LulzSec is at it again. Today the hacker group has defaced hundreds of Philippine websites, including government sites and Facebook accounts. Their intention is to celebrate what they call the “April Lulz event.”
Last year, Manila Bulletin was able to interview one of the LulSec members who called himself "Lolo." Pinoy LulzSec has no political stance, no agenda to send messages to public. Their primary objective is to “Hack for fun” and “for the ‘lulz.’”
“We destroy everything,” Lolo had said in the 2018 interview. “Yung gusto namin mapagtrip-an, kahit ano, kahit gusto namin pag-tripan to, sisirain namin ang buhay nito, kung trip namin to.” Which roughly translates as: Our target can be anything or anyone, as long as they got our attention, say we pick this person, we can choose to ruin his life.
Lolo has likened the April Lulz event to Anonymous’ Million Mask March, where they spread amusement for their fans. According to Lolo, the event has many backgrounds: Hacking websites, corporate websites, government websites, government servers, private IPs, and computers and IP addresses they can get access to.
“Hindi naman naming gusto na kami lang yung tatawa, diba?” Lolo said. “Gusto din namin tumawa ang mga taga hangga namin, gusto namin tumawa yung mga nakiki subaybay saamin, gusto naming sila bigyan ng nag papasaya sakanila.” It can’t just be us laughing, right? We also want the people who admire us to laugh, the people who follows us, we want to give them something that can make them happy.
Pinoy LulzSec also does Facebook account hacking, using phishing attacks, where users are tricked into giving away information.
“Nakakatuwa naman talaga para saamin,” Lolo said. “Mga database? I-leak talaga naming yan kasi, wala eh, wala din naman kami magagawa kung hindi i-deface lang. So, what? Na deface lang namin. Kita lang message namin. Why not, diba? Leak talaga naming database nila para mapansin pa lalo.” We find this really fun. The database? We’ll really leak that cause there’s nothing else we can do but deface it. So, what? We just defaced it. Only our message will be seen. Why not, right? We’ll really leak the database so it will be noticed even more.
Lolo added: “Kasi minsan kapag na deface na namin, hindi kami napapansin. Eh ngayon papansin na ng IT department.” Sometimes after defacing it, we’re not noticed. But now (after leak) the IT department will notice it.
In short, Pinoy LulzSec finds amusement in shaming websites—especially government websites that have weak security.
Lolo claimed to learn how to hack through reading various materials. His inspiration was the hacktivist group, Anonymous. When he was younger, he claimed to have been bullied in school and started with Facebook hacking to get his revenge. From there on, he started studying website hacking, database hacking, exploits, and so forth. All of it, he learned through online.
When asked how many local websites are vulnerable, Lolo responded with, “Sobrang dami.” So many.
Most of their hacks into websites are done with simple SQL Injections. It is an old method of hacking that is easily learned online. And government websites still haven’t secured themselves.
“Wala sila paki,” Lolo said with a laugh. They do not care.
We asked if they would help the government secure their sites if asked and Lolo responded with: “Kung humingi ng tulong, oo! Kung cyberattacks yan, pwede pa eh. Pero kung babayaran kami, okay din! Siyempre okay din! Pero kung hahawakan yung buhay namin, yung freedom, yung hahawakan kalayaan namin, no!”
According to Lolo, Pinoy LulzSec has at least 10 active members out of 19. Lolo claimed that they do not use any hacking tools to scan for vulnerabilities, simply Google Docs and information gathering through Google.
Lolo also said that there are many zero-day exploits. Zero-day exploits are exploits of an old vulnerability that was never discovered. It is also a term used for exploiting vulnerabilities on the same day said exploit becomes widely known. Lolo claimed that there many websites where their zero-day exploits still work.
On how to prevent sites from being defaced, Lolo said to use less extensions and plugins in web servers. He specifically cited PHP being highly vulnerable despite the constant updates. He also said to learn how to prevent SQL Injections.
“Ang payo ko lang para hindi kayo ma deface,” Lolo said. “Siguro mas ok na yung baguhin niyo yung .htaccess niyo.” My advice to prevent being defaced, maybe it’s better to change your .htaccess.
HTaccess is a configuration file that can enable or disable additional functionalities.