 4 or even as many as 5 or 6 months...amazing huh?
At that point I started tuning out. These guys supposedly are pulling in thousands a month in fraud, yet somehow they have managed to elude capture despite the incredible numbers of mistakes they make in covering up their tracks? This is ludicrous...but the biggest scam is the fact that a reporter got a great story that even got slashdotted, for $250. Too bad it's all lies...it looks as though these two losers really ended up scamming even more people than they claim to.
deficiency (Score:5)
Uh... And how do you suppose you're gonna dial into it?
I use www.anonymizer.com to go to the Yahoo account because I'm paranoid. Hell if anyone's going to get my IP (Internet address). Screw the Feds, they are lazy they won't trace me back that far.
Uh... subpoena Anonymizer for logs (by law they have to keep them) then timestamp the occurrences...
Plus I got *67 on, they'll need subpoenas to, and a ton of tracing to even get close to me. By then I'll have a new number. Hell, I go through telephone lines about one every 2-3 months.
Uhh... No matter how many times you change your number, there is always a record
If I'm super paranoid, I skip Anonymizer and hack me a Wingate. Then the Feds will trace back to one of the lamers' home computers not mine
Boy is this moron sure dumb
Seems to me like the only thing he "hacked" was some dumb ass reporter who was an ass enough to get conned into thinking this e-tard was anyone special or had any talent other than bullshitting.
The media is going ballistic on "hacker" cases these past few months, and I'm starting to think they should be held accountable for promoting this activity, especially when you pay someone to do this (basically).
The media has totally bastardized hacking and those in the computer security field like the hackers at companies like @stake, Neohapsis.com, etc, end up getting bad reputations from morons like this. It's a shame to think people actually pay mind to idiots like this often casting dark shadows on to those that "hack" for just cause, such as fixing issues, e.g., Rain Forest Puppy [antioffline.com], DugSong [antioffline.com], obecian [antioffline.com], etc.
Stupid news [antioffline.com]
4 d4y 1n th3 l1f3 0f 4 h4ck3r (Score:5)
7:20am: Elite hax0r wakes up to prepare for another challenging day of 7th grade.
7:25: Elite hax0r signs onto AOL (computer is never turned off)
7:30: Elite hax0r checks new mail for elite hacking progs and warez
7:40: After 10 minutes of chatting in with the folks in leet, elite hax0r's mom takes the telephone off the hook.
7:55: m0m and elite hax0r are having an argument about wasted time online.
8:00: elite hax0r's dad drops him off at Mitnick Middle School
8:05: elite hax0r enters typing class. this is his elite hacking playground, and he loves to confuse the teacher by pressing num lock, and shouting '3y3 hax0red j00!!!'
9:00: typing class is over, and elite hax0r travels to his history class. No 'puters here, so, he strategically places his copy of 2600 inside his history book and memorizes the 'how to steal stuff' article.
9:30: history teacher catches elite hax0r with the clandestine 2600 and takes it away from him. elite hax0r begins a heart-wrenching spiel about freedom of speech, and his right as a citizen of this country to read his elite 2600 whenever he pleases. he compares this atrocity to the unjust imprisonment of hax0rs everywhere, and takes comfort in his martyrdom. leet is definitely hearing about this tonight.
10:05: elite hax0r goes to english.
10:50: elite hax0r goes to lunch period. here, he sits with his class in the cafeteria and takes his usual spot near the lunchlady's cash register so he can write down people's lunch numbers. This comes in handy, as they could possibly use their lunch number as their AOL password. And if not, it's always really leet to have even the most insignificant 1nph0z.
11:25: elite hax0r goes to pre algebra. today, he makes the kid in the desk next to him ph33r when he types 1134 on the calculator and holds it upside down. he wonders if this is similar to hacking an LED sign like in 2600..?
12:15: elite hax0r goes to science class where he learns about the reproductive system. elite hax0r excuses himself from class where he performs a quick wetware hack.
1:30: elite hax0r gathers his books and stands in front of the school
1:35: elite hax0r is picked up by the small yellow bus with the power lift on the back.
2:00: elite hax0r is dropped off at home, and he rushes inside to sign on and check his mail.
2:30: after 30 minutes online, elite hax0r is forced to sign off and take a nap. Ms. Hax0r can't have her baby getting cranky.
4:45: elite hax0r wakes up, and begins writing his manifesto, which he plans to present to his history teacher tomorrow.
4:47: elite hax0r gets tired of writing and feels like going outside. he and his little brother ride their bikes around in circles in the carport.
5:15: Ms. Hax0r calls the children inside for dinner.
6:00: hax0r children finish dinner, and elite hax0r asks for permission to get online and hack some stuff.
6:05: elite hax0r battles AOL's perpetual busy signal; it's probably just a ploy by AOL to block him from coming online, in ph33r he might hax0r their network.
7:05: elite hax0r continues to hax0r away at AOL's "busy signal"
7:30: finally, elite hax0r crax0rs the busy signal and sneaks his way inside. He checks his mail for leet progs and tries to enter pr 'leet'. But, in another attempt by AOL to bring him down, the room is full (it's really just their $3cur1ty 3xp3rt$ trying to keep him out).
7:40: elite hax0r finally busts into 'leet' in 137 tries. he chats with his homies.
8:00: elite hax0r is still chatting with the leets, when Ms. Hax0r picks up the fux0ring telephone and signs him offline.
8:35: after 20 minutes of crax0ring the "busy signal", in an angered retaliation attempt, elite hax0r steals mom's credit cards and scrolls them in 'leet' and 'phreak'.
9:00: elite hax0r finally finishes scrolling, and takes some time to work on his webpage; http://members.aol.com/Leethax0r/index.html. Here, he posts his new hax0r's manifesto, and lists $houtoutZ to his homies in 'leet' and 'punt', and his main chix0r Annie.
10:00: after an hour of figuring out how to use the AOL webpage software, he grows tired of all this brain work, and signs offline.
10:25: leet hax0r brushes his teeth, puts on his kevin mitnick pajamas, and goes to sleep.
11:00: leet hax0r dreams that he is Dade Murphy, and that he is having wild sex0r with Acid Burn, while hacking the FBI's Main Gibson.
Stupid News [antioffline.com]
*67 has no effect on ISP/Telco logs (Score:5)
I'm pretty sure *67 doesn't work on some ISDN/PRI Lines (which many ISPs used). I know for a fact it didn't work at a local ISP here (I tested it personally).
The "hacker/cracker/bad guy's" comment made me laugh uncontrollably for a few minutes. Having recovered from the initial shock at the stupidity of his comment, I'll share a bit of info as to how hard one would have to dig to find out who he was, or at least where he was calling from:
Note: I work for a national telco/isp, the combination of which greatly helps this process.
1. Find just one of spam boy's emails originating from his "phished" account. The message's headers will be more than pleased to provide you with time stamps.
2. Take the time stamps and userid, and compare them to the logs in the authentication servers (tacacs or radius, normally). These logs should, unless morons set up the system, indicate which NAS (network access server, the box you dial into) was used to log on to the ISP. The NAS should have sent a string to a syslog with connection speed (upstream/downstream), dialed number, and originating number.
3. You *will* have the originating number even if *67 was used. This is because *67 is a feature set for end users which can be disabled/masked, whereas the originating number received on an ISDN PRI has been provided by SS7 signaling, and is mandatory to the system's proper functioning.
4. With the originating number, the local telco will provide the line's physical address. This is assuming that a police officer/investigator/detective makes the request. Of course, there are many free number-to-address directories on the net that could provide this data.
5. All of the above requires about a day, depending on the size of the log files that have to be searched through, and the short delay in getting info from local telcos (they do move quickly if the right person asks).
All this to say that if these guys are getting away with their crimes for the time being, good for them. However, some "cyber crime" unit will eventually do a sweep, grab all of the above info for a bunch of small time operators in a given city, and shut them down. Yee-haw.
Did anyone else notice that bad guy #1 only spent 2 hours at his girlfriend's place for dinner? Not much time...
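The log correlation described in steps 1 and 2 of the comment above, as an added example that is not part of the original post: it takes the sending IP and timestamp from a message's Received header and finds the dial-up session that held that address at that moment. The one-line accounting format, the host names, user names and phone numbers are constructed for illustration; the attribute names are the standard RADIUS ones (RFC 2865/2866), used here in place of the NAS syslog line the comment mentions.

```python
import re
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample data: every name, number and address is a placeholder.
RAW_MESSAGE = (
    "Received: from dialup-17.isp.example (dialup-17.isp.example [192.0.2.17])\n"
    "\tby mx.recipient.example with SMTP; Tue, 27 Mar 2001 03:14:09 -0500\n"
    "From: billing@isp.example\nSubject: Account update required\n\nbody\n")
ACCT_LOG = """\
2001-03-27T07:58:40Z Acct-Status-Type=Start Acct-Session-Id=1A User-Name=jdoe NAS-IP-Address=198.51.100.5 Framed-IP-Address=192.0.2.17 Calling-Station-Id=5550100
2001-03-27T08:31:02Z Acct-Status-Type=Stop Acct-Session-Id=1A
2001-03-27T08:40:00Z Acct-Status-Type=Start Acct-Session-Id=1B User-Name=asmith NAS-IP-Address=198.51.100.5 Framed-IP-Address=192.0.2.17 Calling-Station-Id=5550142
2001-03-27T09:10:00Z Acct-Status-Type=Stop Acct-Session-Id=1B
"""

def parse_acct(log):
    """Pair Start/Stop records by Acct-Session-Id into session dicts."""
    sessions = {}
    for line in log.strip().splitlines():
        stamp, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        s = sessions.setdefault(rec["Acct-Session-Id"], {"start": None, "stop": None})
        if rec["Acct-Status-Type"] == "Start":
            s.update(rec, start=when)   # keep all attributes of the Start record
        else:
            s["stop"] = when
    return list(sessions.values())

def hop_from_message(raw):
    """Return (ip, time) from the topmost Received header (added by our own MTA)."""
    received = message_from_string(raw).get_all("Received")[0]
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received).group(1)
    when = parsedate_to_datetime(received.rsplit(";", 1)[1].strip())
    return ip, when

def match_sessions(sessions, ip, when):
    """Sessions that held `ip` at `when`; a session with no Stop yet still counts."""
    return [s for s in sessions
            if s["start"] is not None and s.get("Framed-IP-Address") == ip
            and s["start"] <= when and (s["stop"] is None or when <= s["stop"])]

def trace(raw, log):
    """Return (user, NAS, originating number) for whoever held the sending IP."""
    ip, when = hop_from_message(raw)
    return [(s["User-Name"], s["NAS-IP-Address"], s["Calling-Station-Id"])
            for s in match_sessions(parse_acct(log), ip, when)]
```

Because dial-up pools reuse addresses within minutes, the match has to be on address and time together, with both sides normalized to the same time zone; in the sample data the same IP belongs to a different subscriber nine minutes after the first session ends.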
I emailed the author of the article. (Score:3)
Bob--
I read your article located at http://www.msnbc.com/news/550567.asp and I found some things that I disagreed with and thought that I would share my ideas with you. I am basing my statements from both my personal knowledge and a thread at
Firstly, I'd like to quibble some semantics with you. These kids are not 'hackers', they are 'crackers'. A hacker wears a white hat. The crackers wear a black hat. As far as that goes, these kids are not even crackers, they are spammers and thieves. They do not bypass system security in any way, they do not have to show any cleverness. Speaking of clever, you say "clever teen-agers, so called 'script kiddies'". Script kiddies are not clever. That is the point of the term. They use scripts that were formatted by someone who possessed skill and they just run them. This is not clever, it is, to use their lingo ' 74m3' (lame).
Secondly, I think that you were had. I think that these were just a couple of bored guys on EFnet who decided to see how much money they could leech from 'the man'. If they are, in fact, making $100k+ a year or anything even close to that (which I doubt), why would they risk jail for a measly 250 bucks? There are, as noted on slashdot, numerous errors and inconsistencies which I won't go into here.
Thirdly, unless you knew this story was false, it seems like you were subsidizing criminal activity by paying these children to steal cc numbers; which is, last time I checked, illegal. A way your article could have helped people, instead of just making AOL users paranoid is to have explained what it was these people were doing and how to know to be suspicious. You could have made a sidebar of the major free e-mail providers and free webspace providers (geocities, yahoo, hotmail, e-mail.com, freeyellow, juno, ad infinitum) and explained how easy it is to get multiple emails/webpages from them. Also, did you do any validation of this story? I could have written a diary for you that would have been written better and more technically accurate. And you could have sent me a check at home instead of bothering with the Western Union subterfuge.
If you would like to contact me, feel free to do so by any of the information listed below.
Brant Pierce
512-xxx-2732
brant.pierce@xxxxxxxx.com
Numeric Paging: 888-536-7251
Text Paging: 5367251@skytel.com
----
This letter represents the opinions of Brant Pierce. It does not represent the views or opinions of xxxxxxxxx Communications, Inc. or any of its subsidiaries.
Brant
PRAVDA - Don't it feel good? (Score:3)