AOHell, or How Phishing Got Its Start

In a paper [PDF link] penned last year, Koceilah Rekouche recounts the earliest days of phishing. Surprise, surprise: it happened on America OnLine (or AOL). Here’s how the process worked:

1. Obtain an anonymous AOL account by creating one using a fake bank account number or credit card, or use an account that was stolen in a previous attack.

2. Create a screen name on the account that appears official (e.g. BillingDept). 

3. Write the “bait” message which will explain to users the need for us to “verify”their passwords or billing information. For example: “Hi, this is AOL customer service. Due to a problem with our records, we need you to reply to this message with your current password in order to avoid being disconnected.”

4. Locate a New Member Lounge chat room and open its occupant list.

5. Send a private message containing the bait to each person in the room.

The paper is quite revealing, and having read the whole thing, it’s obvious that the people behind the phishing attempts wanted to create a community of hackers. Rekouche discusses how AOHell, an early software created for the purposes of stealing passwords and credit cards, proliferated:

A major goal in writing AOHell was to gain a user base not just within AOL’s hacking community but, moreimportantly, to get users from outside this community and thus increase its size by recruiting and educatingnew people. This was extremely successful as the popularity of AOHell and similar programs were largelyresponsible for growing the warez, hacking, and programming communities to a point where they reachedthousands of participants. For each new release, and periodically in between releases, I would spam a copy ofthe program, along with a layman’s description of the things that it could do, to every person in the Teen Chatrooms. This was a very effective way of getting new people to use the program as email spamming had not yetcome about. Phishing was one component of the software, but most AOL teenagers were drawn by the otheradvertised functions such as the ability to “punt” their friends offline or the ability to scroll ASCII art in thechat rooms.

It’s a fascinating paper. For the pointer, I thank this Wall Street Journal post, in which you can make a contribution of how you’ve been hacked, if ever.


Readings: J.D. Salinger, Free Writing, Charles Darwin

Three things I’ve read today, all worth twenty minutes of your time:

1) “An Evening with J.D. Salinger” [Paris Review] – Blair Fuller recounts a very interesting evening with one of his favorite writers, J.D. Salinger. In attendance are Blair’s younger sister, Jill and her husband, Joe:

He [J.D. Salinger] asked us to call him Jerry, then asked some routine questions about what we were doing and why, but with a pleasing sympathetic intensity. He made several comments that put him on our side, the side of people starting out rather than the people settled in to lifelong careers. The conversation warmed, and we found that we could make each other laugh.

But as the evening progresses, things turn for the worse. The narrative in this piece is wonderful — you have to read the entire thing.

2) “No One is Forced to Write for Free” [Anna Tarkov’s blog] — the day after the huge AOL purchase of Huffington Post, Anna Tarkov writes an excellent piece about why Huffington Post writers continue to write for free (and why it’s not as bad as some people make it out to be). Great argument:

No, the reality as we all know is that people chose to write on Huffington Post for free. They chose to do it because HuffPo gave them a platform where a lot of eyeballs would potentially see what they wrote. Most people can’t get that kind of visibility on their own blog. Maybe Dan Gillmor can, but I can’t. So if I decide to write on HuffPo for nothing more than attention, then I’m getting paid in a sense, just not in dollars. How is this different than a business buying a billboard on a busy expressway?

I’m curious whether people in other professions feel similarly about exposing their work for free: photographers, artists, etc.

3) “Charles Darwin’s Little Known Psychology Experiment” [Scientific American] – Darwin wasn’t just well-known for advancing his theory of evolution. This is a great read:

In 1872, Darwin published The Expression of the Emotions in Man and Animals, in which he argued that all humans, and even other animals, show emotion through remarkably similar behaviors. For Darwin, emotion had an evolutionary history that could be traced across cultures and species—an unpopular view at the time. Today, many psychologists agree that certain emotions are universal to all humans, regardless of culture: anger, fear, surprise, disgust, happiness and sadness.

(Hat tip: @matthiasrascher)

Readings: Knowledge and Predictability, AOL-Time Warner, Soyabeans

I’ve decided that in addition to posting about the books I read, I’ll also provide links to interesting articles I find across the web. I don’t see myself posting links daily, but perhaps three to five links once a week. If you think this is a worthy venture, please let me know in the comments!

Here are the articles I’ve read recently which are worth checking out:

(1) “The Degradation of Predictability and Knowledge” [] – interesting, but perhaps overly pessimistic take on the internet, by Nassim Taleb, author of Fooled by Randomness and The Black Swan (both of which I read and highly recommend).

(2) “In Retrospect: How the AOL-Time Warner Merger Went So Wrong” [New York Times] – an excellent interview with Stephen Case (co-founder of AOL), Gerald Levin (CEO of Time Warner), and Ted Turner on what went wrong with that fateful merger ten years ago.

(3) “Worth a Hill of Soyabeans” [The Economist] – how the gradual introduction of internet kiosks providing price information affected the market for soyabeans in the central Indian state of Madhya Pradesh. Interesting to discover that not only farmers’ profits increased but that the cultivation of soyabeans increased as well.

On another note, today is a palindrome day (01/11/10).