By Juan Carlos Perez
IDG News Service
April 26, 2007
A New York teenager broke into AOL networks and databases containing
customer information and infected servers with a malicious program to
transfer confidential data to his computer, AOL and the Manhattan
District Attorney's Office allege.
In a complaint filed in Criminal Court of the City of New York, the DA's
office alleges that between December 24, 2006 and April 7, 2007, 17-year
old Mike Nieves committed offenses like computer tampering, computer
trespass, and criminal possession of computer material.
Among his alleged exploits:
* Accessing systems containing customer billing records, addresses, and
credit card information
* Infecting machines at an AOL customer support call center in New
Delhi, India, with a program to funnel information back to his PC
* Logging in without permission into 49 AIM instant message accounts of
AOL customer support employees
* Attempting to break into an AOL customer support system containing
sensitive customer information
* Engaging in a phishing attack against AOL staffers through which he
gained access to more than 60 accounts from AOL employees and
Nieves faces four felony charges and one misdemeanor charge. He was
arraigned on Monday and remains detained, a DA's office spokesman said.
His next court date is Friday for a procedural hearing to determine the
next step in the case, the spokesman said. Nieves' attorney didn't
immediately return a call seeking comment.
The alleged acts cost AOL more than $500,000. It's not clear whether
customer data was stolen. AOL declined to comment. The DA's office
spokesman said the investigation into Nieves' alleged acts continues.
"It's too early to tell exactly what [data] he compromised or not," he
The complaint states that Nieves admitted to investigators that he
committed the alleged acts because AOL took away his accounts. "I
accessed their internal accounts and their network and used it to try to
get my accounts back," the defendant is quoted as saying in the
complaint. He also admitted to posting photos of his exploits in a photo
Web site, according to the complaint.
One doesn't have to be a computer genius to carry out the alleged acts
thanks to the free availability of multiple hacking tools, said Mark
Rasch, managing director of technology at FTI Consulting. "Even a
disgruntled kid working alone can throw a virtual tantrum and cause a
significant amount of damage to a large technology corporation," Rasch
said. "Welcome to the new world."
If the defendant was honest about his motivation in his reported
confession, it's safe to assume that he wasn't interested in stealing
data for financial gain, Rasch said. Still, it'll be interesting to find
out what steps AOL is taking if customer data was in fact compromised,
There aren't enough facts available to judge whether AOL could have done
more to prevent the alleged intrusion. "We'll learn more as the case
goes on," he said. "AOL has had pretty good security over the years."
Authorities arrested Nieves after AOL provided them with information
from an internal investigation into the alleged acts. AIM subscriber
information and IP address data involved in the acts led AOL to Nieves,
whose address and phone number AOL had on file, according to the
The New York Post reported Thursday that Nieves lives in Staten Island
and quoted his mother as saying that he is a special education student
with behavioral problems. An anonymous source told the Post that Nieves
has caused AOL problems for years.
A source close to the investigation told IDG News Service that Nieves is
allegedly part of a "loosely coupled" group of hackers who have targeted
AOL and other companies in recent years, but that Nieves focused
specifically on hacking into AOL.
Subscribe to InfoSec News