Monday 24 August 2015

What we know about Hamza Tzortzis and AshleyMadison.com

This blog post has moved here




It was the 20th of August when I downloaded the hacked Ashley Madison database. It wasn't long before I found an account that seemed to belong to Hamza Andreas Tzortzis. I contacted the email address registered against the account, sending my name + mobile number and asked the owner to call me, but received no reply.

The next day (Friday) I emailed Hamza on his iERA email address and informed him of what I had found. From the very start Hamza wouldn't believe me. He insisted I was playing a joke on him, and only started to take me seriously once I had revealed the last four digits of his credit card. From the outset Hamza has denied responsibility for signing up this account, and from the beginning I have told him I do not believe him but would continue to look at the data to see what I could find out. I suggested he should make a public statement explaining what I had found before someone else finds the same information and exposes him.

Over the next day or two Hamza sent me multiple requests to help him to understand the nature of the data associated with him in the database. Despite being on a long weekend holiday with my family I agreed to work on answering his questions.

Islam teaches us fairness. In no way can the Rationaliser be accused for anything concerning my ID fraud, he actually helped me a lot with access to the data and by interpreting it.Hamza Andreas Tzortzis - iERA

From there onwards a lot has been reported by the press, some of which I found a little misleading, and so I have decided to write this blog explaining what is and is not known about the whole affair. The approval of Mr Tzortzis was sought before publishing this blog.


Credit card information

The person who opened the account used a credit card registered to Andreas Tzortzis. To achieve this they would need to know his real name (readily available), home address (readily available at Companies House), his full credit card number, card expiry date, and the 3 digit security number on the back of the card. In addition to this it is possible the card issuer would have demanded confirmation this was not fraud by requesting the user enter Hamza's online banking password; this is a pretty standard security feature when using your card in an unexpected way or from an unusual location (the transaction was executed from Australia).

The first payment of £54 was issued to the site on the 22nd of October 2014. This would have been the initial membership fee. There were eight subsequent charges for £15 each taken on approximately the same date of each subsequent month, totalling £174 over 9 months.

From this payment information it is possible to assertain the following additional information.

  1. The membership number of the account (99904794).
  2. The email address used to sign up to the site (A_Tzortzis@yahoo.com).
  3. The IP address from which the payment was made (119.17.35.98), which is assigned to Sydney Australia.

Again, the email address is public information. It is possible that Hamza doesn't check this email address often (or at all), it is very likely an old email address as it does not include any indication of his chosen Muslim name "Hamza". However, Hamza certainly has used this email address since becoming a Muslim, for example, a quick Google search reveals content associated with this address from around 2008...but (it seems) nothing recently.

The interesting data here is the IP address. A quick IP -> Geo Location lookup shows it is in Australia. Hamza's public statement on FaceBook (now deleted) stated that £54 had been charged to his card while he was in Australia, and concluded that is where the account was opened from. The server time given for the account creation is 10:09 am, and the last time the account was modified was the same day at 11:43 am. As I don't know the time zone of the server I cannot check what time it would have been in Australia. This information could prove useful if anyone can answer.

The profile 

(Table name: am_am_member)
The profile for 99904794 lists the area in which the account owner can be found for sex as London N16 7TN. The map co-ordinates are 51.5543658, -0.073289 which, according to Google Maps, is Somerford Grove, London, N16 7TN. A check on the free electoral role website reveals Hamza's parents live on that street.

The profile lists Hamza's correct date of birth (21st of September 1980) but again this information is readily available. The profile caption read "Compassionate male seeks friendship" and the summary "I long for a sincere friendship with the ability to connect physically and mentally. I would consider myself compassionate, and someone who thinks a lot.". The profile lists Hamza as weighing 88452 grammes (13st 13lbs or 195lb) which I cannot verify. It lists his height as 178cm (5' 10"), which again I cannot verify but seems about right.

(Table name: aminno_member)
Searching by signup date, signup IP there is a single row matching the account information above. This reveals a profile number of 29425606. The alias for the website is set to AndrewT14, most likely a play on Andreas T, but I don't know for certain what the 14 represents.  The date of birth is the same in this table too, as expected. At the time of the hack this profile had no public photos and no private photos associated with it, so a subsequent release of hacked photos will probably not reveal anything (unless some were uploaded then removed, and the server does not physically delete the image files).

There are some dates indicating the last time certain events occurred that are empty, suggesting the account was not used to email anyone and the user didn't chat with anyone.

Mailing options & user activity

(Table name: amminno_member_email - I will use Y/N instead of 1/0 as per the data)

 email=a_tzortzis@yahoo.com, isvalid=Y, optin=Y, notify_newmail=Y, notify_newmember=Y, notify_login=Y, notify_offer=Y

From the developer comments associated with each of these fields it would seem that an email would be sent if there was a special offer, if contacted by another user, or if someone in the account owner's favourites list logged into the website. I cannot say whether any special offers were emailed out to accounts already paid in full or not, or if anyone nearby matching the criteria had signed up resulting in an email being sent, but if the system was working correctly and the dates in aminno_member were being updated then the data suggests no contact was made with anyone as there are no valid date/times set against the fields bc_mail_last_time, bc_chat_last_time, or reply_mail_last_time.

Observations

For this account to have been set up by anyone other than Andreas (Hamza) the account creator would need access to some publicly available information (date of birth, address etc). They would need to put in extra work to find his parent's address. My intuition says a frauster would use the same address that had already been entered during the billing stage. To use an address 1 hour drive away from Andreas's home suggests the account creator was trying to disassociate the account from him rather than bring attention to it. A malicious person probably would be more likely to use account details easily associated with Andreas so that the profile would be discovered. The same goes for the profile name, similar enough to his real name for Andreas to remember, but dissimilar enough to not associate it with him directly. Obviously there was no way this person knew the AshleyMadison.com database would be made public, so it is reasonable to assume this is information hiding rather than exposure.

This person would also require full access to information on both sides of his credit card (16 digit number, expiry date, 3 digit security code on the back) and to have been in Australia at the same time as Andreas in order to sign him up and make it look like he had done it himself.

They would really have had to have done some research to get his weight and height correct, or approximately correct. This high level of detail seems to have the purpose of accurately portraying one's self to attract a partner rather than to mislead the public into identifying Andreas as the account holder.

I can easily accept that Andreas's Yahoo email account is not checked any more. I can confirm that my attempt to contact Andreas via that email address was not successful, whereas an email to his iera account the next day received an immediate response. I have old email accounts I can no longer even access. I can also accept he did not notice the payments coming out of his account via his card. Personally I never check my card statements, I don't even look at my bank statements to see how much is being paid to my card account.

Clarifications

The website does not require you to click a confirm link in an email in order to get into the website. I have tried it myself, my profile name is DirtyJanet if you'd like to look me up ;-)

The flag in the database "isvalid" marked against an email address is stored against the user's emailing preferences. In my experience, flags to indicate the user has confirmed their email address via an email link are typically stored against an account table with a name like "Verified", and not in an email campaign preferences table as found in this database. The presence of a 1 (yes) against this flag on this account does not suggest a link in an email was clicked to activate the account.

An email address can be considered "valid" if it meets the Internet standard on structure. ThisEmailDoesNot@ExistInRealLifeBecauseIJustMadeItUp.com is a valid email address, it just doesn't exist. It isn't uncommon for email campaign scripts to assume an email address is valid and exists and then mark it as defunct when "does not exist" email responses come back.

To me the idea this flag is an email-bounce flag is the most plausible. If the flag were set to zero by default and only marked 1 when the user followed a link in an email then the system would have to send emails to people with emails marked as isvalid=0 in order for them to become marked as valid. I hope you'll agree, sending emails to people with addresses marked as invalid makes the whole purpose of the flag redundant. The expert in this article might be an expert in data analysis but that doesn't make him an expert on the writing of software. I've been employed writing business software for about 19 years now, and I disagree.

This isn't an important point in so far as Andreas not seeing emails to an old account, but I think it is beyond doubt that it has been demonstrated the person signing up did not also require access to the yahoo.com email account.

UPDATE (27 Aug 2015): I am currently looking at the schema and can confirm the default value for isvalid is in fact a 1, so my original conclusion was correct.

UPDATE (31 Mar 2016): After the libellous statements made against me by Dawah Man on Facebook regarding this issue I decided to re-read this article through. Regarding the information used from Andreas's credit card: obviously this would be very difficult for someone to obtain, unless of course it was a company credit card in his name, in which case a small number of people within iERA could have had access to that information. This would mean that it is possible someone who works for iERA, accompanied Hamza to Australia, and stayed in the same hotel chain could be responsible.

The third hypothesis

I find it a little annoying that the alternative to Andreas signing up is presented as someone else doing it and then hacking the website to expose him, and nothing else is considered. It would be possible that someone would sign up an account not identifiable as Andreas in the hope that at some point in the future the monthly £15 debit would be spotted by his wife and cause suspicions that could damage his marriage. Meaning that the hack was unexpected, and the only reason we got to find out about it. I don't subscribe to this hypothesis at all, I just wanted to put forward a more balanced article and point out the stupidity of some scenarios being proposed as the only alternative.

Conclusion

I strongly suspect that while in Australia Andreas decided to have a look around on the web and found this website. He signed up using an old email address he knew wouldn't be checked, entered his credit card details, and then spent the next 94 minutes looking around the website before giving up. He probably then forgot all about it and, because he doesn't check his old email or his card statements, had no idea this website was still taking £15 per month off him for a service he wasn't using.

The profile on the site is now marked as Unavailable. If there is a flag in the database indicating this state then it will be possible to determine whether it was hidden after the exposure or before. If before then it supports the above hypothesis that the account was only used for 93 minutes (assuming that hiding a profile will update the column in the DB recording when the profile was last updated). Frankly, I've had enough of looking through the DB so that can be an exercise for someone else.

I expect at some point he will give up the excuse he came up with while panicking and confess that he looked but did not touch, and then never went back. I seriously doubt this will hurt his career, only Allah can judge him after all, and it's not as if it is an offence that carries a death sentence.


Posted by at

9 comments:

  1. Greg24 August 2015 at 14:30

    Excellent detective work, and very fair and just efforts in contacting him first and with the isvalid issue today!

    A hoaxer looking to expose Hamza at some point in this way would have to gamble that Hamza wouldn't notice for months any emails, let alone card payments lest he get the account removed before whatever their exposé end game part of the plan unfolded. And why would they risk waiting >9 months before completing their plan, eventually being pre-empted by other hactivists dumping the whole db? They wouldn't know in advance whether Hamza checked this email account or bank statements, so wouldn't even attempt such a strategy even for a few weeks!

    Furthermore, a hoaxer wouldn't know that the whole database would be hacked by activists and shared online, so how would their end game possibly work? If they were able to hack into the database especially to post details just for his account that would naturally make people assume that this was a hacker who was capable of fabricating the whole thing. And who else could verify that the posted data was really on the db? Nor would it make sense for them to plan to just log in and post account screenshots and / or alert the family to check card payments. It would explicitly reveal that at least one hacker targeting Hamza was involved, undermining the credibility of the ruse, and would also make the use of a local Australian IP address a pointless complication as that would be hidden somewhere in the database. It makes no sense at all however you look at it unless it really was Hamza.

    It is at least good for his and his family to read that he apparently made no further use of the account soon after its creation. Again, not what you'd expect a fraudster trying to make him look bad to do, but probably a common real life use case for that website!

    ReplyDelete
  2. XXX24 August 2015 at 23:30

    I agree, I think he did it. However, if playing the long game it is far more difficult for Hamza to convince people of his innocence of an account paying out for 12 months than it is a one-off payment. As I said in the blog, the hack is coincidental regardless of which scenario is true.

    ReplyDelete
  3. Anonymous25 August 2015 at 04:41

    Of course, in no way was Hamza preparing the ground in case of further damning evidence of his lies and hypocrisy when he put this in his facebook post (before removing, and then deleting removing the entire post). Let that be absolutely clear to any doubters!

    "I have not pursued such immoral acts that the site promotes (this includes permissible acts, for instance the endeavour to find another halal wife [who can also be a non-Muslim] who wanted to be with a married man, which is allowed in Islam)."

    Damned CIA/Mossad/Atheists/Dawkinites/illuminati/Jinn!

    ReplyDelete
  4. Anonymous26 August 2015 at 03:20

    Your conclusion is sound, I think. A mischief maker would do just that.... make mischief. This would include a picture, etc, in order that it's noticed. If HAT thinks the entire the database was hacked to victimise him - he has delusions of grandeur (he may well....).

    He was the other side of the world, thought he'd have an opportunistic look at what's available relatively risk free, saw it was too much like hard work and forgot about it.

    When he saw the hack, his memory would certainly have been triggered, but probably figured he wouldn't be noticed. Maybe his first attempt at an explanation betrayed the little thought he gave it due to the perception of low risk.

    After all, these days, if you say you didn't do it enough, you'll convince your hard core supporters and even yourself (ie Mo Ansar) you didn't.

    As for the morality of all this. I wouldn't care if he didn't hold himself up as a paragon of moral supremacy. But he does......

    ReplyDelete
  5. Anonymous27 August 2015 at 01:58

    Go looking for a second wife ...on an adultery site? A fine exemplar to his son.

    ReplyDelete
  6. Unknown27 August 2015 at 08:42

    There's an unmentioned aspect of this from our point of view beyond the hypocrisy and the question of how much faith his supporters should have that he believes in what he preaches, both of which I find more amusing than annoying (genuine LOL when I first read about it!).

    Though he did it in one of the most entertainingly worded posts ever, I find it quite repugnant that in failing to admit his responsibility, he tried to lay an accusation he knew to be false at the door of his critics and opponents, encouraging his supporters to speculate that one or two of us has tried to frame him. There were comments before the facebook post was deleted where some of his supporters where trashing the atheists for stooping so low.

    On a lighter note again, this can only add to the hilarity!
    http://finance.yahoo.com/news/ashley-madison-bunch-dudes-talking-233158251.html

    ReplyDelete
  7. Unknown27 August 2015 at 10:11

    Having found a copy of his deleted fb post I should be fairer that he cast his (99% certainly) false accusation net a bit more widely, not just against those who dislike his dawah activities and general douchbaggery. Here are the relevant bits:

    "It could have been someone who knows me, someone who hates me, or a malicious person who found out who I was. It could be one person or two..."

    and

    "Unfortunately, some people will have a field day. This is not my concern at all, there’s already a lot of slander and hate online about me. I have my suspicions and unanswered questions too."

    I suppose he could also point out that his critics are individuals, and he was not smearing them collectively, though that was an effect amongst some of his fans, which would have been an obvious and foreseeable result of his decision to lie in this way.

    ReplyDelete
  8. Unknown30 August 2015 at 07:38

    You do know that you can change your IP by using a VPN in Australia to make it look more legit? It's not that hard to follow Hamza on Facebook and see his posts, so the Hacker obviously used a VPN to act as if he's in Australia. I think that the way the Hacker got his address and credit card details is that Hamza got ratted. When you get ratted, you can see the Address of the user, and you can spy on them remotely so the Hacker probably wrote down the credit card information. It's not that hard.

    ReplyDelete
    Replies
    1. Unknown30 August 2015 at 07:40

      A popular R.A.T. tool is: DarkComet. I think that he probably downloaded something off of the Internet.

      Delete

Note: only a member of this blog may post a comment.

Subscribe to: Post Comments (Atom)