If you think the recent data thefts reported in the news, such as the one at LexisNexis, are the work of criminal masterminds, think again.
Details are emerging about a federal law enforcement investigation called Operation Boca Grande that resulted in raids on nine homes in Minnesota, North Carolina, Massachusetts, and California on May 16, 2005. The information taken from LexisNexis may have ended up in the hands of methamphetamine drug users. In yet another surprising twist, one of the suspects is also thought to be responsible for the Paris Hilton T-Mobile Sidekick security breach last February. The suspects questioned in Operation Boca Grande (Spanish for "big mouth") range in age from 16 to 23, are members of a loosely confederated online gang known as Defonic Crew, and used relatively low-tech methods, such as remote-access Trojan horses and social engineering, to acquire personal data about individuals. As of yet, no charges have been filed.
The story thus far...
Here's how they did it. Sometime early this year, the individuals involved sent out an adult themed e-mail poisoned with a remote-access Trojan horse. Anyone who opened the attached file automatically provided the online gang with backdoor access to the contents of their computer.
According to interviews conducted by Kim Zetter at Wired News, an online friend of one of the suspects questioned in Operation Boca Grande was posing as a 14-year-old girl in an online chat. The suspect, identified by Wired News as "Krazed," then sent a Florida law enforcement officer who was investigating online chats an e-mail with an adult-themed attachment. Instead of the images of the minor he believed he was communicating with, the attachment the Florida law enforcement officer opened contained a Trojan horse, which created a remote-access backdoor into the contents of his computer.
Krazed found account information for LexisNexis on that Florida law enforcement officer's PC. Soon after, Krazed and others started using Texas and Florida state law enforcement accounts to look up various celebrities. According to an Associated Press story, one member of the group, Zachary Mann, 18, of Maple Grove, Minnesota, even went so far as to post "a long string of identifying information about an individual" in an online chat, a feat which may have inspired the name of the investigation. Another gang member in Massachusetts, identified in the Wired News article as "Null" (named after a law enforcement account at LexisNexis), called up Seisint, a subsidiary of LexisNexis, and posed as a tech administrator. Null then created several new accounts for each of his friends to use. Using these fake accounts, the gang members were able to log in through the front door of the LexisNexis data warehouse and obtain the records they wanted.
Jason Hawks, 23, of Winston-Salem, North Carolina, told Brian Krebs of the Washington Post that he called 911 when he first saw people surrounding his house. It turned out they were federal agents, who questioned Hawks extensively about his involvement with the LexisNexis break-in.
Yet another individual questioned as part of Operation Boca Grande told both the Washington Post and Wired News that he was a part of the Paris Hilton T-Mobile Sidekick theft, as well. For that, the suspect posed as a T-Mobile supervisor to get an employee of a T-Mobile store in Southern California to provide details about the company's account Web sites, including usernames and passwords. From there it was a matter of guessing the password information about Paris Hilton to access her text messages and video archive.
Mea culpa
However, the Wired News interview claims that Null soon saw the light. After hacking into a gay-themed Web site--and getting caught--Null realized his life was out of control. He stopped messing around with his computer and eventually threw it into the ocean. Null further claims that some "Russian kids" then erased his account information from LexisNexis. According to Wired News, Null apparently thought any evidence trail against him had been subverted and began looking into the possibility of free college classes with an eye toward obtaining a computer science degree.
But physically destroying a computer won't necessarily stop authorities from advancing their investigation. Back in 2001, Canadian authorities successfully convicted a youth, Mafiaboy, of launching a denial-of-service attack against CNN and other sites in 2000. Mafiaboy is believed to have thrown his hard drive, which has never been recovered, into a lake in Ontario, Canada.
If there's any good news, it's that the individuals connected with Operation Boca Grande claim they didn't sell the LexisNexis information to anyone. This news is tempered, however, by an independent investigation in Hayward, California, last week in which law enforcement agents raided several homes in connection with a methamphetamine bust and, unexpectedly, discovered several LexisNexis documents which may or may not prove related to Operation Boca Grande. The link between methamphetamine drug users and identity theft has been known for several years. In short, why should a drug addict rob a convenience store for small change when he or she could score big cash by stealing someone's identity instead? I wouldn't be surprised if we find that the above-mentioned kids were lying about selling IDs.
Prevention
The flaw here, if any, lies with the Florida law enforcement agent, who should have known better than to open an e-mail attachment. Even if the e-mail was part of an investigation into adult content on the Web, the law enforcement agent still should have had a firewall and antivirus protection installed on his PC. Had this been done, the data access at LexisNexis might not have occurred. Let this serve as a potent reminder that we should all take precautions to safeguard our PCs. Who knows? You might have already inadvertently aided and abetted a criminal by not removing a Trojan horse.
If no IDs were sold, as the suspects claim, what do you think should happen to the young perpetrators? Talk back to me.