By Kim Zetter
February 23, 2009
A Tennessee teenager who was raided last October for hacking the Gmail
account of teen star Miley Cyrus cracked multiple celebrity accounts for
a spamming scheme that netted him at least $100,000, according to an
affidavit filed by an FBI agent who questioned the teen. The affidavit
was obtained by WTVF Channel 5 in Tennessee.
Josh Holly, 19, told Threat Level last October that he obtained access
to Cyrus's Gmail account and stole personal photos from it, which he
posted on the web. He also said he obtained access to MySpace's
administrative panel by social engineering an employee, then reset
account passwords for a number of MySpace users. He used the accounts
for a spamming scheme that netted him about $50,000. Holly didn't
provide details at the time.
But the newly released affidavit (.pdf) provides a few more hints about
this activity. According to the document, Holly admitted to the FBI
agent that since 2005 he had hijacked numerous celebrity internet
accounts, which he used to conduct spamming. The affidavit doesn't
mention MySpace specifically in connection with this activity. An
investigation of Holly's bank records showed that between November 2007
and July 2008, Holly received more than $110,000 from companies for
spamming on their behalf.
The affidavit also reveals that Holly spilled the names of associates to
Additionally, Holly corresponded with MySpace's director of security
over the course of several months and provided the company with
information regarding "MySpace system weaknesses and potential
intrustions," according to the document. In exchange for this
information, Holly asked the security director to reactivate his MySpace
account, which had been suspended for "suspicious or inappropriate
Best Selling Security Books and More!