October 4th, 2012Top StoryConfessions Of A Teenage Xbox HackerBy Jason Schreier In some ways Juvi is just an average eighteen-year-old. He speaks in short, brusque sentences. He works as an artist at a tattoo parlor. He was born in the U.K., but he now shares a loft with his girlfriend in Spain. He spends a lot of time on the Internet, and he sometimes says mean things to people online. In other ways he's a little bit different: Juvi claims he's hacked into hundreds of accounts on Xbox Live, YouTube, AIM, PayPal, and various other services over the past few years. And he could probably get into your Netflix account right now. Juvi, who prefers to use that Internet handle rather than his real name, uses what's called social engineering—that is, phishing for information from customer support representatives—to reset e-mail addresses, change passwords and get into other peoples' personal accounts. He's done this for quite some time now, and he says he's made thousands of dollars doing it. Juvi used to be able to get into just about any Xbox Live account—and he can still get into some—but he says Microsoft has clamped down on security for their gaming console in recent years. Other companies aren't quite as vigilant. During a conversation on Skype earlier this week, Juvi let me listen in as he convinced a Netflix customer support representative to give him the password to someone else's account. It was frighteningly simple; all Juvi needed was the e-mail address of his target—easy to find on AIM, YouTube, or any other social network—and a full name, which anyone can get by entering an e-mail into Spokeo, an online phone book. Walking me through the process, Juvi pulled up an e-mail address for an account he had previously stolen. He already knew the password, but he wanted to show me how easy it was to get it reset on Netflix. So without giving me any other info, he had me enter the e-mail address on Spokeo. A few seconds later, I had the full name of the guy who owned the original account. That was all we needed. Juvi loaded up a conference call and dialed up customer support. "Thank you for calling Netflix," said the representative. "What can I do for you today?" "Um, I forgot the password for my Netflix account," Juvi said. "Is there anything you can help me- to reset it?" "Yes I can," said the representative, asking for the e-mail address. Juvi gave it to him. "And who am I speaking with?" asked the representative. Juvi gave him the account owner's name. "Give me one second here to plug in the information... I see you started an account in April of 2010—have you had an account since then?" "No, I haven't—I did create the account a long time ago," Juvi said. "Okay, so that was two years ago, correct?" "Correct." "Okay, I was just making sure that you- that I didn't pull up the wrong account and that you may have another one that has more recent activity on it," the representative said. "Yeah, okay," Juvi said. "Give me one second here and I'll reset the password for you," the rep said. "Alright, sir, if you would just go to Netflix.com for me and click on 'Netflix sign-in' in the upper righthand corner?" "Okay," Juvi said. "Once you're there, you're set to log into your account," the rep said. "Put in the email address you gave me, and then your password will be 1-2-3-4-5 and let me know if that works for you." "Yeah, that worked." "Okay then, so you're good to go," the rep said. And that was that. I tried to log onto this Netflix account—someone else's Netflix account—with the new "12345" password. It worked. I started to feel supremely guilty, like I was entering someone's house without their permission and looking through their things. I quickly closed the browser. "This account doesn't have a credit card added," Juvi told me, "but if it did, you could see the last four digits." Scary stuff. The Xbox HackerThree or four years ago, Juvi stumbled upon a website that had been defaced by some group of hackers. "Hacked by [some name]," it read. Juvi was immediately interested. He googled the name and found a forum for people who like to do illicit things on the web. Posting a new thread to introduce himself, he asked where beginners should start off. A few people suggested keyloggers, devices that can track a target's key strokes and keep a printed record of their passwords and credit card information. "I just thought it was pretty cool," Juvi said. "I just thought that it seems pretty easy to get access to somebody's account, and when I started Xbox Live I would get host-booted offline, so I wanted to be the one to host-boot them back, like get revenge or whatever." ("Host-booting," a phrase first made popular by Halo 3 users, is slang for kicking someone off Xbox Live.)
Keyloggers weren't enough, though; in order to get into peoples' Xbox Live accounts, Juvi had to try different techniques. He'd guess peoples' security questions, many of which were mindbogglingly easy to answer. And he'd mine for details, either googling or calling different customer support representatives and phishing for different bits of account info from each one. "If you can find the name of somebody, you can find their e-mail," Juvi said. "From their e-mail you can see if it's connected to an Amazon account, PayPal maybe, even Netflix—anything that stores credit card information. And then all you need is the last four digits." Sometimes Juvi would set his sights on gamers. He'd call up Xbox customer support pretending to be a Microsoft employee, then say something like "Hi, I'm John Doe from Tier 3 and my Customer Care Framework has crashed. Could you help me pull out some information on this gamertag?" With a name, e-mail address, date of birth and the last four digits of their credit card, Juvi found it pretty easy to get into an Xbox account. That was all the information he needed in order to convince customer support to reset the e-mail attached to someone's gamertag. Microsoft has tightened security since then, though. "[Now] you need the last console that it was signed in on, the console ID, the serial ID," Juvi said, "and it takes one to three days for them to find out whether you've got access to the account or not. You used to be able to just do it in one phone call, like straight up." These days, Juvi says he doesn't get into that many Xbox accounts. People are using other sorts of phishing techniques to get peoples' information, though: "You can get information on that person and call that phone pretending to be an Xbox employee, say that you need their information for something, say someone's been trying to access their account and you need to confirm that they're the owner. "Basically all you need for that is the e-mail and the secret question. You could reset the e-mail, sign into the Xbox account—if you were able to get the console ID and the serial number, you'd be able to sign into their account easily. That's pretty hard to do." In fact, Juvi added, "you pretty much can't, unless you have access to their console or unless they tell you. Possibly some really, really dumb people—you could get it out of them." Victims Who Deserve ItIn July, Juvi hacked the YouTube account for SteelSeries, a gaming accessory manufacturer that distributes headsets, keyboards, and mice. He deleted all of their videos and posted a couple of his own. "It was actually really easy," Juvi said. He got the e-mail address associated with the YouTube account, then went to to take a look. "I was gonna call up and get his e-mail reset, but the secret question was like something really stupid, like 'when was Steelseries founded?' So I just googled it and it was right there." (I reached out to SteelSeries to hear their side of the story, but as of press time, I haven't heard back.) Juvi deleted all of SteelSeries's videos, some of which are still missing today. "I had it for three weeks before they could get it back," Juvi said, pride in his voice. "They couldn't do anything." Click to view "Why target SteelSeries?" I asked. "I don't like their headsets." "You don't like their headsets?" "I had one, I think it was a year ago, and it broke and they wouldn't give me a refund," Juvi said. "That simple." I asked if they had any way of knowing that he did it for revenge. "Nope—I was e-mailing them but they never responded." Juvi also took over YouTube accounts for a dubstep artist named Caspa, a Kim Kardashian video page, and a wrestler named Raven. (The victims were all able to recover their accounts later.) He defaced a website called Forum Revolution because the guy who owned it scammed one of his friends for $100. Juvi says he still "jacks" accounts on AOL Instant Messenger, particularly the ones with valuable, original handles. He says he's made thousands of dollars selling them on the Internet. And he says he only takes the inactive ones—in fact, Juvi says, he took an AIM account recently and its original owner messaged him, so he gave it right back. So why did he break into those celebrity YouTube accounts? "I dunno," Juvi said. "Just seemed fun." The ArrestJuvi says in late August, he was arrested and put in jail for three days. Although I've been able to verify the majority of his other claims, I could not completely confirm the veracity of the following story. Juvi sent over parts of a court document, but he did not want to share specifics about his name and location, so we could not verify this with a police department. About two months ago, Juvi was asleep at his mom's house in Spain when he heard someone pounding at the door. He woke up, got dressed, and went downstairs. Policemen were standing there with an arrest warrant, ready to put him in cuffs and drag him to prison. Juvi was charged with "unauthorized access and DDOS," he says. "I was kept in prison for three days," Juvi told me. "I was in court and then I was on bail and I went back to court and I got let off because they couldn't tie me to the alias of Juvi... I was using a VPN that they could get logs from, and so they logged it back to my IP address, but obviously a lot of people are connected to that VPN so that's not really solid proof. " A VPN, or a virtual private network, allows people to mask their info so their real IP addresses—identification numbers assigned to every person's Internet connection—can't be found. If not for that VPN, if the cops did figure out that Juvi was Juvi, the hacker thinks he'd be in jail for a while. "I was kinda scared 'cause I didn't know the outcome, I didn't know what evidence they had," Juvi said. "If they actually had my IP address—my solid IP address, not the VPN—that was pretty much... "I always use a VPN and then I go on a Tor browser. They couldn't really track it connecting to websites or logging into the accounts." I asked why he had to stay in jail for three days. Shouldn't he have been able to get out on bail? "I think I could've... but I dunno. My mom—maybe she was punishing me. "She was shocked," Juvi said. "But I was— I'm 18. So I guess she just lets me get on with what I do." Juvi says his parents have gotten used to his activities. They can't do much now that he's out on his own. And he says he's going to keep hacking, keep breaking into people's accounts. He's still snagging accounts and websites from enemies and people who piss off his friends. He's still defacing websites. Sometimes it's just for money. Other times it's just for "the lulz," as he put it in an e-mail to me. "I don't hack peoples accounts as requests any longer," he said, "mostly because I'm not online as much as I was. "But if someone was to fuck with my friends online then they would get what they deserve." |
|
A destination on the Interweb to brighten your day (now get back to work!)
Thursday, October 4, 2012
Confessions Of A Teenage Xbox Hacker
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment