Fraud starts after Lulzsec group releases e-mail, passwords

Passwords stolen from Writerspace.com are used to take over Amazon, Paypal and other accounts

Debbie Crowell never ordered the iPhone, but thanks to a hacking group known as Lulzsec, she spent a good part of her Thursday morning trying to get US$712.00 in charges reversed after someone broke into her Amazon account and ordered it.

"They even had me pay for one-day shipping," she said via e-mail Thursday afternoon.

Crowell is one of more than 62,000 people who must now change passwords and keep a close eye on their online accounts after Lulzsec posted their e-mail addresses and passwords to the Internet Thursday. It's the latest escalation in a messy hacking rampage by the anarchic group that's caused damage at Sony, the U.S. Public Broadcasting Service and even the U.S. Central Intelligence Agency.

It's not clear where all of the Lulzsec e-mail addresses and passwords came from. At least 12,000 of them, including Crowell's, were gathered from Writerspace.com, a discussion forum for readers and writers of mystery and romance novels. The site's technical staff is trying to figure out how they were stolen and is in the process of contacting victims, said Writerspace owner Cissy Hartley.

The 62,000 e-mail addresses and passwords belong to victims at large companies such as IBM, as well as in state and federal government. Affected agencies include the U.S. Army, Navy and Air Force, the U.S. Federal Communications Commission, the U.S. National Highway Traffic Safety Administration, the U.S. Department of Veterans Affairs and the U.S. Coast Guard.

Unlike other hacking groups, Lulzsec doesn't seem to have much of an agenda, except to settle a few scores and cause as much chaos as possible. Lulz is hacker speak for the plural of "laugh out loud."

Soon after the accounts were posted Thursday, Lulzsec followers started to say, via Twitter, that they had accessed Facebook, Twitter and online gaming accounts. "I am now an level 85 human warrior on mal'ganis server," wrote one follower, called Miracle Joe, referring to a server used by World of Warcraft gamers.

"Got an Xbox Live, Paypal, Facebook, Twitter, YouTube THE WHOLE LOT! J-J-J-J-J-J-JACKPOT," wrote another follower, Niall Perks. The "idiot had the same password for everything," he later explained.

Others claimed that they'd chatted with friends of the victims or posted obscene photos or messages to their profile pages.

Crowell, a property assessment specialist with the Wisconsin Department of Revenue in Milwaukee, describes herself as a "boring old lady on the Internet." Though she knew better, she reused her passwords, including the one she used at both Amazon and Writerspace.com. "Everyone knows that everyone uses the same password for everything," she said. "You know what you're supposed to do, but do you do it?"

Crowell is right; most people do reuse their passwords, said E.J. Hilbert, a former U.S. Federal Bureau of Investigation agent who is now president of fraud investigation company Online Intelligence. It's a bad habit that needs to change. "You need to use different passwords for different sites. Period. Across the board," he said.

In a sense, Crowell was lucky. The hackers didn't break into her e-mail account. When that happens, things can become much worse because hackers can often access other Web accounts by claiming to have forgotten their password and asking for a new one to be sent via e-mail.

There are often treasures in the victim's sent mailbox and archives. Old e-mail messages often include personal information that can be used in further attacks, and a surprising percentage of e-mail accounts also include nude or embarrassing photos.

Finally, criminals can use the e-mail addresses to send malicious software to military and government employees, in what could be the first stage of a larger attack, Hilbert said. These targeted spearphishing attacks are a big problem for the government and military contractors, and have become a standard way for hackers to break into secure systems over the past half-decade.

"Government e-mail addresses should not be used for non-governmental work, and if they are there's a huge, huge problem," Hilbert said.

Although she knew she was making a mistake by reusing her password, Crowell was still "shocked" when she discovered the fraud. "It's one of the things that you hear about all the time, but you never think it'll happen to you."

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com
