by Jonathan Castillo
From April 1 to 3, multiple Philippine-based websites were defaced. The attacks came from Pinoy LulzSec, a black hat hacker group, and their intention was to celebrate what they call the “April Lulz event.”
A member of Pinoy LulzSec who calls himself “Lolo” and claims to be only 15 years old shared some insights with MB TechNews about the group and what April Lulz is all about.
According to Lolo, Pinoy LulzSec originated from LulzSec, the international group of hackers that claimed responsibility for several high-profile hacks, including the breach of Sony’s PlayStation Network in 2011.
“It didn’t really come from the Philippines,” Lolo said in Filipino. “We just made a Filipino version.”
Pinoy LulzSec has no political stance and no agenda to send messages to the public. Their primary objective is to “hack for fun” and “for the ‘lulz.’”
“We destroy everything,” Lolo said, adding in Filipino, roughly: “Our target can be anything or anyone, as long as it gets our attention. Say we pick this person: we can choose to ruin his life.”
Lolo likened the April Lulz event to Anonymous’ Million Mask March, where they spread amusement for their fans. According to Lolo, the event takes many forms: hacking websites, corporate websites, government websites, government servers, private IPs, and any computers and IP addresses they can get access to.
Pinoy LulzSec shuts down targeted websites using DDoS attacks, which prevent real visitors from reaching the site. According to Lolo, they are satisfied with disrupting traffic to these websites.
“It can’t just be us laughing, right?” Lolo said. “We also want the people who admire us to laugh, the people who follow us. We want to give them something that makes them happy.”
Pinoy LulzSec also does Facebook account hacking, using phishing attacks, where users are tricked into giving away information.
“We find this really fun,” Lolo said. “The databases? We’ll really leak those, because there’s nothing else we can do but deface. So, what? We just defaced it. Only our message gets seen. Why not, right? We’ll really leak their database so it gets noticed even more.”
Lolo added: “Sometimes after we deface a site, we’re not noticed. But now [after a leak] the IT department will notice.”
In short, Pinoy LulzSec finds amusement in shaming websites—especially government websites that have weak security.
Lolo claimed to have learned how to hack by reading various materials. His inspiration was the hacktivist group Anonymous. He claimed that he was bullied in school when he was younger and started with Facebook hacking to get his revenge. From there, he started studying website hacking, database hacking, exploits, and so forth. He learned all of it online.
When asked how many local websites are vulnerable, Lolo responded, “So many.”
Most of their website hacks are done with simple SQL injection, an old method of hacking that is easily learned online. Government websites still haven’t secured themselves against it.
“They don’t care,” Lolo said with a laugh.
We asked if they would help the government secure its sites if asked, and Lolo responded: “If they ask for help, yes! If it’s about cyberattacks, that’s still possible. And if they’ll pay us, that’s okay too! Of course that’s okay too! But if they’re going to take hold of our lives, our freedom, if they’re going to control our liberty, no!”
According to Lolo, Pinoy LulzSec has at least 10 active members out of 19. Lolo claimed that they do not use any hacking tools to scan for vulnerabilities, simply Google Docs and information gathering through Google.
Lolo also said that there are many zero-day exploits. Zero-day exploits take advantage of an old vulnerability that was never discovered. The term is also used for exploiting a vulnerability on the same day it becomes widely known. Lolo claimed that there are many websites where their zero-day exploits still work.
On how to prevent sites from being defaced, Lolo said to use fewer extensions and plugins on web servers. He specifically cited PHP as being highly vulnerable despite constant updates. He also said to learn how to prevent SQL injection.
“My advice so you don’t get defaced,” Lolo said, “is that it’s probably better to change your .htaccess.”
.htaccess is a web server configuration file that can enable or disable additional functionality.
“We are not attacking for politics or for any cause but for fun,” Lolo said. “And we will continue sailing around this boundless ocean for information and leak everything, whether it is highly confidential or not. So, people of the Republic of the Philippines, expect the ‘lul’ we will bring.”
Lolo adds, “Greetings to all the members of Pinoy LulzSec. Greetings to those who contributed to LulzSec United and to Pinoy ClownSec.”