A Sense of Justice

A Sense of Justice Page 36

by Jack Davis


  These investigations also had the cards being used widely with no apparent commonalities. The only link would not become apparent until the sixty-three thousand-plus credit card numbers in the Nova Scotia case were added and analyzed. The numbers were run against the Service case using link-analysis. Only then was it revealed that one of the credit card numbers had been used to deposit money into a WU account that was being used to pay for the WoW account of MichaelTAA.

  This was just one more piece of evidence tying the WoW and WU accounts to other credit card fraud cases and the hacking. Those associations allowed the agents to use the losses in the cases against the suspect MichaelTAA and drive up the actual and potential loss. These numbers would be used in the prosecutorial guidelines to increase the range of jail time the defendant would face. The US Attorney could also use the actual losses as an important bargaining chip in negotiations for any settlement in the prosecution of the case…but that would become a consideration only if they caught MichaelTAA.

  State University Systems

  After the initial problem with the computer borne improvised explosive device code, or CBIED—as the NYFO agents were referring to the program that had destroyed their UC machine—Swann and Posada had put it in a “sandbox.” In this sterile test environment, they analyzed it with the care of an Army Ordnance Disposal Unit defusing a 10,000-pound bomb.

  Over the course of the next few days, they were able to understand it, dissect it, fingerprint it, and fully appreciate it. Once they had figured it out, they knew how to avoid any unwanted consequences.

  Analysis revealed the program was designed to have two basic functions in addition to defending itself. It was to receive data at 9:45 every morning, package that data along with information about the machine it had infected, then phone home every day at ten a.m. The program would send any pictures and videos in small chunks, to avoid being caught by most firewalls or intrusion detection systems, back to two specific IP addresses. A quick check revealed those IP addresses resolved to a server at the University of Massachusetts, in Bridgewater and a machine at the State University of New Mexico at Albuquerque.

  Since Swann and Greere were inundated with other aspects of the case, Posada had Pencala assist in working this angle. Over the next few days they spent a third of their waking hours sorting out the network puzzle MichaelTAA had put together through the state university systems.

  Not knowing anything about the owner of the Bridgewater or Albuquerque machines, Pencala and Posada treated them as hostile. They monitored them surreptitiously, without notifying their systems administrators. With a limited scope subpoena from AUSA Carpenter, they monitored the boxes, and specifically the CBIED program and files associated with the data that had been sent by Alvaro’s machine.

  Watching the Bridgewater box, the following day they were able to determine that an hour prior to the time when it should have received data from Alvaro’s machine, it too created a digital image, or snapshot, of itself. Then fifteen minutes after it received the data from Alvaro’s machine, it received data from another machine. Fifteen minutes later, it sent both sets of files along with the digital snapshot, to a computer connected to the Florida State University server in Gainesville.

  The paperwork requesting authorization to monitor the Gainesville box was on Carpenter’s desk within an hour. Knowing generally where to look and what to look for made the paperwork and process go quickly. Pencala and Posada determined the program was identical to the one in Bridgewater, just set to kick off fifteen minutes after the Massachusetts-based program. The one other difference was that it also received data from a machine at the University of Arizona at Tucson.

  In this way, one by one, the agents found that all the boxes were connected to other machines in various state university or college systems.

  Swann explained that it made sense to use the state systems as a mechanism for sending information. The universities were much more concerned with allowing people access than with security. Each state system had reciprocal agreements with other state systems. Once a user was admitted to one network, they had access and privileges to the others, and vice versa. It made them easy targets for malicious actors who wanted to exploit their inherent freedoms.

  The agents also surmised that the redundant nature of MichaelTAA’s system was in case one box was eliminated. Having all the boxes connected to at least two others ensured there would always be another path for the data if one computer was taken out.

  Later, when Swann analyzed the program, he determined that in addition to having redundancy, it was designed to seek out another path if one of the two designated boxes did not respond. It was a very simple yet efficient system that was self-healing.

  Another feature the author of the program had included was a complete changeover every week. Every seven days, the systems would all receive two new input machines and a new destination machine. Pencala and Posada found that feature the hard way, when on the Sunday the twelfth they logged into their computers and saw that all of the machines had been redirected. It forced them to start their network diagram from scratch. They speculated that the functionality was designed to thwart just such a trace-back exercise.

  What the author didn’t take into account was the speed at which the agents could work with the US Attorney’s Office. Knowing they had at least a fifteen-minute window to get the correct paperwork, they put a plan in place to conduct a month’s worth of trace-backs in one day. From their previous effort, the agents knew six of the boxes to start with, so they set up teams to monitor each one. The teams consisted of two agents in contact with an AUSA. As soon as information was received regarding a machine, it was passed to the AUSA and the correct paperwork—boilerplate—was generated. Then the agents used prearranged programs to look at the machine. The new information from that machine was sent to the AUSA, another set of paperwork was generated, and the process started all over again.

  By the end of the day, the entire system had been mapped by hopping from one machine to the next. There were loops, redundancies, and dead-end paths, but there were also two commonalities. The first was all the machines finally ended up sending their information to a server in the library at the University of California at San Luis Obispo—Cal Poly. The second and more important commonality was the State University of New York network. The SUNY system was initially overlooked, as the author had hoped. It wasn’t until Posada counted all the systems that he realized there were only forty-nine. It only took another minute to identify the one missing system—SUNY.

  A more thorough look at the Cal Poly computer revealed that while it didn’t download information automatically to any other system, it was accessed by someone regularly. The files on the Cal Poly machine were divided into three folders and given the unremarkable titles: systems, students, and faculty. All were AES 256-bit encrypted.

  Knowing that such a high level of encryption would take too long to break, if it could be broken at all, they decided to attack the problem from another angle. The work-around to the encryption problem was to look at the data prior to it getting to the server, hoping the information wasn’t encrypted while it was in transit. To the agents’ relief, it wasn’t; it was only password protected.

  The agents set the Service’s distributed network to work to crack the passwords. The first password it cracked was for the systems file.

  Using the password, the agents determined that the documents going into the systems folder contained the weekly or daily system updates for all of the machines owned by MichaelTAA. Later analysis showed that the author had an executable program in the systems folder that did a daily comparison of each computer in the network. Any changes would be identified, flagged, and then the author could look more closely at those changes rather than having to review the whole computer from scratch each day.

  While the distributed network churned away on the other passwords, and the log files were still being analyzed, the agents set up an operation to determine where the networks were being accessed from. Since the systems files were being accessed daily, timing was not the overriding concern, but stealth was imperative. It was here they employed Swann’s bot. They implanted it inside a Microsoft Excel patch going into the file folder feeding the University of Hawaii at Hilo, which was the last hop that month before Cal Poly.

  After Swann’s file had been successfully accepted into the system, the team had to wait for it to be accessed and downloaded to see where it ended up. They believed that final destination would be MichaelTAA’s computer.

  The system log review was a mixed bag. It showed the systems files were accessed daily or at least every other day. It appeared that MichaelTAA was paying close attention to the steady state of his machines.

  The logs for the student files showed access almost every day of the week. Access as expected was in the evenings and on weekends. The pattern was consistent with someone who had a day job, someone who couldn’t access the files while at work.

  The access logs of the faculty file showed a much different story. Those files were rarely accessed. There were periods of months where the files were not accessed at all and then periods where they were accessed for three or four days straight. There was no discernable pattern any of the agents could identify.

  The next password cracked was the one for faculty. It was populated with pornographic images and video files of middle-aged women—wives or mothers.

  The password for the final folder, student, was cracked last. Opening that folder revealed the most obscene child-porn images the agents had ever seen.

  They had the evidence. They’d built the case. Now they just had to find the disgusting creature that called himself MichaelTAA.

  49 | The Un-Contacted Pile

  NYFO, 10/08–09/09, 0700 hours

  The next morning was overcast and gloomy in the “City that Never Sleeps.” Grey clouds and rain squalls from a tropical storm just off the Atlantic seaboard blanketed the five boroughs.

  On the rain-extended commute, Greere and Swann, who commuted in together, had time to develop a scope for their porn site search. They were at Morley’s door just after 0900 hours.

  Morley looked at his watch as the two entered. “Do you want to get a cup of coffee, orrr just go straight to lunch?”

  “Real funny,” replied Greere. “Traffic was brutal. Took us almost three hours.”

  Swann just slumped into one of the chairs opposite the desk. “In your glass-half-full universe, the horrible fuckin’ commute did give us time to come up with a plan for searching the porn sites.”

  “Now you’re comin’ around to the positive attitude club,” said Morley, his voice dripping with derision.

  “I think the term ‘loathe’ doesn’t do justice to how I feel about you right now.” Swann gave a look of scorn.

  “Let’s hear this plan.”

  Swann sighed before he started. “The universe of porn sites is too large for us to just go out randomly to try and find what they were looking for. So like Agent Peyton suggested, we’ll start our search by looking at the types of sites our suspect hacked in the past.

  “The site in Virginia featured an amateur housewife. We’d like to split up the search. Murray and I focus on the sites featuring amateurs while Ron and Kruzerski take the sites with housewives.

  “We’re gonna further narrow the search by only looking at sites hosted in the United States. We can expand later if needed.”

  “Sounds logical,” commented Morley.

  “Once we see how many sites there are in any of the categories, we’ll rank them by the number of customers. We figure the biggest sites got that way by being the best,” said Greere. “We’ll concentrate on them first and work down.

  “We’ll send the sites’ webmasters a generic email indicating we have an investigation and that we need to speak to the sys admin for the site. It’ll give our names, but the Duty Desk phone number.”

  “I’ll notify the front office. One of you write up a sheet for the folks at the Duty Desk with instructions on what they should do when they get these calls.”

  “Will do.” Swann sat up and stretched. “Once we see what kind of response the emails get, we’ll follow up with targeted phone calls.”

  Morley nodded again. “Do you need any other resources?”

  “We might,” said Greere. “There are some mega porn sites that have multiple categories. If possible, we’d like Fatchko or someone else available to review them.”

  “Sure. Anything else?”

  “Can you guarantee we won’t have a three-hour commute home?”

  “Yes, I can,” said Morley confidently. “If you leave somewhere around zero two hundred hours, I can guarantee you’ll make it in less than three hours.” Morley smiled.

  Swann and Greere sneered.

  A quick review by Greere’s favorite search engines revealed the team indeed needed to look at major porn sites with multiple categories. They grabbed Agent Fatchko as he headed for the lab and pressed him into service.

  Within an hour they had completed the first phase of the plan. The initial search revealed forty-six sites that specialized in amateurs and thirty-nine that focused on housewives. Fatchko found thirty-one sites with multiple categories of pornography including amateurs and housewives.

  All that day and through the night the NYFO Duty Desk received calls asking for the agents.

  By the following morning the agents had heard back from three-quarters of the sites. Eleven had emailed back they would not cooperate without either a subpoena or telephonic contact with their lawyers. Those were put on the back burner along with the seven sites they could not convince that they were actually federal agents investigating a case.

  With these sites temporarily out of the mix, the team had a group of just over fifty others to focus on for the day. Of those sites, when they reached the sys admins, the agents found a wide spectrum of technical ability on the other end of the phone ranging from the amateurs, who knew next to nothing about the computers they used, all the way to an MIT graduate who ran a huge California site.

  Swann and Greere had anticipated as much and developed a script to read to the sys admins, along with screenshots to walk them through the search procedures.

  The sixth contact Greere made was a medium-sized MILF site from Texas. The owner was annoyed at having to take time to look for a program he was sure was not resident on his server. He only continued the search after Greere explained, “It’s up to you—either you do it, or within an hour three agents from the Dallas Office’ll be there with a warrant and do it for you.”

  To the Texan’s amazement and Greere’s satisfaction, the program was there. The webmaster was further shocked when told exactly how volatile the program could be if not handled properly. Greere assured him the intruder was just there for free porn and that his network wasn’t in any immediate danger. Lastly, the agent warned the site owner not to try and remove the program; the Service would send technical experts for that task.

  After the initial enthusiasm of finding the program “in the wild,” Greere asked the Texan how long the current server had been in place and was told twenty-one months. With that information the agent realized he only knew the program was between one and twenty-one months old. What he didn’t know for sure was if the author was still using it. That would be determined later.

  Flush with success, Greere looked forward to continuing his efforts after the 1630 hours daily case brief.

  By the time the group met for the case briefing, sites eight, nine, and fourteen had been identified as having been compromised with the same code. The middle site was large and had multiple categories, while the other two were both housewife sites. Only one of the new sites had a server newer than the Texas site, and it was sixteen months old. Two administrators had indicated they would cooperate.

  At the briefing, the agents discussed next steps. The decision was made to monitor as many of the infected sites as possible and determine if the programs were still active. Swann felt with a little time, he could develop a program to surreptitiously track the accounts and any outbound traffic.

  Morley asked for any other updates. Posada and Pencala, on a conference bridge, provided a status from Mexico.

  “Our CI sent the ‘in-game’ message about the cards being compromised. MichaelTAA replied acknowledging the problem and that ‘new mats’ would be sent soon,” explained Pencala.

  “He said payment should be made through the OLE ELO guild bank.”

  “What bank?” asked Morley.

  Posada explained, “It’s not a real-world bank. In WoW there were two types of banks. One is the game bank run by Blizzard and one is what they call guild banks. The guild banks are banks run by the players themselves, for other players to trade in-game gold or items. They’re exclusive to members of the guild, and to gain access, a character has to apply and be approved.”

  “From what we know about the recent financial shitstorm, that’s a more stringent vetting process than most big banks these days,” joked Greere.

  When the laughing died down, Pencala continued, “Our CI told us that messages referring to ‘the bank’ meant a PayPal account, while the ‘Rat Hole’ guild bank meant to pay him via an e-gold account and the ‘OLE ELO’ guild bank meant a predetermined Western Union account was to be used.”

  “The CI is expected to make payments within three days of receipt of the numbers,” added Posada. “The CI seems to be holding up their end of the agreement. The information they are providing has been confirmed by the game company’s security team. Everything seemed normal here. Kay and I fly back later tonight.”

  “Thanks, guys. Safe travels. I’m gonna have Kruzerski and Murray follow up with e-gold and PayPal.”
