Awesome story of how the guy who hacked sulit.com.ph was traced. It would be very interesting to follow his (possible) ensuing trial.
Original story source So let's say you run a website with huge, huge traffic. You have a big, dedicated community, and you're raking in the ad money. Then one day, you see that your site has been hacked. You can't find a way to get inside to fix it, and your formerly awesome site is now one big ad generating revenue for somebody. That sucks, right?
That is what happened to Sulit.com.ph, the largest free classified ads site in the company.
Back in November 6, 2008, Sulit, along with some high-traffic Filipino websites, all using the .ph domain, mysteriously went down and were pointed to SEDO advertising pages. This happened just after makeuseof.com was hacked and was pointed to an advertising page. Of course, panic ensued. Onthe web, there was rampant speculation of domain hacking and poisoning, and for a while, everybody was scared of their domains going down.
As it turned out, this wasn't just an ordinary case of a hacker trying to prove he could do something. This guy wanted to actually profit from his misdeeds, a case of fame taking a back seat to fortune.
While this was going on, we at dotPH were working round the clock to stop further hacking, and more importantly, to catch this hacker.
How to catch a hacker
Everything you do on the web leaves a digital fingerprint behind. Whenever you make a transaction, leave a comment on a blog entry, or even watch a video at youtube, those websites will take note of your IP address. It's like leaving behind a digital trail of crumbs for internet detectives to follow. It's like CSI, only without the UV lights and the gross bodily fluid splatters.
dotPH head developer Sherwin Daganato soon checked our logs during the time it happened. He was able to paint a pretty clear picture on what the hacker did, step-by-step. On 9:24 PM of November 6, 2008, the hacker, using Internet Explorer 7 on a Windows XP computer, logged into our system and exploited a vunerability in our website. He tried to log in to Sulit.com.ph's account. Then he clicked on the "Forgot Password" button. Using a specially-crafted cookie, he was able to get into our system without having to enter the correct password. He was now inside Sulit.com.ph's account. First thing he did was to change the login information there, effectively locking out the legitimate owner of of the account. He then pointed the domain to his own Sedo account, so that he is able to monetize any traffic made by Sulit.com.ph. The hacker also used the same process on more .ph sites.
Sherwin was able to get the IP addresses of the hacker. We also know that the hacker, in all of the times he broke into our system, used MS Internet Explorer (Version 7), and the same Operating System version (MS Windows XP). We noticed that the hacker was using the same series of IP addresses, and he was using Bayantel. A quick GeoIP scan of the IP addresses point it to Legaspi City, Albay.
We contacted Bayantel to give us more information regarding the IP addresses. At first they were reluctant to cooperate because disclosing information about their subscribers isn't really company policy. We explained that one of their accounts was used in a hacking incident, which is against their terms and conditions. Bayantel was pretty cooperative afterwards, giving us the name the subscriber: Mark Anthony Clemente. Clemente's registered address is at Clemente Building, Gov. Forbes St., Legaspi City, Albay.
Following the money trail
Sulit.com.ph and the other hacked sites were pointed to a SEDO advertising account. We were pretty sure that the SEDO account contains the real name of the hacker, because how else is he going to claim his money? Calling SEDO, we explained the situtation, and we needed to get the name of the hacker behind the account.
SEDO was reluctant to give us the information at first. It was understandable, because nobody wants to have their financial information readily available. SEDO told us that they suspended some accounts that made a lot of money in a short period of time. We asked them if they could give us info on these suspended accounts. Again, we got a "we can't answer that" from SEDO. In a gamble, we told them that we'll say some domains, and they tell us if they encountered those domains, or if those domains are familliar to them.
"So, is Sulit.com.ph familliar to you?" we asked SEDO.
"Yes."
And we mentioned around five domains, all getting a "Yes" from the SEDO representative. By the time we mentioned the fifth domain, the representative just laughed because everything was right on the money. The noose was tightening around our hacker.
Closing In
Since we learned of the IP addresses used by the hacker, we had been monitoring our system to see if the same IP addresses get in again. True enough, since the hacker was already able to get inside our system easily the first time around, he got greedy and created seven (7) new domains using the same IP address range used to hack the domains. Interestingly, the seven new domains had an expiry period of ten (10) years each. These new domains were created under the reseller account of an Alex Laguilles, from Gov. Forbes St., Legaspi City, Albay.
We just needed a way to confirm if he owns those domains. Laguilles had registered his legitimate and hacked domains under fake names and addresses like “Alex Pogi”. Using fake names and/or addresses were against our terms of use.
We called Laguilles, hoping to gain more information. During the call, our representative immediately identified himself as a dotPH employee, and Laguilles went silent for a good few moments. Afterwards, he was audibly nervous. We decided to not confront him on the hacking issue just yet. Instead, we asked him about the domains he legitimately owns, and why were they registered under fake names like "Alex Pogi".
He admitted that he owns those domains, but mid-conversation he backtracks and says that he just registered those domains for a friend. We also asked him if he uses MS Internet Explorer (Version 7), and the same Operating System version (MS Windows XP) when he surfs the internet, and he says yes.
We advised him to change the ownership of the domains to real names and addresses.
At the end of the call, he asks us "Yun lang? (That's it?)," apparently expecting something worse.
Result: He basically admits to accessing the same dotPH account used in the hacking, and using the same computer and browser the hacker used.
We then called SEDO again to see if both hacked domains and new domains were pointed to the same account. SEDO confirmed that they were, and that they had already suspended all payments because of our concern and also the unusually high volume of traffic -- usually indicates fraudulent clickthroughs.
All we need to close this case would be to prove that Lagulles was indeed the hacker, and to see if he was working with somebody else.
Going Cloak and Dagger
We sent Mario Inocando to Legaspi City. As our operative was en route to Albay, we were gathering all that we can about Legaspi City, Clemente Building, Mark Clemente, and Alex Laguilles. Looking up the address on Wikimapia to make sure our operative knows the exact location, we coordinated with our operative every step of the way.
We even provided our operative with a spy camera (yes, that camera inspired hundreds of bad James Bond jokes). This proved to be pretty useful afterwards, because our operative was able to send us surveilance photos of Clemente Building. Well, the operative was at a loss on how to approach the people inside the building and we needed the photos to figure out a plan.
There was an office called Megapixel on the ground floor. We decided that the best way to approach them without arousing any suspicion was to pretend to be interested in their business. We called them up. As we fished for information about Clemente and Laguilles, we found out that Megapixel is owned by Clemente. We told them that we were sending somebody so our operative won't come off as suspicious.
True enough, our operative was able to talk to the people at Vodacom. Even though Clememte and Laguilles were not present at that time, he was able to gain a great deal of information.
We found out that Alex Laguilles worked as a developer/programmer for Vodacom, another company owned by Clemente. Vodacom is also housed in the same building. Laguilles used the office internet connection that Clemente owns (which explains the IP addresses) to hack into our system. Interestingly enough, the people there knew about the hacking incident, even though they were reluctant to disclose any of the details. So far, no evidence points to Clemente being involved in this, except that his internet account being used (probably without his knowledge) for the hacking incident.
The hacking incident took place on November 6, and by Monday the 10th we had already ID'ed the guy and found out where he operates from. It took us some more time to get the documentation needed to file a case, after which we handed all our evidence to NBI. Laguilles should be expecting a knock on his door any time soon.
Now all evidence points to Laguilles not being in the hacking game for long. He probably found a hole in our security and he used it for monetary gain. There was no real effort at all to cover his tracks. There will be more hackers, and they will not be as careless as Laguilles. dotPH will remain vigilant for more hacking incidents in our system, and end any hacking activity as soon as we detect it, find the source, and use legal action agains the perpetrators.