Programmers accused of hacking 2.3 million IDs
Two computer programmers were indicted yesterday on charges of hacking into Web sites and obtaining personal data of 2.3 million persons and using part of that information to post spam advertisements on Naver and other Web sites.
According to investigators at the Seoul Central District Prosecutors’ Office, the pair allegedly hacked into more than 100 Web sites from January 2008 until February of this year.
They targeted Web sites for games, florists, real estate agencies and used car dealerships that have vulnerable security systems.
“They developed their own computer program to sort out whether some of the users’ stolen IDs and passwords collected from various Web sites were identical to Naver IDs and passwords,” said Roh Seung-kwon, the prosecutor in charge of the case.
The suspects took advantage of the practice by some Internet users of using the same ID and password to access different Web sites, he added.
Of the 2.3 million people whose personal information was hacked, some 150,000 had used the same ID and password on Naver, prosecutors said.
Investigators said the suspects used 90,000 of those accounts to post gambling Web site advertisements at Naver’s Jisik-in. Jisik-in, Korean for “knowledge person,” is a knowledge pool created by all Naver users where one user asks any question and whoever knows the answer responds.
Answers have been accumulating there for several years, and the resulting database attracts many Koreans.
The hackers then used some 3,400 local computers to post mass questions, answers and advertisements regarding a baccarat game on Jisik-in and other sites.
They disguised malicious code as a movie or music player program and posted it on the Internet. The code would secretly install itself on a computer once it was clicked.
The “botnet” hacking tactic (a combination of “robot” and “network”), also known as a “zombie army,” allowed the suspects to remotely control 3,400 computers, prosecutors said.
In return, the suspects received 130 million won ($97,232) from the gambling site owner as a commission.
Prosecutors say they also sold information on 60,000 Naver users to a personal information broker based in China for 10 million won.
“The prosecution notified Naver to send a notice to 90,000 users to change their IDs and passwords that had been leaked,” Roh said.
“Internet users should use different passwords on Web sites. They also need to change their passwords on a regular basis.”
By Park Yu-mi, Kim Mi-ju