For over two years a company was the target of a dangerous hacker and extortionist which threatened the reputational and eventually financial well being of the company. Embarrassing e-mails containing derogatory and sexually explicit attachments were being sent to the company’s clients with spoofed (i.e. faked) e-mail addresses to make the e-mails appear to have come from senior executives within the company. The recipients of these disturbing spoofed e-mails became increasingly upset, particularly when the company and the FBI appeared incapable of stopping them. The company lost thousands of dollars as clients took their business elsewhere. After two years of this damaging e-mail campaign, the company turned to Stroz Friedberg for help in determining whether the Wi-Fi Spoofer was one person or a group, a malicious insider or outsider, and what motivated the harassment. Most of all, the company wanted the damaging e-mail campaign to stop.
The Stroz Friedberg team used sophisticated forensic tools to scour the client’s computers and network covertly for evidence that any insider had access to the attachments or was in contact with any of the hijacked e-mail accounts used by the perpetrator. This helped to rule out a malicious insider as the perpetrator of the e-mail campaign, but revealed a network security mis-configuration allowing any Internet user without proper authentication to access the client’s internal corporate network and access data that was otherwise confidential and proprietary. The Stroz Friedberg team discovered a number of unauthorized logins to the company’s server over a four-month period in 2003 with originating IP addresses used at local universities. Steps were taken to lock down the security of the company’s network.
A detailed analysis of the e-mail header information on the offending e-mails showed the originating IP addresses led back to random home users’ wireless access points to which the perpetrator had gained access. This was accomplished by a practice known as “war driving.” The perpetrator would drive his car around residential neighborhoods with a laptop equipped with a Wi-Fi card and antenna, searching for unprotected wireless access points to which he could connect. By the time the FBI was able to obtain the subscriber information and location of the Wi-Fi point used by the perpetrator, the perpetrator was, of course, long gone. Even when access points that the perpetrator co-opted were examined, there were no logs of his particular computer having connected to them. This provided a perfect anonymizing method for the perpetrator.
In addition to war driving, this perpetrator also sent spoofed e-mails from computer labs at various universities, using false or stolen student accounts, also making him difficult to trace. He used the hijacked student accounts to access a proxy server to conceal the originating IP address of the computer he was using within the university computer lab, and use that proxy server to gain unauthorized access to e-mail accounts at AOL and Yahoo, from which he sent spoofed e-mails.
Through a combination of interviews with people in the industry, including competitors and former employees, plus e-mail header analysis, use of a clinical psychologist with expertise in developing detailed profiles based upon text and e-mails, within several weeks the Stroz team was able to identify a primary suspect, who had been denied employment by the client. The interview process also uncovered the fact that senior executives at the client’s sister company had been sent e-mails from a person complaining about the client. Textual and psychological analysis by a clinical psychologist demonstrated that the author of the spoofed e-mails was the same author sending the complaining e-mails (under a fake name) to the sister company. This analysis further determined that a single author, not a group, was involved.
Under the direction of the Stroz Friedberg team, a communications channel was re-opened between the anonymous complainer and representatives of the sister company. In order to capture the IP address of the computer where the e-mail was opened, a technical tool, called a web-bug, was used. This tool also provided timing information about when the perpetrator opened the e-mail, how long the e-mail was kept open, and how long it took the perpetrator to respond after opening the e-mail. This information is useful for building a profile of the perpetrator and anticipating how to interact with him effectively and identify him.
After a carefully calibrated series of exchanges designed to test the motivations of the perpetrator, he sent a multi-million dollar extortion demand to the client threatening to unleash a denial of service attack. The e-mail appeared to come from the client and would use confidential information on the company and its clients – that he had obtained through “dumpster diving” of the company’s trash bins – as a payload. The perpetrator revealed many additional details about his past activities that were consistent with the information on the primary suspect the Stroz team had already developed. At the same time, the Stroz Friedberg team coordinated with the FBI to put the primary suspect under surveillance, which successfully placed him in the same place at the same time – at a university computer lab – that certain harassing emails were sent.
Through use of technical tools, physical surveillance, analysis by a clinical psychologist and good interviewing techniques, the Stroz Friedberg team worked with the FBI to develop evidence showing that the primary suspect was the perpetrator of the damaging e-mail campaign and extortion demand. The FBI then arrested him and executed search warrants. When the suspect’s residence was searched the FBI found numerous firearms, explosives and chemicals, as well as a recipe for the production of a deadly toxin. At his arraignment, the defendant was remanded based on his dangerousness, and remained remanded through his guilty plea to violations of the Computer Fraud and Abuse Act.