- September 11, 2012 |
- 6:00 am |
That may be, but it turns out this wasn’t his first tangle with the law. He describes previous run-ins as he sits cramped, legs and head akimbo, in the passenger seat of my rental car, while we drive around looking for a quiet place to talk. The year before, he’d been arrested after getting caught smoking pot in a bathroom at school. I ask if that was the only other time. He says it was. Then he pauses.
“Oh! And I also got, I guess you could say arrested, in October 2011. Someone called in a bomb threat to my school. They did it every day of the school week, and on the fifth day they said my name. The fifth day they called in and said I had a gun. It was other hackers.”
Cosmo’s name and address — his documents, or “dox” as hackers know them — have long been published online. And it’s meant he’s been a target for both vengeance and lulz — just, you know, because he’s Cosmo the God and one of the more notorious social engineers around.
“Someone also swatted my house,” he tells me, smiling. “It happens a lot to me. Well, the SWAT team was only once at my house, but lots of time with the local police department.” Swatting is a vicious prank where a hacker uses an internet call system to report a hostage situation, which scrambles local law enforcement to the victim’s doorstep.
“Through AOL, you can use AT&T Relay to call the SWAT. It’s for handicapped people. You have to sign up, but it’s easy to sign up. You just instant message the username AT&T Relay and then 911. They ask what’s your location, the emergency. That’s what they did to me. That’s what they did to my school too, because there’s less ways of getting caught.”
Cosmo shrugs at this, like it’s all perfectly normal stuff for a teenage boy. And the thing is, in 2012, it is perfectly normal for a bored teenage boy on the edge of delinquency. Instead of egging cars and swinging bats at mailboxes, he’s breaking into e-mail accounts.
Cosmo got into hacking via online gaming. He grew up on Xbox, and played others online competitively. One day, he was knocked offline mid-match, forfeiting the game. He discovered that this was done via a simple trick, where one gamer turns a script on his opponent’s IP address. He began using this same tactic himself. It was easy and required nothing more than off-the-shelf programs, like Cain and Able. It was a veil lifted.
Xbox gamers know each other by their gamertags. And among young gamers it’s a lot cooler to have a simple gamertag like “Fred” than, say, “Fred1988Ohio.” Before Microsoft beefed up its security, getting a password-reset form on Windows Live (and thus hijacking a gamer tag) required only the name on the account and the last four digits and expiration date of the credit card on file. Derek discovered that the person who owned the “Cosmo” gamer tag also had a Netflix account. And that’s how he became Cosmo.
“I called Netflix and it was so easy,” he chuckles. “They said, ‘What’s your name?’ and I said, ‘Todd [Redacted],’ gave them his e-mail, and they said, ‘Alright your password is 12345,’ and I was signed in. I saw the last four digits of his credit card. That’s when I filled out the Windows Live password-reset form, which just required the first name and last name of the credit card holder, the last four digits, and the expiration date.”
This method still works. When Wired called Netflix, all we had to provide was the name and e-mail address on the account, and we were given the same password reset.
Cosmo says he did not know with certainty Netflix had the information he wanted prior to the call. But his success was an ah-ha moment.
“I figured that if Netflix could score, so could any big provider. Back then, Amazon was easier. And then it got a little bit more security. They made it where you needed the last four of the credit card to reset [a password]. That’s when I figured out you just have to go to fakenamegenerator.com to get a credit card number. So, I would just add the card, hang up, call back, give them the last four and they’d reset it.”
This Amazon method, the same one other hackers used to break into my accounts, was one of Cosmo’s innovations. (Although other hackers also claim to have discovered it independently.) I ask him how he figured out he could pull it off, because it’s as clever as it is devious. He shrugs. “It just came to me.”
Cosmo was soon finding all manner of sources for getting information: Hulu, Buy.com, BestBuy, PayPal, Apple and AOL all offered avenues into others’ accounts, where he could peep in at credit card numbers, addresses and emails. He learned new social-engineering techniques online and likewise passed along what he knew to others. There is a constant information trade back and forth online. IRC and AIM are the user manuals to every back-end customer service system in corporate America.
Meanwhile, he had more time than ever to devote to his particular brand of hacking, also known as socialing. After the bomb threats, he was asked to leave Woodrow Wilson High School in October. He started taking classes at an adult continuing education program where he could complete his degree. But he found it boring. And he had to walk there and back, three miles each way. So in December, he quit.
This meant he was now home all the time, bored. The next month, an online friend of his approached him about joining a new hacking team. The friend was Josh the God, and he was putting together a hacktivist group called UGNazi, with the intention of using their combined skills to protest SOPA and CISPA. Far from being intimidated by the proposed anti-piracy legislation, they were motivated by it. They wanted to attack it and those who supported it. Cosmo’s job was to socially engineer companies that could provide data about their targets.
One of their initial targets was UFC.com–the website of the Ultimate Fighting Championship–in retaliation for its support of SOPA. (They did the same to Coach.com.) Once Cosmo gathered the necessary background information on UFC’s president, Dana White, they were able to get into the company’s account with Network Solutions. Via Network Solutions, they redirected the DNS to one they controlled. Bang.
SOPA, of course, died. But UGNazi lived on. They took down the websites for the states of California and Washington and the cities of New York and Washington D.C. They took out Papa John’s website after it failed to deliver a pizza in a timely manner. They hacked into MyBB.com, the back-end that many websites use to power forums, and then hijacked its domain. They were pure mayhem.
“UGNazi was also remarkable in how they apparently had no limits on who to attack–the U.S. government, CIA, Wounded Warrior etc.” says Hypponen, “and no apparent [sense of] self preservation, which led to their demise. In this regard, UG and Lulzsec were similar.”
The group’s last big takedown was 4Chan. “Josh thought everyone on 4chan was a child molester,” Cosmo explained. But there was more than likely another motivation as well: Lulz. Not to mention huge traffic. If they could redirect 4chan to their own Twitter feed, even for a minute, they would achieve instant notoriety.
Their avenue to jack 4chan was a web services company called CloudFlare that was providing 4chan’s DNS services. (Ironically, UGNazi.com was also a CloudFlare customer.)
The original idea was to take CloudFlare via Network Solutions, something UGNazi done many times before with other companies. They had gotten CloudFlare CEO Matthew Prince’s dox and had all the information they typically needed to hijack a NetSol account. But they hit a snag: Prince had a two-step security mechanism on his account. They needed a device-specific PIN code that they couldn’t get. But they had been able to ascertain that Prince’s phone number was on AT&T, which meant they had another avenue of attack: his Google email, which used that AT&T number as an account recovery option.
Security is only as strong as its weakest link. And in this case, the weak link was AT&T. If UG Nazi could get to Prince’s phone, which was his backup mechanism, they could get to his Google account. And to get to his phone, they just needed his Social Security number. That sounds like it’s a tough thing to get. It’s not.
Social Security numbers are freely bought and sold online, not on hidden Tor sites or via some dark back alley, but on the open Web in broad daylight. The cost to buy a Social Security number and date of birth on one Russian site Cosmo referred us to, for example, is $3.80, payable via an alternative currency favored by carders called Liberty Reserve.
Once they had Prince’s Social Security number, it was time to manipulate AT&T’s customer service.
“First we called AT&T to forward [Prince’s] cell phone number to Google Voice. We did that, and the lady said ‘alright what’s your name?’ And Josh said ‘Matthew Prince.’ And the lady said, ‘what’s the last four digits of your SSN?’ And Josh gave the full SSN anyway. And she was like ‘alright what’s the phone number you want to forward it to?’
“He gave her the Google Voice number, and it was forwarded.”
Cosmo initially said UGNazi used text message forwarding, which both Google and Prince say is not the case. Furthermore, while Wired was able to set up a forwarding number in the manner Cosmo described, we were not able to forward text messages to Google Voice from AT&T. Voice yes, text no. It’s the one glaring inconsistency in everything Cosmo reported. When I asked him about it again, via AIM, he replied “maybe it’s just voice for them then.”
As Prince described the attack to Wired, his personal Gmail address was the backup address for his corporate Google Apps email. Although he had two step on the corporate account, he did not have it on the personal one. Furthermore, his phone number was the account-recovery option on that personal address. So UGNazi sent an account recovery request to his phone, which was forwarded to their number, and then used it to take over his personal Gmail.
“Once they were in that, they used it to get into my corporate email by doing an account recovery, which was sent to my personal email,” says Prince. “Even though I had two-factor authentication on, for this one account-recovery procedure, Google didn’t verify any out-of-band system. They just sent the email to my personal Gmail and then, once they were in that, they were able to get into my personal email.”
Google says this type of attack is no longer possible. A Google spokesperson gave Wired a statement noting “We fixed a flaw that existed in the account recovery process for Google Apps for Business customers under very specific conditions. If an administrator account that was configured to send password reset instructions to a registered secondary email address was successfully recovered, 2-step verification would have been disabled in the process. This could have led to abuse if their secondary email account was compromised through some other means. We swiftly resolved the issue to prevent further abuse.”
Ultimately, the end result was that UG Nazi was able to bypass the Google two factor and gain access to Prince’s CloudFlare’s email and then admin tools. They were then able to redirect 4Chan’s DNS to point to their own Twitter account. The hack lasted mere minutes, but given 4chan’s traffic volume, it was enough. It was extremely high profile, and UG Nazi was now basically the most notorious hacking crew of 2012.
People Are The Key to Every Lock
As he did with Prince and CloudFlare, Cosmo accomplished many of his feats by going after individuals associated with organizations UG Nazi was targeting. He would gather little bits of information here and there, collecting dox data from various online services, like addresses and credit card numbers, until he had what he needed to launch an attack. Often, he did that by calling a company’s tech support system and pretending to be a worker in another department. Sometimes he was able to pull that off by learning intimate details of a company’s back-end systems.
“I had a friend who installed a remote access tool on a Netflix computer. When [the Netflix employee] was AFK–not at the computer–he could use that computer. From there he took a bunch of screenshots, and saw the [support] tool was called Obiwan.”
Cosmo couldn’t actually use Obiwan himself because he didn’t have a Netflix IP address. But that didn’t matter. He just needed to know what the back end looked like.
“You have to impersonate a Netflix agent. So you call up and say ‘Hey, my name is Derek. I’m from Netflix Canada and I’m having a technical difficulty with Obiwan. Can you look something up for me?’ Then you say the email, the name, the billing, and then you ask for the last four. Then you just call back and reset their password.”
And that’s the secret. When Cosmo calls a company pretending to be an employee, he doesn’t wait for them to ask for details. He tells them all the person’s data he has up front. If he knows three pieces of a puzzle and just needs the fourth, he gives them those first without waiting to be asked for them. That way he demonstrates a knowledge of the system, disarming the person on the other end of the line and making them less likely to question his authenticity.
Cosmo sometimes even provides details that he knows tech support doesn’t need. For example, if a tech support requires only the zip code on file, he’ll provide the full address anyway. It makes him appear more knowledgeable and less likely to be questioned. That’s classic social engineering.
“You can pretty much do it at any company–impersonate an agent,” he shrugs and smiles. “Most people will fall for it unless they’ve been trained not to. But most companies aren’t doing that.”
Some of his techniques are incredibly complicated and involve multiple levels of social engineering, like the method he developed for getting into PayPal.
The inside of a PayPal account is a trove of information for social engineers. Once logged in, you can see the last four digits of someone’s credit cards and bank accounts, and their current billing address. That information can, in turn, be used to obtain password resets on all sorts of other sites. More nefariously, once inside someone’s PayPal account, you can flat out rob them.
Cosmo explained exactly how it is done.
“You have to add a bank account. You can make a virtual bank account on eTrade.com with info from FakeNameGenerator.com.”
Wired verified that it’s possible to create online bank accounts with automatically generated information–although we were also required to enter a driver’s license number, which we got via a second site, using the information from FakeNameGenerator.
“You call PayPal, and you have to have the last four of a payment method. You can get that from Amazon or you can impersonate a PayPal agent. They access your account from the last four. You tell them you want to add a phone number, and you add a Google Voice number. And then you say, I also want to add a new bank account I just got. And they add that for you.
“Then you hang up, go to PayPal.com, and go to Reset My PayPal Account. It says send to a phone number and shows the last digits. You pick your Google Voice number, and then it [calls] your phone. You enter that, and you go to a new page of verification that says please enter your full bank account with routing number. You just add the bank account number you made with E-Trade. And once you click next, it prompts you to create a new password.”
Wired was able to replicate this method and receive PayPal password resets. After we disclosed the issue to PayPal, the company closed this security hole. PayPal’s director of communications, Anuj Nayar, told Wired this was a temporary issue caused by product testing that was accidentally left open and had now been closed.
Wired’s subsequent tests found this to be the case, although we could still add a phone number to an account, PayPal would no longer send a password reset to it until it had been verified by logging in.
Cosmo was still sleeping when the police arrived at his apartment. Officers and a detective with the Long Beach Police Department searched his home and seized three of his netbooks and his iPod Touch. They put him in handcuffs and refused to let him change clothes out of the shorts and t-shirt he’d been sleeping in the night before. Then they took him to the Los Padrinos Juvenile Hall, where he spent the next two days.
They raided his grandmother’s home, too.
“I was in the bathroom and I heard some guys talking,” she says. “When I opened up the bathroom door there was this cop standing right at the door. He stood right inside this door and it startled me. He took me by my arm and told me to come in and sit down. I sat down and the three cops were standing over there and they just stood there. I was startled and some cops walked by with Derek, and he was handcuffed.”
Cosmo suspects the raid was tied to UGNazi’s participation in the WHMCS credit card dump, when they dropped a half million credit card numbers on the open Web, and not the CloudFlare hack that ultimately landed UGNazi on the FBI’s hit list. Still, he expressed remorse for what had gone down with Prince and for people who were still having accounts compromised via methods he pioneered.
“I called Matthew Prince the night before [the hack],” Cosmo told me. “I was going to tell him about it. I called through AT&T relay and he hung up on me. I was just going to let him know, ‘Your site’s about to get hacked.’ Josh was going to do it anyway, but…”
Did Cosmo really try to warn Prince? Prince confirms that he did get several calls via an AT&T relay the night before. And while a warning may seem far fetched, it would not be completely out of character.
For example, I was hacked long after Cosmo was arrested and had lost his ability to do any more damage. Yet he managed to learn about how it was done and attempted to relay that information to me via Mikko Hypponen, whom we both follow on Twitter. It was too late, but, still, he made the effort.
And then there’s the question of why he’s speaking to me at all. Why he’s essentially incriminating himself before he goes to trial. He ultimately reached me via Phobia, the guy who hacked me. Phobia said Cosmo wanted to tell me about a specific AOL account hack that they wanted closed. From my first interaction with Cosmo, weeks ago, through today, he has maintained this was his motivation for talking.
The method Cosmo described for taking an AOL account away from its owner is distressingly simple. Worse, multiple hackers described the AOL exploit as ancient and well known. In short, it takes nothing more than someone’s name and address to take over their AOL email.
To get a password reset on a free AOL email or chat account, all one needs to give the over-the-phone tech-support worker is the first and last name and zip code on the account. For a paid account, AOL asks for either the address or the last four digits of the credit card on file.
Cosmo tells me this casually, while drinking water from a plastic bottle. I stare at him.
“Yeah…. that’s all you need to do.”
Wired was able to confirm this and received password resets on both paid and free accounts, despite being being unable to answer account security questions. In some cases, we even deliberately provided incorrect answers. After we informed AOL, it quickly halted issuing password resets over the phone.
“We looked into the matter and found that there was, in fact, a gap in our phone support processes,” AOL’s Senior Vice President for Mail and Mobile David Tempkin informed Wired via email. “We addressed the problem immediately, and as of today, AOL users are better protected — it’s no longer possible to hack into an account via a phone-based password reset.”
As a direct result of Cosmo coming forward, PayPal and Aol changed their account security procedures. For me, this only adds to his enigma.
I wonder how much of everything else Cosmo has told me is true. The only thing I am certain of is that online security is an illusion. But I think he is being honest now. I think he’s genuinely remorseful and just wants all these gaping account holes, many of which he found or helped publicize, closed at last before anyone else has their identity stolen, or the SWAT team sent to their door. That’s what I believe, at least.
But then, he’s a very, very good liar.