From Wikileaks with Love

In the 1990’s, when I first started doing computer forensics and investigating Internet crimes as a police sergeant, it was not unusual to sometimes use my knowledge for slightly evil v. good. I recall a co-worker giving me some good-natured ribbing, and it was only right that I reciprocate. I turned to my computer, typed a few lines into a Russian website, and asked him if he had seen his new webpage. He stated he didn’t have a web page. I told him he did now, and I had him type his full name into the address bar. Immediately an unusual fetish website appeared with his name in the address bar. He learned two lessons. One, it would cost him lunch to have me remove it from the Internet, and two, you do not mess with someone who can put your name on the world-wide web forever, and on a Russian server no less.

It broke up a tedious day of tracing bomb threats, child pornography websites, and a host of other criminal cases involving computer forensics, emails and the Internet.

Upon retirement, I was engaged to review Phishing emails sent to customers of a major bank. I’d trace them around the world to the source, contact the network service provider, and get the web address and webpage shut down. The schemes were always the same: an email purporting to be from a bank would be sent to a victim, informing them they must click on an embedded link to change their password or some catastrophic event would happen to all their accounts and money. While the link appeared to be from the bank, a close inspection always showed it was not. These schemes were traced to Romania, Brazil, Russia, Germany, Spain, and a host of other countries. Typically, the Phisher was aided by hacking into a server of a middle school, café, or other legitimate business without their knowledge and then using that server for the scheme. I remember one Phisher using Korean school servers exclusively. I named him Kimchi. I could always tell a Kimchi Phishing email. Like most Phishers, he always used the same code and text, just repeating it on a new website after he was shut down on the last one. Kimchi had a habit of urging the customer to “earnestly” change their password. Not a word in common use. The embedded code was always the same except for the redirect to his new phishing webpage. Picture placement, formatting and other code always matched Kimchi’s previous attempts. The embedded code would also show an email address where the Phished information was being redirected.

Whenever I was asked to do presentations on the Internet, I emphasized the obvious signs of a Phish and how to avoid becoming a victim, such as checking whether the originating email address differed from the bank’s. Directions not to click on the email hyperlink, but to use your own bookmark to go to the bank website, etc., were taught. Simple precautions.

So it was of great interest to me this past year when WikiLeaks started producing emails from a Gmail account that involved major players in the presidential election. It was not a typical “hack” as routinely reported; it was a simple Phishing email, as simple as any that have been around since Internet financial transactions started. Instead of going to a known Gmail website, someone apparently clicked on a link and gave up a user name and password, allowing the Phisher to access the account and download documents and emails. I have seen no information in the email that it contained a Trojan virus or other malware that would indicate a more traditional hacking scenario. There are some clues in the Phishing email that should have led the user to send it to the junk folder.

Initial observation of the email showed some capitalization, punctuation, and grammar errors; as an example, “sign in to your account” instead of “sign into.” The email text states that an attempt was made to sign into the user account from a Ukraine Internet Protocol address, and a date and time were provided, except the year was missing from the date. The signature salutation “Best” could routinely be used by Gmail, but I’ve only seen it in emails from my friends in the UK. Hovering a mouse over the Click Here icon showed a Bitly tiny URL, not a Google secure link (https).
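As an added example (not code from the original post), here is a small Python check that applies the clues described above to a constructed message: a sender domain that is not Google's, a date line with no year, and a Click Here link that is a Bitly short URL over plain http rather than an https Google link. The expected-domain and shortener lists, the sample sender and the sample body are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed: domains the legitimate sender (Google, in the post) would use.
EXPECTED_DOMAINS = {"google.com", "accounts.google.com"}
# URL shorteners hide the real destination; the post's sample used Bitly.
SHORTENERS = {"bit.ly", "bitly.com", "tinyurl.com"}
MONTH_RE = re.compile(r"\b(?:january|february|march|april|may|june|july|august|"
                      r"september|october|november|december)\b", re.IGNORECASE)
YEAR_RE = re.compile(r"\b(?:19|20)\d{2}\b")
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)

# Constructed sample modelled on the clues in the post; not the real email.
SAMPLE_SENDER = "no-reply@accounts-google.example"
SAMPLE_BODY = (
    "<p>Someone just used your password to try to sign in to your Google Account.</p>\n"
    "<p>Details: Saturday, 19 March, 8:34 AM<br>IP Address: 203.0.113.5 (Ukraine)</p>\n"
    '<p><a href="http://bit.ly/example-shortlink">CLICK HERE</a> to change your password.</p>\n'
    "<p>Best,<br>The Mail Team</p>"
)


def _in_domain(host: str) -> bool:
    """True if host is an expected domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)


def phishing_indicators(sender: str, body_html: str) -> list:
    """Return a list of red flags found in the sender address and HTML body."""
    flags = []
    sender_host = sender.rsplit("@", 1)[-1].lower()
    if not _in_domain(sender_host):
        flags.append(f"sender domain is not an expected domain: {sender_host}")
    # A date that names a month but carries no four-digit year on the same line.
    for line in body_html.splitlines():
        if MONTH_RE.search(line) and not YEAR_RE.search(line):
            flags.append(f"date without a year: {line.strip()}")
    # Inspect every link target, the way hovering over "Click Here" does.
    for url in HREF_RE.findall(body_html):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            flags.append(f"link is not https: {url}")
        if host in SHORTENERS:
            flags.append(f"link uses a URL shortener: {url}")
        elif not _in_domain(host):
            flags.append(f"link host is not an expected domain: {url}")
    return flags


if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE_SENDER, SAMPLE_BODY):
        print("RED FLAG:", flag)
```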

Many countries have developed sophisticated programs for obtaining information by hacking or Phishing. As an example, numerous computer programmers and engineers in Russia were primarily involved in the industrial military complex until the 1991 fall of the Soviet Union. Suddenly they found themselves out of work as the need for their skills decreased. During the same time period, IT and network security was not a high priority with companies expanding into e-commerce or institutions. Using their skills for evil, not good, became a viable transition. Groups of programmers developed hacking tools and software that were shared on the dark web with others. Sometimes the programs were sold or just provided free for others to use in schemes. Eventually, governments realized the value of having these specialists back on the payroll. Better they work for us, rather than against us.

Eide Bailly LLP’s computer forensics team has investigated a significant number of Phishing cases. In some incidents, an employee opened an attachment in a Phishing email that contained a virus which accessed the company network; in others, fake emails from a company executive caused an employee to transfer funds to the suspect’s bank account. In some cases involving client companies and banks, more extensive computer and network forensics were required to validate that HIPAA information and data of concern to the FDIC had not been obtained by the schemes, thus saving the businesses the expense of customer notifications, credit monitoring fees, and possible fines.

Based on our Phishing investigative experience, we have provided prevention tips to prospects and clients to protect themselves from these schemes. As an example, networks can be configured to lock out certain Internet Protocol addresses or flag certain emails for closer scrutiny. Employees receiving unusual requests to transfer funds should verify the requests by calling the source or emailing using contact information from the company server, not the suspicious email. Updating policies relating to Phishing and suspicious emails, so that all employees are alert to the latest schemes, can also help prevent breaches of systems and data theft.

The schemes seen today are not much different than those in the 1990’s. Perhaps the software is more sophisticated, the Phishing emails having a more professional look or using a slightly different twist to the scheme, but the preventative measures remain the same.

Digging Deeper – How Computer Forensic Investigations can reveal a Treasure Trove of Information

In a previous career, I remember returning from an NICB conference and sitting down at my desk at the St. Paul Police Auto Theft Unit. I was excited to pick up fresh cases and put my new knowledge to work.

One of the first files I picked up was a case in which the auto theft report had more red flags than a Bolshevik convention. It turned out the vehicle had never seen a Minnesota winter. Purchased in Oregon, it immediately went on a container ship to Osaka, Japan. Two weeks after registering it in Minnesota, the suspect filed the auto theft report. Working together with an insurance SIU agent, we traced the vehicle and it was located by Japanese police. Eventually, the suspect was charged. Since the suspect owned an import/export company, I thought it was only fair to also discuss the case with U.S. Customs and tax revenue authorities. He likely is still being audited.

Eventually, my career led me out of the auto theft unit and into our police SIU. I performed computer forensics for a wide variety of cases as part of my duties. It took years for the various units to realize the value of computer forensics in their investigations, which now is something that is taken for granted in law enforcement. Every once in a while, on an auto theft case, an examination would discover forged insurance cards, identifications, vehicle titles, and emails between co-conspirators. Extracting computer evidence is much easier than checking under the hood for EPA stickers and matching seatbelt dates against the vehicle year.

Upon retiring, I was approached by a public accounting firm, Eide Bailly LLP, to do computer forensic examinations for their fraud and forensic accounting unit. They made me an offer to exit retirement that my wife couldn’t refuse. I found the cyber hunt for fraud, embezzlers, hidden assets, co-conspirators, and forged documents was only limited by the engagement hours. The cases, though, can be much more interesting and entertaining. Some case examples include:

  • The soon to be ex-husband who claimed poverty in the divorce proceedings, but revealed in a recovered Skype chat with his girlfriend that he was hiding assets in bank accounts set up in her name and sending loaded pre-paid credit cards to her.
  • The company accountant who was embezzling funds to support his addiction to gentlemen’s clubs and prostitutes. Information recovered from his work computer included hotel reservations, multiple 401(k) loans, and even video files of him with the prostitutes. All ATM deposits using stolen funds and withdrawals came from the same gentlemen’s club location.
  • A manager discussing a loan fraud who stated in an email, “I’m not going to jail over this!”
  • An insurance SIU case where they wanted detailed information from the cash registers’ hard drives. Employees’ names, receipts, and most important to SIU, the last use time/dates on the registers were all obtained using computer forensics.
  • In a non-compete case, finding that the respondent tampered with computer evidence during the discovery process allowed for a client not only to win the case, but also have the court order the respondent to reimburse for all legal costs and expenses because of the spoliation of evidence.
  • Emails, deleted two years prior to a computer forensic examination, showed a conspiracy to hide information from a college internal investigative authority. Romantic chat that was found was also documented for corporate counsel. This was done to assist the college (and vicariously the insurance company) in any future litigation should a quid pro quo civil suit result from the supervisor/subordinate romance between two employees.
  • In a voter fraud case, a district attorney had only three weeks before an election to verify whether an individual running for public office had committed voter fraud. The suspect’s live-in companion had been deceased for over five years, but her absentee ballots had been mailed in after her death. The district attorney was comfortable having the forensic examination done by retired law enforcement. In less than a week, deleted emails were found in which the suspect admitted the offense to several individuals. The emails identified local witnesses to be interviewed and identified them as grand jury witnesses. The suspect dropped out of the campaign and subsequently pleaded guilty to voter fraud.

Computer forensics pairs well with forensic accountants. Inventories, income, and expenses all can be compared to other data. Typically, audits and accountants only look at the 20 percent of information that is structured, ignoring the 80 percent of the unstructured information. Chat, deleted data, emails, and metadata showing forged documents are all unstructured in nature. A complete fraud investigation should attempt to gather both structured and unstructured information.

Computer forensics is a cyber hunt. It is different from data recovery performed by information technology specialists. In computer forensics, one red flag leads to a second and a third. In many cases, a computer forensic examination can immediately uncover evidence that causes a third party to the litigation to give up the suit or settle.