Posts Tagged: Ryan


9
Nov 18

Bug Bounty Hunter Ran ISP Doxing Service

A Connecticut man who’s earned bug bounty rewards and public recognition from top telecom companies for finding and reporting security holes in their Web sites secretly operated a service that leveraged these same flaws to sell their customers’ personal data, KrebsOnSecurity has learned.

In May 2018, ZDNet ran a story about the discovery of a glaring vulnerability in the Web site for wireless provider T-Mobile that let anyone look up customer home addresses and account PINs. The story noted that T-Mobile disabled the feature in early April after being alerted by a 22-year-old “security researcher” named Ryan Stevenson, and that the mobile giant had awarded Stevenson $1,000 for reporting the discovery under its bug bounty program.

The Twitter account @phobia, a.k.a. Ryan Stevenson. The term “plug” referenced next to his Twitch profile name is hacker slang for employees at mobile phone stores who can be tricked or bribed into helping with SIM swap attacks.

Likewise, AT&T has recognized Stevenson for reporting security holes in its services. AT&T’s bug bounty site lets contributors share a social media account or Web address where they can be contacted, and in Stevenson’s case he gave the now-defunct Twitter handle “@Phoobia.”

Stevenson’s Linkedin profile — named “Phobias” — says he specializes in finding exploits in numerous Web sites, including hotmail.com, yahoo.com, aol.com, paypal.com and ebay.com. Under the “contact info” tab of Stevenson’s profile it lists the youtube.com account of “Ryan” and the Facebook account “Phobia” (also now deleted).

Coincidentally, I came across multiple variations on this Phobia nickname as I was researching a story published this week on the epidemic of fraudulent SIM swaps, a complex form of mobile phone fraud that is being used to steal millions of dollars in cryptocurrencies.

Unauthorized SIM swaps also are often used to hijack so-called “OG” user accounts — usually short usernames on top social network and gaming Web sites that are highly prized by many hackers because they can make the account holder appear to have been a savvy, early adopter of the service before it became popular and before all of the short usernames were taken. Some OG usernames can be sold for thousands of dollars in underground markets.

This week’s SIM swapping story quoted one recent victim who lost $100,000 after his mobile phone number was briefly stolen in a fraudulent SIM swap. The victim said he was told by investigators in Santa Clara, Calif. that the perpetrators of his attack were able to access his T-Mobile account information using a specialized piece of software that gave them backdoor access to T-Mobile’s customer database.

Both the Santa Clara investigators and T-Mobile declined to confirm or deny the existence of this software. But their non-denials prompted me to start looking for it on my own. So naturally I began searching at ogusers-dot-com, a forum dedicated to the hacking, trading and sale of OG accounts. Unsurprisingly, ogusers-dot-com also has traditionally been the main stomping grounds for many individuals involved in SIM swapping attacks.

It didn’t take long to discover an account on ogusers named “Ryan,” who for much of 2018 has advertised a number of different “doxing” services — specifically those aimed at finding the personal information of customers at major broadband and telecom companies. Continue reading →


8
Jul 15

Finnish Decision is Win for Internet Trolls

In a win for Internet trolls and teenage cybercriminals everywhere, a Finnish court has decided not to incarcerate a 17-year-old found guilty of more than 50,000 cybercrimes, including data breaches, payment fraud, operating a huge botnet and calling in bomb threats, among other violations.

Julius "Ryan" Kivimaki.

Julius “Ryan” Kivimaki.

As the Finnish daily Helsingin Sanomat reports, Julius Kivimäki — a.k.a. “Ryan” and “Zeekill” — was given a two-year suspended sentence and ordered to forfeit EUR 6,558.

Kivimaki vaulted into the media spotlight late last year when he claimed affiliation with the Lizard Squad, a group of young hooligans who knocked offline the gaming networks of Microsoft and Sony for most of Christmas Day.

According to the BBC, evidence presented at Kivimaki’s trial showed that he compromised more than 50,000 computer servers by exploiting vulnerabilities in Adobe’s Cold Fusion web application software. Prosecutors also said Kivimaki used stolen credit cards to buy luxury goods and shop vouchers, and participated in a money laundering scheme that he used to fund a trip to Mexico.

Kivimaki allegedly also was involved in calling in multiple fake bomb threats and “swatting” incident — reporting fake hostage situations at an address to prompt a heavily armed police response to that location. DailyDot quotes Blair Strater, a victim of Kivimaki’s swatting and harassment, who expressed disgust at the Finnish ruling.

Speaking with KrebsOnSecurity, Strater called Kivimaki “a dangerous sociopath” who belongs behind bars.

Although it did not factor into his trial, sources close to the Lizard Squad investigation say Kivimaki also was responsible for making an August 2014 bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. That incident was widely reported to have started with a tweet from the Lizard Squad, but Smedley and others say it started with a call from Kivimaki.

In a phone interview, Smedley said he was disappointed that the judicial system in Finland didn’t do more.

“I personally got to listen to a recording of him calling in to American Airlines, and I know it was him because I talked to him myself,” Smedley said. “He’s done all kinds of bad stuff to me, including putting all of my information out on the Internet. He even attempted to use my credit numerous times. The harassment literally just did not stop.”

In an online interview with KrebsOnSecurity, Kivimaki denied involvement with the American Airlines incident, and said he was not surprised by the leniency shown by the court in his trial.

“During the trial it became apparent that nobody suffered significant (if any) damages because of the alleged hacks,” he said.

The danger in a decision such as this is that it emboldens young malicious hackers by reinforcing the already popular notion that there are no consequences for cybercrimes committed by individuals under the age of 18.

Case in point: Kivimaki is now crowing about the sentence; He’s changed the description on his Twitter profile to “Untouchable hacker god.” The Twitter account for the Lizard Squad tweeted the news of Kivimaki’s non-sentencing triumphantly: “All the people that said we would rot in prison don’t want to comprehend what we’ve been saying since the beginning, we have free passes.” Continue reading →