Brazen, publicity-seeking hackers LulzSec on attack spree
Published: June 24, 2011 at 1:10 pm
Can you be famous if no one knows your name? A new band of hackers is giving it its best shot, trumpeting its cyber-capers in an all-sirens-flashing publicity campaign.
Lulz Security has stolen mountains of personal data in a dozen different hacks, embarrassing law enforcement on both sides of the Atlantic while boasting about the stunts online.
The group, whose name draws on Internetspeak for “laughs,” has about 270,000 followers on the messaging site Twitter. Although LulzSec has declined interview requests, it has laid out its prankster philosophy in “tweets” and press releases.
“Vigilantes? Nope. Cyber terrorists? Nope. We have no political motives — we do it for the lulz,” the group said in a message sent shortly after it emerged in early May.
LulzSec’s Twitter mascot is a black-and-white cartoon dandy that looks like a cross between Mr. Peanut and The New Yorker magazine’s monocle man. Its rambling messages are peppered with references to YouTube sensation Rebecca Black, the Dungeons and Dragons role-playing game and tongue-in-cheek conspiracy theory.
One of LulzSec’s victims says the group sets itself apart from the rest of the hacker underground with its posturing and bragging on Twitter.
“Most of the hacker groups that are pretty well known out there … don’t really like to flaunt their findings. They’ll do it among their peers, but not typically the public,” said Karim Hijazi, a security expert whose emails were ransacked by the hacking group last month.
LulzSec made its name by defacing the site of the U.S. Public Broadcasting Service, or PBS, with an article claiming that rapper Tupac Shakur was still alive. It has since claimed hacks on major entertainment companies, FBI partner organizations, a pornography website and the Arizona Department of Public Safety, whose documents were leaked to the Web late Thursday.
Many attacks have yielded sensitive information including usernames and passwords — nearly 38,000 of them, in the case of Sony Pictures. Others appear to have been just for kicks. In a stunt last week, LulzSec directed hundreds of telephone calls to the customer service line of Magnets.com, a New Jersey-based manufacturer of custom refrigerator magnets.
LulzSec uses a similar technique to temporarily bring down websites, flooding them with bogus Internet traffic. This is an old hacker standby that doesn’t require much sophistication. Members also break into sites to steal data. That requires more skill and often involves duping employees into revealing passwords.
LulzSec’s actions against government and corporate websites are reminiscent of those taken by the much larger, more amorphous group known as Anonymous. That group has launched Internet campaigns against the music industry, the Church of Scientology, and Middle Eastern dictatorships, among others.
Both are fiercely protective of the secret-busting site WikiLeaks. The hacking groups’ supporters share the same brand of offbeat humor inspired by Internet catchphrases and viral videos.
LulzSec has repeatedly insisted on its independence.
“We’re not AnonOps, Anonymous, a splinter group of Anonymous, or even an affiliate of Anonymous,” the group has said. “We’re LulzSec.”
An Anonymous member told The Associated Press that he believed LulzSec was formed by people from Anonymous who got tired of the time it took to reach consensus and launch hacking projects. He said that they also wanted to go beyond the ethical boundaries of Anonymous.
“They wanted to go on more adventurous, brazen hacking adventures and really get their names out there,” he said. He spoke on condition that his name be withheld, given the pressure being put on Anonymous members by law enforcement.
Judging by the timing of its tweets and other communications, he believes that LulzSec is based mainly in the eastern half of the U.S., but a few members are European. The number of members is not known, but there appears to be no more than a handful, perhaps a dozen.
Anonymous also uses Twitter as a soapbox, but more as a way of recruiting helpers than publicizing its exploits. It’s also been more selective about its targets. It attacked the Egyptian Ministry of Information’s website during the revolution in the country, but has shied away from leaks of ordinary user information, for example.
There’s every sign authorities are paying attention to the new group, although it isn’t clear how much progress they’ve made in tracking the hackers down. On Tuesday, 19-year-old Ryan Cleary was arrested as part of a joint FBI-Scotland Yard investigation into hackings linked to both LulzSec and Anonymous.
British Police Commissioner Paul Stephenson described Cleary’s arrest as “very significant,” although LulzSec has shrugged off the development — and promised more spectacular hacks.
The Anonymous member believes law enforcement has little chance of finding LulzSec. He told the AP that LulzSec likely used such methods as logging on only from public Wi-Fi hotspots. Police could possibly trace the attacks to the hotspot, but by the time they get there, any hacker would be long gone.
Hijazi believes LulzSec harassed him because his firm, Unveillance, tracks “botnets” — clusters of computers that can be controlled remotely because they’ve been infected with malicious software. The botnets, each of which can have more than a million computers, are usually controlled by cybercrime gangs.
He speculates that LulzSec wants botnets because it would boost its power to bring down websites. But the group would be stepping on the toes of some very dangerous people if members started taking over botnets, he said.
“It’s going to make everyone really mad, both the good guys and some really big bad guys,” he said. “I hope law enforcement finds them first.”
A timeline of Lulz Security’s international hacking spree:
— Early May: LulzSec sets up shop on Twitter and claims its first series of hacks, leaking what it says is a database of “X Factor” contestants and attacking Fox.com.
— May 30: LulzSec breaks into the website of the U.S. Public Broadcasting Service, or PBS, posting a phony story claiming that dead rapper Tupac Shakur is actually alive in New Zealand. The hack came after the broadcaster aired a documentary seen as critical of WikiLeaks founder Julian Assange. PBS’s ombudsman defends the program’s treatment of Assange as “tough but proper.”
— June 2: LulzSec announces that it has broken into Sony Pictures Entertainment, posting the usernames, passwords, email addresses and phone numbers of tens of thousands of people, many of whom had given the company their information for sweepstakes draws. The group said it had compromised about 1 million accounts but could only leak a small selection. Sony calls in the FBI.
— June 3: The hackers strike again, this time announcing that they’ve stolen about 180 passwords from the Atlanta chapter of an FBI partner organization called InfraGard. The group also claims to have used one of the passwords to steal nearly 1,000 emails from Unveillance LLC, an Internet surveillance company in Delaware. Among the emails is a report outlining how Libya’s oil infrastructure could be compromised by sophisticated computer viruses.
— June 10: LulzSec leaks what it says is a database of email addresses and passwords belonging to users of an established pornography website. A handful appear to belong to U.S. Army personnel.
— June 13: LulzSec attacks the U.S. Senate, although there doesn’t appear to be much damage. A law enforcement official says that a public-facing server was accessed and that no other files were breached. The group also claims to have stolen information on more than 200,000 users from video game company Bethesda Softworks, which makes games such as “Brink” and “Fallout: New Vegas.”
— June 16: LulzSec claims responsibility for technical problems with the CIA’s public website.
— June 20: LulzSec claims to have hit another branch of InfraGard — this time in Connecticut — compromising several hundred more accounts. The group also claims responsibility for bringing down the public website of Britain’s FBI equivalent, the Serious Organized Crime Agency.
— June 21: A 19-year-old Brit is arrested on suspicion of cybercrime following a joint FBI-Scotland Yard investigation. He’s later charged with attacking the Serious Organized Crime Agency. British police have hailed the arrest as a significant development, but LulzSec says his involvement with the group was only tangential. The teen has yet to enter a plea.
Sources: The Associated Press, Lulz Security.
Peter Svensson contributed from New York.
Copyright 2011 The Associated Press.