Friday, August 19, 2011

FBI vs. Anonymous: Captures and Evasions

Anonymous is known for its zany activities on the internet, including the 2008 event when Bill O'Reilly's website was hacked and a database of users was swiftly put to use. Many a dragon dildo and penile enlargement program was purchased. $10,000 in losses was claimed by the end of the day.

This was on a much smaller scale in terms of the overblown publicity "Hacktivism" (what a stupid ass word) gets these days, especially if it has the name "Lulz Sec" or "Anonymous" associated with it.

How simple is it for the FBI to catch one of these "intruders" (as we will call them in an attempt to remain neutral)?

Finding them is hard. In the instance of one of Bill O'Reilly's site hacks, the intrusion itself was very simple. Billoreilly.com's administrative interface was protected by a servlet that locked down access to all back-end material, but the site administrator made one small mistake: he once created a "New premium member report" showing a list of the most recent subscribers, and he created it in such a way that it bypassed the servlet. As later FBI interview notes show, this was "just an error", but it made the new member report available outside the secure admin structure to anyone who knew the location.

The feds surmise that the attackers found the URL for this new members page by running a dictionary attack on the admin subsection of the site, looking for insecure addresses. "Logs show various IPs exploring the path of the administrative section looking for pages not under the servlet's control," say the FBI notes. The attackers hit the jackpot when they found the unprotected URL and suddenly had access to the most recent five days of new member info, which gave them 205 addresses and e-mails.
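As an added illustration (not from the original post or the FBI notes), the following Python script runs the kind of log review the FBI notes describe over constructed Apache-style access log lines: it flags source IPs that request many non-existent paths under an assumed /admin/ prefix, and for each such IP lists admin paths that answered 200 rather than redirecting to login, which is the signature of a page sitting outside the servlet's control. The /admin/ prefix, the page names and the IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined format (IPs from the RFC 5737
# documentation ranges; the /admin/ page names are assumed, not the real site's).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Aug/2011:10:01:02 +0000] "GET /admin/index.jsp HTTP/1.1" 302 0
203.0.113.5 - - [19/Aug/2011:10:01:03 +0000] "GET /admin/users.jsp HTTP/1.1" 404 210
203.0.113.5 - - [19/Aug/2011:10:01:04 +0000] "GET /admin/reports.jsp HTTP/1.1" 404 210
203.0.113.5 - - [19/Aug/2011:10:01:05 +0000] "GET /admin/backup.jsp HTTP/1.1" 404 210
203.0.113.5 - - [19/Aug/2011:10:01:06 +0000] "GET /admin/newmembers.jsp HTTP/1.1" 200 8841
198.51.100.7 - - [19/Aug/2011:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [19/Aug/2011:10:02:01 +0000] "GET /admin/index.jsp HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_admin_enumerators(log_text, admin_prefix="/admin/", threshold=3):
    """Flag IPs that hit at least `threshold` distinct missing (404) paths under the
    admin prefix, i.e. path guessing. For each flagged IP also list admin paths that
    returned 200 instead of the 302-to-login a servlet-protected page would give."""
    misses = defaultdict(set)
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(admin_prefix):
            continue
        if rec["status"] == 404:
            misses[rec["ip"]].add(rec["path"])
        elif rec["status"] == 200:
            hits[rec["ip"]].add(rec["path"])
    return {
        ip: {"misses": sorted(paths), "hits": sorted(hits[ip])}
        for ip, paths in misses.items()
        if len(paths) >= threshold
    }
```

On the sample above only 203.0.113.5 is flagged, with /admin/newmembers.jsp listed as the one admin page that served content without a redirect; a real review would also tune the threshold and window to the site's normal admin traffic.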

The DDoS attacks on the site gave the FBI the IP addresses of all traffic coming into the site.
The FBI took the top 3 addresses. Two were outside of the US, which forced them to drop those leads. The third belonged to a web hosting company in the US that, on investigation, knew nothing of the event.

The IP addresses of the users who accessed the new members page belonged to a proxy. The FBI traced those addresses to a second proxy, Vtunnel, where the trail went cold, as it did not provide the IP address logs for the date and time of the incident.

While that instance was an example of getting away with insurgency, there are many others who are not knowledgeable enough to mask themselves properly. One example is a 23-year-old who was arrested in 2010 for intrusions on O'Reilly's site in 2006 and 2007. The FBI raided his dorm room and found a disk containing credit card numbers and other information hidden in a ceiling tile.

The FBI has recently issued over 40 warrants in the US alone to search for individuals involved in the DDoSing of Visa, MasterCard, and PayPal.

What this suggests is that the higher-skilled individuals tend to be the ones shepherding the knowledgeable hacker wannabes into performing the low-level attacks. These n00bs don't know how to cover their tracks and are the ones caught in these events, without a care from the higher-ups. This is most common in LOIC-related events.

The FBI has not disclosed whether or not more raids and searches on suspected members are in the works.

3 comments:

  1. Seconded.

    He is also too juicy a target to miss.

  2. I would expect it to be easier for the FBI to find these users hacking/ddosing big company sites.
