Teens Arrested in MySpace Extortion Scam

An anonymous reader writes "Two New York teens have been arrested after trying to extort $150,000 from the makers of MySpace, the popular online community site." From the article: " MySpace discovered the intrusion earlier this year and blocked it. The Los Angeles-based company also reported the incident to authorities. During the course of the investigation, threats were made that unless $150,000 was paid, new exploit code would be released, according to the statement. By this time, the sting operation had been set up, so instead of meeting with MySpace late last week, the pair from New York met with undercover officers from the U.S. Secret Service and the Los Angeles District Attorney's Bureau of Investigation. "

Tracker Sites

[P!Alexander]

I was wondering if Slashdot would ever cover this.

These kids were associated with a site that charged for code that you can add to your MySpace profile which would allow you to see who had viewed your profile, when, and where they got to you from (another friend, search, etc). By my calculations they were making upwards of $20,000/month from their service ($5.00/mo with around 4000 users).

They, and other tracker sites, have been constantly battling with MySpace over the use of the "hacks". Most of the stuff they've used has simply taken advantage of bad programming. The first generation of trackers used a flash file in the profile to read users cookie data. Then MySpace forced all embedded flash objects to disallow the use of actionscript. They moved on to inserting javascript in CSS commands, using image files to capture browser info, etc. MySpace responded by blocking the use of certain domains within profiles. They then bought a bunch of different domains and assigned them randomly to users.

Then there was some random legal trouble that they never really talked about but had apparently moved past. The next planned release was supposed to be "unstoppable". They had promised the release for about a week and a half and it was eventually pushed back to May 19. Then they got arrested. The site, myspaceplus.com, switched over to a basic notice about "info coming soon" and that was it. There was a pretty active forum on there but I think people were starting to sense that there was trouble and/or the two owners (who went by Jack and Jake on the site) were skipping town.

Anyway, it's a really interesting phenomenon, especially considering that other services have built in the ability to see who's viewing you as long as you allow others to do the same when you view their profile (Friendster). Most of the tracker sites now are on a similar model where the tracker will only work with other users ot the service.

So, not really "hacking" per se. It seems that MySpace was most worried about people's IP addresses getting stolen. The sites started hashing them so you couldn't see the actual address. Seems like a weird thing to be worried about on the privacy front if you ask me.

Re:if the story is factual

[yagu]

Nothing in the article says anything about them 'crying foul'. It mentions that they're pleading 'not guilty' to the charges but nothing else about their reaction.

My bad, I read a different (additional) article... From this Chicago Tribune article [chicagotribune.com] (possible registration required).

The pertinent text from that article:

...,

The popular social networking site improperly lured Saverio Mondelli, 19, and Shaun Harrison, 18, to Los Angeles with the prospect of a consulting contract, said Mondelli's lawyer, Michael Dowd of Manhattan.

And when they arrived in California last week and sat down for a business meeting with what they thought was a contingent of MySpace employees -- who were actually Secret Service agents and local detectives -- they were arrested without warning, Dowd said.

"The proposition to hire them as consultants was made by MySpace," Dowd said. "This was a naked attempt to lure them into the lion's den and to somehow make an allegation of impropriety against them."

WTF

[SmallFurryCreature]

Okay, first off if the ZDnet story is the true account these kids must surely get somekind of "dumbest criminals" award.

However if you google for other news stories there seems to be more going on.

First of they are not teens. 18 and 19 makes them adult in america doesn't it?

Second is that they apparently ran a website http://myspaceplus.com/ [myspaceplus.com] (wich is still up but empty of content, and horribly laid out on opera/linux). Before this it apparently was a site for some software to hack myspace.

This "first" hack was discovered and plugged. They then apparently tried to extort myspace into paying 150.000 (or get paid to be consultants) and were then trapped by law enforcement officials at a meeting.

A lot of the explenation by the lawyer of the young idiots sound like typical lawyer crap "anything to get my clients off".

The real question is, what was myspaceplus.com about? Is this just a story of two idiots who were to greedy and now can learn a bit about the real world. Or did myspace step over the line in trying to get rid of a couple of hackers by appealing to their greed.

Either way the young aduls are stupid but you can wonder if they really need to spend several years in a federal jail because of it, oh who am I kidding. Fry the suckers.

It just is fucking hilarious. If their attorny is claiming the truth (HA) then you got to admire their lack of common sense. Ooh, yeah we publish a tool to hack myspace. Oh look they are sending us a job offer to advise them for 150.000 dollars. Lets travel across the country to get rich!

By the way doesn't the fact that they travelled across the state border (LA and New York are different parts of america right? You yanks ain't got a monopoly on bad education you know) make it a federal crime?

Oh well, since they are geeks they will at least soon loose their virginity. Squeel piggy, squeel!

The value of Myspace Data

[DaggertipX]

Are you kidding me? There is a reason that Fox bought myspace - strictly for it's "data" as you put it. Myspace is a site where one of the most profitable(not to mention fickle) demographic in the world voluntarily offer up their likes/dislikes etc to a company in great detail that is easily searched, cross referenced, and advertised to. It is possibly the biggest advertising goldmine I've ever imagined.
It's always baffled me how so many people could miss what is so big and profitable about Myspace. Even if the site itself never made money (which I doubt, as they advertise heavily and widely) - the data they collect is worth millions upon millions of dollars.

Some mothers do have 'em

[Anonymous Coward]

Hmmmm Betty. The cat did a whopsee on the boys' website's google cache:

http://66.249.93.104/search?q=cache:XrpeKGWy2egJ:s py.myspaceplus.com/+&hl=en&gl=uk&ct=clnk&cd=1 [66.249.93.104]

The Real Deal

[rivetgeek]

I speak from experience in that I was the one to bring this scam to the attention of myspace in the first place. And I cracked the first several codes they released. ( Having friends that work at myspace helps) They ran a site that released "trackers". These were bits of flash mostly that when loaded onto a users page cause anyone viewing that page to be victimized by a series of css or bad design exploits. These mostly took advantage of css through flash actionscript that was encrypted to obscure the actionscript (swfencrypt). As for their latest "unblockable" code: it was really lame. A flash file on the users page redirects you to a 3rd party site that looks like myspace (think pishing tactics) that then asks you to enter your email address that is associated with your myspace account to view the users page. So now they have your ip and your myspace account and how often you visted the users account. Frankly you'd have to be a moron to fall for this though. For an example check www.blendnet.com/verify.php (though I wouldnt recommend entering a valid email address since these guys still control this server. And should this give anyone an idea, don't bother, it's already been blocked) P.S. If there are any myspaceplus users reading this, you people are some of the dumbest forum posters on earth, we watched you all this entire time and you gleefully gave us everything we needed to find and crack these stupid little codes.

Re:Not surprised

[Anonymous Coward]

If it goes high enough and gets ingested by the engine, it is potentially deadly. Those small diameter high-rev turbojets don't like trash coming through the intake. She'd be very lucky to have accomplished that, though. Her chances were methinks on par with winning big in lotto.

Cheers, Kuba

Exactly!

[jZnat]

An attorney's job (as confirmed by the American Bar Association [abanet.org]'s Attorney's Oath) is to do his or her best job possible for every client to win the case. It's their job! You need to blame the person who hires the attorney for malice or idiocy typically.