By Brian Krebs
washingtonpost.com Staff Writer
Tuesday, September 13, 2005 5:56 PM
A Massachusetts teenager has pleaded guilty to hacking into the cell-phone account of hotel heiress and Hollywood celebrity Paris Hilton, a high-profile stunt by the youngest member of the same hacking group federal investigators say was responsible for a series of electronic break-ins at data giant LexisNexis.
The 17-year-old boy was sentenced to 11 months' detention at a juvenile facility for a string of crimes that include the online posting of revealing photos and celebrity contact numbers from Hilton's phone. As an adult, he will then undergo two years of supervised release in which he will be barred from possessing or using any computer, cell phone or other electronic equipment capable of accessing the Internet.
The U.S. Attorney's Office for Massachusetts and the state district court declined to identify the teen, noting that federal juvenile proceedings and the identity of juvenile defendants are under seal. But a law enforcement official close to the case confirmed that the crimes admitted to by the teen included the hacking of Hilton's account.
The teen also pleaded guilty to making bomb threats at two high schools and to breaking into a telephone company's computer system to set up free wireless-phone accounts for friends. He also participated in an attack on data-collection firm LexisNexis Group that exposed personal records of more than 300,000 consumers. Prosecutors said victims of the teen's actions have suffered about $1 million in damages.
In a series of telephone and online communications between March and June with a washingtonpost.com reporter, the teen acknowledged responsibility for all of the crimes for which he was sentenced.
Washingtonpost.com is not revealing his name because he communicated with the reporter on the condition that he not be identified either directly or through his online alias.
Investigators began focusing on the teen in March 2004 when he sent an expletive-laced e-mail to a high school in Florida threatening to blow it up, according to a statement from prosecutors. The school was closed for two days while a bomb squad, a canine team, the fire department and other emergency officials examined the building.
In August 2004, the teen broke into the internal computer systems of "a major internet service provider" by tricking an employee into opening a virus-infected file he sent as an e-mail attachment. The virus -- known as a "Trojan horse" program -- allowed the juvenile to use the employee's computer remotely to access other computers on the ISP's internal network and gain access to portions of the company's operational information, prosecutors said.
The teen told washingtonpost.com earlier this year that around that time he broke into the network of Dulles, Va.-based America Online. AOL did not return calls seeking comment.
In January, the teen hacked into the telephone records system of T-Mobile International. He used a security flaw in the company's Web site that allowed him to reset the password of anyone using a Sidekick, a pricey phone-organizer-camera device that stores videos, photos and other data on T-Mobile's central computer servers. A month later, the teen would use that flaw to gain access to Hilton's Sidekick files, according to corroborating information and screen shots he shared with washingtonpost.com.
Later that month, according to prosecutors, an associate of the teen "set up accounts for the juvenile at a company which stores identity information concerning millions of individuals."
Again, prosecutors declined to name the company targeted in that attack. But according to screen shots provided by the teen -- supported by other information from the teen that was verified by a senior federal law enforcement official investigating the case who spoke on condition of anonymity -- the company was LexisNexis, which reported in March that hackers had gained access to the personal records of more than 310,000 Americans.
An adult member of the hacker group acknowledged in phone conversations with a washingtonpost.com reporter that he collaborated with the teen in sending hundreds of e-mails with an explicit image and a message urging recipients to open an attached file to view additional pornographic images of children. According to both hackers, a police officer in Florida was among those who opened the e-mail attachment, which harbored a virus-like program that allowed the hackers to record anything a victim typed on his or her computer keyboard. Not long after his computer was infected with the keystroke-capturing program, the officer logged on to his police department's account at Accurint, a LexisNexis service provided by Florida-based subsidiary Seisint Inc., which sells access to consumer data.
The teen said the group members then created a series of sub-accounts using the police department's name and billing information. Over the period of several days, the group looked up thousands of names in the database, including those of friends and celebrities.
Then in June, according to prosecutors, he called "a major telephone service provider because a phone that a friend had fraudulently activated had been shut off." (A washingtonpost.com reporter was invited to listen in on the call, which was made to Little Rock-based Alltel Corp.) When the company refused to provide the requested access, the teen threatened to cripple its Web site with a "distributed denial of service" attack, in which attackers use the Internet bandwidth of hundreds or thousands of remote-controlled computers to overwhelm a site with so much traffic that it can no longer accommodate legitimate visitors.
Roughly 10 minutes later the teen and others "initiated a denial of service attack that succeeded in shutting down a significant portion of the telephone service provider's web operations," according to the prosecutors.
The Justice Department said the investigation of the teen's associates is continuing, but it remains unclear how many of those individuals will be prosecuted. In May, Secret Service and FBI officials served search warrants on at least nine people thought to be connected to the hacking ring of which the teen was a member, known as the "Defonic Team Screen Name Club" or "DFNCTSC" for short.
The teen is likely to be required as a condition of his plea agreement to cooperate with the government in its ongoing investigation and provide information not only about how the attacks were carried out, but who else was involved and what their roles were, said Mark D. Rasch, senior vice president at McLean, Va.-based online security firm Solutionary Inc. and a former federal prosecutor for computer crimes.
According to interviews with at least two other former members of the group, investigators now are focusing on the individual who helped the teen gain access to LexisNexis.
"They came and took my laptop and asked a whole bunch of questions about him," a former group member known online as "DJint" said. "They told me they're looking to go after him for access-device fraud and possession of child pornography."
Still, Rasch said, it could be some time before the government wraps up its investigation into these attacks.
"Investigations of computer crimes are particularly difficult because they always involve many different types of evidence from numerous locations, and they require cooperation from many different organizations," Rasch said. "It's hard work."