Welcome to MilliSec

The story of a hacker.

For the past decade, I have taken precautions to remain unknown and stay hidden from the public eye. In fact, this is the first time that I’m exposing myself to the public. My name is Kyle Milliken, I’m 30 years old, and I am the epitome of a hacker and spammer.

In July of 2014, I was awoken in my Los Angeles home at 5:01 AM. What seemed to be an earthquake was actually a flash bang grenade detonating in my guest house. I walked into my living room area to investigate the sound, only to be met by four SWAT team members aiming their M4 Carbine assault rifles at my head on the other side of my glass sliding doors leading to my pool area. There I am, frozen, standing in only my briefs, sleep in my eyes, just trying to process what’s happening. Was I just a victim of a swatting prank? Would they really come after me this hard for hacking? Do I take three steps to the right and unplug my computer? Will they shoot me if I go for it? “Fuck it,” I said to myself. “COME IN, IT’S UNLOCKED,” I shouted to the SWAT team. Four more SWAT members simultaneously entered from the front door. One member of the SWAT team quickly put me in cuffs and kept asking me where the weapons were. I didn’t own any guns. I’m a computer nerd, for Christ’s sake. They sat me on my porch and after a couple of minutes, I became light-headed, dizzy, and nauseous. It was the aftereffects of a serious adrenaline dump. After about fifteen minutes, the SWAT team declared my house clear. Still trying to process everything, I see five agents walking up my driveway. Only these guys didn’t look anything like the SWAT members. They were average looking, with smaller body frames, wearing FBI jackets, with no pistol on their side; they were definitely computer nerds. “Do you know why we’re here?” one agent asked. “Well, you’re not here for a fucking barbecue,” I sarcastically replied.

Password Reuse & Credential Stuffing

I recently did an interview with @campuscodi of ZDNet that can be read here: Disqus & Kickstarter hacker warns against password reuse. There are a few things I want to expand on that weren’t fully covered, and I want to give a couple of scenarios. It seems like such an obvious and basic security practice to never reuse passwords. I’m sure most of us have that one password that we use on websites we don’t really care about. I’m talking about the Netflix password we might share with our friends and family, a food delivery service, or some forum or game that you forgot you signed up for. These websites and databases get breached daily. If you take a look at HaveIBeenPwned, you’ll probably notice that your e-mail address or username is in multiple databases that have been hacked.

Scenario: You’re an employee at a company that a hacker is targeting.

I want to preface this by saying this is strictly a scenario using breached databases and the reuse of passwords. The first thing a hacker would do is gather as much intel as possible about the employee. We’re only going to use three criteria: name, username, and e-mail address. Once those are collected, it’s as simple as searching those three fields on a website to find every username and email address you’ve ever used, along with every known password. From there we would credential stuff any website that could possibly give us more info: a Dropbox account, a project management system, a ticket-based system, or any account that would have your phone number attached. Without giving a complete blueprint, there are only a couple more steps to successfully infiltrate or breach the employee’s company that the hacker was targeting. This is why it is absolutely pertinent to not reuse passwords and to not use a common pattern with your passwords.

And then there’s 2FA which might seem secure, but you’re still at risk of getting SIM hijacked. While I don’t think there’s much you can do to prevent this from an experienced social engineer, it’s still an extra layer of protection that I would highly recommend.
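A defender-side use of the breach corpora mentioned above, added here as an example and not part of the original post: screening a new password against leaked ones the way HaveIBeenPwned's Pwned Passwords range lookup works, where only the first five hex characters of the SHA-1 hash leave the client and the suffix match happens locally. The leaked-password set below is constructed for the example; in production the local_range_lookup stand-in would be replaced by an HTTP GET to the real range endpoint.

```python
import hashlib

# Constructed stand-in for a breach corpus (not from the page): password -> times seen.
# The real Pwned Passwords service answers GET https://api.pwnedpasswords.com/range/<prefix>
# with lines of the form "<35-hex-suffix>:<count>"; local_range_lookup mimics that reply.
CONSTRUCTED_LEAKED = {"password123": 120000, "letmein": 9500, "summer2014!": 3}


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the hash form the range protocol uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def local_range_lookup(prefix: str) -> str:
    """Return every corpus suffix whose digest starts with `prefix`, one per line."""
    lines = []
    for leaked_pw, count in CONSTRUCTED_LEAKED.items():
        digest = sha1_upper(leaked_pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def pwned_count(password: str, range_lookup=local_range_lookup) -> int:
    """How many times `password` appears in the corpus; 0 if never seen.

    Only the 5-character prefix is handed to the lookup (k-anonymity); the
    full hash is never sent, and the suffix comparison is done here.
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


def acceptable_new_password(password: str, min_len: int = 12) -> bool:
    """Registration-time rule: long enough and absent from the breach corpus."""
    return len(password) >= min_len and pwned_count(password) == 0
```

A password absent from the corpus is not automatically strong, which is why the length rule sits beside the lookup rather than replacing it.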

Finally out of Prison!

Well, the past 17 months haven’t been anything less than interesting. The amount I’ve been able to grow in such a short amount of time has been a blessing. I wouldn’t change anything that I had to go through, and I’m extremely grateful for the people who have been on my side through this crazy journey. It’s time to write the next chapter and I’m beyond excited about what lies ahead! Over the next couple of posts I’ll write about my experience in prison, the people I’ve met, and what comes next. Stay tuned!

Life After the Raid…

After being raided I wasn’t sure what to do; I had every form of communication seized other than my PS4. Actually, as the raid team was leaving I ignorantly asked, “You’re not going to take my PlayStation?” One of the agents, with a confused look on his face, replied, “Should we?” The answer was of course no. My life had just been rocked at 5 A.M. by a dozen SWAT members and FBI agents. I needed at least one form of communication.

Now, it wasn’t a surprise that this day had come; I knew for years it was inevitable. However, I didn’t expect it to be this day. I wasn’t nearly as prepared as I had hoped to be. I had a “go bag”, a few assets, and a couple of people in place to help me, or so I thought. One thing I learned is that you can never count on anyone except yourself.

When I was 17 years old, I found my partner/programmer/best friend in an IRC channel, freely helping people with their code. I was young and hungry, but I still missed an important piece of my puzzle: a programmer. It took some convincing, but I eventually coaxed him into being my partner in crime, pun intended. He was a few years older than me, a bit wiser, and could code godlike software. I made a promise to him that I’ve kept to this day. I said, “If we ever get raided, I’ll take the fall 100%, you have kids.”

When you’re part of a criminal organization, there’s a certain level of trust and confidence you have in each other. After a couple of weeks of confiding in one of my associates, I was on the phone with him when he hit me with, “My lawyer told me not to speak to you anymore.” CLICK.

Look, I get it, I’ve been burned, the FBI seized all my phones and computers, but this wasn’t just an associate. This is a person who I considered my best friend and a brother. I mean, we’ve had discussions about how, if we were ever raided, we would be there for one another. I played a key role in his success; I single-handedly generated thousands upon thousands of sales for his products and made him God knows how many millions of dollars. We spoke every day for years, stayed at each other’s houses, partied all over the country, and had countless dinners together. To me, it was a betrayal that I couldn’t have predicted in a million years.

I’m not going to cry about it; everything that was happening, I definitely had coming. I’m just telling you how it was from my perspective. I think the stress of having basic living expenses of $10,000 a month with no income, in addition to almost everyone turning their back on me, took a huge toll on me. The worst part was I felt that my greatest passion in life had been taken from me: hacking and spamming. It probably sounds crazy, but this was what I looked forward to every morning I woke up.

Catch Me If You Can

One of the reasons I titled this post “Catch Me If You Can” is because it’s one of my all-time favorite movies. For the majority of my adult life, I’ve considered myself a modern-day Frank Abagnale. In my post “My First E-mail Spam Operation”, I told you that I moved to Kissimmee, FL. What I didn’t tell you is that I was actually on probation from a four-year suspended sentence in Arkansas. I obviously violated my probation by moving, but the truth is I had violated it way before that and I made the decision to run. I was 20 years old and there wasn’t a chance in hell I was going to do a day in prison.

Now, nearly five years later, I was basically in the same predicament. I guess it’s true when they say history has a funny way of repeating itself. That left me with the dilemma of whether to continue running or finally accept responsibility. I’m not going to lie, I thought long and hard about my next move. I weighed several options, which included fleeing the country to Panama to work for a fantasy sports website. Another option was to move to Costa Rica and continue my hacking/spamming operations. I couldn’t help but fantasize about the lifestyle portrayed in the movie “Runner Runner”. Ultimately, I decided that I was tired of running and I was going to face this head-on.

Hacking, My Demise.

The constant need for new data, and the unavailability of it for purchase on the dark web, forced me to become an extraordinary hacker. I’ve always considered myself exceptionally gifted when it comes to reverse engineering, whether it be code, people, businesses, or websites. I’m telling you this because to me, hacking isn’t what’s portrayed on television and in movies. Most people have the perception of hacking as fast typing and Matrix code being displayed on screen. It’s the complete opposite. It’s a slow, difficult grind that sometimes takes an extremely long time. I can recall working on hacking multiple sites, spending hundreds of hours and even months on obtaining their databases.

I don’t recall the first “real” website I hacked, but some of the most notable ones that gained media attention and ultimately led to my demise courtesy of the US Government were: airbnb.com, bitly.com, disqus.com, dropbox.com, facebook.com, flickr.com, groupon.com, imgur.com, kickstarter.com, kik.com, linkedin.com, netlog.com, okcupid.com, pinterest.com, rediff.com, reverbnation.com, shopify.com, vimeo.com, vine.co, voxer.com, wehearit.com, wix.com, and yelp.com. Now, while I didn’t necessarily get the “key to the castle” to all of them, meaning I successfully dumped their database, I certainly hacked into each of them in some capacity.

In my proposed plea agreement it stated that, “I possessed over 168 million stolen email user names and passwords and proprietary information belonging to nearly two dozen corporations.”

I made no exception in targeting any top-tier website that would contain large databases, specifically those in Alexa.com’s top 100 websites. Some will say that my actions were extremely nefarious, but I still lived within my own code of not dumping anything other than emails, usernames, and passwords. It was a flawed code, but unlike most nefarious hackers, I still had one that I lived by.

Spam Operation: Twitter & Pinterest

Social network spam was the root of my spamming career; it started with MySpace, and as other social networks became popular, they became targets. With a plethora of data at my disposal, it wasn’t difficult to turn the data into dollars. The same concept as my infamous “contact mail” was used on these social networks: create software that would check to see if the same email/password credentials were used on these sites and spam their friends, wall, board, etc. Now, the success rate of these logins was much lower than e-mail, some even as low as 2 to 4%, but when you have hundreds of millions of records, the percentage is merely a statistic. Without any login rate limits or security on these sites, I could easily check a few million accounts in just a few hours. Of course I had 20,000+ proxies at all times to use, but it was only a precaution I used to keep them guessing.

This would eventually lead to tens of millions of accounts being spammed throughout 2013-2014. I was promoting whatever Dr. Oz was endorsing that month, everything from garcinia cambogia and green coffee beans to raspberry ketones. Anytime I wanted to make a few thousand dollars I could just run 100k accounts in a matter of minutes.

Here are a few articles guessing what was going on with these social networks:

Hacking Yahoo with XSS

The first time I remember reading about XSS was when the Samy worm was created on MySpace in 2005. In fact, I had actually used different XSS techniques to bypass MySpace’s filters during my operation.

Anyways, the first time I saw a Yahoo XSS was on another spammer’s landing page that was promoting a work-from-home program. My friend owned the program he was pushing and wanted me to check out his landing page and see how he was making $5,000/day. After investigating it for a few minutes, I saw that there was a bit of code loading from the domain yahoo.com. This was unusual, because there wasn’t any reason why any assets from yahoo.com should be loading. I captured the headers and saw that it linked back to hk.groups.yahoo.com or something similar. There was a forum on the page that was vulnerable to a persistent XSS attack. He was stealing Yahoo users’ session cookies and mailing with them.

After understanding the intricacies of this operation, I wasn’t too surprised that he was clearing $5,000/day. Within the hour, I found the injection point and had injected my own code into the vulnerable Yahoo forum. Now, when you steal a user’s session cookie, it means that you don’t need their login credentials: no email, no password, nothing. You were already logged into their account by having their cookie. The worm was fairly simple: you grab the user’s cookie, hit mail.yahoo.com, and send mail to everyone in their address book. Once users read the email and visited the website that was sent in the email, it would grab their cookie and go through the process all over again. Yahoo killed the website that was vulnerable in just a couple of days, but not before I made close to $30,000.

For me, hacking and spamming is a high that can’t be replicated. Over the next year, I would go on to find more XSS exploits, once again playing cat and mouse with Yahoo’s security team. The most infamous XSS exploit that I found was on the Yahoo developer’s blog. It was a publicly known exploit, but for me it was a chance to slap Yahoo in the face. Now, I didn’t necessarily have a grudge against Yahoo, but at the time they were offering security researchers a $12.50 voucher to their store for these same exploits that put every user on Yahoo at risk.

On this particular XSS vulnerability and worm, I hacked over 5 million accounts and sent over 25 million emails in a 3-day period. At the peak of this worm I was making $1,000 every 10 minutes. I was promoting a work-from-home program that paid $100 per sign-up and I accumulated over 2,500 sales; do the math on that one. This caused havoc for Yahoo and eventually led them to change the way they stored cookies.

Here’s a couple of articles detailing the exploits:

Hacking Databases 101

There was always a constant need for fresh databases. It was the fuel that kept my spam operation running. The only options back then were to buy them from a sketchy source, which was probably a fed or a scammer, or to hack them yourself. I don’t know what caused me to have such a great belief in myself, but I remember thinking, “What can any other hacker learn that I can’t?” I looked at it from a completely different perspective than I did sports like basketball, football, or baseball. It didn’t require you to be physically gifted or talented. I used the same tool everyone else had access to: Google.

I learned how to hack using Google. I think the first thing anyone learns when it comes to hacking is SQL injection. After spending an hour reading about SQL injection and downloading Havij, I was ready to begin hacking. I set my goals high and wanted to only hack the largest databases. To do that, I first needed to see what the most popular websites online were. So I headed over to alexa.com and downloaded the top 1M websites list. I had my programmer create software that would search each site on Google with a dork list and check to see if the website was vulnerable. When it was done it would look something like this:

site:domain.com inurl:php?*=*
site:domain.com inurl:asp?*=*
site:domain.com inurl:cgi?*=*

etc.

This would search Google for all injection points and place a ' after the = sign. If an error came back, it meant the website was vulnerable. I admit, it wasn’t a sophisticated method at all, but the number of positive hits that came back was astounding. In fact, there were too many results; it got to the point where if the website didn’t have more than 100k records, I wouldn’t even bother dumping them. I hacked hundreds of websites using this method that I basically taught myself in less than a couple of hours. At this moment I realized how far security really was behind technology. This would go on to provide me a steady stream of data for almost a year.
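The reason a stray quote after the = sign produced an error is visible in a few lines of code. This added example (Python with the standard sqlite3 module, not the author's tooling) puts the string-concatenated query beside its parameterized fix and shows that only the former turns the quote into a database error; the table and rows are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a site's article table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(1, "Hello"), (2, "World")])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, article_id: str) -> list:
    # The pattern behind "page.php?id=" style URLs: the raw parameter is pasted
    # into the SQL text, so a quote in it becomes part of the statement grammar.
    sql = "SELECT title FROM articles WHERE id = " + article_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, article_id: str) -> list:
    # Parameter binding keeps the value out of the SQL grammar entirely; a
    # quote is just a character in the bound value and matches nothing.
    return conn.execute("SELECT title FROM articles WHERE id = ?",
                        (article_id,)).fetchall()


def leaks_syntax_error(lookup, conn: sqlite3.Connection,
                       value: str = "1'") -> bool:
    """True if `lookup` turns a stray quote into a database error, which is
    exactly the signal the dork-and-quote scan described above relied on."""
    try:
        lookup(conn, value)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    print("concatenated query errors on quote:", leaks_syntax_error(vulnerable_lookup, db))
    print("parameterized query errors on quote:", leaks_syntax_error(safe_lookup, db))
```

Parameter binding is the fix; merely hiding the verbose error page removes the signal but not the injection.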

The Battles Fought with Microsoft and Yahoo

A lot of people will assume that everything I did was because of the money. The truth is hacking and spamming was my greatest passion in life. The money was just a bonus and a measurement of my success. The battles I fought with Yahoo’s and Microsoft’s security teams were some of the most fun and greatest moments of my life. Now, I might have given the impression that you can just create automated software, load some data, type a command, and become a successful spammer. It may have been like that in the very beginning, but if you thought Microsoft and Yahoo were going to just sit around and continue to allow me to have my way, you’re wrong.

The entire contact mail operation was a cat and mouse game. Microsoft and Yahoo would implement a security feature and I would figure out a way to beat it. For years, I was using the basic webmail protocol to log in and fetch the user’s address book; to send mail I would use good old port 25, better known as SMTP. The first security feature they implemented was CAPTCHA. CAPTCHA could be solved with OCR, or optical character recognition, software. There were brilliant programmers out there that created and rented software that could actually read the distorted characters with a 60%+ success rate. There were also services out there to solve CAPTCHAs for you at a rate of $2 per 1,000 CAPTCHAs. I didn’t like either of these options.

Reverse engineering is probably one of my greatest strengths. It can be traced all the way back to my first operation on MySpace in 2007. I simply ask myself questions like: “How does this work?”, “How can I make this computer believe that I’m a human user?” In this case, the question was how I could trick Hotmail into not showing me that CAPTCHA. The answer was literally in my hand; it was my phone. The developers had overlooked implementing CAPTCHA on their mobile website. It was as simple as changing hotmail.com to m.hotmail.com. This would allow me to completely bypass CAPTCHA.

It wasn’t long before Microsoft caught on and realized the mistake they had made. Within a few months they implemented CAPTCHA on their mobile website and even started locking the accounts. Now, here’s the thing: I only needed to log in to the Hotmail website to pull the list of contacts in the address book. With Microsoft getting smarter, it was time to look at other options. I don’t remember exactly what sparked the idea, but there were a handful of websites that would allow you to import your address book and invite your friends to the website. These special websites were whitelisted and wouldn’t require a CAPTCHA. In fact, it would use the website’s IP address to log in to your account. There were several websites like this, but the one I remember most is MySpace.

After months of battling with Microsoft and Yahoo, they finally implemented SMS verification. SMS verification was implemented by locking you out of your account until you added a cell phone number. If there was a suspicious attempt to log in to your account, they would send a code to your phone and you would have to enter it to log in to your account. This would prevent guys like me from logging into your account unauthorized, or so they thought.

Like I said, it was a game of cat and mouse. Mobile applications were on the rise and these email providers didn’t miss the opportunity to join the game. Hotmail and Yahoo alike created their own email applications for Android and iPhone. This was new territory for both of us. The thing about technology is that it’s always ahead of security.

When I downloaded the apps, I found that you could log in to any account without any kind of security. These mobile applications used entirely different servers and had zero security implemented. In other words, they were wide open. I mean, there wasn’t even the standard request rate limit for an IP address. This was a game changer and allowed me to continue my operation for quite some time. Not only did it prolong my contact mail operation, it also opened my eyes to reverse engineering other applications in the future.
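Both the social-network logins described earlier, with no rate limiting, and the mobile API here, with no per-IP request limit, share one detection signal: a single source attempting many different accounts, mostly failing, regardless of which login surface it uses. This added example (not from the original post) applies that check across endpoints to a constructed auth log; the log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-log sample (not from the page). One source sprays six
# different accounts across the web, mobile-web and mobile-API login surfaces
# within four seconds; a second source is an ordinary user retrying a typo.
SAMPLE_LOG = """\
2013-04-02T10:00:01Z ip=203.0.113.5 endpoint=/login user=alice result=fail
2013-04-02T10:00:02Z ip=203.0.113.5 endpoint=/m/login user=bob result=fail
2013-04-02T10:00:02Z ip=203.0.113.5 endpoint=/api/mobile/auth user=carol result=success
2013-04-02T10:00:03Z ip=203.0.113.5 endpoint=/api/mobile/auth user=dave result=fail
2013-04-02T10:00:04Z ip=203.0.113.5 endpoint=/m/login user=erin result=fail
2013-04-02T10:00:05Z ip=203.0.113.5 endpoint=/login user=frank result=fail
2013-04-02T10:00:10Z ip=198.51.100.7 endpoint=/login user=grace result=fail
2013-04-02T10:00:15Z ip=198.51.100.7 endpoint=/login user=grace result=success
"""


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts_text, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def flag_credential_stuffing(log_text: str,
                             window: timedelta = timedelta(minutes=5),
                             min_distinct_users: int = 5,
                             min_failure_ratio: float = 0.5) -> dict:
    """Return {ip: summary} for sources that try many distinct accounts, mostly
    failing, inside `window`. Endpoints are pooled on purpose: a control that
    only watches /login misses the same actor on the mobile surfaces."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda r: r["ts"])
        best_users, best_win, start = 0, [], 0
        for end, rec in enumerate(events):
            # Slide the window start forward until the span fits in `window`.
            while rec["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            users = {r["user"] for r in win}
            if len(users) > best_users:
                best_users, best_win = len(users), win
        failures = sum(r["result"] == "fail" for r in best_win)
        ratio = failures / len(best_win)
        if best_users >= min_distinct_users and ratio >= min_failure_ratio:
            flagged[ip] = {
                "distinct_users": best_users,
                "attempts": len(best_win),
                "failure_ratio": round(ratio, 2),
                "endpoints": sorted({r["endpoint"] for r in best_win}),
            }
    return flagged
```

The per-IP view is a starting point; a source rotating through many proxies, as the post describes, is caught by applying the same distinct-account count per account-cluster or per ASN rather than per address.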

The Evolution of Contact Mail

While the Twitter operation was a success, I still wanted to go back to the quieter side of my contact mailing. The only problem was that the accounts I was mailing with were producing fewer and fewer results. If I wanted to produce the numbers I was used to seeing, I would have to expand my operation into other email providers.

So in 2012, I did a domain extension count on my databases. This would tell me how many accounts I had for each email provider and, more importantly, tell me the most popular providers. The top three were obviously Hotmail, Yahoo, and Gmail. At the time, I was nearly 2 years into my Hotmail and Yahoo operation. Now, I didn’t want to go up against Google, as I knew their security precautions with reCAPTCHA would be a huge headache. I was more interested in the lesser-known providers. This left me with four options: AOL, Road Runner, Cox, and Earthlink. There were a couple of things about these options that I loved. First, they were all US-based, which meant that all of the traffic generated from these accounts and, more importantly, their contacts would be from the US. Secondly, nobody had ever thought about contact mailing these providers. It was as fresh as the very first contact mail operation on Hotmail.

So which one did I choose to do? All of them.