Hackers sometimes do wonderful things. Earlier, a hacker group named Anonymous used to swamp government websites with fake data whenever they posted something which was indigestible. Now we have individual hackers who do this job for us.
Ohio Department of Job and Family Services (ODJFS)
The Ohio administration put out a form on Ohio’s unemployment insurance website for bosses to report employees who quit their jobs during the dreaded coronavirus pandemic citing fear of contracting the COVID-19 virus. The form was made available on this website and allowed the employers to report coronavirus-related “employee fraud.”
“Employee fraud” here refers to employees who quit their jobs or refuse to work because they’re concerned about contracting the COVID-19 virus. The form was supposed to be a tool for removing such workers permanently from the payrolls and blacklisting them for future employment. The employers in Ohio include top names like Wendy’s, Macy’s, and Kroger.
In the dreaded coronavirus environment, nobody had the guts to report or protest (protests are not allowed) against this move by the Ohio government. Finally, a hacker came to the rescue. The hacker released a script that DDoSes the Ohio government’s Employee Fraud reporting website.
A Distributed Denial of Service (DDoS) attack involves sending fake requests to a server with the intent of inundating it and bringing it down. The hacker’s script submits junk data through the form, aiming to drown out the real reports from employers. Ohio’s unemployment insurance website is now offline, as the script went viral on social media and was used by hundreds of US citizens.
“It’s easy enough to go to the page and fill it out, but that wouldn’t amount to enough data to make these particular gears of the state grind to a halt,” the anonymous hacker told Motherboard. “It needs to be so much data that their ability to investigate these ‘fraud’ cases is hampered.”
The script works by automatically generating fake information and entering it into the form. It fills in names and addresses from freely available generators found online. Once all the data is entered, the script easily defeats the CAPTCHA at the end of the questionnaire by storing a list of common questions and their respective answers.
The Ohio board immediately upgraded the CAPTCHA, but our hacker was up to the mark. He uploaded an updated script allowing users to crack the latest CAPTCHA.
Software engineer David Ankin has repackaged the script into a simple command-line tool which allows more users to run the script in the background on their computers, continuously submitting fake data to the Ohio website.
At the time of writing this article, Ohio’s unemployment insurance website was down.