Jan. 31, 2013 at 5:01 PM ET
Responding to a report about a hostage situation that included one dead, police officers descended on a home in Oviedo, Fla. late Wednesday night, guns drawn. Inside they found a terrified family of four, who had been asleep — and safe — at least until they heard the doorbell ring and saw the rifle barrel poke through the front door.
Seeing what appeared to be “an arsenal,” the father of the unidentified family told Orlando’s Channel 9 that he and his wife assumed they were victims of a home invasion. “They have rifles, they have guns, and I said, 'Let's get out of the house,' so we ran down the hallway and got our two boys up."
The family were not hostages, but they were victims, people who mistakenly ended up on the receiving end of a dangerous hoax called “swatting.” The criminal prank — the type of which is increasingly common — all began because the address where the family lived was scraped from an out-of-date Xbox account.
Earlier that evening, police received a call from another Oviedo resident, a teen reporting that his Xbox had been hacked.
Lt. Mike Beavers, the Oviedo police spokesman, told NBC News that prior to accessing the Xbox user's account, the hackers attempted to extort the teen for one of his map packs, a downloadable extension gamers can purchase to add functionality to popular multiplayer games.
"They they were trying to get the young man to give them a copy of what he had purchased, and they said if he didn't, they were going to cause the police to come to his house by calling in a bomb threat," Beavers said. When the teen didn't comply, the Xbox player’s tormentors apparently accessed his account where they found an address.
Shortly after the gamer reported his encounter with the hackers to the Oviedo police, AT&T contacted the department, stating the company had received online messages from someone claiming to be at an unrelated home. The messages said that “someone had been killed at that location and others were being held hostage,” according to the police report.
Police later confirmed that this was the former home of the harassed gamer. The hackers, having obtained the old address, had called in the threat as retaliation, sending police to the unsuspecting — and totally unaffiliated — family.
Lt. Beavers told NBC News that this is the first time his department has encountered this sort of crime, which led to some very tense moments for both the police and the family. "We were told someone had been killed, and others were still held hostage," he confirmed. "This really puts the responders on high alert.
Unfortunately, this dangerous hoax is not uncommon. In 2008, the FBI issued a warning about “swatting,” which it describes as “faking an emergency that draws a response from law enforcement — usually a SWAT team.”
“Needless to say, these calls are dangerous to first responders and to the victims,” the FBI report reads. “The callers often tell tales of hostages about to be executed or bombs about to go off. The community is placed in danger as responders rush to the scene, taking them away from real emergencies. And the officers are placed in danger as unsuspecting residents may try to defend themselves.”
"This sort of prank — and I hesitate to call it a prank, because it’s very scary — seems to be a rising trend among malicious teenagers," Chester Wisniewski, senior security adviser at Sophos, a security firm, told NBC News.
”The only thing new in this case is the Xbox,” said Wisniewski. "Most often, it’s people forging a caller ID phone number and calling emergency services." Then, for example, the 911 operator sends responders to the address connected to the forged caller ID. Accessing an Xbox account and then emailing a false crime report via AT&T just makes it seem more high tech.
Wisniewski warns that we digitally store plenty of vital information such as street addresses that can easily be exploited for material gain or malicious intent. The danger, he says, is not keeping all your online accounts as secure as possible. “People don’t realize that your Amazon account or Xbox account has a lot of information that can be used against you.”
However, perpetrators of hacks and hoaxes may be just as vulnerable to inadvertent information leak.
“When you’re talking about kids pranking kids, the attackers are not all that sophisticated,” said Wisniewski. In the case of the Oviedo attack, the Xbox user was able to furnish police with Twitter accounts and gamer tags associated with his victimizers.
According to Lt. Beavers, the Xbox victim in this case, "had already done a little work of his own and provided the officers with information, including Twitter names, game accounts and IP information." Once the computer behind the extortion and hoax are identified, it comes down to "putting the person behind that computer and actually proving he did it."
— via Gizmodo