Extortion

This is a first time a hacking report is a video flick. If, like me, you find it hard to understand, you can read a written summary on this Kiwi site. I guess that their readers also needed a translation of the speech in the video to English.

In a nutshell, hackers defaced Soulja Boy's MySpace page and published his e-mail and YouTube passwords on the net. They demanded $2,500 to give him his web presence back. For an artist that grew our of the Internet this presence is naturally very important, however he is now important enough that his record label was able to contact the different sites to get him his web properties back without paying the money.

In this case I have decided to categorize the attacked entity as Soulja Boy and not MySpace or YouTube, as I used to do in the past. The fact that the attack was against Soulja Boy properties around the web makes him, rather than any technology platform, the attack target.

Update (Dec 30th 2008)

It seems that the original report was not accurate and it was not a CSRF vulnerablity that was exploited. The mistake is reported by the victim in an imaginary discussion with Google blog post (Search the page for XSRF) and by Google. Google hints that it was a phishing attack, but David Airey is not convinced.

Many times we dismiss seemingly minor vulnerabilities in major web sites. Most notably, "yet another" XSS or CSRF vulnerability in a well known service is not considered news anymore. However the following story proves that no matter what, such vulnerabilities cannot be ignored.

The attack is simple, the result pretty frightening. An attacker, presumably Iranian, stole the domain name of David Airey, a graphic artist and a known blogger. The attack was very well timed with David's leaving to a long vacation. The goal was to extort money in order to return the domain. In David's case there is a happy end, as the attention he got helped him receive his blog back, with some loss in traffic, search engine ranking and time. But other victims of the attacker who steal domains for living may not be as fortunate.

Additional information:

• When fixing is not enough [Securiteam, Dec 28 2007]
• WARNING: Google's Gmail security failure leaves my business sabotaged [David Airey, Dec 24 2007]
• Google GMail E-mail Hijack Technique [GNUcitizen, Sep 25 2007]
• Collective effort restores David Airey.com [David Airey, Dec 27 2007]