Hacker Leaves Online Trail, Loses Anonymity

By on Apr 17, 2012

Since March 20, the @Anonw0rmer Twitter account has been silent. Its owner, w0rmer, is known as a member of the CabinCr3w group, a hacker team linked to Anonymous.

In early February, as part of the Operations PiggyBank and PigRoast, the CabinCr3w members were suspected of hacking various police department- or law enforcement-related websites including:

  • West Virginia Chiefs of Police Association website (February 5)
  • Salt Lake City Police Department
  • Texas Police Association (February 8′)
  • Syracuse Police Department
  • Newark Police Foundation
  • Wisconsin Chiefs of Police Association
  • Dallas Police Department
  • Alabama Department of Public Safety (February 9)
  • Alabama Houston County (February 20)

Among the leaked data are login credentials, badge numbers, addresses, home/mobile/office phones, and social security numbers. They information was leaked to the public and posted on pastebin, pastebay, or pastehtml. The data were generally posted on Twitter account @CabinCr3r, which has been silent since March 12.

On February 5, the first post appeared Twitter account @higochoa. More appeared on @Anonw0rmer, which was created the following day.

In the Alabama case, the leaked data were posted on pastehtml by someone named w0rmer. The user’s Twitter profile picture was at the top of the document. At the bottom, our hacker added a photo exhibiting a woman’s breasts with a sign attached to her belly.

Unfortunately, w0rmer was not concerned with what was revealed by the exchangeable image file format (Exif) metadata that accompanied these images. The police, however, were.

I found that downloading the picture and using Phil Harvey’s ExifTool was very informative. I discovered the photo was taken with an iPhone 4 on February 5. Most interesting is the embedded GPS information. It came from a home in Southern Australia.

As mentioned in the affidavit in support of a criminal complaint, the hacker left some other clues that I followed:

  • Two IP addresses assigned to computers located in Galveston, Texas
  • Five other images (Exif free) posted on the i.imgur.com website, where one finds the same woman in various states of undress holding various other statements by w0rmer or CabinCr3w

A screenshot in another image shows a computer desktop running an IRC chat client (KVIrc) at the bottom right. In its window, the user @higochoa is logged on.

Following the username, I found two posts retrieved via an open-source search on the website gmane.org. One is signed Higino Ochoa AkA w0rmer.

I next retrieved a photo via open-source search for @Higochoa that showed an individual geocaching in Texas. This picture, compared with the one displayed on the driver’s license of the suspect, was of the same individual.

The same person had a Facebook account and another identifiable portrait. According to the profile, the suspect resides in the Galveston area.

On his Facebook profile he states that he is in a relationship with a woman whose Facebook profile indicates she lives in New South Wales, Australia.

Thus we come full circle. Be careful before breaking the law. Using only open-source searches, even an Anonymous member can be unmasked.

About the Author

McAfee

McAfee is the device-to-cloud cybersecurity company. Inspired by the power of working together, McAfee creates business and consumer solutions that make our world a safer place. Take a look at our latest blogs.

Read more posts from McAfee

Categories: McAfee Labs
Tags:

Subscribe to McAfee Securing Tomorrow Blogs