UK hacker busted in Spain gets 5 years over Twitter hack and more
Credit to Author: Naked Security writer| Date: Mon, 26 Jun 2023 15:35:42 +0000
Some hacks become so notorious that they acquire a definite article, even if the word THE
ends up attached to a very general technical term.
For example, you can probably trot out the names of dozens of well-known internet worms amongst the millions that exist in the zoos maintained by malware collectors.
NotPetya, Wannacry, Stuxnet, Conficker, Slammer, Blaster, CodeRed and Happy99 are just a few from the past couple of decades.
But if you say THE internet worm
, then everyone knows that you mean the Great Worm of November 1988 – the one written by Robert Morris, student son of Robert Morris of the US National Security Agency, that ended with Morris Junior getting three years of probation, 400 hours of community service and a $10,050 fine:
And if you say THE Twitter hack
, everyone knows you mean the one that happened in July 2020, when a small group of cybercriminals ended up in control of a small number of Twitter accounts and used them to talk up a cryptocoin fraud.
But what accounts they were, as we wrote a year later, including Bill Gates, Elon Musk, Kanye West, Joe Biden, Barack Obama, Jeff Bezos, Mike Bloomberg, Warren Buffett, Benjamin Netanyahu, Kim Kardashian, and Apple (yes, THE Apple
):
One of the suspects in that case was Joseph O’Connor, then 21, who wasn’t in the US, and who eluded US authorities for a further year until he was arrested on the Costa del Sol in Spain in July 2021:
Off to prison at last
O’Connor was ultimatly extradited to the US in April 2023, pleaded guilty in May 2023, and was sentenced last week.
He wasn’t convicted only of the Twitter cryptocoin scam we mentioned above, where high profile accounts were used to trick people into sending “investments” to users they assumed were people such as Gates, Musk, Buffett and others.
He was also convicted of:
- Using a SIM-swap trick to steal about $794,000 in cryptocurrency. SIM swaps are where a criminal sweet-talks, bribes or coerces a mobile phone provider into issuing them with a “replacment” SIM card for someone else’s number, typically under the guise of wanting to buy a new phone or urgently needing to replace a lost SIM. The victim’s SIM card goes dead, and the crook starts receiving their calls and text messages, notably including any two-factor authentication (2FA) codes needed for secure logins or password resets. By taking over the SIMs of three staff members at a cryptocurrency company, O’Connor and others drained nearly $0.8m in cryptocoins from corporate wallets.
- Using a similar trick to take over two celebrity Tik Tok accounts and threaten the account holders. O’Connor “stated publicly, via a post to [the first victim’s] TikTok account, that he would release sensitive, personal material,” and “threatened to publicly release […] stolen sensitive materials unless [the second victim] agreed to publicly post messages [promoting O’Connor’s] online persona, among other things.”
- Stalking and threatening a minor. O’Conner “swatted” the victim, meaning that he called law enforcement claiming to be the victim and saying “he was planning to kill multiple people at his home,” as well as calling in the guise of someone else who claimed that “the [third victim] was making threats to shoot people.” The same day O’Connor also made similar “swat” calls to that same day to a high school, a restaurant, and a sheriff’s department in the same area. The following month, he “called multiple family members of [the third victim] and threatened to kill them.”
Swatting gets its name because the usual reaction of US law enforcement to a call claiming that a shooting is imminent is to send a so-called Special Weapons and Tactics (SWAT) team to deal with the situation, rather than expecting a regular patrol officer to stop by and investigate.
As the US Department of Justice describes it:
A “swatting” attack occurs when an individual makes a false emergency call to a public authority in order to cause a law enforcement response that may put the victim or others in danger.
O’Connor was convicted of multiple offences: conspiracy to commit computer intrusions, conspiracy to commit wire fraud, conspiracy to commit money laundering, making extortive communications, stalking, and making threatening communications.
He received a five-year prison sentence, followed by three years of supervised release, and he was ordered to pay $794,012.64 in forfeiture. (What happens if he can’t or won’t pay, we don’t know.)
What to do?
SIM swaps are tricky to protect against, because the final decision to authorise a replacement SIM card is down to your mobile phone company (or the staff in one of its stores), not to you yourself.
But the following tips can help:
- Consider switching away from SMS-based 2FA if you haven’t already. One-time login codes based on text messages are better than no 2FA at all, but they clearly suffer from the weakness that a scammer who decides to target you can attack your account indirectly via your mobile provider instead of directly via you. App-based 2FA generally depends on a code sequence generated by an app on your phone, so you don’t even need a SIM card or a network connection on your phone.
- Use a password manager if you can. In some SIM-swap attacks, the crooks go after your SIM card because they already know your password, and are getting stuck at your second factor of authentication. A password manager helps to stymie the crooks right at the start, getting them stuck right at your first factor of authentication instead.
- Watch out if your phone goes dead unexpectedly. After a SIM swap, your phone won’t show any connection to your mobile provider. If you have friends on the same network who are still online, this suggests that it’s probably you who is offline and not the whole network. Consider contacting your phone company for advice. If you can, visit a phone shop in person, with ID, to find out if your account has been taken over.