CIO

Fraud starts after Lulzsec group releases e-mail, passwords

Passwords stolen from Writerspace.com are used to take over Amazon, Paypal and other accounts

Debbie Crowell never ordered the iPhone, but thanks to a hacking group known as Lulzsec, she spent a good part of her Thursday morning trying to get US$712.00 in charges reversed after someone broke into her Amazon account and ordered it.

"They even had me pay for one-day shipping," she said via e-mail Thursday afternoon.

Crowell is one of more than 62,000 people who must now change passwords and keep a close eye on their online accounts after Lulzsec posted their e-mail addresses and passwords to the Internet Thursday. It's the latest escalation in a messy hacking rampage by the anarchic group that's caused damage at Sony, the U.S. Public Broadcasting Service and even the U.S. Central Intelligence Agency.

It's not clear where all of the Lulzsec e-mail addresses and passwords came from. At least 12,000 of them, including Crowell's, were gathered from Writerspace.com, a discussion forum for readers and writers of mystery and romance novels. The site's technical staff is trying to figure out how they were stolen and is in the process of contacting victims, said Writerspace owner Cissy Hartley.

The 62,000 e-mail addresses and passwords belong to victims at large companies such as IBM, as well as in state and federal government. Affected agencies include the U.S. Army, Navy and Air Force, the U.S. Federal Communications Commission, the U.S. National Highway Traffic Safety Administration, the U.S. Department of Veterans Affairs and the U.S. Coast Guard.

Unlike other hacking groups, Lulzsec doesn't seem to have much of an agenda, except to settle a few scores and cause as much chaos as possible. Lulz is hacker speak for the plural of "laugh out loud."

Soon after the accounts were posted Thursday, Lulzsec followers started to say, via Twitter, that they had accessed Facebook, Twitter and online gaming accounts. "I am now a level 85 human warrior on mal'ganis server," wrote one follower, called Miracle Joe, referring to a server used by World of Warcraft gamers.

"Got an Xbox Live, Paypal, Facebook, Twitter, YouTube THE WHOLE LOT! J-J-J-J-J-J-JACKPOT," wrote another follower, Niall Perks. The "idiot had the same password for everything," he later explained.

Others claimed that they'd chatted with friends of the victims or posted obscene photos or messages to their profile pages.

Crowell, a property assessment specialist with the Wisconsin Department of Revenue in Milwaukee, describes herself as a "boring old lady on the Internet." Though she knew better, she reused her passwords, including the one she used at both Amazon and Writerspace.com. "Everyone knows that everyone uses the same password for everything," she said. "You know what you're supposed to do, but do you do it?"

Crowell is right; most people do reuse their passwords, said E.J. Hilbert, a former U.S. Federal Bureau of Investigation agent who is now president of fraud investigation company Online Intelligence. It's a bad habit that needs to change. "You need to use different passwords for different sites. Period. Across the board," he said.

In a sense, Crowell was lucky. The hackers didn't break into her e-mail account. When that happens, things can become much worse because hackers can often access other Web accounts by claiming to have forgotten their password and asking for a new one to be sent via e-mail.

There are often treasures in the victim's sent mailbox and archives. Old e-mail messages often include personal information that can be used in further attacks, and a surprising percentage of e-mail accounts also include nude or embarrassing photos.

Finally, criminals can use the e-mail addresses to send malicious software to military and government employees, in what could be the first stage of a larger attack, Hilbert said. These targeted spearphishing attacks are a big problem for the government and military contractors, and have become a standard way for hackers to break into secure systems over the past half-decade.

"Government e-mail addresses should not be used for non-governmental work, and if they are there's a huge, huge problem," Hilbert said.

Although she knew she was making a mistake by reusing her password, Crowell was still "shocked" when she discovered the fraud. "It's one of the things that you hear about all the time, but you never think it'll happen to you."

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com