Attacks/Breaches
12/14/2012
11:56 AM
Connect Directly
RSS
E-Mail
50%
50%

How U.K. Police Busted Anonymous Suspect

Operation Payback operators' identities unearthed largely through "social leakage" -- highlighting differences between U.S. and British hacker investigations.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Are U.S. authorities focusing too much on busting low-level hacktivist operators, at the expense of taking down the leading lights?

The difference in style can be seen in the approach that U.K. investigators have taken to prosecuting the ringleaders of Operation Payback, which was the Anonymous-branded attack campaign that targeted businesses, including PayPal and MasterCard, with distributed denial of service (DDoS) attacks for their having blocked payments to WikiLeaks. PayPal said the attacks resulted in losses of £3.5 million ($5.6 million).

According to Ray Massie, a freelance computer forensic and open source training consultant who led Britain's Operation Payback investigation as a detective sergeant with London's Metropolitan Police Service, his team focused on the people who organized the attacks and picked the targets, rather than low-level operators. "We went after organizers and facilitators rather than foot soldiers. U.S. authorities went after a mix," Massie told The Register.

[ For more about busting bad guys based on digital tracks, read How Digital Forensics Detects Insider Theft. ]

By comparison, U.S. authorities have ended up prosecuting a large number of people who downloaded a DDoS tool promoted by some of the leaders of Anonymous, and which attacked targets selected not by the downloader, but by leaders of Anonymous. The DDoS tool in question was known as the Low Orbit Ion Cannon (LOIC), and less advanced LOIC users didn't seem to realize that the tool often coded their IP address into the packets it generated. Many of the attacked organizations recorded these packets and shared them with authorities, who used service providers' subscriber records to identify LOIC users' real identities, then began making arrests.

Of course, U.S. authorities have also busted multiple alleged leaders of the supposedly leaderless Anonymous hacktivist collective, including Sabu -- real name: Hector Xavier Monsegur -- who also served as the leader of LulzSec.

But British authorities have limited their efforts to prosecuting the organizers behind Operation Payback, as highlighted by the case of Northampton, England-based Christopher Wetherhead (aka "Nerdo"), 22. Last week, he was found guilty in Southwark Crown Court of one count of conspiracy to commit unauthorized acts with intent to impair the operation of a computer, in violation of the U.K.'s 1990 Computer Misuse Act.

In his defense, Wetherhead maintained that he only moderated the AnonOps IRC channel. But Scotland Yard's Police Central eCrime Unit had studied numerous Anonymous IRC logs and found nickname (NIC) clues that helped them identify the British leaders of Operation Payback

"In a nutshell we identified Weatherhead via the IRC network," former detective constable Trevor Dickey, who now works in the private sector, told The Register.

"We identified their IRC channels and captured several weeks of chat. During that time we looked at the status of NICs such as admins and operators," he said. "We then did some keyword searching and spent a lot of time looking [at] social leakage. Combining all these elements we then identified the NICs of interest and did open source research on them. Weatherhead was easy to identify as he had been using the NIC of 'Nerdo' for quite some time."

The other suspects likewise were also identified in large part via social-network leakage. "We were able to tie their digital identities to real life identities," Massie told The Register. "Now that the suspects are in their 20s, they are security conscious, but they were using the same nick when they were a kid on gaming forums or elsewhere. They made mistakes."

Prosecutors also found evidence that Wetherhead had contracted for services with bulletproof hosting provider Heihachi in Russia, on behalf of Anonymous. The prosecutor described Heihachi as providing a "safe haven" for cybercriminals.

Thanks to that police digital forensic work, a jury of six men and five women took just two hours to return a guilty verdict against Weatherhead, saying he'd had an "integral role" in the attacks, reported The Guardian.

Three other men -- Jake Alexander Birchall, 18, of Little Neston, Cheshire; Ashley Rhodes, 27, of Bolton Crescent, London; and Peter David Gibson, 24, of Hartlepool, Cleveland -- earlier this year pled guilty to the same charge.

Judge Peter Testar told Wetherhead that he and his co-conspirators might do jail time as a result. All four men are due back in Southwark Crown Court in January 2013 for pre-sentence reports.

Stay ahead of the eCommerce technology curve. Watch our webcast, Next Generation e-Commerce Strategies for B2B Sales and Marketing, to learn the strategies and tactics you can use to more efficiently give your clients what they want, keep them happy and increase sales. Register now.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7052
Published: 2014-10-19
The sahab-alkher.com (aka com.tapatalk.sahabalkhercomvb) application 2.4.9.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7056
Published: 2014-10-19
The Yeast Infection (aka com.wyeastinfectionapp) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7070
Published: 2014-10-19
The Air War Hero (aka com.dev.airwar) application 3.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7075
Published: 2014-10-19
The HAPPY (aka com.tw.knowhowdesign.sinfonghuei) application 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7079
Published: 2014-10-19
The Romeo and Juliet (aka jp.co.cybird.appli.android.rjs) application 1.0.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.