Slashdot Mirror


AOL Employee Arrested in Spam Scheme

LostCluster writes "The AP, Reuters, and AOL's own CNN/Money are all reporting that AOL employee Jason Smathers has been arrested and accused of taking a list of 92 million screennames from the internal AOL system, and selling it to another man, who allegedly used it 'to promote his own Internet gambling business and also sold the list to other spammers for $52,000'. Not surprisingly, Smathers has been fired."

44 of 428 comments

  1. AOL's New Slogan by Anonymous Coward · · Score: 5, Funny

    "You've Got Spam!"

    1. Re:AOL's New Slogan by Janek+Kozicki · · Score: 4, Funny

      AOL's New Slogan "You've Got Spam!"

      what about: "hungry? we've more spam!"

      --
      #
      #\ @ ? Colonize Mars
      #
    2. Re:AOL's New Slogan by frodo+from+middle+ea · · Score: 4, Insightful

      In the context of mails previously received to/from AOL accounts..
      pray explain how's this different from their previous slogan.

      --
      for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
    3. Re:AOL's New Slogan by homer_ca · · Score: 5, Informative

      That's easy to block if you run your own mail server. All AOL dialups have hostnames ending with ipt.aol.com. AOL's mail servers have hostnames ending with mx.aol.com. Deny hosts from ipt.aol.com and problem solved.

    4. Re:AOL's New Slogan by JPriest · · Score: 5, Informative
      Why would they? Once the aliases are sold and resold, what can AOL really do to recover them?

      Mr. Spammers, please delete all @aol.com email addresses in your list, yeah right!

      My girlfriend recently recovered an account that has not been active in 3 1/2 years, it still gets flooded with spam despite 3 1/2 years of not existing.

      I doubt AOL users will be much better off unless they want to create a new alias.

      --
      Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
  2. I'm surprised... by Anonymous Coward · · Score: 5, Funny

    That they didn't pay more for the list. I mean, the names of 92 million really clueless people who think AOL is "that thar interweb" would probably buy V1@GR@ by the case. Jesus, it would be a spammer's wet dream!

  3. Welcome! by Motherfucking+Shit · · Score: 5, Funny

    You've Got Jail!

    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
  4. Security? by shadowkoder · · Score: 5, Insightful

    You would think there would be limitations on HOW an employee could access such a large database. I mean, does AOL throw out CDs with conveniently formatted lists of all the screen names of its customers?

    1. Re:Security? by isthisthingon · · Score: 5, Insightful
      Hmmm...just a guess, but it probably went something like this:
      SELECT *
      FROM customer_list
      ORDER BY last_name ASC;
      [zoom to scene of employee nervously looking over his shoulder and tapping his fingers impatiently]

      92,213,798 rows returned.

      [employee thinks to self]: "Dude! Cool! Bonus! We only had 91,125,553 last time I ran this. I'll have to thank the marketing department for sending out those CDs!"
      --
      And then one day you find, ten years have gone behind you....
    2. Re:Security? by DrXym · · Score: 4, Interesting
      I suppose it depends what the guy was working on. If it was on their accounts database, what limits can you impose on someone like that? He might have a legitimate reason for running through every screen name, for example to gather statistics or whatnot.

      As it happens however he has been caught. How was he caught? I don't know, but it's not beyond the realm of possibility that the aforementioned database had triggers and an audit trail that says who did what and dumps it in a log somewhere. Or perhaps he tripped over by querying for everything including the flagged accounts - accounts that AOL regularly sacks people for looking at because they belong to celebs and so forth.

      It would not surprise me at all if the alarm bells didn't start ringing as soon as the DB ground to a halt while it was returning 92000000 rows.

  5. Re:Fired? by Kiryat+Malachi · · Score: 5, Informative

    Only in criminal court. Unless the guy had an employment contract that stated otherwise, he was employed "at the pleasure of the employer" - i.e. he can be fired for just about anything, barring discriminatory or retaliatory firings.

    And I don't think anyone can argue that there's cause here.

    --

    ---
    Mod me down, you fucking twits. Go ahead. I dare you.
    (I read with sigs off.)
  6. Double standards.. by BlueLines · · Score: 5, Insightful

    ..didn't a bunch of airlines admit to (basically) the same thing? no arrests there..

    --
    --BlueLines "The cost of living hasn't affected its popularity." -anonymous
  7. Re:Fired? by EvanED · · Score: 4, Insightful

    Firing someone has a lower burden of proof (and rightly so) than a criminal conviction; if there's enough for an arrest and charges to be brought, then there's probably enough evidence to warrant a firing.

  8. And this is the inherent problem . . . by kfg · · Score: 5, Insightful

    with large, easily searched and copied databases of highly consolidated private data.

    The primary issue to be feared is not that someone who isn't trusted with the data will get ahold of it, but that someone who is trusted with the data will turn out to be untrustworthy.

    The same goes for backdoors. I'm not half so worried about some script kiddie hacking my router as I am some employee/former employee of Cisco simply walking right in.

    KFG

  9. Re:Arrested and accused... how about convicted by Kiryat+Malachi · · Score: 4, Informative

    Hi.

    I'm the government. I can't do anything prison-like or fine-like to you without convicting you first.

    Hi.

    I'm your employer. Unless you have a contract stating otherwise, odds are you're an at-will employee, which means *I can fire you for just about any reason I want*.

    --

    ---
    Mod me down, you fucking twits. Go ahead. I dare you.
    (I read with sigs off.)
  10. Now do the same over at MSN/Hotmail by SomePoorSchmuck · · Score: 5, Interesting

    It's well known that you can invent "unguessable" accounts at hotmail, e.g. rmgdrduckk5arp@hotmail.com, and never join any mailing list or submit your name to any website or allow MSN to list you in the Hotmail User Directory, and yet within a few days or weeks your account will miraculously begin receiving offers from mail order brides, pills, porn, and so on. I've long suspected that someone working for Hotmail is making money on the side by downloading the user list once a week and selling it to spammers. Which is why my hotmail accounts have lapsed and I mainly use my yahoo or Gmail accounts.

    --

    Hollywood, Television, has become the dream machine. We need to take that back; each of us is a Dream Machine
    1. Re:Now do the same over at MSN/Hotmail by Hays · · Score: 5, Insightful

      Dictionary attacks become exponentially harder as your user name becomes longer, assuming that is constructed of random characters.

      The likelihood of a dictionary attack hitting an n-character random string of characters and numbers is minuscule for n larger than 15 or so, even if the dictionary attacker is trying 1 million combinations a second, because there are (at least) 36^n user names in that space.

      My rough calculations say that it would take 7 billion years to dictionary attack the space of 15-character random numbers and letters, even if you could do so at a rate of one million a second.

      So if your 15 character random user name gets spammed immediately after creation without ever being used, it's an inside job.

      But I wouldn't be surprised if it was buried in the Hotmail terms of service that they can sell your addresses.
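The poster's 7-billion-year figure can be checked and generalised. This is an added example, not the poster's own calculation: it computes the size of the name space (alphabet size to the power of the length, 36 for digits plus lower-case letters), the time to enumerate all of it at a given guess rate, and the inverse question of how long a random name must be to survive a given number of years of guessing. The alphabet size, guess rate and lengths are the thread's own assumptions, not a property of any particular mail provider.

```python
"""Enumeration time for random user names (added example)."""

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def name_space(length: int, alphabet: int = 36) -> int:
    """Number of distinct names of the given length over an alphabet of
    that size (36 = ten digits plus 26 case-insensitive letters)."""
    return alphabet ** length


def years_to_enumerate(length: int, alphabet: int = 36,
                       guesses_per_second: float = 1_000_000) -> float:
    """Years needed to try every name in the space at the given rate.
    The expected time to hit one specific name is half of this."""
    return name_space(length, alphabet) / guesses_per_second / SECONDS_PER_YEAR


def shortest_safe_length(years: float, alphabet: int = 36,
                         guesses_per_second: float = 1_000_000) -> int:
    """Smallest length whose full enumeration takes at least `years`."""
    length = 1
    while years_to_enumerate(length, alphabet, guesses_per_second) < years:
        length += 1
    return length


if __name__ == "__main__":
    # Guess rate of one million per second, as in the thread.
    for n in (6, 8, 10, 12, 15):
        print(f"{n:2d} chars: {years_to_enumerate(n):.3g} years")
    print("length needed to survive a year of guessing:", shortest_safe_length(1.0))
```

At one million guesses per second, six characters fall in about half an hour, nine is the first length that takes more than a year, and fifteen takes roughly 7.0 billion years, matching the figure quoted above. The argument is about the space being too large to enumerate, so a name that is spammed immediately was not found by guessing.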

  11. Fair Punishment by SkyWalk423 · · Score: 5, Funny

    I say make him answer AOL tech support phone calls. He'll beg for jail time after about a week.

  12. Re:Fired? by Motherfucking+Shit · · Score: 5, Insightful
    Aren't we supposed to wait for someone to be found guilty before punishing them?
    My guess, and this is only a guess, is that Mr. Smathers was almost certainly confronted by HR or security (do they still call it OpsSec?). My second guess is that he probably admitted what he did.

    In any case, AOL doesn't have an opportunity to wait around and find out whether or not this guy is guilty in a court of law. This is a huge privacy breach affecting millions of people. According to CNN's version of the story, not only did the list contain screen names, it also had each user's telephone number, ZIP code, etc. AOL has no choice but to take immediate and harsh action, i.e. terminating the employee and alerting the authorities. If they hadn't fired the employee they'd be sued faster than you can say "1099 Hours Free."

    There may be lawsuits anyway. Millions of people entrusted their information to AOL, and now it's floating around in the hands of who knows how many spammers.
    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
  13. AOL by elbazo · · Score: 5, Funny

    News just in :

    In response to this 99% of AOL members surveyed who received the e-mail clicked on the link and frittered many dollars away at the casino making spam profitable and so continuing the downward spiral of e-mail.

    One user replied saying : "I trust AOL so much when it comes to spam, they always send me the top dollar stuff like penis enlargement pills and always ask me to change my password on non secure sites and ask for my credit card as my account has been hacked. They care so much"

  14. Yeah the only problem is. by nlinecomputers · · Score: 5, Funny

    Is that it will be quickly followed by.

    Welcome!

    "You've got Bail!"

    --
    Slashdot, home of supporters of free software, free music, and free speech. Except for Moderators that disagree with you.
  15. Maybe there're more? by oberondarksoul · · Score: 5, Insightful

    What worries me is that there could easily be many more employees doing this - not just at AOL, but at other ISPs as well. However, I'm willing to bet that AOL isn't going to hunt for any other people like this doing it. Unless they're made aware of other inside jobs of this, they'll probably stay happily oblivious to anyone else wanting to make a fast buck.

    --
    And tomorrow the stock exchange will be the human race
  16. What about those screennames? by fembots · · Score: 5, Interesting

    Okay the guy has been arrested and fired, but what about those names already sold to spammers?

    In the article AOL didn't seem to mention what they are doing to protect the victims, except "they are thoroughly reviewing and strengthening our internal procedures".

    Is this good enough? Sometimes you can punish the offender enough to compensate the victims.

  17. An observation. by steve+buttgereit · · Score: 4, Insightful

    An interesting way to look at this is consider the age of the people involved. The engineer was 24 and the Casino guy was 21. IT, notorious for age discrimination in favor of young, bright-eyed types, may actually be introducing a greater security risk with the practice.

    I remember when I was in my early 20s and let's just say I didn't have a lot to lose... and everything to gain from taking a chance here and there. By placing less mature workers into places where personal ethics and great responsibility collide, you're asking for issues just like this.

    I don't mean to indict all younger workers. Certainly most are good employees; I've hired many younger people without trouble. But as a percentage of population, the younger I expect to make more 'mistakes' both simple errors and errors in judgment.

    My two bits...
    SCB

    1. Re:An observation. by Kphrak · · Score: 4, Insightful

      Why don't we put it another way? "Note that both people involved were guys. By its traditional discrimination against women (who are more civilized) in favor of men (more aggressive and violent), IT is introducing a security risk since men will take more chances." It makes as much sense as the above "these damn' kids screw up all the time" rant (and before some /. feminist says "you go girl!", I should add that I'm male, 23, and consider both arguments completely idiotic).

      IT is a younger field, therefore more IT guys are younger. Granted, it's been around for the last 40 years, but for about half of that time, you needed a lot of money to get a computer. The generation that got to use truly cheap computers came of age just ten years ago. It's natural that there is now an explosion of younger IT workers.

      Marital, family, religious, and civic ties to society, IMHO, are much more likely to keep people honest than their age, even counting the fact that younger workers may be less experienced. And if you don't believe me, check a newspaper and see how many older, powerful men are at this moment headed to Club Fed because they weren't any better at ethics than the AOL dimwits mentioned in this article. Most of Congress is composed of older men, and I'd almost rather have Sanford Wallace (of Cyber Promotions infamy) representing me than some of these folks.

      I work in a government agency, so I see a large proportion of older workers. Some are smart, hard workers; others are idiots. I see no larger proportion of idiots among younger people than I do among older ones, nor do I see any indication that the intelligence or ethics of the old have anything to do with the fact that they are old.

      --

      There's no sig like this sig anywhere near this sig, so this must be the sig.
  18. i've confirmed this. by bani · · Score: 5, Interesting

    i've created hotmail accounts with crypto-hard random usernames, not listed anywhere, and almost immediately started receiving spam to them.

    it seems to really only happen on new accounts though. old hotmail accounts don't seem to get spam, if you don't publish them anywhere.

    it's entirely possible someone has recently (within the last few years) backdoored hotmail's account creation system to notify them of new accounts, which would explain why old accounts don't get any spam.

  19. Re:Access? by homer_ca · · Score: 4, Informative

    The article says he's a software engineer at AOL with inside knowledge of their computer systems. It doesn't say that he was directly responsible for the customer database systems, but even if not, it can't be that hard to dump the names out. Any sysadmin is in a position of great trust. They could walk off with all your data on their servers, but they're trusted not to.

  20. Ah but it Never happen. by nlinecomputers · · Score: 4, Funny

    Damn Cruel and Unusual clause will stop it. I mean some things are just too inhumane. He's ONLY a spammer....

    --
    Slashdot, home of supporters of free software, free music, and free speech. Except for Moderators that disagree with you.
  21. What a crime! by CHaN_316 · · Score: 4, Insightful

    This AOL employee only made $0.0005652174 per e-mail address he sold. Is that anywhere near the fair market list for e-mail lists? Seems a bit low, but then again IANAS (I am not a spammer).

    --
    "There is no spoon." - The Matrix
  22. Honeypotting with stolen names by G4from128k · · Score: 5, Interesting

    This case presents an interesting opportunity. If some of those 92 million names were faked, AOL-internal-only addresses (i.e., no outsider ever had them or ever could have them) then anyone caught using or selling them is guilty of accepting or selling stolen property. Any email arriving to a never-released, but stolen name would let AOL and authorities track the spammer network and subpoena spam-using e-commerce sites to reveal the identity of marketing affiliates.

    --
    Two wrongs don't make a right, but three lefts do.
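The canary-address idea in the post above, worked through as an added example (not AOL's practice and not code from the thread). Each canary local-part is derived with an HMAC from a label naming the copy of the list it was seeded into, so that mail arriving at a canary identifies which export leaked without storing anything guessable; the canaries are mixed into a copy of the export at random positions; and a mail-server log is scanned for deliveries to any canary. The domain, key, labels, log format and addresses are all constructed for the example.

```python
"""Canary addresses for detecting a stolen mailing list (added example)."""
import hashlib
import hmac
import random
import re

CANARY_DOMAIN = "example.com"            # constructed placeholder domain
CANARY_KEY = b"constructed-demo-key"     # in practice a stored random secret


def make_canary(label: str) -> str:
    """Derive a deterministic but unguessable address from a label.
    Twelve hex characters (48 bits) cannot be hit by dictionary guessing
    yet still look like an ordinary throwaway screen name."""
    digest = hmac.new(CANARY_KEY, label.encode(), hashlib.sha256).hexdigest()
    return f"{digest[:12]}@{CANARY_DOMAIN}"


def build_registry(labels):
    """Map canary address -> label of the export copy it was seeded into."""
    return {make_canary(lbl): lbl for lbl in labels}


def seed_export(real_addresses, registry, seed=0):
    """Return a copy of an export with every canary inserted at a random
    position (fixed seed only so the example is reproducible)."""
    rng = random.Random(seed)
    out = list(real_addresses)
    for addr in registry:
        out.insert(rng.randrange(len(out) + 1), addr)
    return out


# Constructed mail-log line shape: "... rcpt=<address> client=<ip>".
RCPT_RE = re.compile(r"rcpt=<([^>]+)>.*client=(\S+)")


def find_canary_hits(mail_log_text, registry):
    """Scan mail-server log lines; return (label, canary, client_ip) for
    every delivery addressed to a canary. A canary was never given to
    anyone, so any hit means the list it was seeded into has leaked."""
    hits = []
    for line in mail_log_text.splitlines():
        m = RCPT_RE.search(line)
        if not m:
            continue
        rcpt, client = m.group(1).lower(), m.group(2)
        if rcpt in registry:
            hits.append((registry[rcpt], rcpt, client))
    return hits


# Constructed sample log: two ordinary recipients and one canary hit.
SAMPLE_MAIL_LOG = f"""\
Jun 24 10:01:12 mx1 smtpd: rcpt=<alice@{CANARY_DOMAIN}> client=198.51.100.7
Jun 24 10:01:13 mx1 smtpd: rcpt=<{make_canary("export-2004-06-a")}> client=203.0.113.9
Jun 24 10:01:14 mx1 smtpd: rcpt=<bob@{CANARY_DOMAIN}> client=198.51.100.7
"""


if __name__ == "__main__":
    registry = build_registry(["export-2004-06-a", "export-2004-06-b"])
    seeded = seed_export([f"alice@{CANARY_DOMAIN}", f"bob@{CANARY_DOMAIN}"], registry)
    print("seeded export:", seeded)
    for label, addr, client in find_canary_hits(SAMPLE_MAIL_LOG, registry):
        print(f"leak of {label}: mail to {addr} from {client}")
```

Because the local-part is keyed, the registry can be rebuilt from the labels and the key alone, and a different label per export copy (per recipient, per date) turns one hit into an answer to "which copy leaked". The sender address in the log is the lead for the follow-up the post describes.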
  23. Re:Access? by YU+Nicks+NE+Way · · Score: 5, Informative
    When I was a young man, a bank in New York hired an outside consultant to find out how to protect their data against their programmers. The response was one of the shortest lists of recommendations ever:
    • Pay them well
    • Keep them very happy
    • Watch them very very closely
  24. AOL has to tell California customers by Aidtopia · · Score: 4, Interesting

    If I understand correctly, California has a law that requires a company to contact each customer that was affected by disclosure of information due to a security problem. I wonder what that'll cost AOL.

    I'm also interested if the spammers the casino guy resold the list(s) to will also be prosecuted for purchasing stolen goods. At a minimum, they should be publicly identified.

    1. Re:AOL has to tell California customers by Fuzzums · · Score: 4, Funny

      That is not that hard.

      All AOL has to do is give the list to a spammer and ask him to mass-mail the required information.

      --
      Privacy is terrorism.
  25. Re:That's it?!?!?!?!? by DaveAtFraud · · Score: 4, Interesting

    I'm guessing that AOL will go for something like grand theft. The list was re-sold for $52,000. No telling how much the guy he originally gave it to paid him. I'm sure the value of the list to AOL's business is much higher but this sets a lower bound that easily puts the theft into the range where grand theft would stick. From this perspective, what he did was no different than carting out a server or some other piece of equipment and fencing it for $52,000.

    Personally, I think the dweeb should be staked out on an ant-hill or drawn and quartered but I've been accused of being a little extreme when it comes to spam, spammers and people who disclose e-mail addresses without the owners' permission.

    --
    They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
    Ben
  26. Re:That's a lot of names... by bigman2003 · · Score: 5, Informative

    Especially for a list of confirmed gullible people.

    The chances of an AOL user falling for a spam-scam are probably good. They already fell for one scam, so they've proven themselves to be targets already.

    --
    No reason to lie.
  27. New Dictionary Term by Morgon · · Score: 5, Funny

    smather (verb) To have personal information sold to advertisers without your consent or knowledge.
    "Man, I just got this new Hotmail account, but in less than an hour, it's been smathered!"

    --
    [DISCLAIMER: This post is a work of satire and should not be misconstrued as a holy text upon which to base a religion.]
  28. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  29. $25,000? by ackthpt · · Score: 4, Informative
    Read the article lately?

    Former AOL employee Smathers sold the initial list for an unmentioned amount to Dunaway (the spammer) then Smathers sold an updated list to Dunaway for $100,000. Dunaway sold lists to other spammers for $52,000.

    Smathers & Dunaway to AOL members: "All your screenname are belong to us!"

    I expect something like this happened at eBay a while back. I changed my email address for eBay to a new mailbox. A few weeks later someone spammed it offering to sell lists of eBay members. Then spam followed, usually from phishers.

    --

    A feeling of having made the same mistake before: Deja Foobar
  30. Oh now that's the last straw by Anonymous Coward · · Score: 5, Funny

    Of all the ills you could accuse AOL of -- lowering the signal-to-noise ratio of the Internet, filling our landfills with CDs -- there is absolutely no evidence that AOL use causes erectile dysfunction ... ... you insensitive clod!

    1. Re:Oh now that's the last straw by Surazal · · Score: 4, Funny

      There's a big difference between AOL use causing erectile dysfunction and AOL users causing erectile dysfunction.

      --
      --- Journals are boring; Go to my web page instead
  31. Re:That's a lot of names... by mothz · · Score: 4, Interesting

    $52,000 for 92 million addresses is nearly 1800 addresses per dollar. At that price it would cost only $3.6 million to get the address of every man, woman, and child in the entire world. And to think, spammers used to hang out in AOL public chat rooms to collect screennames. Ahh, economic efficiency.

  32. Re:Fired? by chimpo13 · · Score: 4, Interesting

    Enough to fire him in a private company. For the first three offenses at a state or federal job it'd be a written warning.

    Some guy brought in a gun to work with him at the UC Davis monkey lab, allegedly with a list of people he was mad at (gun for sure, not sure about the list). He's one of the same 2 people who "lost" a monkey. That one made national news, and the other guy got a promotion. Anyway, he got 30 days of "administrative leave" for the gun, which meant they were going to fire him.

    Security was told, "Hey, we had to suspend this guy. If he shows up, wave, let him through, and call the police because he knows he's not supposed to be here". No point in actually telling the security why they were looking for him. And no point in telling employees what was going on. This was during the period when UC Davis was trying to get the Level IV Biohazard Lab, so that *might* have been part of the secrecy, but I think it's because all state jobs usually have A Giant State Head up their ass all the time. In the meantime, this guy got arrested in Wyoming, with the gun, with filed off serial numbers, and illegal drugs. He was in a car his mom rented that wasn't supposed to leave the state. Not sure how much time he's serving. But being black in a Wyoming prison can't be fun. He was a nice guy before he started taking drugs.

  33. Clearly you've never sent bulk mailings... by Theatetus · · Score: 4, Interesting

    Not really. Mailing to AOL is a hit-or-miss thing. We run a lot of mailing lists (bands' fanlists, organizations' newsletters, etc.) and about half of the time you have AOL addresses on a list they bounce it. And they don't *just* bounce it, they set up a slow-ass connection to your bounce server and time it out (clever idea actually).


    So, if you were a spammer, AOL addresses would be of dubious use.

    --
    All's true that is mistrusted
  34. Appropriate penalties by Artifakt · · Score: 4, Insightful

    First, I am not a lawyer. This is a lay opinion only.
    Second, I am not a particularly vengeful person, or at least I don't really want spammers to face the death penalty, castration, or other such suggested punishments.
    Jason Smathers has been charged with theft and fired by AOL. I'm assuming the actual charge is something like felony grand theft, and that the amount his co-conspirator got for the lists will be all the proof AOL will need to offer for a grand jury to agree with that charge.
    According to the article, he also used another employee's ID in the act. That's probably either a separate charge or at least an aggravating factor to the first charge. Among lots of other effects, this employee probably has standing to sue both men and a fair chance of winning, regardless of whether AOL does (with "winning" limited by the condition that they must somehow have forfeitable assets after their prosecution).
    It also looks like there was possibly more than one actual theft, as the article mentions the men either actually obtaining or conspiring to obtain an updated version of the list, which would imply an older version also existed in their possession. One or both men may have made fraudulent promises to a person or persons who bought the list, representing it as legally obtained.
    So, Smathers could well be indictable with three or more felonies (three strikes rules may apply), and it's possible with multiple persons accused that the whole thing could fall under RICO, either of which could easily make the overall sentence 30 years or more. Even with the usual time off for good behavior type clauses, that means serving a good solid 18 years or so.
    AOL probably wants the whole thing to go away. Since they can't really get that, the next best thing is to get seriously Neolithic on his ass, and hope it has a deterrent effect.

    --
    Who is John Cabal?