Criminal activities in the “U.S. vs. Gorshkov” case took place during 1999 and 2000.
Several complaints were filed with the FBI in multiple jurisdictions, covering
computer intrusion, system outage and attempted extortion. The coordinated effort of
several offices and investigating agents ultimately resulted in an undercover operation
in November 2000, in which the suspects were lured with fictitious international job
advertisements and interview offers. Two suspects were arrested in Seattle as a
result of the operation and were subsequently charged with numerous offences.
The internet-connected computers used in the undercover operation were fitted with
keystroke recorders. One of the suspects logged in to their “home system” from one of
these machines, and the keystroke recorder captured the system name, username and
login password. The FBI subsequently connected to the remote system with those
credentials and downloaded approximately 2.3 GB of compressed data. The downloaded
data was analyzed in conjunction with data obtained from victims' systems, which
revealed the true nature and extent of the criminal activities. Seized evidence and
victim data showed that the following types of incident took place during the
1999-2000 timeframe:
Numerous computer intrusions, including the subversion of systems and networks,
for example ATM-connected systems at a school district in Michigan
Computer outage, for example at an internet service provider in Bellevue,
Washington
Credit card fraud, for example at online retailers and internet payment systems
Attempted extortion, for example at a bank in Southern California
Large-scale identity theft
Compromised systems were frequently used as web relays/proxies. If a compromised
system had “business value” to the intruders, typically bandwidth or privileged
access, it was also put to other uses. In one instance a system connected to a
high-bandwidth ATM (Asynchronous Transfer Mode) network was employed as a Domain
Name System (DNS) server and an Internet Relay Chat (IRC) server. In another
instance the web site of an online bank had been modified so that the normal user
log-on procedure was bypassed.
The evidence also contained numerous Perl scripts and the temporary files left
behind by their execution. The Perl scripts implemented a “virtual web browser”, a
scripted HTTP client that emulated a user's browser session, and were customized for
email, auction and payment functions. The scripts appeared in numerous stages of
development, ranging from simple connection test scripts, through SSL connection
test scripts with embedded links to X.509 certificates, to scripts fully integrated
with a backend database. Thousands of email addresses were mined from the seized
evidence and correlated with activity at a web email service provider.
The eBay auction scripts implemented full user account creation and management
together with auction creation, bidding and closing. The auction management
capability also included a feature that limited transactions to below the $500
PayPal threshold, and support for the automated generation of eBay buyer and seller
feedback was incorporated. The $500 threshold check and the automated feedback
represent a deliberate “fly below the radar” strategy: keeping each transaction
under a review threshold and manufacturing the reputation history that makes an
account look legitimate.
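The two evasion features described above, the sub-$500 amount limit and the scripted reciprocal feedback, have a detection-side counterpart: look for accounts whose closing amounts cluster just under a threshold, and check whether those same auctions also carry mutual positive feedback. The following Python is an added example written for this page, not code from the case evidence or from the page's author. The auction and feedback records, the 50-dollar "just under" band and the count/ratio cutoffs are constructed assumptions; only the $500 figure comes from the text.

```python
"""Detection counterpart to the "fly below the radar" tactics described in the
text: transactions kept under the $500 threshold and scripted reciprocal
feedback.  Added example; all records below are constructed, not case data."""
from collections import defaultdict

THRESHOLD = 500.00   # the PayPal amount the scripts stayed under (from the text)
BAND = 50.00         # assumed width of the "just under" band: (450, 500)

# Constructed auction-close records, not case evidence:
# (auction_id, seller, buyer, closing_amount_usd)
AUCTIONS = [
    ("a1", "seller_x", "buyer_p", 489.00),
    ("a2", "seller_x", "buyer_q", 495.50),
    ("a3", "seller_x", "buyer_r", 479.99),
    ("a4", "seller_x", "buyer_s", 499.00),
    ("a5", "seller_y", "buyer_p", 120.00),
    ("a6", "seller_y", "buyer_t", 742.00),
    ("a7", "seller_z", "buyer_u", 497.00),
]

# Constructed feedback records: (from_account, to_account, auction_id, score)
FEEDBACK = [
    ("buyer_p", "seller_x", "a1", 1),
    ("seller_x", "buyer_p", "a1", 1),
    ("buyer_q", "seller_x", "a2", 1),
    ("seller_x", "buyer_q", "a2", 1),
    ("buyer_t", "seller_y", "a6", 1),
]


def in_band(amount, threshold=THRESHOLD, band=BAND):
    """True when an amount sits just under the threshold, i.e. in the open
    interval (threshold - band, threshold)."""
    return threshold - band < amount < threshold


def structuring_suspects(auctions, min_band=3, min_ratio=0.75):
    """Sellers whose closed auctions cluster just under the threshold.

    Returns {seller: (n_in_band, n_total)} for sellers with at least
    `min_band` in-band closes that make up at least `min_ratio` of their
    closes.  Both cutoffs are assumed tuning values, not from the case."""
    totals = defaultdict(int)
    banded = defaultdict(int)
    for _aid, seller, _buyer, amount in auctions:
        totals[seller] += 1
        if in_band(amount):
            banded[seller] += 1
    return {
        s: (banded[s], totals[s])
        for s in totals
        if banded[s] >= min_band and banded[s] / totals[s] >= min_ratio
    }


def reciprocal_feedback(feedback):
    """Auctions where both parties left each other positive feedback.

    Mutual feedback is normal on its own; it becomes a signal only when
    combined with the amount pattern.  Returns {auction_id: frozenset}."""
    positive = {(src, dst, aid) for src, dst, aid, score in feedback if score > 0}
    return {
        aid: frozenset((src, dst))
        for src, dst, aid in positive
        if (dst, src, aid) in positive
    }


def ring_report(auctions, feedback, **cutoffs):
    """Combine both signals: for each structuring suspect, count how many of
    its in-band auctions also carry mutual positive feedback."""
    suspects = structuring_suspects(auctions, **cutoffs)
    mutual = reciprocal_feedback(feedback)
    report = {}
    for seller, (n_band, n_total) in suspects.items():
        band_aids = [aid for aid, s, _b, amt in auctions
                     if s == seller and in_band(amt)]
        report[seller] = {
            "in_band": n_band,
            "total": n_total,
            "mutual_feedback": sum(1 for aid in band_aids if aid in mutual),
        }
    return report


if __name__ == "__main__":
    for seller, stats in ring_report(AUCTIONS, FEEDBACK).items():
        print(seller, stats)
```

On the constructed data only seller_x is reported: all four of its closes fall in the 450-500 band and two of them carry mutual feedback. seller_z has a single in-band close and is filtered out by the minimum count, which is the point of the ratio-plus-count rule: a lone sale at $497 is not evidence of anything, a run of them is.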
The PayPal scripts demonstrated the capability to create and manipulate PayPal
accounts. The PayPal accounts were associated with stolen credit