When a hacker strikes, what's an investigative journalist with a strong technology background to do? TED BRIDIS gives chase.
Ted Bridis won't get hacked again. (AP Photo/J. David Ake)
The intruder first unlocked the back door to our modest, neighborhood Web site before dawn on a Saturday, while I was still asleep. In only four seconds, he amassed an inventory of the most sensitive electronic files accessible to him and quietly disappeared.
He returned two days later in a more destructive mood, implanting hidden commands to infect visitors with password-stealing software. He also seeded pages with references to Viagra and Cialis, apparently an effort to lure more traffic to victimize. It was akin to pick-pocketing guests at a party and hanging out a "free beer" sign to guarantee a packed room.
The ensuing high-tech hunt for the intruder crisscrossed the U.S. and ventured overseas to England, China, Moscow and Novosibirsk, Russia. The hacker got away -- at least so far. But my search uncovered a trail of digital destruction across the Internet broader than anyone first realized: I wasn't this hacker's only victim.
___
HARD LESSON
Along the way, I encountered support employees eager to blame me for my Web site's break-in, interminable telephone waits, implicated companies that ignored requests to help, sympathetic experts and outraged victims of the same hacker.
"It's like having your house broken into," said Andrea Cutler of Irvine, Calif., a designer whose corporate Web site also was hacked. "There's a sense of violation."
My lesson: No one is safe these days on the Internet, where bad people operate with apparent abandon. A private citizen without a badge or a search warrant is hopelessly outgunned by hackers who can virtually hop across international borders in moments. It can be nearly impossible even for federal authorities to catch these criminals.
"As soon as we tell them we've tracked it down to China or Russia, they laugh and they leave," said Don McLeman, vice president for operations at Apollo Hosting Inc., the company in Austin, Texas, that operated the server computer where my Web site was hacked -- along with roughly 75 others.
___
LEMON APOLLO?
My 2-year-old Web site is hardly an ambitious e-commerce powerhouse. Its audience includes 200 families who live in my subdivision in northern Virginia. It describes the upcoming Easter egg hunt and summer pool party and reveals winners of the Christmas lights decorating contest. Neighborhood teens volunteer to baby-sit, rake leaves or shovel snow. On a busy month, the site might receive 65 visitors.
Why would hackers -- apparently operating from China and Russia -- care about us?
I discovered the break-in while updating the Web site over a snowy weekend with pictures of kids on our sledding hill. I didn't recognize software code from an unfamiliar Web site, lem0n.info, that had been added to my home page and was attempting to load some suspicious programs. My Web browser and antivirus software blocked the downloads, warning these programs were dangerous.
The intruder also added hidden links with references to "Viagra" and "Cialis" to trick Internet search engines to steer more Web visitors to my site to infect. Each link traced to a computer in the engineering department at the University of Miami, then redirected Web surfers to an Internet pharmaceutical vendor. School officials shut down the computer hours after I complained to them. The university computer was named "Apollo," the same as the Texas company where the Web break-ins occurred.
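The two kinds of tampering described above (an injected script tag pulling code from an unfamiliar host, and hidden keyword-stuffed links meant for search engines) are exactly what a site owner can check for on every page. The scanner below is an added example, not code from the article, from Apollo Hosting or from any of the companies named; it uses only the Python standard library. The sample HTML is constructed for the example, the allowlisted host and the script path on lem0n.info are placeholders, and the link targets are made up.

```python
"""Scan a page's HTML for (1) <script src> loading from a host the site owner
did not allowlist and (2) links hidden with CSS or carrying pharmaceutical
spam keywords. Added example; stdlib only."""
from html.parser import HTMLParser
from urllib.parse import urlparse

PHARMA_KEYWORDS = ("viagra", "cialis")  # the keywords the intruder seeded


class InjectionScanner(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.foreign_scripts = []   # script src URLs on hosts not in the allowlist
        self.hidden_links = []      # (href, text) for hidden or spam-worded links
        self._hidden_stack = []     # tag names of currently open hidden elements
        self._current_href = None   # href of the <a> we are inside, if any
        self._current_text = []

    @staticmethod
    def _is_hidden(attrs):
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return "display:none" in style or "visibility:hidden" in style

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if self._is_hidden(attrs):
            self._hidden_stack.append(tag)
        if tag == "script" and attrs.get("src"):
            host = (urlparse(attrs["src"]).hostname or "").lower()
            if host and host not in self.allowed_hosts:
                self.foreign_scripts.append(attrs["src"])
        if tag == "a" and attrs.get("href"):
            self._current_href = attrs["href"]
            self._current_text = []

    def handle_data(self, data):
        if self._current_href is not None:
            self._current_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current_href is not None:
            text = "".join(self._current_text).strip()
            spammy = any(k in text.lower() for k in PHARMA_KEYWORDS)
            if self._hidden_stack or spammy:
                self.hidden_links.append((self._current_href, text))
            self._current_href = None
        # Only pop when the closing tag matches the innermost hidden element,
        # so void tags such as <br> do not throw the bookkeeping off.
        if self._hidden_stack and self._hidden_stack[-1] == tag:
            self._hidden_stack.pop()


def scan_html(html, allowed_hosts):
    """Return {'foreign_scripts': [...], 'hidden_links': [...]} for one page."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return {"foreign_scripts": scanner.foreign_scripts,
            "hidden_links": scanner.hidden_links}


# Constructed sample page: one legitimate script, one injected script from
# lem0n.info (path is a placeholder), and a hidden block of pharma links.
SAMPLE_HTML = """<html><head><title>Neighborhood news</title>
<script src="https://www.example-neighborhood.org/js/site.js"></script>
<script src="http://lem0n.info/example-path.js"></script>
</head><body>
<h1>Easter egg hunt this Saturday</h1>
<p>See the <a href="/pool.html">pool schedule</a>.<br>
<div style="display: none">
  <a href="http://redirect.example/v">cheap viagra online</a>
  <a href="http://redirect.example/c">buy cialis</a>
</div>
</body></html>"""

if __name__ == "__main__":
    report = scan_html(SAMPLE_HTML, allowed_hosts=["www.example-neighborhood.org"])
    for url in report["foreign_scripts"]:
        print("foreign script:", url)
    for href, text in report["hidden_links"]:
        print("hidden/spam link:", href, repr(text))
```

Run it against a saved copy of each page after every update; a script host that is not on the allowlist, or any link that appears inside a `display:none` container, is worth a look even when the browser has not yet raised a warning.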
Coincidence?
___
FOLLOW THE BYTES
The lem0n.info Web site -- which was spreading the infectious software code -- is registered in Novosibirsk, Siberia's largest city, to a person identified in Internet records as Dmitriy Mashkov. The site's home page consists entirely of one word, "WELCOME!!!!", and Internet search engines and Web archives do not suggest it ever contained any substantial content. Mashkov did not respond to telephone calls or e-mails over several days from The Associated Press.
Another trail also led to the same e-mail account.
Messages sent to the e-mail address listed in Internet records for lem0n.info are delivered to an administrator account at the "spacemail.ru" Web service. Separately, the software code from lem0n.info was distributing infectious programs from several other Web sites, including space-sms.com. It operated from a computer in Texas at Apollo Hosting, the same company that powered my site.
The space-sms.com site has been shut down to stop further infections. Its Web address is registered in Lancashire, England. But when the site was still operating it included a prominent link on its home page to that same "spacemail.ru" e-mail address.
Another coincidence?
___
WHAT, US WORRY?
I removed the offending material from my neighborhood Web site, changed its passwords and called Apollo Hosting's support line in Texas.
"I've been hacked."
The support staffer speculated the hacker guessed my password -- a random jumble of eight characters -- and told me I was the only victim. He wondered aloud whether my home computer had been hacked; perhaps that's how the hacker discovered my password?
Apollo Hosting assured me its network was secure. "All of our software is currently running versions with no known security holes and our servers are secure," a technician wrote.
By morning, I was checking some of the 305 Web sites that operate on the same computer in Texas as mine: a bankruptcy law firm in Illinois; a nuclear plant consultant in Canada; a Texas rock band; a karate school in Norfolk, Va.; a Pennsylvania sheep rancher; a mediator in Texas. Many were hacked in the same way as my Web site, suggesting a broad intrusion at the hosting company. I passed my findings to an astonished support technician. "This could be a big problem for us," he said.
Meanwhile, the designer in California whose Web site was hacked was mortified. Business cards that Andrea Cutler handed to prospective clients steered them to her Web site, which tried to infect their computers. Shopping for a new computer at a retail store, Cutler showed the salesman her Web site -- which promptly tried to infect the store's computers.
"I don't know how many people I've sent to my site in the last few weeks," she said. "This is extraordinarily dangerous for me. The frustration is thinking it was something we did."
___
OK, WE WORRY
Apollo Hosting's executive, McLeman, acknowledged in an interview that the company had known for weeks about a serious break-in at the computer that runs my Web site and hundreds of others.
The company said it detected the incident immediately and traced the attack to China. But it now realizes the intruder stole passwords to nearly 100 Web sites running on the same computer, McLeman said. "We thought it was an isolated incident," he said.
McLeman defended not disclosing the break-in to customers who reported their Web sites were hacked. "If you tell every customer, it can be taken in the wrong context," he said. Every customer was urged to change all passwords.
The company is confident its computers are safe now, McLeman said, although some Web sites previously hacked are still infected. McLeman reported the break-in to the FBI -- he is not optimistic about agents arresting anyone -- and the company intends to offer free antivirus software to all its affected customers.
___
E-FORENSICS
Computer logs showed the intruder made five separate break-ins to my Web site over eight days in late February, each time arriving from a different network to discourage attempts to trail him home. Most companies whose own networks were implicated in the break-ins ignored requests from me and Apollo Hosting to investigate what happened.
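The pattern the logs revealed, one account logging in successfully from a different network on each of several visits within about a week, is something a hosting company can look for automatically rather than discovering after a customer calls. The script below is an added example, not code from the article or from Apollo Hosting. It assumes a simple one-line-per-login log format (constructed for the example), groups successful logins by account, and flags any account whose logins in an eight-day window come from at least three distinct /24 networks. The addresses are private-range placeholders, not real sources.

```python
"""Flag site accounts whose successful logins within a time window arrive from
many distinct networks. Added example; the log format and addresses are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example):
#   <ISO-8601 UTC timestamp> LOGIN user=<account> ip=<address> result=OK|FAIL
LOG_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$")


def parse_logins(lines):
    """Return a list of (timestamp, user, ip_address) for successful logins only."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["result"] != "OK":
            continue  # skip malformed lines and failed attempts
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], ipaddress.ip_address(m["ip"])))
    return events


def flag_roaming_accounts(events, min_networks=3, window=timedelta(days=8), prefix=24):
    """For each account, slide a window over its logins and record the largest
    set of distinct /prefix networks seen; flag accounts at or above min_networks."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))

    flagged = {}
    for user, items in by_user.items():
        items.sort()
        best = set()
        for i, (start, _) in enumerate(items):
            nets = set()
            for ts, ip in items[i:]:
                if ts - start > window:
                    break
                nets.add(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
            if len(nets) > len(best):
                best = nets
        if len(best) >= min_networks:
            flagged[user] = sorted(str(n) for n in best)
    return flagged


# Constructed sample: the owner's one home login, then five intruder logins
# over eight days from five different networks (plus one failed attempt),
# and a second account that only ever logs in from its own network.
SAMPLE_LOG = """\
2007-02-10T21:05:11Z LOGIN user=neighborhood ip=10.20.30.40 result=OK
2007-02-17T05:41:02Z LOGIN user=neighborhood ip=10.77.1.9 result=OK
2007-02-19T03:15:44Z LOGIN user=neighborhood ip=10.88.5.12 result=OK
2007-02-21T02:02:19Z LOGIN user=neighborhood ip=10.99.200.3 result=OK
2007-02-22T06:30:00Z LOGIN user=neighborhood ip=10.11.12.13 result=FAIL
2007-02-23T04:48:37Z LOGIN user=neighborhood ip=10.150.2.7 result=OK
2007-02-24T05:12:55Z LOGIN user=neighborhood ip=10.160.3.8 result=OK
2007-02-18T19:00:00Z LOGIN user=karate ip=10.40.1.2 result=OK
2007-02-20T19:30:00Z LOGIN user=karate ip=10.40.1.9 result=OK
""".splitlines()

if __name__ == "__main__":
    for user, nets in flag_roaming_accounts(parse_logins(SAMPLE_LOG)).items():
        print(f"{user}: {len(nets)} networks in one window -> {', '.join(nets)}")
```

The threshold and the /24 grouping are deliberately coarse: a legitimate customer on a laptop may well hit two networks in a week, but five in eight days, each at an hour when the owner is asleep, is the kind of thing a host should be asking its customer about before the customer has to ask.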
Ecommerce Corp. of Hopkinsville, Ky. -- whose network was used in the earliest break-in at my Web site -- followed the trail back to one of its own server computers running roughly 2,000 Web sites for as many as 500 customers. It couldn't determine who was responsible. "This is extremely difficult to track down," said Sam Taunton, a customer relations manager. He called it a dead end.
Other sets of footprints, however, also led separately back to Russia. Experts held little hope of ever catching the intruder.
"I probably wouldn't pursue this," said Joe Stewart of SecureWorks Inc., a leading security expert. "If evidence even suggests the traffic leads back to Russia, there's not going to be a great deal of time and effort invested in this."
___
Ted Bridis, who now runs the AP's investigative reporting team in Washington, routinely covered stories about the U.S. government and some of America's largest companies suffering hacker attacks as the technology writer.
___
Want to comment? Sound off at soundoffasap@ap.org.
©2007 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.