(Special thanks to Jake Moore, Security Specialist at ESET UK. The content of this article has been edited for length.) The image of the cybercriminal is burned into our collective mind’s eye: the brooding, anti-social techno-hoodie with no other outlet for his considerable talents. It turns out that may not be 100% accurate. Read on:
A lot of media coverage centers on how threat actors are becoming better at evading capture. Not only that, they are getting generally more sophisticated. I want to tell a story about one criminal in particular who was anything but.
Before joining ESET, I spent 14 years working in the UK police force. I worked predominantly in the Cyber Crime and Digital Forensics Units. My job was to dig up any evidence I could find on digital devices. Anything from laptops to phones. And that evidence was then presented in a report to the judge, jury and court. I would find evidence to support investigations for anything from fraud to murder.
Back in 2011 I decided to purchase a second-hand laptop on eBay. As always, I conducted lots of research and knew what I wanted beforehand. I found an HP laptop from someone who had a good seller rating. This person had sold similar laptops and gadgets in the recent past. I placed my bid and won the item for a little over £210. I paid by PayPal for ease of use and added security and entered my delivery address.
Exploding the cybercriminal stereotype
Because I was in the office all day during the week, I used the police station as my delivery address. Furthermore, I liked using the police station as my address in case I was ever dealing with a criminal. Naturally, one assumes this particular address would put anyone off sending out stolen goods. Especially as my address had the words “High-Tech Crime Unit” in it. Oh, how wrong I was!
A few days later I received a call from the station reception stating they had just signed for a package in my name. I hopped down there to get it, and there it was – a brown package, badly taped together with a poorly scribbled name and address on it. I quickly opened it up and true to the seller’s word, there was the HP laptop inside. Phew. No bricks.
I then proceeded to turn on my new device. Only I was met with a logon screen for someone named “sarah.” I checked the advert again to see if I had missed anything. Nope.
I then re-checked the seller’s name to make sure he wasn’t called Sarah. Nope. I decided to contact him via eBay to make sure that he had sent me the correct item. Silence. It then dawned on me that this laptop could in fact be stolen. But surely no one would send a stolen laptop to the “High-Tech Crime Unit” at a police station?! Seriously?
Tracking down the evil-genius cybercriminal
At my disposal I had various tools to look at computers forensically. So I decided to. I removed the hard drive, plugged it into my workstation via a Tableau Forensic Bridge, and basically triaged the drive. Then I used forensics software EnCase, which easily enabled me to view the folder structure including all the documents and files. I was also able to bypass Windows 7 passwords by imaging the drive.
Then, I went to the “Documents” folder. I searched for any clues as to who the laptop really belonged to. I soon located a few Word documents relating to a Sarah. But when I found her CV, I was able to learn more about her. For example, I got her address and phone number. Her address was not too far from the seller’s address, so maybe he was selling it on behalf of Sarah. But I felt compelled to check with her as I now had her phone number.
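The steps above (write-block the drive, image it, then search the documents for anything that identifies the real owner) can be scripted once the image is mounted read-only. The following is an added illustration written for this page, not code from the original article, from ESET or from EnCase. It assumes the image is mounted as an ordinary directory tree, hashes every file for the evidence record, and pulls e-mail addresses and UK mobile numbers out of plain-text files and .docx documents (a .docx is a zip whose body is word/document.xml). The sample "image" it builds under a temporary directory is constructed for the example; the CV, names, number and address are invented.

```python
"""Post-imaging triage: hash every file under a mounted (read-only) image and
extract owner indicators (e-mail addresses, UK mobile numbers) from documents.
Added example; not the article's or ESET's own tooling."""
import hashlib
import os
import re
import tempfile
import zipfile

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# UK mobile numbers as commonly written in CVs: 07xxx xxxxxx or +44 7xxx xxxxxx
PHONE_RE = re.compile(r"(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}")
TEXT_SUFFIXES = {".txt", ".rtf", ".csv", ".html", ".htm", ".md", ".docx"}


def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so large evidence files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def read_text(path):
    """Best-effort text of a document. .docx is a zip; its body is word/document.xml."""
    if path.lower().endswith(".docx"):
        try:
            with zipfile.ZipFile(path) as z:
                xml = z.read("word/document.xml").decode("utf-8", "replace")
        except (zipfile.BadZipFile, KeyError):
            return ""
        # Replace tags with spaces so adjacent text runs do not fuse into one token.
        return re.sub(r"<[^>]+>", " ", xml)
    with open(path, "rb") as f:
        return f.read().decode("utf-8", "replace")


def triage(root):
    """Walk the mounted image. Returns {relative path (forward slashes): {sha256, emails, phones}}."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entry = {"sha256": sha256_file(full), "emails": [], "phones": []}
            if os.path.splitext(name)[1].lower() in TEXT_SUFFIXES:
                text = read_text(full)
                entry["emails"] = sorted(set(EMAIL_RE.findall(text)))
                entry["phones"] = sorted(set(PHONE_RE.findall(text)))
            findings[rel] = entry
    return findings


def owner_indicators(findings):
    """Collapse per-file hits into the unique identifiers seen anywhere on the image."""
    emails, phones = set(), set()
    for entry in findings.values():
        emails.update(entry["emails"])
        phones.update(entry["phones"])
    return sorted(emails), sorted(phones)


def build_sample_image():
    """Constructed stand-in for a mounted image: a Documents folder holding a CV
    in .docx form, a notes file and one binary file with nothing to extract.
    The person, address and number are invented (07700 900xxx is a reserved range)."""
    root = tempfile.mkdtemp(prefix="triage_")
    docs = os.path.join(root, "Users", "sarah", "Documents")
    os.makedirs(docs)
    body = ("<w:document><w:body><w:p><w:r><w:t>Curriculum Vitae</w:t></w:r></w:p>"
            "<w:p><w:r><w:t>Tel: 07700 900123</w:t></w:r></w:p>"
            "<w:p><w:r><w:t>Email: sarah.example@example.co.uk</w:t></w:r></w:p>"
            "</w:body></w:document>")
    with zipfile.ZipFile(os.path.join(docs, "CV.docx"), "w") as z:
        z.writestr("word/document.xml", body)
    with open(os.path.join(docs, "notes.txt"), "w") as f:
        f.write("call landlord 07700 900123\n")
    with open(os.path.join(root, "random.bin"), "wb") as f:
        f.write(b"\x00\xff" * 16)
    return root


if __name__ == "__main__":
    image_root = build_sample_image()
    results = triage(image_root)
    for rel, entry in sorted(results.items()):
        print(f"{entry['sha256'][:12]}  {rel}  emails={entry['emails']}  phones={entry['phones']}")
    print("owner indicators:", owner_indicators(results))
```

Run it against a real image by replacing `build_sample_image()` with the mount point; keep the mount read-only (the write-blocker protects the original drive, but the working copy should be protected the same way) and record the hashes before anything else touches the copy.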
I called her and a very quaint, shy voice answered. Immediately I told her my name and where I was from. I asked her not to panic. She told me that her name was Sarah and that she did indeed live where her CV stated. Had she recently sold or lost any items? She replied by telling me her house had been broken into a month ago and her laptop, and other items were all stolen. I asked her to describe her laptop and of course I was staring right at it. She was naturally relieved to know she would get it back, of course. I said I would arrange for it to be sent to her after I had gone through the right channels.
Sheerluck Holmes, at your service
As it happens, this laptop had been stolen in another county about 100 miles away. So I contacted my counterparts in Wiltshire Police and told them what had happened. They were clearly excited to know how, by sheer luck, I had stumbled upon this laptop. They then asked me for the seller’s address. I forwarded all my information and the next morning a team was deployed to arrest the aforementioned seller.
At the address, police found Sarah’s camera and jewelry. They also found one of Wiltshire’s most prolific handlers of stolen goods surrounded by a “treasure trove” of the county’s stolen goods from months of burglaries.
I also contacted eBay and within a month I was reimbursed on PayPal for the mishap. After this escapade, I also decided to buy a brand new laptop from another retailer. However, every time I hear of “sophisticated” cybercriminals I now also think of this story.
We hope this interesting account has been helpful and informative. Our thanks to Corporate Armor partner ESET and Jake Moore. If you have any questions on how to protect yourself from the more sophisticated forms of cyber-crime, please email us. You can also call 877-449-0458. We have years of experience partnering with ESET, AVG, Fortinet, Meraki, Palo Alto, and many other security vendors. Thanks for reading!