There’s an update to the case involving Billy Anderson, aka AlfabetoVirtual, who was pretty busy defacing sites for a year or more. From the U.S. Attorney’s Office, Southern District of New York earlier this week:
Geoffrey S. Berman, the United States Attorney for the Southern District of New York, announced that BILLY RIBEIRO ANDERSON, a/k/a “Anderson Albuquerque,” a/k/a “AlfabetoVirtual,” pled guilty today to two felony counts of computer fraud for obtaining unauthorized access to and committing defacements of the websites for the Combating Terrorism Center at the United States Military Academy in West Point, New York (“West Point”), and the Office of the New York City Comptroller (the “NYC Comptroller”). ANDERSON pled guilty before U.S. District Judge Laura Taylor Swain.
U.S. Attorney Geoffrey S. Berman said: “Billy Anderson hacked the websites of the New York City Comptroller and West Point, one of the most prestigious military academies in the world. He has now pled guilty to those crimes and faces time in federal prison. This case demonstrates that those who seek to commit cyber intrusions of government websites will be prosecuted to the fullest extent of the law.”
According to the allegations contained in the Information to which ANDERSON pled guilty and statements made at the plea proceeding:
Website defacements are acts of computer intrusion in which a hacker obtains unauthorized access to computers hosting Internet websites and then replaces the publicly available contents of the website with content generated by the hacker, thereby “defacing” the website. Hackers frequently claim responsibility for defacements by listing their online pseudonyms as part of the defaced content.
From 2015 through at least March 13, 2018, ANDERSON took responsibility for obtaining unauthorized access to, and committing more than 11,000 defacements of, various U.S. military, government, and business websites around the world under the online pseudonym “AlfabetoVirtual,” including websites for the Combating Terrorism Center at West Point and the NYC Comptroller.
On July 10, 2015, a website owned by the NYC Comptroller was defaced, and ANDERSON, using the online pseudonym “AlfabetoVirtual,” claimed responsibility for the intrusion and defacement. The contents of the NYC Comptroller website were modified to display the text “Hacked by AlfabetoVirtual,” “#FREEPALESTINE” and “#FREEGAZA.” The defacement was performed by exploiting security vulnerabilities associated with the version of a plugin being used on the website.
On October 4, 2016, a website for the Combating Terrorism Center at West Point was defaced, and ANDERSON, using the online pseudonym “AlfabetoVirtual,” claimed responsibility for the intrusion and defacement. The content of the Combating Terrorism Center website was modified to display the text “Hacked by AlfabetoVirtual.” The defacement was performed by an unauthorized administrative account that exploited a known cross-site script vulnerability, thereby enabling ANDERSON to bypass access controls and target an internal Combating Terrorism Center website address.
ANDERSON also committed unauthorized intrusions of thousands of web servers located around the world by surreptitiously installing malicious code on victim web servers that provided ANDERSON with administrative rights to the victimized web servers, thereby enabling ANDERSON to commit defacements and to maintain persistent unauthorized access to the victimized web servers.
* * *
ANDERSON, 41, of Torrance, California, pled guilty to two counts of computer fraud for causing damage to a protected computer, each of which carries a maximum sentence of 10 years in prison. Sentencing before Judge Swain is scheduled for February 13, 2019, at 2:00pm.
The maximum potential sentences are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge.
Mr. Berman praised the outstanding investigative work of the FBI. Mr. Berman also thanked the Computer Crime Investigative Unit of the United States Army Criminal Investigation Command and the Brazilian Federal Police Cyber Crime Unit for their assistance with the investigation.
This case is being handled by the Office’s Complex Frauds and Cybercrime Unit. Assistant United States Attorney Sagar K. Ravi is in charge of the prosecution.