Hijacked by Spammers

by Brian McWilliams, author of Spam Kings

Since you visit the O'Reilly Network, it's safe to say you're a savvy internet user. If you're running Windows, chances are good you've got antivirus software and aren't vulnerable to the numerous internet worms designed to turn PCs into spam zombies. You surely aren't gullible enough to respond to phishing scams that try to steal your account information.

So, no way is some spammer going to hijack your internet account and use it for sending junk email, right?

Well, that depends on how susceptible you are to what might be called the Paris Hilton Attack. Ms. Hilton, as you may have heard, relied on an extremely weak password and "secret question" to protect her T-Mobile Sidekick account. You know how things turned out for the heiress and actress.

Although it didn't make the front page of the Drudge Report like Hilton's hacking, apparently many users of BellSouth's internet service were victims of similarly flimsy passwords.

Earlier this month, the Atlanta-based ISP announced that a Florida man admitted to hijacking dozens of BellSouth user accounts in early 2002 to send millions of spams. A court recently sentenced Charles Frye, 26, to a year in prison followed by six years of probation, during which he is prohibited from using computers.

According to court papers, Frye used a popular password-cracking tool called WWWHack to hijack BellSouth customers' accounts. The program comes with a dictionary of common usernames and passwords that it cycles though and, by trial and error, attempts to find combinations that are accepted by the server. After gaining access to user accounts, Frye apparently sent out large batches of spams for cell phones and web design services, the majority of which were aimed at America Online customers.

Frye's hijacking technique enabled his junk emails silently to slip by AOL's anti-spam blacklist, since they emanated from BellSouth's outbound mail servers and not from rogue machines. But two things nonetheless made Frye a noisy spammer.

Related Reading

Spam Kings
The Real Story behind the High-Rolling Hucksters Pushing Porn, Pills, and %*@)# Enlargements
By Brian McWilliams

First, he forged his messages so they bore return addresses belonging to, the big computer publishing company. Second, he used mailing lists containing a large number of invalid AOL accounts. As a result, IDG was flooded by so many "bounce" messages from AOL that its mail servers crashed, according to court documents.

As BellSouth began investigating the case, one of the ISP's tech support reps posted an urgent warning to a customer newsgroup: "Account hijacking is a real threat to your security and internet access. Please DO NOT use the same password as your user name."

BellSouth's security team subsequently discovered that whomever was accessing the hijacked accounts had dialed in from a handful of phone lines in the Daytona Beach area. The lines turned out to be registered to Phone Pros Incorporated, a company Frye ran with a couple of partners. It wasn't long before police were at Frye's doorstep, and his clever spam campaign was over.

Security experts are of mixed minds about whether the hijack technique used by Frye in 2002 still presents a significant threat today.

Dominique Brezinski, a security analyst with Black Hat, Inc., says the ability to evade blacklists makes account hijacking an attractive option for desperate spammers. What's more, many ISPs today remain vulnerable to brute-force password guessing. According to Brezinski, few websites monitor the rate of failed logins or take other countermeasures against such attacks.

"The result is that ISP account hijacking will remain a good target for criminal spammers," concludes Brezinski.

Some spammers don't bother with hijacking, and instead just sign up for ISP accounts using stolen credit cards. A few years ago, Buffalo spammer Howard Carmack sent over 800 million spams using some 340 accounts he created at EarthLink with stolen credit cards and bank account information.

But why hijack just an ISP account when you can take over the whole PC? That's the question from Dmitri Alperovitch, a research engineer with CipherTrust, Inc. Alperovitch believes that spammers are likely to continue their reliance on malicious software that turns innocent users' computers into remotely controlled spam factories.

"I think it's lot easier to use viruses and Trojans, because you can get a lot more interesting information than just ISP accounts. You can find bank account information and other data that's worth a lot on the black market," says Alperovitch.

Still, spammers appear to be diversifying their techniques in hopes of staying ahead in the cat-and-mouse game. Insiders at one major ISP say spammers have recently been sending huge blasts of spam from free web mail systems such as Hotmail. The spammers use scripts to sign up for thousands of accounts, and then fire off as many messages as possible from each one without triggering the system's spam alarms.

To combat this approach, web mail providers have been trying to secure the account sign-up process through CAPTCHA systems and other techniques. But recent anecdotal reports suggest that clever spammers are recruiting unknowing visitors to pornography sites into answering the CAPTCHA challenges in order to gain access to porn.

As for BellSouth, spammers may find that account hijacking there is a bit more of a challenge these days. The ISP now automatically issues strong passwords to all new users.

Brian McWilliams is the author of Spam Kings and is an investigative journalist who has covered business and technology for web magazines including Wired News and Salon, as well as the Washington Post and PC World, Computerworld, and Inc. magazines.

Return to the O'Reilly Network.