Cosmo, the Hacker 'God' Who Fell to Earth

[InfoSec News <alerts () infosecnews org>]

http://www.wired.com/gadgetlab/2012/09/cosmo-the-god-who-fell-to-earth/

By Mat Honan
Gadget Lab
Wired.com
September 11, 2012

Cosmo is huge — 6 foot 7 and 220 pounds the last time he was weighed, at 
a detention facility in Long Beach, California on June 26. And yet he’s 
getting bigger, because Cosmo — also known as Cosmo the God, the 
social-engineering mastermind who weaseled his way past security systems 
at Amazon, Apple, AT&T, PayPal, AOL, Netflix, Network Solutions, and 
Microsoft — is just 15 years old.

He turns 16 next March, and he may very well do so inside a prison cell.

Cosmo was arrested along with dozens of others in a recent multi-state 
FBI sting targeting credit card fraud. It is the day before his court 
date, but he doesn’t know which task force is investigating him or the 
name of his public defender. He doesn’t even know what he’s been charged 
with. It’s tough to narrow it down; he freely admits to participation in 
a wide array of crimes.

With his group, UGNazi (short for “underground nazi” and pronounced 
“you-gee” not “uhg”), Cosmo took part in some of the most notorious 
hacks of the year. Throughout the winter and spring, they DDoS’ed all 
manner of government and financial sites, including NASDAQ, ca.gov, and 
CIA.gov, which they took down for a matter of hours in April. They 
bypassed Google two step, hijacked 4chan’s DNS and redirected it to 
their own Twitter feed, and repeatedly posted Mayor Michael Bloomberg’s 
address and Social Security number online. After breaking into one 
billing agency using social-engineering techniques this past May, they 
proceeded to dump some 500,000 credit card numbers online. Cosmo was the 
social engineer for the crew, a specialist in talking his way past 
security barriers. His arsenal of tricks held clever-yet-idiot-proof 
ways of getting into accounts on Amazon, Apple, AOL, PayPal, Best Buy, 
Buy.com, Live.com (think: Hotmail, Outlook, Xbox) and more. He can 
hijack phone numbers from AT&T, Sprint, T-Mobile and your local telco.

“UGNazi was a big deal,” Mikko Hypponen, the chief security researcher 
at F-Secure, told Wired via email. “The Cloudflare hack was a big deal. 
They could have done much more with that technique.”

So, yes, he is Cosmo the God. But before he was Cosmo, he was Derek*. 
And while Cosmo may be a god, Derek is just a kid. A high school 
dropout. A liar, fraud, vandal and thief. But ultimately a kid, without 
much adult supervision or guidance.

I met Cosmo by accident and opportunity, after hackers used 
social-engineering techniques to circumvent Apple’s and Amazon’s 
security mechanisms and break into my accounts. They wrought enormous 
damage, wiping my computer, phone and tablet, deleting my Google 
account, and hijacking my Twitter account.

[...]

--
#HITB2012KUL - The 10TH ANNUAL HITB Security Conference in Malaysia
with no keynotes, no labs - just three tracks filled with our most
popular speakers from the last decade: http://conference.hitb.org/