
How to catch an Internet cyber thief

Devoted cyber-sleuths fight industrial espionage and botnets

By , Network World
March 01, 2012 09:24 AM ET

Network World - They're out there, say security researchers: the Chinese hackers attempting to break into U.S. enterprises, and jihadist terrorists who brazenly post videos of sniper killings while stealing credit cards to launder money for funding nefarious campaigns in Mideast or Caucasus hot spots.


It's just a matter of finding them, and Dell SecureWorks researcher Joe Stewart described at the RSA Conference this week how he caught one by laboriously collecting information related to a Chinese hacker. He's calling the incident the "Sin Digoo Affair" after the misspelling of San Diego that he saw over and over again in Internet domain registrations under the fake name of "Tawnya Grilth." That was but one clue among many others, such as malware signatures, that he followed in his quest to track down an attacker in a case of industrial espionage and botnets.

"We know we have a set of domains exclusively used for espionage activity," says Stewart. After months of sleuthing, Stewart managed to link the email used to register those domains to a multitude of other clues, following a trail that led him to believe "Tawnya" is a Chinese hacker who's probably part of a group promoting, a site that accepts payment, including PayPal, for delivering "artificial likes, often through bots" so people can get promoted on Facebook.


Tracking this laboriously amassed evidence, including known Chinese hacker websites, Stewart thinks he has identified the espionage hacker he set out to find by his real Chinese name. Undisclosed publicly, this name and what's known about him have been turned over to the FBI, though the chances of any meaningful prosecution of espionage activity through China may at the moment be slim. Still, Stewart wants to make the point that criminal activity related to bots can be investigated, though he emphasizes that what he's found is simply evidence of an individual's activity.

Another session at RSA covered what jihadist extremists are doing today on the Web and how they launder money for terrorist causes. Mikko Hypponen, chief research officer at F-Secure, says he spent time combing the Internet to find evidence of how extremists, mostly Arabic-speaking but also Chechens from the Caucasus who have carried out terrorist attacks on Russian civilian targets, are making sophisticated use of technology online.

"My first impression is high-tech terrorists don't exist," said Hypponen in a media briefing today. But after considerable online research, his opinion has changed. He has found evidence of growing interest in technology, encryption and hacking in online jihadist publications, which now include sections ranging from "Open Source Jihad" to "Technical Mujahaden," the latter telling how to hide files using rootkits and steganography. He said he has also analyzed what he thinks are probably British intelligence counter-efforts to trojanize fake versions of these publications, so that if one is downloaded, monitoring of possible terrorist activity could take place on whatever computer it's downloaded to.
