by Mat Honan | source: wired.com
Cosmo is huge — 6 foot 7 and 220 pounds the last time he was weighed, at a detention facility in Long Beach, California on June 26. And yet he’s getting bigger, because Cosmo — also known as Cosmo the God, the social-engineering mastermind who weaseled his way past security systems at Amazon, Apple, AT&T, PayPal, AOL, Netflix, Network Solutions, and Microsoft — is just 15 years old.
He turns 16 next March, and he may very well do so inside a prison cell.
Cosmo was arrested along with dozens of others in a recent multi-state FBI sting targeting credit card fraud. It is the day before his court date, but he doesn’t know which task force is investigating him or the name of his public defender. He doesn’t even know what he’s been charged with. It’s tough to narrow it down; he freely admits to participation in a wide array of crimes.
With his group, UGNazi (short for “underground nazi” and pronounced “you-gee” not “uhg”), Cosmo took part in some of the most notorious hacks of the year. Throughout the winter and spring, they DDoS’ed all manner of government and financial sites, including NASDAQ, ca.gov, and CIA.gov, which they took down for a matter of hours in April. They bypassed Google two step, hijacked 4chan’s DNS and redirected it to their own Twitter feed, and repeatedly posted Mayor Michael Bloomberg’s address and Social Security number online. After breaking into one billing agency using social-engineering techniques this past May, they proceeded to dump some 500,000 credit card numbers online. Cosmo was the social engineer for the crew, a specialist in talking his way past security barriers. His arsenal of tricks held clever-yet-idiot-proof ways of getting into accounts on Amazon, Apple, AOL, PayPal, Best Buy, Buy.com, Live.com (think: Hotmail, Outlook, Xbox) and more. He can hijack phone numbers from AT&T, Sprint, T-Mobile and your local telco.
One of their initial targets was UFC.com–the website of the Ultimate Fighting Championship–in retaliation for its support of SOPA. (They did the same to Coach.com.) Once Cosmo gathered the necessary background information on UFC’s president, Dana White, they were able to get into the company’s account with Network Solutions. Via Network Solutions, they redirected the DNS to one they controlled. Bang.
SOPA, of course, died. But UGNazi lived on. They took down the websites for the states of California and Washington and the cities of New York and Washington D.C. They took out Papa John’s website after it failed to deliver a pizza in a timely manner. They hacked into MyBB.com, the back-end that many websites use to power forums, and then hijacked its domain. They were pure mayhem.
“UGNazi was also remarkable in how they apparently had no limits on who to attack–the U.S. government, CIA, Wounded Warrior etc.” says Hypponen, “and no apparent [sense of] self preservation, which led to their demise. In this regard, UG and Lulzsec were similar.”