, SecurityFocus 2004-02-26
FBI agents arrested a Louisiana man last week for allegedly tricking a handful of MSN TV users into running a malicious e-mail attachment that reprogrammed their set-top boxes to dial 9-1-1 emergency response.
Known as WebTV before it was acquired by Microsoft, MSN TV works with television set-top boxes to allow users to surf the Web and send and receive e-mail without using a PC.
The boxes connect to the Internet through a local dial-up number. The malicious script changed the dial-up to 9-1-1. If a victim didn't go online again after being infected, the box would summon help anyway when it tried to make an automatic daily call to the network at midnight.
The code also crossmailed itself to the 18 targeted users, so it would appear in some cases to have come from someone the victim knew. Additionally, it posted victims' browser histories to a particular website, and e-mailed their hardware serial number to the free webmail account "[email protected]."
According to an
Jeansonne is
Playing it safe, prosecutors included a second count in the indictment charging Jeansonne with causing over $5,000 in damage.
According to court records, the hack resulted in police responding 10 times to false alarms at subscribers' homes, either in person, or by phoning them back. It's unclear what happened to the other 11 calls to 9-1-1.
In 2000, the FBI issued a public warning about a Windows virus circulating in the Houston area that similarly phoned for help though victims' modems.
Jeansonne appeared in federal court in New Orleans last week and was released on $25,000 bail. Another court appearance is scheduled for Friday. The case is being prosecuted in the San Francisco Bay area, where Microsoft's MSN TV unit is based. A company spokesperson said nobody was available for comment Thursday. Jeansonne could not be reached for comment.
Correction: The original version of this story reported that Jeansonne was charged under the 2001 USA PATRIOT Act. In fact, the "threat to public health or safety" language was added to the computer crime law by the 1996 National Information Infrastructure Protection Act. The "cyberterrorism" provisions of USA PATRIOT reorganized that section of the statute without changing its substance. SecurityFocus regrets the error.