Invasion of Privacy: A Deep Web Thriller #1 (Deep Web Thriller Series)
Page 5
“Credit card?” interrupted Jenny, spotting an angle to follow here. “You mean we can see the credit card details that were used to book the room on Friday?”
“Well, yes. That’s assuming it wasn’t an existing Flexbase tenant with an account. Like WMA here. If it was an existing customer, no credit cards are needed. Just their customer account number, phone number and email address of the person from the company. Then we add it to the company’s bill and invoice at the end of the month.”
“Can you get me the details of the booking for the room on Friday?” Jenny then forced herself to add, “Please.”
“Sure, I’ll just go and ask my assistant...”
Jenny picked up the phone on the desk and handed the receiver to Evans. “Will this work?”
“Uh, actually no. It’s an IP phone. It doesn’t work until someone logs into it first.”
Spotting the look of malice in Jenny’s eyes, Evans pulled out his mobile phone. He asked his assistant to pull up the records for meeting room eighteen-twelve for the Friday just gone. A pause, then, holding his hand over the mouthpiece, he said to Jenny, “Sorry, not a credit card booking. It was booked out to WMA using their account number...”
MacDonald exclaimed, “That’s not possible!”
Fiona placed a hand on MacDonald’s arm.
Evans continued, “...In the name of a William Webber. He booked it from 4:00 p.m. through to 7:00 p.m. He gave his phone number as the main switchboard number that WMA uses.”
“How do you request a room?” asked Fiona. “Phone? Email?”
“You can book by phone, email or even through our website. Whichever method you use, we always ask for an email address for the booking confirmation to be sent to.”
“Which method was used?”
Evans repeated the question into his phone. “They can’t tell. Perhaps the IT people in headquarters can tell?”
“Okay, we’ll check that later,” said Fiona. Jenny knew the DC was doing a far better job dealing with these technology-related issues than she ever could. “What email address was given?”
Evans relayed the answer: “William.webber@wmallp.co.uk.”
“But we don’t have a William Webber, I tell you,” MacDonald persevered. “Hold on, I’ll phone my IT guy to see if that address is on our email system.” MacDonald pulled out his mobile, dialled a number and started issuing instructions.
Fiona asked Evans, “Can you tell when the booking was originally made?”
Evans relayed it into his phone. The answer came, “Two days before.” His eyes widened. “No way! Apparently, the same person also booked the four other meeting rooms on the same floor for the same times. That’s the whole damn floor!”
A chill ran through Jenny’s body.
“I suppose being that late on a Friday afternoon meant they were all available?” Alan surmised.
“Well yes, I suppose. It’s typically the quietest time of the week. Everyone wants to get home for the weekend.”
MacDonald then spoke, “No, we don’t have an address with that name on the WMA email system. And my IT guy says that, as he doesn’t have it set up, it doesn’t exist and never has.”
Jenny summarised, to make sure she had it right. “So, two days prior, someone with access to WMA’s Flexbase account number booked the whole top floor on Friday from 4:00 p.m. onwards. And they gave a fake name and email address that made it look like it was someone from WMA.”
“So, what would happen if the email address used for the booking was fake?” Fiona asked Evans.
Evans said he didn’t know and relayed the question into his phone. “My assistant doesn’t know either. She’s just patching me through to IT in Head Office.” A minute later, Evans repeated the question and listened. “Apparently, we just type it into the booking system. As the domain name — you know, the bit after the ‘@’ sign in the email address — matches the customer’s, no one would have questioned it. The booking system sends out a confirmation email.” He listened some more and then relayed the next bit with a fatalistic tone. “But if the email address didn’t exist, it would bounce back to the booking system’s own email address and —”
“— no one ever looks at that,” finished Fiona for him.
Evans nodded.
MacDonald turned to Evans, indignant. “So what you’re telling me is that anyone could book a meeting room in my company’s name just by phoning in with a fake email address? Right, that’s it. I’m going through every invoice for the six months we’ve been here at Flexbase!”
“But they would have to know your Flexbase account number as well,” wheedled Evans, “and only your employees would know that.”
“And anyone working for Flexbase, Mr Evans,” said Jenny, firmly.
* * *
Brody’s fingers were shaking over the keyboard. He wasn’t sure if it was too much caffeine or an adrenaline rush from the challenge he’d foolishly got himself caught up in. He wondered whether Doc_Doom had manipulated him into taking on the challenge against Matt_The_Hatter. He scanned back through the chat logs but there was no real evidence of that. Like any hacker — white, grey or black — Brody’s reputation online was built up over time, through publishing new exploits, sharing code, blogging, tweeting and answering questions on the forums from other hackers. Brody had spent years getting his reputation as Fingal to its current elite status. And here he was putting it all on the line in a childish race to gain root access to a website. If he failed, then word would spread rapidly across the global hacker community. That was one of the downsides of the Internet; it only took seconds for news and gossip to spread. His online reputation would be in tatters.
Brody slammed the tablet PC shut, looked up and caught Stefan’s eye. The barista came over immediately.
“Ah, Mr Brody,” said Stefan, “Let me think . . . ”
“— same again,” said Brody, in no mood to play Stefan’s guessing game.
“Oh! Okay . . . as you wish, Mr Brody.” Stefan shuffled off.
Brody wondered if he could have avoided trapping himself in the challenge. The root cause was his perfunctory approach to reviewing Crooner42’s original request for help during the Atlas Brands pentest at that morning. He should have waited until he’d returned to London, when he would have gone thorough due diligence before offering to help. He would have carried out an initial set of penetration tests before responding to make sure that he knew there were some holes he could quickly take advantage of once he was formally given the job. He would also have devoted time to checking out Crooner42’s online background more thoroughly to make sure the request for help was legitimate. After all, no one other than Matt_The_Hatter and he had responded to the Crooner42’s unusual broadcast for help. Perhaps all the others had figured out this was a tough job and didn’t want to risk their reputation.
Now he was in the unpleasant situation where not only did he have to take on the challenge, but failure would be very public. He just hoped he had a few more tricks up his sleeves than Matt_The_Hatter.
A fresh cup of coffee was placed on his table. Brody looked up to say thank you to Stefan, but it was Stefan’s trainee waitress who had brought it over instead. Stefan was behind the counter, wiping it down and deliberately avoiding eye contact. Brody thanked the girl anyway and made a mental note to apologise to Stefan before leaving. Maybe a larger tip than normal would help.
Brody rolled up his sleeves and began.
The first step was to familiarise himself with the website in the way a normal online visitor would do. Well, not quite a normal visitor. First of all he would disguise who he was and from where he was connecting. He logged into TOR and two additional proxy connections, one in Russia and the second in Bulgaria. The proxies slowed down his speed a little, but it was worth it to make him impossible to trace. Anyone tracking his address would think he was accessing the Internet from Bulgaria rather than his apartment in Islington. And even if they somehow tracked him down through the first proxy,
they’d then think he was really from Russia. And after that, they’d have to take on hundreds of randomly selected relays within the encrypted TOR network.
Brody remembered Crooner42’s concern that police around the world might take an interest in the site. Double-proxying should handle that.
He clicked on the site.
The site Crooner42 had built was called www.SecretlyWatchingYou.com. Its name and description implied that it was serving live webcam footage without the knowledge of the inhabitants. Brody knew enough about webcam sites to know that this was very rarely the case. A whole new industry had popped up the day a redheaded American student called Jennifer Ringley chose to broadcast her day-to-day life over the Internet, clothed or naked. Fully aware that she was watched all the time, JenniCam had become an Internet phenomenon at much the same time that Big Brother was beginning to take off in the UK. Millions of voyeurs paid to watch and Ringley became very rich, spawning thousands of copycat sites. Brody couldn’t understand why anyone would want to watch someone else’s life like that, never mind allow it to be watched in the first place.
At first glance, SWY — the techie in Brody had automatically shortened SecretlyWatchingYou to a more usable acronym — seemed harmless enough. Brody was able to look at a few taster videos without registering any personal details. One of the teaser clips was of a girl taking a shower, with the camera directly above. Brody couldn’t see her face and the steam blocked out anything interesting. Another was of a man doing the washing up. His back was to the camera. There were five or six others. Big deal. It all seemed boringly innocuous.
He clicked through to the registration pages. Eight US dollars a month or $66 for a year. And that was just for the ‘basic’ locations. There were newly added ‘premium’ locations available where users needed to pay more. The site was quite expensive. Who the hell would pay these rates?
The fastest way for Brody to check out the website was to pretend to be a customer. He quickly registered with a brand new anonymous and untraceable email address. The default payment option was PayPal, which meant only needing to disclose his PayPal email address to the website. Although PayPal would never share those details with the website, it was traceable and so not something Brody wanted to use. However, there was one other payment method — bitcoin — and Brody was impressed to see it listed. It was a cyber-currency, which used a peer-to-peer network coupled with cryptography to control and secure the transactions. But most importantly, it was completely unregulated by any government. For Brody, bitcoin’s main benefit was that it was virtually untraceable, especially for smart people who masked their credentials when creating accounts. Brody always set up a new account for every job he took on, just to further confuse anyone who attempted a trace.
He pressed submit. His account was created. He was inside.
* * *
The man who called himself Crooner42 on the CrackerHack forums scanned the SWY system logs in real time. Every action that users took on the website was recorded in the system logs. Crooner42 often whiled away time watching the logs fill with the activity of tens of thousands of paying subscribers. It was amazing to observe how addictive the site was. His site. It made him feel proud.
It was also making him very rich.
A new entry appeared in the log. Damn, it was just one of the regulars logging back in. A few more entries appeared as the same user navigated through the site and chose a video feed. The log entries highlighted that this user had all the options turned on for the location he was viewing. Perfect, a high-paying customer. Crooner42’s favourite type.
But Crooner42 was growing impatient. He’d set the trap perfectly. Fingal had taken the bait and then he’d had no choice but to accept the challenge. He knew Fingal would waste no time.
Crooner42 was fully aware that the first step on any pentest was to passively scan the target. In the case of SWY the only information available in the public domain was the site itself. Unlike websites for bricks and mortar businesses, SWY had no published list of employees, office addresses or any contact details from the physical world.
That meant Fingal would have to jump to the next step and familiarise himself with the site itself. Crooner42 had set the site up so that some of the webcam locations had looping teaser video feeds, just enough to give future customers a taste of what was inside if they parted with their money. As a non-registered customer, Fingal wouldn’t really be able to find out much. Certainly not enough to pull together enough information to formulate an appropriate pentest strategy.
No, Fingal would have no choice but to register as a new user on the site. That’s what Crooner42 was looking out for in the logs: the creation of a new account. The only problem was that the site was becoming so popular that he was getting hundreds of new user registrations every day. But whoever registered in the next few minutes was bound to be Fingal, hiding behind a fake email address. After all, that’s what Crooner42 would have done.
So where the hell was he?
Crooner42 glanced at his Breitling. It had been thirty minutes since Fingal had accepted the challenge on the CrackerHack pentest forum. And, so far, no new users had registered in that time.
Crooner42 had snorted out loud when Fingal had tried to lighten the seriousness of the challenge with his impudent, “Sure, sounds like fun” acceptance. That hadn’t fooled Crooner42 at all. He knew that Fingal would be shitting himself.
And so he should be.
Public humiliation in the global hacker community wasn’t trivial. It takes months, if not years, to fully recover. Crooner42 knew this better than anyone. He’d been through it, and much, much worse. All thanks to Fingal.
Now it was payback time.
Come on Fingal. Register for fuck’s sake.
Crooner42 was in his two-bedroom penthouse apartment that overlooked the Thames to the south. Not that he ever went out on the balcony to take in the expensive views. He had used some of the income from the site to buy the flat. He’d hired an interior designer and given her the brief to design the world’s best bachelor pad. She’d not let him down. Everything was stone, leather or glass. The colour spectrum supposedly ranged between ecru and burnt umber, which turned out meant off-white to dark-brown. Huge prints of French art-house movies dominated the walls. A reconditioned Adams Family pinball machine sat next to classic Asteroids arcade machine. He enjoyed playing those. But the American-style pool table in the centre was purely for show.
The main bedroom had a huge circular bed, with masculine covers and cushions. It had seen plenty of action over the last few months. The second bedroom, however, was hidden behind a false wall. None of his guests even knew the room was there. He’d had the doors ripped out and replaced with a fake, modern looking bookcase. The interior designer hadn’t even asked why. She’d taken it as a challenge and had delivered a neat solution. When he keyed the code into an app on his iPhone or pressed the button on his key fob, the bookcases swung outwards to reveal a state of the art home office.
Here he observed and controlled every aspect of SWY via thirty-three LCD computer displays mounted floor-to-ceiling on the wall opposite his glass desk. He’d arranged it like a CCTV control room. The screen in the centre was a massive sixty inches. It was surrounded with smaller thirty-six-inch screens in a six-by-six grid. The displays slowly cycled through the hundreds of video feeds from the website, allowing Crooner42 the opportunity to freely survey what his customers paid for.
Most of the webcam locations held little personal appeal. His attention was generally focused on ensuring the feeds kept on working. But there was one location that held his interest. It was the one that had given him the idea for SWY in the first place and he retained a soft spot for it. For this location, he reserved the four top centre screens of the grid to permanently display its webcam feeds. On the public website, he’d assigned the moniker Student Heaven to it.
The log display on the large screen in the centre scrolled upwards. New lines of text appeared at the bott
om.
A new account had been created.
Just as Crooner42 was about to congratulate himself, more log entries appeared. Within two minutes there were eight new user accounts. Damn, which one belonged to Fingal? Or was Fingal being extra clever? Perhaps all eight were his.
Crooner42 rolled up his shirtsleeves. He had some work to do to check out the email addresses, payment details and IP addresses of all eight accounts to see if he could narrow down which of them belonged to everyday users, and which belonged to Fingal. Any typical Internet user should be relatively easy to trace back to the real world. Fingal's user account would be the one that was absolutely impossible to trace.
Crooner42 raised his hands in the air, as if conducting an orchestra.
One or more of the eight was Fingal, he was sure of it.
* * *
You slowly cycle down the affluent residential street as if you’re one of them. No one gives you a second look. You pass within inches of a woman pushing a baby stroller. She is under an umbrella and is plugged into some white earphones. You catch the tinny sound of music. You look back as you pass. Naturally, you want to see if the swivel of her hips has returned following childbirth. You want to see if she’s back on the market, asking for it already, but the music — and the baby, if you’re really honest with yourself — puts you off. You ignore her. You choose not to take an interest.
Yes, you choose. You are the one who decides. You’re like a Roman Emperor selecting who lives and who dies. Thumbs up or thumbs down? Regardless, you’ve already chosen your next one. She’s been really begging for it. She might even be The One. You can’t wait. The anticipation is a pleasure. You can feel it forming between your legs. You try to push it away, back down through your black cycle-shorts but, as usual, it seems to have a life of its own.
You spot a residential green on the corner opposite your destination. You dismount and sit on the bench under a tree. The tree gives a little shelter from the rain. You cross your legs and wait patiently for the hardness to subside. You try to take your mind off it. You look up and concentrate on the wind blowing through the branches. You focus on the dampness of the bench seeping through your Lycra shorts. You hear the slow tap tap tap of raindrops on your cycling helmet, larger for having first collected on the leaves and branches before falling.