Hacking victim describes the mysterious network attacks, conference call, and e-mail activities that led up to hackers threatening to go public with his information.
Karim Hijazi knew his nightmare was just beginning when he saw that a mysterious e-mail had arrived in his inbox at 3 a.m. on May 26 that included his e-mail password and the subject line "Let us talk."
That would mark the beginning of a weeklong saga of e-mail exchanges and Internet Relay Chat (IRC) discussions in which Hijazi says a group of hackers told him they wouldn't publicly divulge information they had gotten from snooping on his accounts if he revealed sensitive security information acquired by the botnet-tracking firm, Unveillance, that he launched last year. The hackers, who call themselves LulzSec, wanted to know the whereabouts of compromised computers on the Internet that, when remotely controlled, are used en masse to attack Web sites, he told CNET in an exclusive phone interview late last night.
When he refused, LulzSec went public with his data, Hijazi says, posting his personal contact information, e-mails, and chat logs for download online yesterday as part of a campaign to embarrass the FBI and its InfraGard partner. The group had hacked the Web site of InfraGard Atlanta and grabbed usernames and passwords for about 180 members, including Hijazi. Because Hijazi had used the same password on the InfraGard site that he used on his personal Gmail account and his corporate Google Apps account, the hackers were easily able to spy on his personal and business activities.
Hijazi contacted the FBI right after that first LulzSec e-mail and said he plans to prosecute if he can.
"They had me under the gun for a little over a week with threats and extortion," said Hijazi, chief executive of Unveillance. "The very nature of having to contend with someone who is holding something ransom is not pleasant."
"I don't believe it will impact our organization; it just sucks for my family and me," he said when asked whether his business would suffer as a result of the incident.
The first signs that something was amiss in Hijazi's world were suspicious activities on Unveillance's corporate network that started about a week before the hackers contacted him. Someone repeatedly tried to get into the network through iPredator, a VPN (virtual private network) tunneling tool designed to let people traverse the Web anonymously.
And then there was what appeared to be a lurker on a company conference call when Hijazi heard the telltale beep sound of someone joining the call but no new participant was identified. In a chat log, one of the hackers threatens to play a recording of a conference call they listened in on.
Hijazi started to get a sense of real dread, though, when he witnessed the group's snooping firsthand. On the night of May 25 he was going through his mail when he saw a message flip from "unread" to "read" and back to "unread" right before his eyes.
He immediately changed his password but considered that maybe a friend was playing a joke on him somehow. Hours later the first LulzSec e-mail arrived. "I think they were locked out then and they got frustrated," he said.
"I was not entirely shocked because we clearly were being watched and targeted," Hijazi recollected. "I thought 'I knew it!' First you think 'now it all makes sense.' And then you immediately think 'this is not good.'"
He didn't know who his adversaries were until the InfraGard data was released. "They clearly wanted to teach a lesson," he says.
'Give us all the info you can get'
In chat logs released by both him and LulzSec, the hacker group appears to be pressuring him for money and information. But LulzSec denies that extortion was the motive, saying it was instead trying to see if a group of "blackhats"--industry parlance for underground or criminal hackers--could squeeze information out of a "whitehat" like Hijazi.
Hijazi released on his company's Web site an excerpt of a chat log in which one of the hackers allegedly said: "The point is a very crude word: extortion...Let's just simplify: you have lots of money, we want more money...Prepaid Visas, MoneyPaks, BitCoins, Liberty Reserve, WebMoney, the flavor of your choice. Naturally we'll avoid PayPal."
In Twitter messages and a statement, LulzSec insists it was pretending to extort Hijazi as a test and accused him of offering to pay them to destroy his competitors and help find "enemy" botnets.
The hackers appear to take a coercive, bullying approach with Hijazi in the IRC chat released by LulzSec and repeatedly ask him for information, including "government portal/info searches" and "inside FBI alerts."
"Give us all the info you can get and we will do with it what we can. Which is usually a lot," one hacker says.
The hackers also disparage Hijazi's security work. "There's no so (sec) things as whitehats you guys are as corrupt as we are. The only difference is we admit it," one hacker says. "Whitehats are just blackhats that have board meetings with lengthy rhetoric," another says.
Later, the hackers complained about Hijazi providing information to a U.S. nonprofit that wrote a report for the government on cyber threats and opportunities in Libya, saying the data could be used to attack that country. Asked why he participated in the project, Hijazi said "I didn't know the intent and was in marketing mode. I am truly starving guys."
Although it's possible the group just happened to stumble upon Hijazi, the information his company gathers to help its customers stay safe from DoS attacks would certainly be useful to anyone who wants to cause a ruckus online or make a statement. Sony's recent security troubles started with a DoS campaign launched by the Anonymous hacker group.
While DoS attacks are useful for shutting down a site temporarily, LulzSec seems to prefer the smash-and-grab approach of using a SQL injection attack to break into a Web site and steal customer data. That was the method cited earlier this week to grab data from Sony Pictures, and last month against Sony Music Entertainment Japan. Company representatives confirmed the Sony Pictures breach last night and said they are working with federal authorities on the investigation and have hired their own forensics experts.
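As an added illustration, and not code from the article, Sony, or LulzSec, nor a description of how the Sony sites were actually attacked: the script below shows the SQL injection pattern the passage refers to, run against an in-memory SQLite database seeded with constructed sample data. The `customers` and `staff` tables, the payload strings, and the function names are all assumptions made for the example. It puts the string-built query that makes a site a smash-and-grab target beside the parameterized query that closes the hole, and shows a UNION payload pulling rows out of a table the query never meant to touch.

```python
import sqlite3

# Constructed sample data for the example (not from the article or any real site).
CUSTOMERS = [
    ("alice", "alice@example.com", "hunter2"),
    ("bob", "bob@example.com", "letmein"),
    ("carol", "carol@example.com", "passw0rd"),
]
STAFF = [
    ("admin", "admin@example.com", "s3cret"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, password TEXT)")
    conn.execute("CREATE TABLE staff (name TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?)", STAFF)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation, so user input is parsed as SQL."""
    sql = (
        "SELECT username, email, password FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Binds the value as a parameter, so user input is only ever data."""
    sql = "SELECT username, email, password FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Tautology payload: closes the string literal, appends OR 1=1, and the
# trailing "--" comments out the original closing quote. Dumps every row.
TAUTOLOGY_PAYLOAD = "nobody' OR 1=1 --"

# UNION payload: the attacker's SELECT must match the column count (3 here);
# it appends rows from a table the application never intended to expose.
UNION_PAYLOAD = "x' UNION SELECT name, email, password FROM staff --"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, tautology   :", lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD))
    print("vulnerable, union       :", lookup_vulnerable(conn, UNION_PAYLOAD))
    print("parameterized, tautology:", lookup_parameterized(conn, TAUTOLOGY_PAYLOAD))
    print("parameterized, union    :", lookup_parameterized(conn, UNION_PAYLOAD))
```

The parameterized version returns nothing for either payload because the whole string is compared against the `username` column as a literal value; the vulnerable version returns all three customers for the tautology and the staff row for the UNION. Binding parameters is the fix; input filtering on its own is not.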
Last weekend LulzSec hacked into the site of PBS, snatched passwords and posted a fake news story that said deceased rapper Tupac Shakur was "alive and well" in New Zealand, Wired reported.