It’s always been fashionable in the cybersecurity industry to throw up our hands and call cyber crime an intractable problem. We don’t have the technical skills to match hackers, attribution is impossible in cyberspace, we don’t have the legal framework for Internet crimes, or international cooperation is insufficient to go after the shadowy, transnational cabal of cyber criminals. When I hear this cyber defeatism, I wonder which of these computer crime pundits have any experience with the broader field of criminal investigations. Attribution isn’t only a challenge when a criminal breaks into a computer network, it’s difficult in any sort of break in. Up to 50% of residential burglaries go unreported in the United States and those that are have a clearance rate of less than 15%. Sometimes even having a picture of the burglar doesn’t help. And if you think examining malware to find its author is difficult, try getting incriminating information out of a violent gang with no tolerance for snitches.
Yet while many of these issues remain challenges in regular policing, we’ve developed investigative methods that generally keep crime in check and give citizens a reasonable expectation of law and order. There’s no reason we can’t do the same in cyberspace, often with similar methods involving informants, undercover operations, forensics, and detective work. One great example of this was the honeypot that brought two Romanian hackers accused of stealing millions from American credit cards to the U.S. for prosecution.
From 2008 to 2011, four Romanian hackers were accused of making millions of dollars of purchases with the stolen credit card data of 80,000 customers in the United States. As is typical for most organized cyber crime, their operation wasn’t particularly sophisticated. They scanned for vulnerable commercial point-of-sale or “checkout” computer systems which store your credit card information for tips and processing, then either guessed or cracked their passwords to gain access, all of which can be done with tools available on the black market for download. Though all four men were indicted, only one was extradited from Romania, leaving the Secret Service, which investigates major fraud for the Department of Treasury, to somehow bring the others in to the United States themselves.
While one of the hackers remains at large, the Secret Service successfully brought two into the country using a female agent as a honeypot. In espionage, a honeypot refers to an agent or plan that uses seduction as bait for entrapment, and is one of the oldest and most successful tricks in tradecraft.
Working with a Hawaiian resort and casino, a female Secret Service agent pretended to be an employee offering one of the men a free weekend getaway after they developed a rapport. She convinced him that, having learned of his online gambling, the casino wanted to bring the Romanian in to establish a cosmopolitan feel, and that, she was really hoping to meet him in person. Her story checked out – the casino gave her an official email address and phone number at the resort and even bought the ticket. But when 27-year-old Iulian Dolan landed in the United States with, as his public defender recounts, “some clothes, a cheap necklace, a little bit of money, and three very large boxes of grape-flavored Romanian condoms,” he was immediately taken into custody.
For the second hacker,26 year-old Cezar Iulian Butu, the Secret Service launched an even more targeted honeypot operation. By subpoenaing Yahoo!, GoDaddy and other communications providers, they obtained Butu’s emails and used information on his travels, friends, and routine to impersonate an attractive female tourist he met in France a year earlier. Despite their in-depth information, the USSS didn’t need to make their story particularly believable for it to work, claiming to be an independently wealthy Hooters waitress working at the restaurant chain for the health insurance and a love of people. That was enough to get him to fly to Boston to meet her, where he was arrested on the spot.
As the FBI’s veteran cyber cops have noted, that’s how you get things done. Investigating cyber crime is rarely a pure battle of wits between white hat and black hat hackers. Neither arrest required advanced technical expertise or capable and willing international partners, Since Internet criminals are most often petty gangsters, traditional investigations buttressed by subject matter experts and some forensic specialists with a background in code rather than ballistics can be effective at combatting cyber crime. Just as with any crime, challenges persist, but they are not as insurmountable or revolutionary as naysayers would have you believe.