From Wikileaks with Love

In the 1990s, when I first started doing computer forensics and investigating Internet crimes as a police sergeant, it was not unusual to sometimes use my knowledge for slightly evil rather than good. I recall a co-worker giving me some good-natured ribbing, and it was only right that I reciprocate. I turned to my computer, typed a few lines into a Russian website, and asked him if he had seen his new webpage. He said he didn’t have a webpage. I told him he did now, and had him type his full name into the address bar. Immediately an unusual fetish website appeared, with his name in the address bar. He learned two lessons. One, it would cost him lunch to have me remove it from the Internet, and two, you do not mess with someone who can put your name on the World Wide Web forever, and on a Russian server no less.

It broke up a tedious day of tracing bomb threats, child pornography websites, and a host of other criminal cases involving computer forensics, emails and the Internet.

Upon retirement, I was engaged to review Phishing emails sent to customers of a major bank. I’d trace them around the world to the source, contact the network service provider, and get the web address and webpage shut down. The schemes were always the same: an email purporting to be from the bank would be sent to a victim, informing them they must click on an embedded link to change their password or some catastrophic event would happen to all their accounts and money. While the link appeared to be from the bank, a close inspection always showed it was not. These schemes were traced to Romania, Brazil, Russia, Germany, Spain, and a host of other countries, typically aided by the Phisher hacking into a server of a middle school, café, or other legitimate business without their knowledge and then using that server for the scheme. I remember one Phisher using Korean school servers exclusively. I named him Kimchi. I could always tell a Kimchi Phishing email. Like most Phishers, he always used the same code and text, just repeating it on a new website after he was shut down on the last one. Kimchi had a habit of urging the customer to “earnestly” change their password, not a word in common use. The embedded code was always the same except for the redirect to his new Phishing webpage. Picture placement, formatting and other code always matched Kimchi’s previous attempts. The embedded code would also show the email address to which the Phished information was being sent.

Whenever I was asked to give presentations on the Internet, I emphasized the obvious signs of a Phish and how to avoid becoming a victim: checking the originating email address to see whether it differed from the bank’s, not clicking on the hyperlink in the email but using your own bookmark to go to the bank’s website, and so on. Simple precautions.

So it was of great interest to me this past year when WikiLeaks started publishing emails from a Gmail account that involved major players in the presidential election. It was not a typical “hack” as routinely reported; it was a simple Phishing email, as simple as any that have been around since Internet financial transactions started. Instead of going to the known Gmail website, someone apparently clicked on a link and gave up a user name and password, allowing the Phisher to access the account and download documents and emails. I have seen no information that the email contained a Trojan virus or other malware that would indicate a more traditional hacking scenario. There are some clues in the Phishing email that should have sent it to the user’s junk folder.

Initial observation of the email showed some capitalization, punctuation, and grammar errors; as an example, “sign in to your account” instead of “sign into”. The email text states that an attempt was made to sign into the user’s account from a Ukrainian Internet Protocol address, and a date and time were provided, except the year was missing from the date. The signature salutation “Best” could routinely be used by Gmail, but I’ve only seen it in emails from my friends in the UK. Hovering the mouse over the Click Here button showed a Bitly shortened URL, not a secure (https) Google link.
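The checks in the two passages above (compare the originating address with the bank’s, look at where the link really goes before clicking, spot a shortener or a non-https destination, notice where an embedded form would send the credentials, and recognise a template that keeps coming back the way Kimchi’s did) can be run mechanically against a raw message. The following is an added example in Python, not code from this article or from Eide Bailly. Every sender, domain, message body and bit.ly path in it is constructed for the demonstration, and the shortener list and the pressure-word list are assumptions a practitioner would tune to their own mail flow.

```python
"""Triage a raw e-mail for the phishing tells the article lists. Added example, not the
article's or Eide Bailly's tooling; every sender, domain, body and short link is constructed."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed shortener list; a "Bitly tiny URL" hides the real landing page.
SHORTENERS = {"bit.ly", "bitly.com", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}
# Assumed pressure words; "earnestly" was the author's Kimchi tell.
URGENCY = re.compile(r"\b(earnestly|immediately|urgent(?:ly)?|suspended|within 24 hours)\b", re.I)

class PageWalker(HTMLParser):
    """Collect (href, visible text) per anchor, form actions, and the tag sequence."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self.tags = [], [], []
        self._href, self._text = None, []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href") or "", []
        elif tag == "form":
            self.forms.append(a.get("action") or "")
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def same_org(host, domain):  # the expected domain itself or any subdomain of it
    return host == domain or host.endswith("." + domain)

def triage(raw, expected_domain):
    """Return (findings, fingerprint). findings: indicator strings, empty when
    nothing tripped. fingerprint: hash of the tag sequence plus anchor texts,
    deliberately ignoring hrefs, so one template resent with a new landing
    page (the Kimchi pattern) hashes the same."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0] if msg["From"] else None
    sender_dom = sender.domain.lower() if sender else ""
    if not same_org(sender_dom, expected_domain):  # the originating-address check
        findings.append(f"sender domain '{sender_dom}' is not {expected_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    walker = PageWalker()
    walker.feed(content)
    for href, label in walker.links:  # what hovering over "Click Here" reveals
        h = host_of(href)
        if h in SHORTENERS:
            findings.append(f"shortened link {href} behind '{label}'")
        elif urlparse(href).scheme != "https":
            findings.append(f"non-https link {href} behind '{label}'")
        elif not same_org(h, expected_domain):
            findings.append(f"link to foreign host {h} behind '{label}'")
    for action in walker.forms:  # where an in-mail form would send the credentials
        if action.startswith("mailto:") or not same_org(host_of(action), expected_domain):
            findings.append(f"form submits to {action}")
    m = URGENCY.search(content)
    if m:
        findings.append(f"pressure wording: '{m.group(0)}'")
    fp_src = " ".join(walker.tags) + "|" + "|".join(label for _, label in walker.links)
    return findings, hashlib.sha256(fp_src.encode()).hexdigest()[:16]

def _mail(sender, subject, html):
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "target@example.org", subject
    m.set_content(html, subtype="html")
    return m.as_bytes()

def sample_phish(href):
    """Constructed look-alike of the warning the article describes; href is the lure."""
    return _mail("Bank Security <alerts@bank-security.example>", "Someone has your password",
                 "<html><body><p>Someone just used your password to try to sign into your\n"
                 "account from an IP address in Ukraine.</p>\n"
                 "<p>You should change your password immediately.</p>\n"
                 f'<p><a href="{href}">CHANGE PASSWORD</a></p>\n'
                 "<p>Best,<br>The Security Team</p></body></html>\n")

def sample_legit():
    """Constructed benign notice: subdomain sender, direct https link, no pressure words."""
    return _mail("Bank Alerts <alerts@notify.bank.example>", "New sign-in recorded",
                 "<html><body><p>A new sign-in was recorded on your account.</p>\n"
                 '<p><a href="https://online.bank.example/activity">Check activity</a></p>\n'
                 "</body></html>\n")

if __name__ == "__main__":
    for raw in (sample_phish("http://bit.ly/1aBcDeF"), sample_legit()):
        print(triage(raw, "bank.example"))
```

Run as a script it prints three findings for the constructed phish (foreign sender domain, bit.ly link behind the button, the word “immediately”) and none for the benign notice. The fingerprint is built from the HTML structure and the anchor text only, so when the same lure is resent pointing at a freshly compromised server the value does not change; that is what lets a reviewer say “this is Kimchi again” before reading the body.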

Many countries have developed sophisticated programs for obtaining information by hacking or Phishing. As an example, numerous computer programmers and engineers in Russia were primarily involved in the military-industrial complex until the 1991 fall of the Soviet Union. Suddenly they found themselves out of work as the need for their skills decreased. During the same period, IT and network security was not a high priority for companies expanding into e-commerce, or for institutions. Using their skills for evil, not good, became a viable transition. Groups of programmers developed hacking tools and software that were shared with others on the dark web; sometimes the programs were sold, sometimes just provided free for others to use in schemes. Eventually, governments realized the value of having these specialists back on the payroll: better they work for us than against us.

Eide Bailly LLP’s computer forensics team has investigated a significant number of Phishing cases. In some incidents, an employee opened an attachment in a Phishing email which contained a virus that accessed the company network; in others, fake emails from a company executive caused an employee to transfer funds to the suspect’s bank account. In some cases, for client companies and banks, more extensive computer and network forensics were required to validate that HIPAA information and data of concern to the FDIC was not obtained by the schemes, thus saving the businesses the expense of customer notifications, credit monitoring fees, and possible fines.

Based on our Phishing investigative experience, we have provided prevention tips to prospects and clients to protect themselves from these schemes. As an example, networks can be configured to block certain Internet Protocol addresses or flag certain emails for closer scrutiny. Employees receiving unusual requests to transfer funds should verify the requests by calling the source or emailing using contact information from the company server, not from the suspicious email. Updating policies as they relate to Phishing and suspicious emails, to ensure all employees are on alert for the latest schemes, can likewise help to prevent breaches of the systems and data theft.

The schemes seen today are not much different from those in the 1990s. Perhaps the software is more sophisticated, and the Phishing emails have a more professional look or use a slightly different twist on the scheme, but the preventative measures remain the same.