An Australian Federal Police (AFP) operation to recover a hacked database, containing usernames and passwords for 60,000 domain names and 13,000 credit card numbers, for use as evidence was almost foiled when the hackers were tipped off and went into a "deletion frenzy".
AFP investigator Colin Dix from the Australian High Tech Crime Centre (AHTCC) talked about the incident at the AusCERT 2010 last week.
"It actually started when [my colleague] was lurking in one of the forums and identified a post of someone selling a database," Dix said. "As usual, the database contained personal information, some usernames, passwords [and] credit cards."
Defacing websites, delivering malware via drive-by downloads, carrying out man-in-the-middle attacks and altering transactions live, Dix said, were among the many attacks that buyers or users of the hacked database could perform.
"Our internet policing team engaged the person selling it, offered to purchase it, and at the same time [us] investigators went about our business of attempting to identify who it was and where he was located," Dix said. "It was your standard negotiation for sale."
The hacker was careful. "He was quite cautious, understandably, and actually went to the point of actually asking whether we were police," Dix said. "Of course we said no."
The AFP had been able to identify who the offender was, but there was one catch: the gentleman was based in Western Australia (WA), and not even the police were allowed access to his driver's licence photo. Dix said the AFP needed to know what he looked like in order to continue its investigation.
"West Australian law ... has a bit of a funny quirk in that they're not allowed to give out driver's licence photographs, not even to police," Dix said. "It's sort of a bit funny, so we had to go back to our secondary intelligence database."
That database was, Dix said, social networking websites Facebook and MySpace. "[The offender] had plenty of photos — like so many people in his age group do — of himself on the internet," he said. "So we used those later in the investigation to our benefit."
An AFP surveillance team was sent to his house to confirm that he lived at the address the police had on record. The physical surveillance team confirmed it.
The offender had been carrying out some of the negotiations with the police from his workplace. Because of this, the AFP didn't know whether other people were involved and didn't want to enter his place of work during business hours.
"We couldn't just go in there because of a potential loss of evidence there, so what we ended up doing was going in and speaking to the company owner," Dix said. The AFP decided to execute a search warrant at his place of work after hours.
The AFP didn't find what it was looking for.
"Unfortunately, they all used laptops there as their desktops," Dix said. "[And] he had taken [his laptop home]. We found a bit of evidence that we were looking for, but we didn't actually find a copy of the database on his work computer."
Evidence that was found, and that the company's owner was able to confirm, included screenshots of the database that the offender had sent to the AFP from his work computer.
The next day, the AFP collared him outside of the workplace.
"Again, we didn't know if there were other people involved so we waited until he left the company, saw him and identified him from the photographs we had on the internet, and had a chat with him," Dix said.
That chat identified a second suspect, still inside the workplace, who the AFP subsequently questioned.
The AFP then searched the houses of both of the suspects, which together contained about 8 terabytes of data. "The analysis of the data took a very long time."
The police then encountered difficulties. "Unfortunately, [the suspects had] been tipped off that we were looking [into them] and went on a deletion frenzy overwriting everything they could get their hands on," Dix said.
According to Dix, while the AFP was carrying out its investigation at the workplace, every time the police logged into PCs to search them, a root log-in alert was sent to the network admin group, which included one of the people involved. "He was actually online at the time, [logged in via a virtual private network] and doing some work from home and was just getting a series of alerts [and] thought something was a bit up."
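The alert that tipped off the suspect is the kind of detection many administrators run: every successful root login is reported to an admin group. As an added illustration (not from the article, the AFP or the company involved), the following Python script shows what such a detector looks like when run over constructed syslog-style OpenSSH and console login lines. The log lines, hostnames and addresses are made up for the example, and the log format is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample auth log in syslog/OpenSSH style; hosts, users and
# addresses are invented for this example and are not from the article.
SAMPLE_AUTH_LOG = """\
May 20 18:02:11 ws-07 sshd[2231]: Accepted publickey for alice from 10.0.4.12 port 50122 ssh2
May 20 18:05:40 ws-07 sshd[2290]: Accepted password for root from 10.0.4.200 port 50310 ssh2
May 20 18:06:03 ws-07 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
May 20 18:07:55 ws-08 sshd[1911]: Accepted password for root from 10.0.4.200 port 50318 ssh2
May 20 18:09:12 ws-08 sshd[1950]: Failed password for root from 10.0.4.200 port 50330 ssh2
May 20 18:10:30 ws-09 login[877]: ROOT LOGIN  on '/dev/tty1'
"""

# Successful interactive SSH login as reported by OpenSSH.
SSHD_ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)
# Direct root login on a local console as reported by login(1).
CONSOLE_ROOT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) login\[\d+\]: "
    r"ROOT LOGIN\s+on '(?P<tty>[^']+)'"
)


@dataclass(frozen=True)
class RootLoginAlert:
    timestamp: str
    host: str
    source: str   # remote address for SSH, tty name for console logins
    method: str


def detect_root_logins(log_text):
    """Return one alert per successful root login found in the log text.

    Failed attempts and sudo escalations by ordinary users are ignored on
    purpose: the alert is about someone authenticating directly as root."""
    alerts = []
    for line in log_text.splitlines():
        m = SSHD_ACCEPTED.match(line)
        if m and m.group("user") == "root":
            alerts.append(RootLoginAlert(m.group("ts"), m.group("host"),
                                         m.group("src"), "ssh-" + m.group("method")))
            continue
        m = CONSOLE_ROOT.match(line)
        if m:
            alerts.append(RootLoginAlert(m.group("ts"), m.group("host"),
                                         m.group("tty"), "console"))
    return alerts


def hosts_by_source(alerts):
    """Group alerted hosts by login source. One source touching several
    machines in quick succession is exactly the burst of alerts the
    article describes, and is what an admin reading them would notice."""
    grouped = {}
    for a in alerts:
        grouped.setdefault(a.source, set()).add(a.host)
    return grouped


def format_alert(alert):
    """Render an alert as the one-line message an admin group would receive."""
    return (f"[ROOT LOGIN] {alert.timestamp} host={alert.host} "
            f"via={alert.method} from={alert.source}")


if __name__ == "__main__":
    found = detect_root_logins(SAMPLE_AUTH_LOG)
    for a in found:
        print(format_alert(a))
    for src, hosts in hosts_by_source(found).items():
        print(f"{src}: {len(hosts)} host(s) -> {sorted(hosts)}")
```

Run as a script, it prints three alerts and shows that a single remote address reached two workstations within minutes. Who receives these messages is as important as generating them: in the case above the alert group included one of the suspects, which is why an investigation or incident-response team normally agrees with the system owner, before touching any machine, on where such notifications are routed and who is on the distribution list.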
Dix said the police had worked out a cover story with the owner of the company, but the offender hadn't believed it and had started deleting in a panic.
But all was not lost, Dix said. "We did, however, still manage to recover basically the smoking gun from the first offender's computers... He was a bit lax in his overwriting deletes, so we pretty much recovered everything there including copies of the database, chat logs from discussing the sale of the second hack, and that they should delete everything including the logs that we recovered."
"Overall, I consider it to be a very close near miss," Dix said.
The first offender, Dix said, got an 18-month suspended sentence, a fine and a bond. The sentence was suspended because the offender cooperated with the police. The second suspect is yet to be dealt with by the court.
Ben Grubb attended AusCERT 2010 on the Gold Coast as a guest of AusCERT.
Update at 10:51am, 25 May 2010: Changed the word "overriding" to "overwriting".