Information Security News mailing list archives

Are Crackers Behind AOL Spree?


From: InfoSec News <isn () c4i org>
Date: Thu, 28 Feb 2002 01:23:50 -0600 (CST)

http://www.wired.com/news/business/0,1367,50697,00.html

By Michelle Delio  
2:00 a.m. Feb. 27, 2002 PST 

America Online users, you have unwanted packages -- due either to the
activities of malicious hackers, aggressive pop-up ads or a sudden
widespread epidemic of shopping amnesia.

AOL has billed thousands of its users for products presented in pop-up
ads after users clicked a "no thanks" button to refuse the offer,
according to a lawsuit filed last week in U.S. District Court in San
Francisco. The charges were made public late Monday.

AOL steadfastly maintains there are no glitches in its shopping system
that could have resulted in the erroneous charges and shipments. Users
insist that they did not mistakenly click "Yes" when they meant to
click "No." So who made the purchases?

A group of hackers who focus on finding security holes in AOL's
systems contend the most likely culprits are a bunch of bored kids who
hacked into AOL accounts, perhaps with the assistance of disgruntled
AOL employees.

Members of this group recently reported two major security holes in
AOL's Instant Messenger program.

Although it's far from certain that kid-crackers are to blame for the
shopping sprees cited in the lawsuit, it's possible that once a
cracker has a user's screen name and password, he can log on as the
account user and order merchandise through AOL's shopping service.  
Products ordered through the service are automatically charged to the
account holder's credit or debit card.

These hackers say AOL passwords are remarkably easy to come by,
claiming that they sometimes gain access to accounts with the aid of
AOL employees who provide information in exchange for a share of the
spoils.

"One guy in AOL's Operations Security told me if I used a hacked
account to get his girlfriend a $700 necklace from Barneys Online he
would get me access to six more accounts," a hacker known as Flyman
said. "What it comes down to is that AOL's biggest security risk is
corrupt employees who will straight up give away info for a price."

But the easiest way to crack an account is by using a password
generator that matches a password to an AOL screen name, hackers say.

"If a password is an actual word, not a healthy mixture of upper and
lower case characters with numbers and even some symbols, it's trivial
to figure out the password using one of the hundreds of AOL password
crackers and password stealers lurking around on the Internet," said a
white-hat hacker known as Mancow.

"AOL doesn't want to burden their users by making their password
system too complicated for John Q. Public, but by refusing to force
users to use strong passwords they have left an important aspect of
security solely in the hands of a possibly clueless consumer," Mancow
added. "If AOL wants to allow users to use simple passwords, the
service should then find some way to verify a users' identity before
allowing products to be charged to the credit card associated with the
account."
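The two points above (a password that is a plain dictionary word or the screen name itself falls to a cracker immediately, while a mix of character classes does not, and a service can enforce that mix as policy) can be seen in a few lines of code. The block below is an added illustration written for this archive, not code from the article or from AOL; the word list, the mangling rules, the SHA-256 hashing of the stored password and the policy thresholds are all assumptions made to keep the demonstration self-contained.

```python
import hashlib
import string

# Constructed word list standing in for the dictionaries a password cracker
# ships with; a real tool carries hundreds of thousands of entries.
WORDLIST = ["sunshine", "password", "letmein", "dragon", "monkey", "qwerty"]

# The four character classes Mancow names: upper, lower, digits, symbols.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(password):
    """Return the set of character classes that appear in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def policy_violations(password, min_length=8, min_classes=3):
    """The policy a service could enforce at sign-up instead of leaving
    strength to the user. Thresholds are assumptions, not AOL's rules.
    Returns an empty list when the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length}")
    if password.lower() in WORDLIST:
        problems.append("dictionary word")
    used = classes_used(password)
    if len(used) < min_classes:
        problems.append(f"only {len(used)} of 4 classes")
    return problems


def _h(text):
    # Assumed storage format: unsalted SHA-256 hex. A real system should use a
    # salted, slow hash; the attack below is about the size of the guess space.
    return hashlib.sha256(text.encode()).hexdigest()


def dictionary_attack(stored_hash, screen_name):
    """A cracker that 'matches a password to a screen name': it tries every
    dictionary word, and the screen name itself, with the simple mangling
    rules (capitalise, append 1 / 123, reverse) such tools apply.
    Returns (recovered_password, number_of_guesses) or (None, guesses)."""
    candidates = []
    for word in WORDLIST + [screen_name.lower()]:
        candidates += [word, word.capitalize(), word + "1",
                       word + "123", word[::-1]]
    for attempt, cand in enumerate(candidates, 1):
        if _h(cand) == stored_hash:
            return cand, attempt
    return None, len(candidates)


if __name__ == "__main__":
    for pw in ["sunshine", "coolguy1", "Tr0ub4dor&3"]:
        print(pw, policy_violations(pw) or "passes policy",
              dictionary_attack(_h(pw), "CoolGuy"))
```

Run stand-alone, the script shows "sunshine" and "coolguy1" failing the policy and being recovered within a few dozen guesses, while the mixed-class password passes the policy and survives the whole candidate list. The guess count is tiny only because the word list is; the point is that the attack cost is bounded by the list, not by the hash.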

AOL spokesman Nicholas Graham declined to comment on any specific
allegations, but agreed it was possible that unauthorized charges for
merchandise could be the work of malicious hackers. AOL will
investigate the possibility, Graham said.

Meanwhile, Graham suggested that AOL users visit the service's
Neighborhood Watch section for security tips.

"Our members have the responsibility to make sure that their passwords
and accounts are secure," Graham said.

"It certainly seems logical that the problem is more likely to have
been caused by hackers, or confused AOL users who perhaps pushed 'Yes,
please' instead of 'No, thanks,' than by a glitch in AOL's shopping
system," said Nathan Cohen, an attorney who specializes in Internet
law. "AOL has about 30 million users now. If there was a glitch, it
should have affected more than the 'thousands' of users that the court
case cites. A glitch should have affected millions of people."

"I can't help but think this is the 2002 version of the old stunt of
sending a dozen pizzas to someone who pissed you off," Cohen added.

AOL hackers admit their more malicious brethren crack accounts because
they are angry at the owner of the account. Once they have access to
the account they typically change the password, "muck around with
e-mail and order stuff," Flyman said.

Sometimes the cracks are random: People with short or "cool" screen
names are also prime targets, according to the hackers.

"Ninety percent of the account hacks that some people do is because
they see a cool screen name and they want to use it," said Solitude,
another hacker.

The warning signs of account intrusion include e-mail that has been
marked as read or deleted that users know they haven't seen, as well
as a sudden spike in account activity, say the hackers.

They also advise users to disable any unused sub-accounts. AOL members
can have six screen names per account, and hackers say seldom-used
screen names are ripe for exploitation.
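The two warning signs the hackers describe (a sudden spike in account activity, and activity on a seldom-used sub-account that should be dormant) are the kind of thing a member, or the service, could check mechanically. The block below is an added example written for this archive, not code from the article or from AOL; the sign-on records are constructed, and the spike threshold (a day with at least five sign-ons and more than three times the earlier daily average) is an assumed heuristic, not a documented AOL rule.

```python
from collections import defaultdict
from datetime import datetime


def _signons():
    """Constructed sign-on log: (screen name, 'YYYY-MM-DD HH:MM'). Not real data."""
    recs = []
    for day in range(18, 24):  # six quiet days, two sign-ons each
        recs += [("JohnQ", f"2002-02-{day} 08:00"),
                 ("JohnQ", f"2002-02-{day} 21:00")]
    # Nine sign-ons in one day: the 'sudden spike' the hackers warn about.
    recs += [("JohnQ", f"2002-02-24 {h:02d}:15") for h in range(1, 10)]
    # A sub-account the member never uses signs on in the small hours.
    recs.append(("JohnQ2", "2002-02-23 03:40"))
    return recs


SIGNONS = _signons()


def daily_counts(records):
    """Map screen name -> {date: number of sign-ons}."""
    counts = defaultdict(lambda: defaultdict(int))
    for name, ts in records:
        day = datetime.strptime(ts, "%Y-%m-%d %H:%M").date().isoformat()
        counts[name][day] += 1
    return counts


def find_spikes(records, factor=3.0, min_count=5, min_history=3):
    """Flag (name, date, count, baseline) where a day's sign-ons exceed
    factor * the average of the preceding days. A baseline needs at least
    min_history earlier days, so a brand-new name is never flagged."""
    flagged = []
    for name, per_day in daily_counts(records).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            prior = [per_day[d] for d in days[:i]]
            if len(prior) < min_history:
                continue
            baseline = sum(prior) / len(prior)
            count = per_day[day]
            if count >= min_count and count > factor * baseline:
                flagged.append((name, day, count, baseline))
    return flagged


def unused_activity(records, unused_names):
    """Any sign-on at all by a screen name the member has declared unused
    is suspicious; the advice in the article is to disable such names."""
    return [(name, ts) for name, ts in records if name in unused_names]


if __name__ == "__main__":
    print("spikes:", find_spikes(SIGNONS))
    print("dormant names active:", unused_activity(SIGNONS, {"JohnQ2"}))
```

The spike check deliberately requires both an absolute floor and a ratio: with a baseline of two sign-ons a day, a ratio alone would flag a single busy evening, and a floor alone would miss a quiet account that jumps from zero. Disabling the sub-account removes the second class of alert entirely, which is why the hackers recommend it over monitoring.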

Cohen said AOL would not likely be held responsible for the types of
security breaches outlined by the hackers.

"AOL is following the practices that are standard in the industry,"  
Cohen said. "I don't know of any commercial service that forces users
to use secure passwords. While you could rightfully argue that the
policies should be changed, I don't see any evidence of negligence."

But should the court find AOL responsible for the fraudulent billing,
the company would be "in a world of trouble," criminal attorney Frank
Anderson said.

"I expect that they'd much rather find out that hackers are rampaging
through their system than to face charges that a bug in their software
is spontaneously billing customers for things they did not order,"  
Anderson said. "But the best outcome of all for AOL would be to
discover that they have a bunch of amnesiac shopaholic users."

 

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

