April Fools' Day - The Hacker Way

by xinit

Normally, I'm not the kind of guy that goes around pulling off practical jokes all day, but two years ago, I set up a really nice joke on April Fools' Day.

At the time, I worked for a small media company that also hosted some of their customers' websites.  Some of those customers were pretty big and pretty important, or at least, my company made some good money off these sites.

Since my boss, the CEO of the company, was always in for a laugh, I decided to really pull one off that year.  If you're the CEO of a company that is responsible for the security of customers' websites, your biggest fear has to be that one day you'll receive a phone call from one of your biggest customers telling you that the customer's site has been defaced.

I decided to exploit that fear and make it the subject of my joke.  I wanted to pretend that all sites that we hosted had been cracked and defaced, but of course without causing trouble for our customers by really taking their websites offline.  My only target was the CEO.

In the earlier years of the company, I had designed the network and I still had access to all of the servers and routers.  Since hosting was becoming a bigger and bigger part of our business, I migrated our network from a single provider uplink to multiple uplinks to different providers.

This allowed us to be completely independent of any ISPs and gave us the freedom to do our own routing.  Because of this, I was able to do whatever I wanted with our incoming and outgoing traffic.

That year, the 1st of April was on a Sunday, which was perfect.

Since I hoped that my boss would be at home in the morning, I could set up our routers in such a way that all website requests coming from my boss's home DSL connection would be routed to a single page.  This page would then contain some cracker gibberish.

Since we used Quagga on Linux boxes for routing, I was able to set up some simple iptables rules to forward all traffic coming from my boss's static home IP address to a single server running Apache.

On this server, I set up a rewrite rule so that all requests - no matter which domain, page, whatever - would be answered with one single page.

In my case, the page only contained one sentence: "yOu h4v3 b33n h4x0r3D By d4 \/\/1z4rd!"

This sounds kind of cheesy, but I'm not really a 1337-speaker.  So, the trap was set.  Now I needed some bait.

As I was the main IT guy at the time, I figured that it would be too obvious if I called the CEO on April 1st to tell him that we had been cracked.

I needed an accomplice.

After having done some projects for one of our biggest customers, I knew some people from the board of directors.  In the week before April Fools' Day, I called the customer's IT director, told him about the joke, and asked him if he was willing to cooperate.  He really thought that this was a nice joke, so he was in.

So, April 1st arrived, and it was time to execute my master plan.

On the Sunday morning, I made a cup of coffee, turned on my computer, and logged in to the routers and web server I had prepared.

Here, I set up some traffic monitoring and called my accomplice.  I asked him if he could call my boss and tell him that our customer's website had been defaced.

First I showed our customer that his website was still online.  I also showed him the page that my CEO would see.

I hung up the phone and waited.  Of course, I really hoped that my boss would be at home; otherwise, the whole joke would be over.  A couple of minutes went by and suddenly I saw a GET request from his IP for our customer's website.

The routers nicely routed the traffic to my Apache server and the specially crafted page was returned!

Two seconds later, my mobile phone rang; it was him.  "Our customer's website has been hacked," he said, sounding all tense.  I could hear the sweat dripping on the floor on the other side of the telephone line.

"What?" I responded, faking my disbelief.

"Tell me what you see, while I start my browser," I said, to leave him in agony just a bit longer.  He read the gibberish to me.

In the meantime, I put a big ASCII art on the page which said "APRIL FOOLS!"

I then asked him to check if our own company website was giving him the same crap.

He typed in the URL of our website and got the same page.

Since our website was running on a separate machine, I could hear him thinking "Oh my... everything is hacked..."

"Yes, yes, the same page!" he responded, sounding very, very concerned.

Obviously, he didn't quite see my nicely-crafted ASCII art.

To put him out of his misery, I asked him to read very, very carefully.  When he noticed the message in the ASCII art, he started laughing, and the only thing he could produce for over five minutes was a constant stream of "Ohohoooh, you, you... ohooo, you, you dirty... ohoohoo..."

Luckily, after five minutes, he could talk again.  He took the joke very well, so I still had a job.

Of course, he got me back - not on the 1st of April, but on the day I left the company.  But that's stuff for another time.

For me, the fun thing about this joke was that it worked out completely as I had planned.  Also, the tech and social parts of the joke were really fun to combine.

I hope this has inspired you to pull one off next year!
