AOL Employee Arrested in Spam Scheme

LostCluster writes "The AP, Reuters, and AOL's own CNN/Money are all reporting that AOL employee Jason Smathers has been arrested and accused of taking a list of 92 million screennames from the internal AOL system, and selling it to another man, who allegedly used it 'to promote his own Internet gambling business and also sold the list to other spammers for $52,000'. Not surprisingly, Smathers has been fired."

Re:Fired?

[Kiryat Malachi]

Only in criminal court. Unless the guy had an employment contract that stated otherwise, he was employed "at the pleasure of the employer" - i.e. he can be fired for just about anything, barring discriminatory or retaliatory firings.

And I don't think anyone can argue that there's cause here.

Re:Arrested and accused... how about convicted

[Kiryat Malachi]

Hi.

I'm the government. I can't do anything prison-like or fine-like to you without convicting you first.

Hi.

I'm your employer. Unless you have a contract stating otherwise, odds are you're an at-will employee, which means *I can fire you for just about any reason I want*.

Re:That's a lot of names...

[cipher uk]

which is why he got $52,000 for it.

Re:Fired?

[lukateake]

Virginia (among others) is a state where "employment-at-will" prevails. That means he can be fired at anytime for any reason, thus his punishment. Surely, he was terminated from AOL for good cause after an internal investigation fingered him. But he isn't guilty in a legal sense and that's what the proceedings before him will determine. But you don't have to be legally convicted of anything in order to be terminated. Also, IANAL.

More details

[Gogo Dodo]

More details about the scheme are available at CBS Marketwatch [marketwatch.com].

Re:Access?

[homer_ca]

The article says he's a software engineer at AOL with inside knowledge of their computer systems. It doesn't say that he was directly responsible for the customer database systems, but even if not, it can't be that hard to dump the names out. Any sysadmin is in a position of great trust. They could walk off with all your data on their servers, but they're trusted not to.

Re:This reminds me

[Anonymous Coward]

With the value of valid e-mail addresses increasing...how long before /etc/passwd is no longer world readable?

There's no real trouble with having /etc/passwd world readable. Unless you're running something archaic, that file doesn't contain passwords, or even encrypted passwords. About the only useful info a cracker would find in /etc/password is usernames, and if he can see that file to begin with, he's already got a login.

Now, if your /etc/shadow or /etc/master.passwd are world readable, you've got an issue...

Say what??

[Robert Petersen]

Reception of stolen property? Industrial Espionage? Violation of consumer privacy? anti-spam laws?

Re:Access?

[YU Nicks NE Way]

When I was a young man, a bank in New York hired an ourside consultant to find out how to protect their data against their programmers. The response was one of the shortest lists of recommendations ever:

• Pay them well

• Keep them very happy

• Watch them very very closely

Re:This reminds me

[stratjakt]

/etc/passwd has to be world readable, or some other nameservice (ie, nss_ldap or whatever).

That's why they moved the passwords to the (non world readable) /etc/shadow, many many moons ago.

Though if you're really cool you'd move that to LDAP. If configuring pam, nss, openldap and samba wasn't such a PAIN IN THE ASS (why cant ldap clients just agree to read one conf file, why do I have to deal with /etc/openldap/ldap.conf, /etc/ldap.conf, /etc/smbldap-tools/smbldap.conf, et cetera et cetera) it'd probably be standard by now.

Secure authentication against an LDAP directory. What a concept. Wonder who does that, oh yeah, Windows 2000 and up. Meanwhile here I am sending out MD4 password hashes to authenticate against samba, one of the biggest security faults of NT4.0 that's now embraced by the OSS community for some reason. (Andrew, Samba needs to function as an Active Directory controller! Accept nothing less!)

Anyways, you need to upgrade, fella. There shouldn't be anything special in /etc/passwd.

Re:AOL's New Slogan

[homer_ca]

That's easy to block if you run your own mail server. All AOL dialups have hostnames ending with ipt.aol.com. AOL's mail servers have hostnames ending with mx.aol.com. Deny hosts from ipt.aol.com and problem solved.

Re:That's a lot of names...

[bigman2003]

Especially for a list of confirmed gullible people.

The chances of an AOL user falling for a spam-scam are probably good. They already fell for one scam, so they've proven themselves to be targets already.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:AOL's New Slogan

[JPriest]

Why would they? Once the aliases are sold and resold, what can AOL really do to recover them?

Mr. Spammers, please delete all @aol.com email addresses in you list, yeah right!

My girlfriend recently recovered an account that has not been active in 3 1/2 years, it still gets flooded with spam despite 3 1/2 years of not existing.

I doubt AOL users will be much better off unless they want to create a new alias.

Perhaps...

[nelsonal]

Section 1037(a)(2), (b)(2)(C), and (b)(2)(E) of Title 18 of the USC, at least according to these court documents [thesmokinggun.com].

$25,000?

[ackthpt]

Read the article lately?

Former AOL employee Smathers sold the initial list for an unmentioned amount to Dunaway (the spammer) then Smathers sold an updated list to Dunaway for $100,000. Dunaway sold lists to other spammers for $52,000.

Smathers & Dunaway to AOL members: "All your screenname are belong to us!"

I expect something like this happened at eBay a while back. I changed my email address for eBay to a new mailbox. A few weeks later someone spammed it offering to sell lists of eBay members. Then spam followed, usually from phishers.

Re:AOL's New Slogan

[bugmenot]

The new AOL spam filters work pretty well. I've had my AOL email address for almost 8 years and used to recieve hundreds of spams per day. This has drastically improved after the new spam filter was implemented. I now get less than five per day. I guess that may still be five too many for some people, but all of my friends have this address and it would be too difficult to change it. I also enjoy some of the other exclusive content that AOL provides.

Re:Now do the same over at MSN/Hotmail

[mt v2.7]

Acctually I got about 27.004 years.

Re:AOL's New Slogan

[Anonymous Coward]

This doesn't relate to people sending mail *from* AOL accounts though... it's people sending mail *to* AOL addresses, or AIM screennames. The spammers apparently didn't steal any passwords.

Re:92 million??

[ChairmanMeow]

It's 92 million screen names, and many people may have more than one screen name, especially for AIM, etc., so it wouldn't actually be 92 million people.

RTC!

[Pakup]

Read the Complaint filed by the Secret Service agent. Posted over at Smoking Gun, it's fascinating and shows how Smathers pointed the finger right at himself: when he did a test retrieve, logged of course by AOL, he retrieved just one, incriminating account from the millions there: his own.

He also e-mailed himself logs of his IM conversations with the buyer, which his AOL laptop stored away, to wit:

"I think I found the member database . . . Just need to figure out how to get the SNs [screen names] it is spread over like 30 computers . . .

OK, I got it figured out . . . there are going to be millions of them so, will take time to extract I will do them a chunk at a time . . . "

Most interestingly, the government isn't just charging him with theft; it's also charging him with conspiracy to spam, under the so-called Can-Spam Act enacted late last year.

Re:Security?

[BalloonMan]

How was he caught? I don't know, ...

RTFA, please, instead of spouting completely unfounded theories.

It explains exactly how he was caught. AOL looked at the datestamps in the file that the Secret Service showed them, then correlated that with database access logs and determined whose computer was using the database at the time. It was so easy that it's clear this crook never expected to be caught. But, AOL would never have noticed this activity if nobody had asked them to look. Apparently, they did not monitor database usage in any way before this happened. Maybe now they will.

It would not surprise me at all if the alarm bells didn't start ringing as soon as the DB ground to a halt while it was returning 92000000 rows.

I seriously doubt AOL's DBMS would "grind to a halt" doing a straightforward query of any scale.

Re:Fired?

[SillySlashdotName]

In an Employment-at-will state you are employed "at the whim of the employer", and only as long as the employer wants you to be employed. Without a contract, the employer can, without any stated reason, tell you you are no longer employed and you have no recourse.

From this [bls.gov] (pdf) article in the "Monthly Labor Review" written by Charles J. Muhl, Esq. "In legal terms, though, since the last half of the 19th century, employment in each of the United States has been "at will," or terminable by either the employer or employee for any reason whatsoever. The employment-at-will doctrine avows that, when an employee does not have a written employment contract and the term of employment is of indefinite duration, the employer can terminate the employee for good cause, bad cause, or not cause at all"

In the footnotes, it is noted that "This article does not address statutory exceptions to employment at will. Many such exceptions have been enacted at both the Federal and State level." examples given are federal laws against discrimination, and some states laws against termination for 'whistleblowing'.