[ISN] AOL Employee Charged in Theft Of Screen Names

From: InfoSec News (isn@private)
Date: Thu Jun 24 2004 - 04:35:42 PDT

  • Next message: InfoSec News: "[ISN] Police: Thief was unaware of laptop's secret data"

    [The Smoking Gun has the amended complaint at:  
    http://www.thesmokinggun.com/archive/0623042aol1.html  - WK]
    By Jonathan Krim and David A. Vise
    Washington Post Staff Writers
    June 24, 2004
    A 24-year-old software engineer at America Online Inc. was arrested 
    yesterday on federal charges that he hacked into the company's 
    computers to steal 92 million e-mail addresses that were later sold 
    and used to bombard AOL members with spam.
    Jason Smathers, who worked at the company's Dulles headquarters, is 
    accused of illegally obtaining the e-mail addresses of nearly all of 
    the Internet provider's customers in May 2003. Smathers allegedly sold 
    the names for $100,000 to Sean Dunaway, 21, who ran an Internet 
    gambling business in Las Vegas, prosecutors said.
    Dunaway then sold the list to unidentified spammers, who used it early 
    this year to send millions of e-mails peddling herbal penile 
    enhancement products, according to a criminal complaint filed in 
    federal court in the Southern District of New York.
    Smathers, who became an AOL employee in 1999, obtained other AOL 
    member information as well, including telephone numbers, Zip codes and 
    types of credit cards used by members, though not credit card numbers, 
    according to the complaint. The company said those numbers are stored 
    in a separate, secure facility.
    The revelations come as AOL and other Internet providers have ramped 
    up their efforts to track down the purveyors of spam, which has grown 
    into a maddening scourge that costs consumers and businesses billions 
    of dollars a year.
    "I am very, very angry about this," said Jonathan F. Miller, AOL's 
    chief executive, in an e-mail to employees yesterday. "We will 
    absolutely not tolerate wrongdoing by employees. . . . We will do 
    everything we can to uncover abuse and assist law enforcement in 
    prosecuting it." 
    The company, which helped investigators surreptitiously monitor 
    Smathers for the past two months, said in a statement that it is 
    reviewing and strengthening its internal controls.
    AOL uncovered the scheme after it filed suit in March against another 
    spammer. In the course of that case, a source told an AOL official 
    that one of its employees was stealing screen names from the company 
    and selling them to a third party.
    According to prosecutors, Smathers was not authorized to access AOL's 
    customer database, which can be viewed by only a small number of 
    employees and is "housed" in secure computers. But in May 2003, 
    Smathers used the computerized employee identification code of another 
    AOL worker to gain entry to the data and compile the lists of AOL's 
    roughly 30 million users, many of whom maintain more than one screen 
    "I think I found the member database," Smathers wrote in an instant 
    message to an unidentified person who used the handle The Brews. 
    "There are going to be millions of them so, will take time to extract. 
    I will do them a chunk at a time."
    The text of the instant message was in an e-mail found by 
    investigators, including Secret Service members, on a company laptop 
    belonging to Smathers. Computer logs also showed that Smathers 
    apparently was also able to get access to the data from his home in 
    Harpers Ferry, W. Va.
    The informant who alerted AOL to the scheme told investigators that 
    roughly a month after Smathers accessed the data, Dunaway sold him the 
    92 million names in 26 separate blocks, one for each letter of the 
    alphabet, for $52,000. He provided investigators with CD-ROMs 
    containing the lists, which matched the way the data was stored by 
    The source told investigators that early this year he bought a revised 
    list from Dunaway for roughly $32,500. That list was much smaller, 
    about 18 million screen names, and Dunaway said it was more up to date 
    and "a more risky proposition for his AOL insider to obtain" because 
    it had other subscriber data, according to the complaint.
    Prosecutors said Dunaway boasted that spamming for his Internet 
    gambling business was earning between $10,000 and $20,000 a day. 
    Smathers was arrested yesterday morning at his home, made an initial 
    appearance in federal court in Alexandria and was held in jail 
    overnight, pending a detention hearing scheduled for today. He was 
    assigned a public defender, who declined to comment.
    Dunaway was arrested yesterday at his home in Las Vegas.
    The charges against both men include conspiring to transport stolen 
    goods across state lines, gaining unauthorized access to computers and 
    sending out deceptive bulk e-mail with disguised origins.
    Each man faces a maximum sentence of five years in prison and a fine 
    of $250,000.
    The government said that the source was cooperating in hopes of 
    winning leniency and that his information has been independently 
    "It is a very disturbing fact of life that an employee with criminal 
    intentions can betray our members' trust by working around systems and 
    procedures that are in place to protect data from disclosure," AOL 
    said in statement.
    Staff writer Jerry Markon contributed to this report
    ISN mailing list
    Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie!
    (Broke? Spend 15 minutes a day on the project!)

    This archive was generated by hypermail 2b30 : Thu Jun 24 2004 - 06:58:50 PDT