From MySpace to MagSpoof, Famed Hacker Pushes Boundaries

Samy Kamkar's MySpace Worm Launched a Prolific Hacking Career
Hacker Samy Kamkar speaks at the AusCERT conference on May 26, 2017. (Photo: Jeremy Kirk, ISMG)

Samy Kamkar became nearly everyone's virtual friend in October 2005. No one knew him, of course. But within just a day, he gained nearly a million new friends on MySpace, the once-popular social network.

Kamkar, who was then 19 years old, harnessed so many new acquaintances by writing what still stands today as one of the most potent worms - the term for self-propagating viral code - to ever strike a social network. It came from a relatively innocent idea.

"I was just trying to learn JavaScript better," he recently told attendees of the AusCERT computer security conference in Gold Coast, Australia. "I didn't think I was crossing a terrible line. I felt like 'Yeah, it's probably like a little wrong.'"

Kamkar's MySpace foray landed him in a legal tangle that kept him off the Internet for three years. But it was the product of nine years of self-study of programming, which eventually led to Kamkar, now 31, becoming one of the most innovative hackers.

Last year, the independent "white hat" security researcher developed a device called PoisonTap that takes advantage of computers' implicit trust in connected USB drives. The year before, he released MagSpoof, a homemade gadget that spoofs a payment card and tricks a payment terminal into thinking the card's key security feature - a microchip - isn't needed for a transaction (see Locked PCs No Match for Samy Kamkar's Latest Hacking Tool).

Still, Kamkar says most of his projects fail. "If I don't put enough time into something or if I hit enough roadblocks, then I get discouraged," he says in a separate interview. "Usually, I then will come back to it later on in life. A lot of my projects span multiple years."

First Computer

When Kamkar was 10, his mother squeezed her budget and bought him his first computer, a Windows 95 machine. He says he immediately went online and searched for what everyone looked for, at least in a 10-year-old's mind: information about the X-Files television series.

He came across a few message boards, but the responses from other participants were too slow. Kamkar ended up on IRC, or Internet Relay Chat - instant chat. He asked if someone wanted to chat about the X-Files. The response was: "Get out. You have 10 seconds to get out of this chatroom."

"I was like, 'OK, random person on the Internet'," Kamkar says. "No."

Ten seconds later, his brand-new computer was bricked. His antagonist used malware called WinNuke, created by someone nicknamed BurntBogus of the Den. Due to a Windows vulnerability, it could brick a computer with a single data packet.

"My brand-new computer that my mom spent everything she had just got destroyed," he says. "I had no idea what to do."

Kamkar says he panicked, unplugged the computer and then "waited for about a half an hour for all the bad stuff to get out of the computer." When he turned it on again, everything was fine. But then he thought that attack "was actually the coolest thing ever."

"How do I do that?" Kamkar says.

Counter-Strike Hacking

Kamkar's interests advanced to gaming. He began reverse engineering Counter-Strike, a first-person shooter, figuring out how to see opponents through walls. Creating Counter-Strike hacks was so compelling that Kamkar says he dropped out of high school at 15.

He publicly published the cheats, but found that actually using them quickly became dull. Counter-Strike's engineers used software called PunkBuster that's designed to detect client-side cheats and then block them. It was the sort of tit-for-tat engineering race that Kamkar craved.

"Counter-Strike had become fun again," he says. "Once you have a cheat, it's really fun for a day or two, but it gets pretty boring. But once someone stops it from working, then I now have engineers I can work against and on a daily basis. Instead of going to school, I got to play against these engineers."

His Counter-Strike open-source cheats surprisingly led to his first job. He was still only 15 and couldn't rent his own place. So he created his own bogus emancipation documents, faking a judge's signature, in order to move out on his own and get a lease.

Eventually, he came across MySpace.

'Samy is My Hero'

MySpace was surprisingly flexible as a social network from a coding standpoint. It allowed users to customize their profiles using CSS and "div" elements, which generally isn't allowed on sites such as Facebook today.

At the time, Kamkar was experimenting with JavaScript. MySpace heavily restricted JavaScript, but Kamkar found that some browsers would still render obfuscated JavaScript within CSS tags. His first version of his worm didn't really catch.

But then he souped it up: He modified it so that if someone visited a profile that had been infected with his worm, that person would also add Kamkar as a friend. It also added the tagline to people's profiles that said, "But most of all, Samy is my hero."

Over the course of a day, his followers leaped from a handful to 10,000, then 20,000, then 40,000 and 80,000. A screenshot showed that after 18 hours, he had 919,000 followers. At one point, he was gaining 3,000 friends a second.

The worm grew far beyond his control. Deleting his profile, which he did, didn't solve it. And even if people deleted Kamkar as a friend, the code would refresh a person's profile and execute the worm again.

He confided to his girlfriend over lunch as the worm tore through MySpace. "I said 'This might be my last burrito'," he says.

Felony Plea Deal

MySpace never contacted him, even though Kamkar did send a note describing exactly how the worm worked. For about six months, nothing happened. By that time, he thought he might have escaped law enforcement attention.

Then one day law enforcement officials from four agencies surrounded him as he was getting into his car. They were from the Secret Service, California's Electronic Crimes Task Force, the Los Angeles District Attorney's Office and the California Highway Patrol.

"I see two guys standing next to my car," Kamkar says. "And I'm thinking. 'Ah man. I'm getting carjacked.' And then two guys come up behind me. Another two. And they say, 'Samy?' I'm like, 'Mmmm, carjackers don't know your name.' ... 'Samy, we have a search warrant for your place'."

He paid dearly. He reached a felony plea agreement with the Los Angeles District Attorney's Office. Kamkar had to pay restitution to MySpace and, as part of his parole, could not touch a computer that was connected to the internet for three years. He also spent 720 hours collecting trash along California's highways.

Even with the restrictions, he continued to work, though only by viewing code from a distance. The three-year break from computers, Kamkar says, was actually good: he learned how to socialize and gain real friends outside of the internet.

"My probation officer said I was her best client," he says.

Kamkar is coy about his next project. But he's interested in side-channel attacks, which involve collecting electric or electromagnetic emissions from a computer. Other researchers have shown it is possible to interpret those signals as actions such as keystrokes, or to recover the secret encryption keys used to encode data.

"Hacking is like a puzzle," he says. "But the thing with hacking is someone created a puzzle that was not intended to be solved. It was a maze with no exit points. So it's even more satisfying than a normal puzzle."


About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Jeremy Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.



