How the FBI investigates the hacktivities of Anonymous
On September 19, 2008, hackers from the Anonymous collective attacked the website of Fox News host Bill O'Reilly. The hackers found and immediately posted e-mail addresses, passwords, and physical addresses of 205 O'Reilly site members paying $5 a month to hear Bill's wisdom. The next day, a distributed denial of service (DDoS) attack hit the site with 5,000 packets per second. That night, another attack flooded two O'Reilly servers with 1.5GB/s of data.
The site member data was put to use by hackers immediately. One woman suffered $400 in fraudulent charges; as an interview with the FBI would later make clear, these were purchases for things like "penile enlargement." Like many Internet users, the woman had used the same e-mail address and password for many online accounts, including PayPal. AOL, and Facebook, which gave the attackers access to many aspects of her online life.
The woman's AOL account was used to "send e-mail of three men performing oral," according to FBI interview notes, with the offending message purporting to come from "John McCain." Her Facebook account was also hijacked "and lewd photos of naked men were posted," along with the Anonymous tagline: "We do not forgive, we do not forget." The woman had to cancel credit cards and close bank accounts, though she did manage to get the fraudulent charges reversed.
By the time the fiasco was over, Billoreilly.com claimed $10,000 in losses after refunding site membership fees and offering affected users an extra year of service. Beyond the O'Reilly hack, Anonymous calls, apparently made to another Fox personality, said "they are going to rape her." An interview with the website admin showed that his "family is being threatened." Fox corporate security, the NYPD, and the FBI were all dragged into the case.
Hard to find
As Anonymous attacks go, the Bill O'Reilly episode was small-scale. But that's precisely why it's interesting. How frequently are such operations legitimate "hacktivism" and when are they merely vandalism and fraud? How does law enforcement respond? And is anyone arrested?
Thanks to a Freedom of Information Act request by Ars Technica, we now have an inside view of the FBI response to these minor incidents. Case documents (PDF) provided to us by the FBI show that the Los Angeles office requested permission to open an investigation on September 22, 2008—the next business day after the incident. The Bureau moved quickly to send “preservation letters” to Facebook and relevant Internet service providers, asking that they retain log information regarding the attack that might prove useful in the investigation.
That Monday afternoon, agents were already interviewing a victim in the case, the woman whose accounts had been compromised. According to interview notes, the attackers used her Paypal account to make two purchases of $119 and $140, then moved to eBay, Amazon, and a flower company. The electronic purchase confirmations from those sites were then sent, using the woman's e-mail account, to her entire list of contacts "in order to embarrass" her and her husband.
Lewd photos came next, sent by e-mail and posted to Facebook, but it was a Facebook wall posting that provided a motivation for the attack. Former Vice Presidential candidate Sarah Palin's Yahoo e-mail account had recently been hacked, and Bill O'Reilly had taken to his TV to denounce the attackers, whom he wanted to "go to prison for a very long time." O'Reilly expressed absolute confidence that the perpetrator of that hack would be caught (and he was), but went on to make clear his belief that catching such people was simple for the FBI. After all, they leave digital fingerprints everywhere, right? The segment angered Anonymous, which then attacked O'Reilly's website in retaliation; the Facebook posting made this clear.
But finding the offenders proved difficult. The attack itself wasn't particularly clever, but it was effective. Billoreilly.com's administrative interface was protected by a servlet that locked down access to all back-end material, but the site administrator made one small mistake: he once created a "New premium member report" showing a list of the most recent subscribers, and he created it in such a way that it bypassed the servlet. As later FBI interview notes show, this was "just an error"—but it made the new member report available outside the secure admin structure to someone who knew the location.
The feds surmise that attackers found the URL for this new members page by running a dictionary attack on the admin subsection of the site, looking for insecure addresses. "Logs show various IPs exploring the path of the administrative section looking for pages not under the servlet's control,” say FBI notes. Attackers hit a jackpot when they found the unprotected URL and suddenly had access to the most recent five days of new member info, which gave them 205 addresses and e-mails.
The attackers took the name at the top of the list, an account registered only one hour before, and used it to log into the O'Reilly site as a check of the data's accuracy. The information was then posted to Wikileaks and discussed on 4chan. Three O'Reilly members who had used the same password on multiple other sites experienced additional fraudulent use of that information. 4chan also hosted real-time discussion of the DDoS attacks that later hit O'Reilly's site.
Despite its preservation letters, the FBI couldn't get its hands on useful data about the attackers. The DDoS attack on O'Reilly's site failed to bring it down, but it did provide the FBI with IP addresses of the offending machines. The Bureau took the top three addresses and looked into them. Two came from outside the US and were not pursued; the third belonged to a Web hosting company in the US which it knew nothing about it.
As for the new members page, the IP address of the machine that found it belonged to a proxy service. The FBI was able to trace the trail from the proxy service back to a second proxy service called Vtunnel, but there the trail went cold. "Vtunnel did not have the IP address logs for the date and time of the incident," noted the FBI.
On October 24, one month after opening the investigation, the FBI's Los Angeles field office recommended its closure.
Not so hard to find
In plenty of other cases, though, the FBI has arrested attackers. In 2010, a 23-year-old hacker was arrested for attacking O'Reilly's site in 2006 and 2007. As the Los Angeles Times noted, agents "eventually raided Frost's dorm room seizing a disc, which had been hidden above a ceiling tile, that stored credit card account numbers, card holders social security numbers, and information pertaining to their personal bank accounts." O'Reilly claimed $40,000 in losses from that episode, mainly due to refunds.
And the FBI has come down hard on Anonymous in particular, going back to the collective's days of harassing Scientology. The FBI stepped up operations after the group last year attacked websites of Visa, Mastercard, and PayPal. Earlier this year, the agency executed more than 40 search warrants around the country. The FBI is apparently working off a list of the 1,000 top DDoS IP addresses in those attacks as it hunts down those responsible. And the UK recently arrested the young man believed to be "Topiary," who functioned as the voice of Anonymous and a spin-off group called LulzSec and was involved in the HBGary Federal debacle earlier this year.
One line of argument used to suggest that Anonymous was shepherded by hackers who knew how to cover their own tracks, but who had no qualms about inciting groups of preteen hacker wannabes to participate in DDoS attacks, with little attention paid to security. This narrative, which may have some truth to it, suggested that the authorities could only pick up low-level LOICers in their raids. The O'Reilly and HBGary Federal cases certainly remind us that some Anons are great at hiding their tracks, but the more recent large-scale spate of search warrants and arrests—even of high-profile people like Topiary—suggest that the authorities aren't stymied quite as easily as they were in 2008.
Some of that is certainly due to more resources being thrown at Anonymous as the group escalated its activities in 2010 and 2011 (the HBGary Federal hack made worldwide headlines and even generated Congressional interest). What's next for the cat-and-mouse game? Given the scope of FBI search warrants, we're guessing that a major crackdown is brewing—though the Bureau refused to share information with us on Anonymous cases in progress.