Arresting Bits and Bytes
Every now and then, a denial-of-service (DoS) attack from cyberspace disables a local 911 emergency communications system. The U.S. Secret Service now responds to these cyber-crimes. “You can imagine the problem,” says Larry Johnson, special agent in charge of the Secret Service criminal investigation division in Washington, D.C. “In these cases, an Electronic Crimes Task Force (ECTF) comes in and restores the system before the attack can cause the loss of life.”
Best known for protecting the nation’s leaders, the U.S. Secret Service has also traditionally investigated crime related to America’s financial infrastructure. For years, this work primarily involved pursuing counterfeiters. In the information age, however, the agency’s responsibilities have grown to include critical electronic infrastructures of all kinds.
In 1995, the Secret Service created a New York Electronic Crimes Task Force. Designed as a prototypical collaborative model for fighting cyber-crime, the task force included Secret Service agents as well as members drawn from state and local law enforcement agencies, corporate security operations, and computer academics.
The broad task force membership provided a host of resources. Trained Secret Service agents provided investigative expertise. Local law enforcement officers contributed personnel and knowledge of the local area. Business members provided insight into commercial transactions and how those transactions might be corrupted. Academic members supplied advanced technical expertise important to keeping up with cyber-crooks.
After Sept. 11, with the passage of the U.S. PATRIOT Act, Congress authorized the Secret Service to expand the ECTF concept into a nationwide network of task forces based on the New York City prototype.
Task forces have since been organized in Atlanta, Boston, Charlotte, N.C., Chicago, Columbia, S.C., Dallas, Houston, Las Vegas, Los Angeles, Miami, Philadelphia and San Francisco. Including New York, the Secret Service now manages 13 of these operations.
“We selected these cities because of their high concentration of local infrastructure,” says Johnson. “We have also established smaller quasi-task-forces called electronic crimes working groups in smaller cities such as Louisville, Ky., and Sacramento, Calif.
In the past three years, the ECTF network has closed more than 1,400 cases involving electronic crimes and made more than 1,000 arrests. Cases include well-known virus and DoS attacks as well as a host of other computer crimes.
To date, ECTFs have dealt mostly with cyber-crime aimed at commercial rather than government systems. “Crimes against government systems make up only 5 percent to 15 percent of what we look at,” Johnson says. “Most cyber-criminals want to retrieve data that will be profitable to them. That kind of data is mostly on commercial, not governmental, sites.”
Last May, for example, the Charlotte, N.C., ECTF initiated an identity theft investigation, when a large national bank requested task force assistance. The bank’s IT manager had detected an unusual amount of traffic at the institution’s Web sites. “Our examiners came in, did the forensics, and discovered the problem,” Johnson says.
E-mail had been sent to a number of customers, directing them to a fake Web site to update their passwords. Approximately 420 people responded, and the fake Web site captured their social security numbers, dates of birth, bank account numbers and passwords. No arrests were made, but the systematic thefts of identity were stopped.
With 200 members drawn from 46 government agencies and 42 corporations, the Miami ECTF is among the largest of the Electronic Crime Task Forces. According to John Large, assistant special agent in charge of the Secret Service’s Miami Field Office and supervisor of the Miami ECTF, cyber-crime has proliferated in South Florida. “We’ve worked on cases involving missing and exploited children and counterfeit currency cases involving computers,” he says. “Skimming, ‘phishing,’ and network intrusion are also rampant.”
Skimming is a credit card crime in which retail clerks use a scanner to steal and sell customer credit card information.
A phishing criminal sets up a fake Web site that looks and works just like a legitimate site. The only difference is a keystroke in the Web address. Sooner or later, someone will type in the phony address by mistake, end up at the fake site, and freely reveal personal information and other data useful to criminals.
A recent network intrusion case investigated by the Miami ECTF involved an international shipping company and an employee that knew he was about to be fired. Operating from his home computer, the employee shut down the company’s entire computer network and committed over $300,000 in fraud. Large says: “We did an analysis, traced the transactions, got a search warrant and hit the guy’s residence.”
The suspect confessed, pled guilty in court, paid $80,000 in restitution fines and is serving a year’s sentence.
