We’ve seen a lot of cunning hackers exploit weak or dumb security measures to compromise users’ information.
One unidentified hacker did just that in June, for instance, by using a fake passport against an unthinking Facebook customer support representative.
But just because you’re a hacker doesn’t mean you’re smart.
Don’t believe me? Ask Dwayne C. Hans.
Last week, law enforcement arrested Hans, 27, of Richland, Washington and charged him suspicion of computer fraud, wire fraud, and money laundering.
Why? For being one of the stupidest hackers in history.
Hans’s first offense came sometime between 28 April and 17 June 2016 when he gained unauthorized access to the United States General Service Administration’s Systems for Awards Management (SAM) website.
SAM is a website through which vendors that hold contracts with the U.S. government can input their bank account credentials in order to get paid.
The defendant went in and altered a financial institution’s entry on SAM so that the Pension Benefit Guarantee Corporation (PBGC) was tricked into transferring more than $1.5 million to a bank account under his control.
Fortunately, officials were able to spot and reverse the fraudulent transfers before Hans had a chance to withdraw the money. That’s because the hacker left a trail.
As reported in court documents:
“According to Internet Protocol (‘IP’) address information associated with the defendant’s intrusion into SAM.gov, the unauthorized access was gained through IP addresses registered to ‘Dwayne C. Hans’ at an address in Richland, Washington (the ‘Richland address’), at which address the defendant has been observed by the FBI on multiple occasions in August 2016 and and September 2016. In addition, the user information that was provided as part of the process to access the SAM.gov website without authorization was associated on SAM.gov with the email address ‘firstname.lastname@example.org.”
That’s right. Hans used his own IP address, his own name, his own home address, and his own personally identifiable email account to steal money from a site operated by the federal government.
But that’s not all!
Sometime between 15 March and 11 April 2016, Hans set up five bank accounts with the financial institution from which he later stole. He then linked those accounts to an account at JP Morgan so that he could try to steal $134,000 from two corporate accounts at the bank.
Those transfers were spotted by the financial institution before they could proceed. Here’s why:
“The five accounts that the defendant Dwayne C. Hans created were associated with the name ‘Dwayne C. Hans’ and with information linked to the defendant, including the Richland Address and the defendant’s social security number. For example, the new account to which the defendant attempted to link the JP Morgan Account was registered using the name ‘Dwayne C. Hans Jr.,’ the defendant’s birthdate, and the Richland Address. In addition, the defendant listed a home phone number ending in -3434; the same phone number is associated with the bank account that the defendant entered on SAM.gov, as discussed above.”
“These five accounts created by the defendant Dwayne C. Hans were also accessed using IP addresses registered to ‘Dwayne Hans’ at the Richland Address and with other IP address associated with Richland, WA.”
With all that stupid, it didn’t take law enforcement long to put all the pieces together and arrest Hans.
If only more criminals were that dumb… it certainly would make the job of the FBI’s cyber division that much easier.
Hat-tip: The Register.