Brazen, publicity-seeking hackers on attack spree
LONDON » Can you be famous if no one knows your name? A new band of hackers is giving it its best shot, trumpeting its cyber-capers in an all-sirens-flashing publicity campaign.
Lulz Security has stolen mountains of personal data in a dozen different hacks, embarrassing law enforcement on both sides of the Atlantic while boasting about the stunts online.
The group, whose name draws on Internetspeak for "laughs," has about 270,000 followers on the messaging site Twitter. In an online interview via Skype with The Associated Press late Friday, one LulzSec member said the group’s current hacking campaign was about attacking "the common oppressors" — which he identified as "banks, governments (and) law enforcement."
"Not all of them of course, but they know who they are," he said.
The hacker refused to reveal any personal details beyond identifying himself as male, but he proved membership in LulzSec by posting a prearranged message to the group’s popular Twitter account following the interview. The hacker agreed to the online interview in response to an email request sent by the AP to the group’s website registrant.
The group may cause serious damage, but its online persona often veers into wackiness. LulzSec’s Twitter mascot is a black-and-white cartoon dandy that looks like a cross between Mr. Peanut and The New Yorker magazine’s monocle man. Its rambling messages are peppered with references to YouTube sensation Rebecca Black, the Dungeons and Dragons role playing game and tongue-in-cheek conspiracy theories.
Don't miss out on what's happening!
Stay in touch with top news, as it happens, conveniently in your email inbox. It's FREE!
One of LulzSec’s victims says the group sets itself apart from the rest of the hacker underground with its posturing and bragging on Twitter.
"Most of the hacker groups that are pretty well known out there … don’t really like to flaunt their findings. They’ll do it among their peers, but not typically the public," said Karim Hijazi, a security expert whose emails were ransacked by the hacking group last month.
LulzSec made its name by defacing the site of the U.S. Public Broadcasting Service, or PBS, with an article claiming that rapper Tupac Shakur was still alive. It has since claimed hacks on major entertainment companies, FBI partner organizations, a pornography website and the Arizona Department of Public Safety, whose documents were leaked to the Web late Thursday.
In the interview, the hacker promised more embarrassing leaks, saying LulzSec was already sitting on at least 5 gigabytes of government and law enforcement data from across the world, which it planned to release in the next three weeks. The claim couldn’t be independently verified. In the past, the group has targeted U.S. and British government sites.
Many past attacks have yielded sensitive information including usernames and passwords — nearly 38,000 of them, in the case of Sony Pictures. Others appear to have been just for kicks. In a stunt last week, LulzSec directed hundreds of telephone calls to the customer service line of Magnets.com, a New Jersey-based manufacturer of custom refrigerator magnets.
LulzSec uses a similar technique to temporarily bring down websites, flooding them with bogus Internet traffic. This is an old hacker standby that doesn’t require much sophistication. Members also break in to sites to steal data. That requires more skill and often involves duping employees into revealing passwords.
LulzSec’s actions against government and corporate websites are reminiscent of those taken by the much larger, more amorphous group known as Anonymous. That group has launched Internet campaigns against the music industry, the Church of Scientology, and Middle Eastern dictatorships, among others.
An Anonymous member told the AP that he believed LulzSec was formed by people from the group who got tired of the time it took to reach consensus and launch hacking projects.
"They wanted to go on more adventurous, brazen hacking adventures and really get their names out there," he said. He spoke on condition that his name is withheld given the pressure being put on Anonymous members by law enforcement.
In the interview, the LulzSec hacker acknowledged that members of his group had participated in Anonymous operations in the past, such as attacks on Tunisian government websites during the country’s revolution earlier this year. He said that there were six members of LulzSec altogether, working eight-to-10 hours a day, but declined to go into detail when pressed.
"We’d prefer not to be waterboarded, so for the foreseeable future we’ll try our best to remain as anonymous as possible," he joked.
Authorities — and rival hackers — are trying hard to strip that anonymity away, although the hacker claimed not to be worried. On Tuesday, 19-year-old Ryan Cleary was arrested as part of a joint FBI-Scotland Yard investigation into hackings linked to both LulzSec and Anonymous. British Police Commissioner Paul Stephenson described Cleary’s arrest as "very significant," but the hacker insisted he wasn’t a member of the group.
"He hosted an IRC (a kind of chat room) we used, yes. But it wasn’t our official meeting place, it was just a place for fans to gather," the hacker said.
The hacker declined to be drawn on the content of the material he said his group was planning to release, except to say that it was all related to "governments and law enforcement."
He added that, behind the scenes, the group’s hacking attacks were ongoing.
"Every day our stash increases," he said.
Peter Svensson contributed from New York.