The United States Department of Justice (DoJ) this week announced that a California man has pleaded guilty to hacking the websites for the Combating Terrorism Center at the United States Military Academy in West Point, New York, and the Office of the New York City Comptroller.
The man, Billy Ribeiro Anderson, 41, of Torrance, California, also known as “Anderson Albuquerque” and “AlfabetoVirtual,” admitted to obtaining unauthorized access to the two websites and to defacing them by replacing publicly available contents of the website with hacker-generated content.
According to court documents, from 2015 through at least March 13, 2018, Anderson took responsibility for accessing various U.S. military, government, and business websites around the world, all without authorization.
Using the online handle of AlfabetoVirtual, he also committed more than 11,000 defacements of said websites, including websites for the Combating Terrorism Center at West Point and the NYC Comptroller.
The NYC Comptroller’s website was defaced on July 10, 2015. Anderson, who took responsibility for the incident, replaced the contents of the website to display the text “Hacked by AlfabetoVirtual,” “#FREEPALESTINE” and “#FREEGAZA.”
The hacker gained access to the website and was able to deface it by exploiting security vulnerabilities associated with the version of a plugin being used on the website.
Anderson defaced a website for the Combating Terrorism Center at West Point on October 4, 2016 and modified the site’s content to display the text “Hacked by AlfabetoVirtual.” He gained access to the site via an unauthorized administrative account that exploited a known cross-site script vulnerability, which allowed the hacker to bypass access controls.
Anderson also committed unauthorized intrusions of thousands of web servers worldwide through malicious code installed on the victim web servers. The code provided the hacker with administrative rights to the servers, which then enabled it to commit defacements and maintain a foothold on the compromised servers.
“The defendant pled guilty to two counts of computer fraud for causing damage to a protected computer, each of which carries a maximum sentence of 10 years in prison,” the DoJ announced. Anderson is scheduled for sentencing on February 13, 2019.