How to Catch an Internet Cyber Thief

They’re out there, says security researchers: the Chinese hackers attempting to break into U.S. enterprises, and jihadist terrorists that brazenly post videos of sniper killings, while stealing credit-cards to launder money for funding nefarious campaigns in Mideast or Caucasus hot spots.

More: Rapidly evolving low-cost mobile technology keeps the military up at nightWebsite operator pleads guilty to terrorist threats

It’s just a matter of finding them, and Dell SecureWorks researcher Joe Stewart described at the RSA Conference this week how he caught one by laboriously collecting information related to a Chinese hacker. He’s calling the incident the “Sin Digoo Affair” after the misspelling of San Diego in Internet domain registrations under the fake name of “Tawnya Grilth” that he saw over and over again, which was but one clue, including many others such as malware signatures, he followed in his quest to track down an attacker based on a case of industrial espionage and botnets.

“We know we have a set of domains exclusively used for espionage activity,” says Stewart. After months of sleuthing, Stewart managed to link the email jeno_1980@hotmail.com used to register those domains to a multitude of other clues to follow a trail that led him to believe “Tawnya” is a Chinese hacker whose probably part of a group promoting SocialUp.net, a site that accepts payment, including PayPal, for delivering “artificial likes, often through bots” so people can get promoted on Facebook.

What’s hot at RSA 2012

Tracking this laboriously amassed evidence, including known Chinese hacker websites, Stewart thinks he has identified the espionage hacker he set out to find through his real Chinese name. Undisclosed publicly, this name and what’s known about him has been turned over to the FBI, though the outcome of any meaningful prosecution of espionage activity through China may at the moment be slim. Still, Stewart wants to make the point that criminal activity related to bots can be investigated, though he emphasizes what he’s found is simply evidence of an individual’s activity.

Another session at RSA talked about what jihadist extremists are doing today on the Web and how they launder money for terrorist causes. Mikko Hypponen, chief research officer at F-Secure, says he spent time combing the Internet to find evidence of what extremists, mostly Arab speaking but also Chechens from the Caucasus who have made terrorist attacks on Russian civilian targets, are doing in terms of sophisticated use of technology online.

“My first impression is high-tech terrorists don’t exist,” said Hypponen in a media briefing today. But after considerable online research, his opinion has changed. He has found evidence of a growing amount of interest in technology, encryption and hacking in online jihadist publications that now include topics such as an “Open Source Jihad” section to “Technical Mujahaden” which tells how to hide files using rootkits and steganography. He said he’s also analyzed what he thinks is probably British intelligence counter-efforts to trojanize fake versions of these publications so that if they’re downloaded, monitoring of possible terrorist activity could take place on whatever computer it’s downloaded to.

One of the biggest cases linking Islamic terrorists to high-tech operations like stealing credit cards through botnets that controlled thousands of victims’ computers was that of London-based Tariq Al-Daour, sentenced a number of years ago after his gang was caught playing at the Absolute Poker site with stolen credit cards, mainly to launder $3.5 million in poker games, says Hypponen. He spent the money he stole on satellite phones, sleeping bags and lot of other gear he sent to support terrorist activity connected to Al Qaeda. He paid a Russian to build his software, Hypponen noted.

The situation today with extremist groups using high-tech hacking and bots “isn’t out of hand,” Hyponnen says. But there’s mounting evidence that extremist groups are increasingly interested in high-tech, writing in their slick multimedia online publications about Apache, PGP, NMAP, and creating their own public crypto keys, right alongside instructions for bomb-building. He says it may be time to pay more attention to it.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.

Read more about wide area network in Network World’s Wide Area Network section.