Investigating Cybercrime

Deb Radcliff

September 01, 2010

The real-life tales of how authorities hunted down some of the nation’s most dangerous digital crooks, as reported by Deb Radcliff.

For the most part, cybercrime cases turn out to be much larger than they first appear. This was the case 10 years ago when a lone Honolulu police detective tracked a thief to more than 100 stolen identities spanning many states. It is true as well today, for example when the New York State Attorney General’s (AG) office tracked a spammer that led to a multimillion-dollar securities fraud case.

What’s different between now and a decade ago is there is exponentially more cybercrime – and more types of cybercrime – requiring investigations.

Over the past five years, investigators reported a 69 percent increase in computer devices being used to directly perpetrate crime, according to a 2010 survey by the High Technology Crime Investigation Association (HTCIA) that drew 429 respondents from its 3,100 members.

“The most significant trends we see today are the Zeus malware and the use of ACH [automated clearinghouse] fraud to take over and transfer funds from the accounts of small to midsize businesses and municipalities,” says Special Agent Russ Brown, chief of the FBI’s East Coast and Eurasian cybercrime unit.

The following are true stories of investigations over the internet and on devices, as told by the chief investigators in these cases. These cases highlight just how far investigators have come in solving today’s digital crime cases – and also how far they have to go to even the playing field (and then gain the advantage) against their cyber opponents.

An early case of ID theft 
Identity theft and computer crime were unheard of in most of Hawaii until early 1999, when personnel at Gateway Computers found online credit applications being taken advantage of by someone they tracked to Maui. The criminal was logging into the Gateway site from locations around the Hawaiian Islands and using stolen identities to open new Gateway credit accounts and buy computers. When the card owners were notified, they denied ever making the purchases.

The case got pushed from the county of Maui to the state of Hawaii’s attorney general (AG) white-collar division, which turned the investigation over to Honolulu Police Department’s self-made cybercop, Detective Chris Duque.

“Once I got started in the case, Gateway asked me to investigate other cases,” says Duque, who is now a consultant. “Turns out, someone was using AT&T Worldnet IP addresses throughout the Hawaiian Islands, Texas, California and even New York to register the new credit card accounts.”

The case ballooned to more than 200 stolen identities. Duque got additional resources, including a new partner, Detective Erwin Okita. After a lot of leg work, they were able to acquire pictures of the perpetrator signing into a hotel room shortly before that room’s internet connection was used to register a new Gateway credit account.

They knew of the perpetrator already, Pyong Kun (Peter) Pak, a 33-year-old from South Korea with a history of methamphetamine arrests. But to get a conviction, Duque still needed irrefutable proof that Pak was at the computer.

When Gateway alerted Duque’s team in real time to a modem connection fitting Pak’s MO, Honolulu Police Department plainclothes officers were already tailing Pak and moved in. He was arrested exiting a Waikiki noodle shop. The noodle shop owner told officers that Pak had just finished using the telephone in his office, the number matched the modem number Gateway was tracking, and Pak had a PC in his backpack.

They’d found a smoking gun: In December of 2002, Pak was sentenced to 10 years in Hawaii state prison and ordered to pay $109,000 in damages.

Tracking a spam king
Fraud and malware distribution over the internet are the fastest growing fraud types being investigated by HTCIA members. Yet Duque’s methods of manually tracking suspect IP addresses to registration pages and working with the ISPs haven’t changed much since then. It is still a manual process of monitoring the underground and developing relationships with service providers and cyber-savvy law enforcement agencies. In fact, internet tracking rated as a top area that needs improvement in the HTCIA survey.

“The disk forensic market is strong with products from Guidance, Access Data and other sound imaging and searching tools available to our members,” says Todd Shipley, HTCIA president. “Following crimes online and trying to document evidence is less understood. The process has yet to be formally defined to develop standards around.”

Manual processes took up the bulk of work when Michael McCartney set out to find a spammer selling penny stocks.

“In 2006, the Anti-Spam ListServ was tracking a spammer who was talking a lot about proxy bot networks to send out the spam from home computers,” says McCartney, who was the senior investigator with the New York State Attorney General’s office at the time. “The zombie virus was known at the time as Mitglider 32.”

Aided by two members from the Anti-Spam ListServ, McCartney’s team set up honeypot decoy computers that looked like new broadband user machines waiting to be taken over. It didn’t take long for the machines to become bot infected and start sending messages to their controllers, all of which resolved to the same ISP provider block at the same dedicated hosting service provider in Denver.

Working with the ISP in Denver, the investigators were able to track down the suspect, Eddie Davidson, to a remote area in Arapahoe County.

“Our suspect got sloppy and we got lucky,” says McCartney, now a forensics consultant and president of the Northeast chapter of the HTCIA. “Normally it’s much harder to track through all the hoops and ISPs professional criminals usually hide behind.”

Once they subpoenaed Davidson’s bank records, McCartney’s team also tracked down the source of several large deposits. That led into a larger investigation by the U.S. Securities and Exchange Commission (SEC) involving $4.6 million in securities fraud perpetrated by the nephew and uncle team of Darrel and Jack Uselton.

Interestingly, the SEC’s investigation also began with the spammer, in this case from an email that landed in the mailbox of James Valentino, an attorney with the SEC.

“The email blasts seemed to be associated with the promoters of a stock dump and also the actual trading of stock to make it appear the stock was being maintained at an artificial level,” Valentino explains. “That led to our investigation.”

Domain registration lookups on the penny stock sellers led to an elaborate scheme in which the Useltons and the companies they controlled would receive shares from penny stock companies for little or no money and then manipulate that stock to sell at a few pennies up.

In May 2008, Eddie Davidson was sentenced to 21 months for falsifying email header information, as well as tax evasion, and was ordered to pay back more than $700,000. Three months later, he walked off a minimum-security prison in Florence, Colo., and shot to death his wife, 3-year-old daughter and himself while sparing his 8-month-old son.

The Useltons, meanwhile, agreed to pay $4 million in penalties and fines to the SEC and were given 10 years of deferred adjudication for first-degree charges of engaging in organized criminal activity.

Another case involving the use of honeypots and manual tracking over the internet was conducted by researchers at security firm NetWitness – in this case to find the source of Zeus fund transfer bots targeting businesses and municipalities.

Using domain registration lookups, the NetWitness investigative team tracked most of the bot controllers to a single registrant named Hilary Kneber (which is why this version of Zeus was called the Kneber bot).

Unfortunately, the team was unable to get domain services to shut down the bot controllers because too many were hosted in shady, international jurisdictions that are uncooperative with U.S. investigations.

Instead, NetWitness investigators tracked down and notified more than 400 U.S.-based businesses and government organizations whose login credentials, identities and other sensitive information had been funneled to criminal entities.

“Looking up organizations through their domain registrations was limiting,” says Alex Cox, principal research analyst at NetWitness. “Getting the right person at the right time is key to control damage, so it would help if organizations kept their domain registration information up to date.”

Disk forensics 
In cases like Zeus, the time to act is of utmost importance because of how quickly business accounts can be drained once spear phishers gain access.

When it comes to evidence on computers and phones, forensically sound mirror images need to be taken as soon as possible to capture not only the evidence, but also the state of the computer, say experts. Once the PCs are imaged properly, the evidence is often locked up for months. The average backlog for examining the imaged disks for evidence is six months, according to the HTCIA survey.

How evidence is handled at the scene of a crime is critical. Take, for example, a cold case in which Marine Sgt. James Bryson, just back from a tour in Iraq, was murdered by a gunshot to the head in the entryway of a home in Cherry Hill, N.C. on Feb. 16, 2006.

Bryson was on his cell phone talking to a female at 10:20 p.m. when she heard a knock on the door, then a male shouting profanity, the phone dropping and scuffling before it went dead. Several callbacks went straight to voicemail. Someone had turned Bryson’s phone off. The woman called 911.

The case was handled by the Craven County Sheriff’s Department, which found the cell phone at the scene. Its investigators scoured the phone for obvious data in contacts, texts, pictures and phone records. The department told the media that Bryson was prolific in texting, phone calls and in internet groups. Sheriffs also kept the phone hoping someone still calling for Bryson might become a lead.

On March 22, the county called in law enforcement-trained digital forensic investigator Giovanni Masucci, who imaged and analyzed a laptop, two USB drives and a PDA he was given from the crime scene. Masucci was able to retrieve contacts, but found nothing of substance beyond a large interest in women and hookup sites (via Bryson’s web history), and an inordinate amount of X-rated, but not illegal, content on three of the devices.

What they couldn’t find was evidence of the victim’s killer.

What gnaws most at Masucci in this case is that he was never given the most critical devices in evidence to forensically investigate – the phone and, it turned out four years later, a missing Dell computer.

“It was our first homicide case and we wanted to find out what happened to him, but we weren’t given all the evidence,” Masucci says. “Then, a year-and-a-half ago, when the case was cold, the department showed me new pictures. One of them had a Dell computer cord that was different than the laptop cord we had. In the picture, the cord was laying across the kitchen table and still plugged into the wall.”

Someone had obviously taken a computer from the crime scene, a fact he would have known back in 2006 had he seen the picture then. At that time, he would have had the means to track that computer down with the help of the Sheriff’s Department, the manufacturer and the ISP.

Further, the phone itself was tainted because it was not backed up at the crime scene. Rather, the sheriff continued to keep it charged, use it and access applications and content, with each of those processes changing the phone’s state and thus tainting its evidence.

If the phone had been imaged at the scene, for example with a tool Giovanni uses today called Cellebrite, it could have been examined for erased pictures and other data, just like on the computer.

Accidental spoiling of data is a key problem for organizations trying to prove a crime, say forensic investigators. On the other hand, evidence of spoliation also can be used to get a conviction, says Jefford Englander, vice president of computer forensics for Lightstone Solutions, a litigation support and investigative firm.

Prepare for the worst 
Cases like these represent a tiny snapshot of what cybercrime investigators are dealing with today. Organizations of all sizes are under advanced persistent threats aimed at getting access to their systems and information, says Kevin Mandia, president of Mandiant, an incident response firm. In the case of internal breaches, organizations often don’t even know anything happened until an external party notifies them.

Once notified, organizations need to be able to quickly collect data, determine the scope of compromise and remediate in parallel with notification when required, he says.

Above all, keep good records, adds the FBI’s Brown. Odds are that, someday in the not-too-distant future, cybercrime investigators will come knocking on the door with evidence implicating your organization’s systems in a crime.

Wipeout: Too much cleaning

This forensic case started in 2006 at the onset of the recession, when competition for cheap flights among the Hawaiian Islands was brutal.

Hawaiian Airlines was filing for bankruptcy and seeking investors, one of which was the newly emerging Go! Airline by Mesa Air, which was setting up its own inter-island flights at the time.

Hawaiian Airlines recovered enough to pull the acquisition possibility off the table, at which point Mesa was legally bound to shred the data and not use it in any form for competitive purposes. Instead, Mesa used the Hawaiian Airlines’ secrets – including figures on route profitability, fares, passengers and plans for expansion – to raise its shares by more than 27 percent and nearly push Hawaiian Airlines over the brink.

“The Mesa CFO went to great lengths to erase the hard drives of his work and home computers, then set the system clocks to look like nothing had ever been deleted,” says Jefford Englander, vice president of computer forensics for Lightstone Solutions, who was hired to investigate. “Unfortunately for [the CFO], he deleted too much.”

Examination of three computers belonging to the CFO showed traces of wiping software called System Mechanic in their registries. However, the computers’ clocks had been set back to before the particular wiping software even existed. Mesa’s CFO also was using his browser to shop on eBay and elsewhere during the long wiping processes, which left records of the actual time the systems were being expunged.

In addition, there were only two weeks of data on the CFO’s work computer. Typical files, photos, messages, histories and other data one would expect to build up on a computer in use for several years simply didn’t exist. This and other evidence erasure was enough to end in a $52 million judgment against Mesa in April of 2008.

– Deb Radcliff

http://www.scmagazine.com/investigating-cybercrime/article/177107/
