Well-known criminologist Edmond Locard once said that every contact leaves a trace, and that's also true when talking about online crimes. We leave behind our IP addresses at every site we visit. We have posts to newsgroups that are still accessible via Google. And there's that embarrassing MySpace page that was started but abandoned years ago. So when a person suddenly decides to commit an online crime, as one security researcher suggests, all that prior online history follows them, and, as we shall soon see, that history may help investigators eventually identify the perpetrator. But positive identification of online miscreants might not be enough. It seems real-world law enforcement doesn't yet know what to make of online crimes or their perpetrators. And that might explain why the thieves sometimes get away with their crimes.
Too often I report on online crime stories and don't follow up. In this case, both the initial attack and its follow-up were brought to my attention by Chris Boyd, director of malware research at FaceTime Security Labs. You'll note that for the last two weeks I've been writing about Chris' research into the shadowy economics behind botnets. In last week's column, Boyd took a simple Trojan horse file and expertly followed its online links back to servers located in the Middle East, to a group ostensibly raising money in support of some extremist views. Not one to back away from a good chase, Chris has recently applied himself to yet another online mystery.
A few weeks ago I wrote about an attack using a YouTube video. The video (no longer available) promotes a mod called Hood Life for the popular game Grand Theft Auto. The attack didn't involve the YouTube video itself; it used a URL displayed at the end to download an associated malicious file. At the time of the story, Chris, an avid gamer, was livid that people would fall for the shoddy graphics in the video and actually download the file. Apparently at least 54 people did download the malicious file.
Starting with YouTube
For someone to post to YouTube, he or she first needs an account. A lot of people fake the information in their accounts, but Boyd decided to take the information attached to the Hood Life GTA mod at face value: someone named "YoGangsta50" uploaded the file. In his personal blog, Boyd details the steps he used in his research into who placed the video on YouTube, and who might also be responsible for the malicious code file download.
As an obvious next step, Boyd used Google to find YoGangsta50. From the results, Boyd learned that this person once posted on the Young Buck forum, and in 2005 the person using that name created another GTA virus. Comments to the post mention that the person using the name YoGangsta50 had previously hacked the 50cent accounts, but soon had a falling out with the forum. It's from these posts that Boyd learned a geographic location for YoGangsta50: Hartford, Connecticut.
In reviewing other online postings, Boyd writes that he found on sites attributed to YoGangsta50 an obsession with the comic strip and cartoon The Boondocks. Elsewhere Boyd finds other evidence: "we now have a first name: 'John.' It also mentions he's black, which might also be useful for future reference."
Using a different search engine, Boyd next finds a profile page on Bolt.com, then another profile on Xanga.com, the latter containing a reference to yet another page going up on FreeWebs.com MySpace Protect very soon. On all of these pages there are references to The Boondocks, age 19, and Connecticut, all consistent with the details so far learned elsewhere. This looks now to be a positive ID. Boyd concludes: "How many black youths do you think are aged between 16 and 19, are living in Hartford, Conn., with a supposed real name of 'John,' are into The Boondocks (and spend every other moment telling you about it online), and also just happen to be called YoGangsta50?" So why isn't this person now behind bars?
Response from the law community
Boyd says he sent all this research to law enforcement, but hasn't heard back. "I'll be sending them a follow-up mail today, but generally this kind of thing can be vaguely frustrating, in my experience. Each state's law agencies operate in different ways...some will reply, some will get back to you long after the initial contact, and others will ignore you completely. There's just no way to know in advance what reaction you'll get."
It's entirely possible that law enforcement doesn't yet know what to make of Boyd's research. After all, who were the victims? And do their losses exceed the $5,000 minimum required by the FBI and Secret Service before either agency will investigate? I doubt it. So, on the one hand, you have state agencies that are already overworked and don't have the means to investigate on their own, and, on the other, federal agencies that can investigate but can't be bothered with such petty crimes. In this case the criminal might go free simply because no one wants to prosecute.
The answers are out there
I do agree with Boyd that "we need to focus more on who is hiding behind the veil of supposed anonymity when pushing infections (and less on the infections themselves) and drag them kicking and screaming into the light." This case was easy, since the alleged individual didn't do much to obscure his online identity. But I caution against vigilante justice. It's also possible for online searches to generate false positives: to follow the wrong trail and end up at some innocent person who chose an unfortunate online nick.
Last summer I wrote about Neal Krawetz's research. Krawetz has identified malware authors just by looking at a person's choice of words, keystroke habits, and even keyboard layout in chats, blogs, and e-mail. Just because you're online doesn't mean you are anonymous. There are ways of identifying criminals. Now, if we could get law enforcement interested, we'd be set.
A few days after this column originally appeared, Boyd posted an update on his blog. It appears John from Hartford is giving up the Internet. In a post, YoGangsta50 writes, "you all can say goodbye to me. maybe the internet was not for me! I don't want to do this anymore. Somebody help me!" He goes on to explain how to remove the virus he created: boot Windows into Safe Mode, find C:\Program Files\GTA Hoodlife, then run the Unins000 file to delete the virus.
YoGangsta50 apparently saw the news about him, and it affected him. "How does it feel to see your name all over the Internet!!!! I could not sleep for 2 days. I have been crying all day. am so sorry that i did those things. I learned my lesson." Let's hope that's true.
Anyone have other examples of how online information has helped smoke out an online criminal? TalkBack to me.