Computer Forensics – Swine Flu Scammers: 3 Live Case Stories
The US Better Business Bureau [BBB] says more than 250 website domain names containing the term “swine flu” have so far been registered. The fear is that many of these will be used to defraud and scam consumers. The BBB is especially warning internet users not to take up offers to purchase swine flu vaccines, as no such vaccine exists.
As the internet continues to make the world smaller and allows us to communicate with each other around the globe, scammers use the same networks to infiltrate computer systems. They quickly seize upon world events in the news as a means to mount attacks on unsuspecting victims. Recent examples include phishing emails with the subject lines ‘Italian Earthquake latest news’ and, of course, ‘Swine flu latest news’, used as an inducement to get recipients to open the email and its attachments, which pose as images.
Wikipedia defines phishing as “the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication”. Scammers also seek to infect computer systems with viruses, trojans and key-stroke logging programs as a method of stealing information. This activity can result in the unauthorised copying, manipulation and deletion of files or logs on a computer system. There is now an established industry combating these attacks, including vendors such as Norton and AVG.
Attacks using phishing or trojan applications are usually discovered only after the event: the system administrator or the users are often the first to notice that files have been altered or deleted, or that data have been copied without authority. At this point administrators often turn to computer forensics (digital forensics) specialists to ascertain the extent of the compromise and what information has been altered, deleted, moved or copied.
Computer forensics is often described as the methodology of gathering evidence in a systematic manner, and it has become an everyday operation on modern computer networks. In the past, computer forensics was usually aimed at gathering evidence in relation to a criminal act or a civil litigation matter. Increasingly, however, computer forensics has more to do with other issues, some of which include:
1. Gaining insight into the actions of specific users on a system where no legal proceedings are contemplated;
2. Tracking competitors engaged in electronic intelligence gathering; or
3. Dealing with overseas-based cyber-criminals who operate well outside the effective control of most law enforcement agencies, where no viable means of prosecution exists to identify and deal with offenders.
A common notion is that computer forensics principally involves retrieving deleted data from hard drives. In practice it often involves wading through a huge number of transactions and accounting records (forensic accounting) in order to piece together and unearth fraud trails. Sifting through a myriad of data records to isolate and map otherwise undetectable fraud patterns is an everyday computer forensics activity. In most cases there exists beforehand a reasonable suspicion that an intrusion, compromise of information or crime has already been committed, and that suspicion precipitates the examination and analysis.
With the potential for scammers to find new ways to compromise data and cause losses to legitimate businesses, we have drawn from our case files a few interesting and not so commonly understood ways in which computer forensics is being employed.
Case 1. E-mail Hate Campaign
The new CEO of a multi-billion dollar oil and gas company was keen to change its entrenched working culture from the bottom up; one characterised by parochialism, the non-acceptance of recently appointed employees and an unwillingness among middle management to accept change.
The roll-out of changes by the new CEO was met with a number of the newer personnel receiving vexatious and malicious emails from anonymous email accounts (Yahoo, Hotmail, mail.com, mailusa, etc.) or via the contact page on the corporate website. All of the emails contained operational and proprietary details specific to the daily activities within the company, indicating that the authors were working in the HQ offices. As a rule, the emails had been sent between 8.00pm and 11.00pm on weekdays, with content relating to an event that had occurred on that or the prior day.
Investigations and interviews revealed that some victim employees had also received hard copies of internal emails, mailed to them at their home and office addresses. This indicated that some managers’ email accounts had been compromised and were being read by unauthorised persons.
A review of the access logs for the suspected compromised email accounts revealed that different ISPs had been used to access the email outside office hours. Comparing the originating IP addresses of the unauthorised access with the IP addresses used to access other employees’ email accounts showed common patterns: the same external addresses appeared in the logs of several mailboxes. It transpired that some rogue employees had acquired the passwords of other personnel and were logging in to the email system to read others’ emails. A further review found a match between the MAC addresses of the suspect managers’ home machines and those logging into accounts without authority. (A MAC address is only visible on the local network segment and is not carried across the internet, so such a match can only be made where the machines themselves are examined or where they connect through corporate infrastructure, such as a VPN gateway, that records it.)
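The correlation described above, as an added example that is not part of the original case file: webmail access logs are parsed, logins outside office hours from non-office addresses are isolated, and any external address that opened more than one mailbox is reported together with the mailbox it most likely belongs to and the hours at which it was active. The log format, the office egress address, the office hours and every log line are constructed for the example.

```python
"""Correlate webmail access logs to find which employee's home connection is
reading other people's mailboxes after hours.

Added example, not from the case described on the page. The log format, the
office egress address, the office hours and all log lines are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime

OFFICE_EGRESS = {"203.0.113.10"}   # assumed corporate NAT address for in-office logins
OFFICE_START, OFFICE_END = 8, 18   # assumed office hours, 08:00-18:00 local, Mon-Fri

# Constructed log: "<ISO timestamp> <account> <source IP> <result>"
SAMPLE_LOG = """\
2009-05-04T09:12:05 j.smith 203.0.113.10 OK
2009-05-04T10:40:11 a.jones 203.0.113.10 OK
2009-05-04T20:31:44 r.lee 198.51.100.77 OK
2009-05-04T20:35:02 j.smith 198.51.100.77 OK
2009-05-04T20:52:19 a.jones 198.51.100.77 OK
2009-05-04T21:15:00 r.lee 198.51.100.77 OK
2009-05-04T22:05:40 m.brown 192.0.2.44 OK
2009-05-05T08:05:13 m.brown 203.0.113.10 OK
2009-05-05T20:50:09 r.lee 198.51.100.77 OK
2009-05-05T21:10:33 j.smith 198.51.100.77 OK
2009-05-05T22:40:00 r.lee 198.51.100.77 OK
2009-05-06T19:45:00 j.smith 198.51.100.23 FAIL
"""


def parse_log(text):
    """Parse one event per line into a dict with a datetime, account, IP and success flag."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "ip": ip, "ok": result == "OK"})
    return events


def is_after_hours(ts):
    """True on weekends and outside the assumed office window on weekdays."""
    return ts.weekday() >= 5 or not (OFFICE_START <= ts.hour < OFFICE_END)


def after_hours_remote_logins(events):
    """Successful logins outside office hours that did not come from the office egress."""
    return [e for e in events
            if e["ok"] and e["ip"] not in OFFICE_EGRESS and is_after_hours(e["ts"])]


def accounts_by_ip(events):
    """Map each source IP to a Counter of the accounts it logged into."""
    by_ip = defaultdict(Counter)
    for e in events:
        by_ip[e["ip"]][e["account"]] += 1
    return by_ip


def find_shared_ips(events):
    """Remote after-hours addresses that opened more than one mailbox.

    The mailbox opened most often from an address is taken as that address's
    likely owner (an investigative assumption to be confirmed with the ISP or by
    examining the machine); the remaining mailboxes are the ones being read
    without authority. The hours of day are kept so they can be compared with
    the times the anonymous emails were sent.
    """
    findings = {}
    for ip, counts in accounts_by_ip(after_hours_remote_logins(events)).items():
        if len(counts) < 2:
            continue  # one mailbox from one home address is normal remote access
        owner = counts.most_common(1)[0][0]
        findings[ip] = {
            "likely_owner": owner,
            "read_accounts": sorted(a for a in counts if a != owner),
            "login_hours": sorted({e["ts"].hour for e in events
                                   if e["ip"] == ip and e["ok"]}),
        }
    return findings


if __name__ == "__main__":
    for ip, f in find_shared_ips(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: likely owner {f['likely_owner']} also opened "
              f"{', '.join(f['read_accounts'])} during hours {f['login_hours']}")
```

On the constructed data the only address flagged is 198.51.100.77, attributed to r.lee, which also opened the a.jones and j.smith mailboxes between 20:00 and 23:00; m.brown’s evening login from a single home address is left alone. The owner attribution is a lead, not proof: it still has to be tied to a person through the ISP, the machine or an interview, as the case did.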
When the rogue personnel were confronted with this information during interviews, they admitted monitoring the email accounts of personnel in other divisions because they felt threatened by the changes initiated by the CEO. All resigned from their positions, and the CEO continued with his plans to shake up the organisation.
Case 2. Screen Scraping – Quote Harvesting
A mid-sized general insurer noticed a dramatic upsurge in the number of online motor vehicle and home insurance quotes being requested through its website. The increase in traffic had caused the servers to crash on a number of occasions, inconveniencing potential customers.
The insurer’s website provided quick comparative quotes and the ability to progress immediately to premium payment. The quote form also allowed the user to enter variations such as engine size, sunroof, age of vehicle, where it was usually parked, etc., so the number of permutations for each vehicle or household quote was considerable. This pricing information, although publicly accessible one quote at a time, was the proprietary information of the insurer; it was updated every few days and was market sensitive.
Analysis by our forensic investigation team found that the number of quotes requested on the insurer’s website had surged over the previous six months by tens of thousands of hits per day. The frequency and pattern of the quote requests [at times over 10 quotes per second] indicated that around one in every two quotes, totalling several million, were being harvested electronically through the use of bots [“robots” – automated computer applications]. Examination and mapping of the IP addresses revealed that the same two dozen or so computers were being used to access the client’s web server.
Essential to the attack was a technique commonly known as screen scraping: a program requests the quote page and parses each element of the displayed output. The information provided in each quote was automatically harvested by the bots so that a matrix of the values of the various quotes could be constructed for a third party.
This screen scraping activity was harming the insurer not only by procuring its pricing information but also by consuming bandwidth, slowing down the server and inconveniencing genuine prospective clients; in effect, a denial of service.
Analysis of traffic from the suspect IP addresses revealed that the hours after midnight were most commonly used for the attack. Investigation of the addresses indicated that the host computers were being used as intermediaries to surreptitiously obtain the quotes: they had been compromised, and their owners were unaware that their machines were being used as proxy servers to disguise the true origin of the requests. Working with the owners of the compromised servers, tracking code was sent from their computers to the IP addresses that were the ultimate recipients of our client’s insurance premium information. This in turn revealed that a local software company had been harvesting many of the major insurers’ websites and on-selling the live data to unscrupulous brokers.
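The two indicators the analysis relied on, burst rate per source address and time of day, as an added example that is not the investigation team’s own tooling: web-server access logs in Common Log Format are profiled per source IP for total quote requests, peak requests in any one second and the hours of activity, addresses whose burst rate exceeds what a person could type are flagged, and the share of all quote requests they account for is computed. The log lines, addresses and the 5 requests-per-second threshold are constructed for the example.

```python
"""Profile web-server access logs for automated quote harvesting.

Added example, not from the case on the page. The log lines, addresses and
thresholds are constructed; the heuristics (burst rate per source address and
time of day) follow the indicators described in the case.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
BURST_RPS = 5  # assumed: no human completes 5 quote forms within one second


def make_sample_log():
    """Constructed log: two scrapers cycling engine sizes at 10 and 6 requests per
    second after midnight, and three human visitors during the day."""
    def line(ip, ts, params):
        return f'{ip} - - [{ts.strftime(TIME_FMT)}] "GET /quote?{params} HTTP/1.1" 200 5120'

    lines = []
    night = datetime(2009, 5, 4, 1, 0, 0, tzinfo=timezone.utc)
    for ip, rps in (("198.51.100.5", 10), ("198.51.100.9", 6)):
        for sec in range(60):
            for n in range(rps):
                cc = 1000 + 100 * (sec * rps + n)
                lines.append(line(ip, night + timedelta(seconds=sec), f"make=ford&cc={cc}"))
    day = datetime(2009, 5, 4, 10, 0, 0, tzinfo=timezone.utc)
    for i, ip in enumerate(("203.0.113.20", "203.0.113.21", "203.0.113.22")):
        for k in range(5):
            ts = day + timedelta(minutes=7 * i, seconds=45 * k + 13 * i)
            lines.append(line(ip, ts, f"make=vw&cc={1400 + 200 * k}"))
    return "\n".join(lines)


def parse_quote_requests(text):
    """Return (ip, timestamp) for every request to the quote endpoint."""
    events = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue
        ip, ts, _method, path, _status = m.groups()
        if path.startswith("/quote"):
            events.append((ip, datetime.strptime(ts, TIME_FMT)))
    return events


def profile_ips(events):
    """Per source IP: total quote requests, peak requests in any one second, hours active."""
    per_second = Counter((ip, ts) for ip, ts in events)  # CLF has one-second resolution
    prof = defaultdict(lambda: {"total": 0, "peak_rps": 0, "hours": set()})
    for (ip, ts), n in per_second.items():
        p = prof[ip]
        p["total"] += n
        p["peak_rps"] = max(p["peak_rps"], n)
        p["hours"].add(ts.hour)
    return prof


def flag_scrapers(events, burst_rps=BURST_RPS):
    """Addresses whose burst rate exceeds what a person can type, and the share
    of all quote requests they account for."""
    prof = profile_ips(events)
    flagged = {ip: p for ip, p in prof.items() if p["peak_rps"] >= burst_rps}
    harvested = sum(p["total"] for p in flagged.values())
    share = harvested / len(events) if events else 0.0
    return flagged, share


if __name__ == "__main__":
    flagged, share = flag_scrapers(parse_quote_requests(make_sample_log()))
    for ip, p in sorted(flagged.items()):
        print(f"{ip}: {p['total']} quotes, peak {p['peak_rps']}/s, active hours {sorted(p['hours'])}")
    print(f"{share:.1%} of quote requests came from flagged addresses")
```

A burst threshold alone misses a scraper that paces itself to one request every few seconds; the per-address total and the hours-of-activity profile catch that case, since no genuine prospective customer requests hundreds of quotes in the small hours. Because the scrapers in the case ran through compromised machines, the flagged addresses identify the relays, not the party behind them, which is why the investigation had to continue with the owners of those machines.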
Case 3. Scam emails – advice from a CEO
A notable investment bank with offices overseas, and a well known and well regarded CEO, began to be notified by people in Europe and Asia that they had received an email claiming to have been sent by him. The email sought investors for a new investment fund and played on the reputation of the CEO.
The investment bank was alarmed that its CEO’s name was being used in an email scam and was concerned that any negative news could sully its reputation.
Replies were sent to the originating email addresses and to those given as the desired response address [often spoofed Yahoo or mail.com accounts]. A dialogue was entered into with the scammers to elicit more information. The scammers stated that they were based in South Africa and gave cell phone numbers in that country as a point of contact. A review of the originating IP addresses in the email headers confirmed that some of the emails had been sent from South Africa, but others were coming from West Africa.
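How the originating addresses are read out of a message, as an added example that is not the firm’s own procedure: the Received: chain is walked from the earliest hop, the first routable address is reported as the claimed origin, the address that actually connected to the recipient’s own mail server is reported separately as the one hop that can be trusted, and the displayed From: domain is compared with the Reply-To and Return-Path domains. The headers, hostnames and addresses are constructed (documentation address ranges stand in for public addresses), and the bank’s inbound host name is an assumption.

```python
"""Trace the origin of a spoofed email from its Received: chain.

Added example, not from the case on the page. The headers are constructed
(documentation address ranges stand in for public addresses) and the bank's
inbound host name is an assumption.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Constructed headers. The bottom Received: line is the webmail provider's record
# of the client that composed the message; the top line is written by the bank's
# own mail server and is the only hop it can vouch for.
SAMPLE_HEADERS = """\
Return-Path: <invest.fund2009@mail.example.test>
Received: from smtp-out.webmail.example.test (smtp-out.webmail.example.test [198.51.100.42])
    by inbound.example-bank.test (Postfix) with ESMTP id 4F2A1C0B3;
    Mon, 4 May 2009 10:22:31 +0200
Received: from web42.webmail.example.test ([10.12.0.8])
    by smtp-out.webmail.example.test with SMTP; Mon, 4 May 2009 08:22:30 GMT
Received: from [203.0.113.77] by web42.webmail.example.test via HTTP;
    Mon, 4 May 2009 08:22:29 GMT
From: "John Banker, CEO" <john.banker@example-bank.test>
Reply-To: invest.fund2009@mail.example.test
Subject: Private investment opportunity
"""

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Only non-routable space is skipped; the documentation ranges used in the sample
# are deliberately treated as public so the example behaves as a real case would.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(literal):
    """True for RFC 1918, loopback, link-local or malformed literals."""
    try:
        ip = ip_address(literal)
    except ValueError:
        return True  # never treat a malformed literal as an origin
    return any(ip in net for net in INTERNAL_NETS)


def hops(raw):
    """Received: headers as (ip_literals, by_host), earliest hop first."""
    msg = message_from_string(raw)
    out = []
    for h in reversed(msg.get_all("Received") or []):
        by = re.search(r"\bby\s+(\S+)", h)
        out.append((IPV4_RE.findall(h), by.group(1) if by else ""))
    return out


def trusted_entry_ip(raw, own_hosts):
    """Address that handed the message to our own server: the last hop we can trust."""
    for ips, by in reversed(hops(raw)):  # latest hop first
        if by in own_hosts:
            for lit in ips:
                if not is_internal(lit):
                    return lit
    return None


def claimed_origin_ip(raw):
    """Earliest routable address in the chain, as recorded by upstream servers.

    This is the sender's client address if the provider's Received: line is
    honest; a scammer who controls the sending server can forge it, so it is a
    lead to corroborate (as the case did, through replies and phone numbers),
    not proof.
    """
    for ips, _by in hops(raw):
        for lit in ips:
            if not is_internal(lit):
                return lit
    return None


def sender_mismatch(raw):
    """True when the displayed From: domain differs from where replies actually go."""
    msg = message_from_string(raw)

    def domain(header):
        return parseaddr(msg.get(header, ""))[1].rpartition("@")[2].lower()

    return domain("Reply-To") != domain("From") or domain("Return-Path") != domain("From")


if __name__ == "__main__":
    print("entry hop:", trusted_entry_ip(SAMPLE_HEADERS, {"inbound.example-bank.test"}))
    print("claimed origin:", claimed_origin_ip(SAMPLE_HEADERS))
    print("From/Reply-To mismatch:", sender_mismatch(SAMPLE_HEADERS))
```

For the constructed message the trusted entry hop is the webmail provider’s outbound server and the claimed origin is the client address the provider recorded; only the latter says anything about where the scammer sat, and only if the provider is honest. Geolocating that address to a country, as the case describes, needs an IP-to-country database and is left out here so the example runs offline.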
A case file was compiled and submitted to the authorities in South Africa with the contact details of the scammers. The authorities took up the dialogue with the scammers and made efforts to track them down via their mobile phones. Some of the scammers were located by the authorities and eventually deported from the country after being detained for some months.
Please tell us if you would like to see more case histories…