
Tracing in Internet Fraud Cases: PairGain and NEI Webworld

Christopher M.E. Painter
Deputy Chief, Computer Crime
and Intellectual Property Section

Fraud, including stock manipulation and the full panoply of other deceitful schemes, has found a comfortable home on the Internet. Many of these crimes are simply age-old schemes being committed over a new medium -- so-called old wine in new bottles. Others, like Internet auction fraud or the easy dissemination of digital copyrighted works, are novel and have been spawned by the new technology. In either case, crimes committed over the Internet pose special challenges for law enforcement.

Investigative agents and prosecutors must be technically savvy and react very quickly in tracking down Internet criminal perpetrators. Unlike traditional fraud cases that might have been investigated for many months or even years, crimes committed on the Internet must be tracked promptly or the digital trail will run cold. Indeed, many Internet Service Providers (ISPs), to whom investigators must go to get computer logging information, email and other vital pieces of evidence, retain such logging and other information for a very short period -- in some cases less than a week. Because these cases are fast-moving and special legal process is needed to obtain much of the digital evidence, successful investigation requires, to an unprecedented degree, close teamwork between the investigators and the prosecutors. The old model of agents conducting the investigation with little input from the prosecutor until an investigative report is generated simply does not work when an investigation is highly reactive and takes place in days rather than over a protracted period. Also, the inherently technical nature of the Internet and the anonymity it often affords criminals require investigators to possess unprecedented technical sophistication. Technically trained agents who know how to trace illegal conduct over the Internet and who can effectively discuss the evidence they need with Internet communications providers are essential. Technically and legally trained prosecutors who can prepare the correct legal process and guide the investigation are also indispensable. Moreover, because these cases have no simple geographic boundaries, with victims spread around the country and facilities that often span many states and foreign countries, agents and prosecutors must cooperate with their counterparts in many jurisdictions.

Nearly seven years ago, the Computer Crime and Intellectual Property Section in the Department of Justice set up a network of Computer and Telecommunications Coordinators ("CTCs") in every United States Attorney's Office (USAO) to facilitate this kind of coordination and cooperation for high-tech crimes. This group of technically trained Assistant United States Attorneys (AUSAs) provides a network response to what are necessarily network crimes. Even where the CTC is not personally involved in a particular matter, he or she serves as a point of contact and expertise. Finally, traditional investigative work should not be ignored. Cases involving the Internet always combine cyber-investigative methods with traditional gumshoe techniques. Indeed, unlike many hacking cases, Internet fraud cases almost always involve money. Despite the Internet's increasing anonymity, following the money trail is an age-old investigative method that still yields high dividends.

In order to illustrate some of these principles, and to highlight some of the information that can be obtained in these investigations, I will briefly discuss two Internet stock manipulation cases that I prosecuted with agents of the Federal Bureau of Investigation (FBI) in Los Angeles. The first, United States v. Hoke (PairGain), CR 99-441 (C.D. Cal. indictment filed April 30, 1999), illustrates how a wrongdoer can be traced over the Internet despite the seeming anonymity it offers. The second, United States v. Aziz-Golshani, CR 00-7 (C.D. Cal. indictment filed January 4, 2000), illustrates the combination of traditional and cyber-investigative methods. Both show the need for speed and teamwork when the Internet is involved.

On the morning of April 7, 1999, users of Internet bulletin boards hosted by Yahoo! Finance and other companies devoted to the discussion of a company named PairGain saw a message from an individual identifying herself as Stacey Lawson of Knoxville, Tennessee. The message reported that PairGain, a telecommunications equipment company located in California, would be purchased for 1.35 billion dollars by an Israeli company. The message contained a link to what it stated was the Bloomberg News story reporting the impending merger. Other messages, purportedly from other individuals, also discussed the news in excited terms, advocating that readers purchase the stock immediately. When users clicked on the link in the first message they were taken to what appeared to be a legitimate Bloomberg News web page containing a detailed story on the merger. Although the page looked exactly like a real Bloomberg page, even to the point of including other links that took the reader back to the real Bloomberg service, it was, in fact, bogus and the story of the merger was false. Because the message was posted early East Coast time, no one could reach PairGain for comment because of the time difference. No one could reach the Israeli company because it was an Israeli holiday. In just two hours, the false news triggered a buying spree -- PairGain stock rose over 31% on NASDAQ with ten times its normal volume. When the hoax was exposed the stock fell, causing thousands of victims to lose substantial amounts of money.

Almost immediately after the hoax was discovered, the USAO in Los Angeles and the Los Angeles division of the FBI began to investigate. The traditional side of the investigation, coordinated with the Securities and Exchange Commission (SEC), looked for unusual trading activity in PairGain stock to see who stood to profit from the hoax. This proved to be a dead end. Meanwhile, the cyber side of the investigation started examining the electronic footprints. In less than a week, the perpetrator was tracked and arrested.

The cyber investigation focused on messages posted to Yahoo! and on the bogus Bloomberg web page. The Yahoo! messages were unrevealing, containing screen names such as "Stacey LTN" that were clearly false. Examination of the bogus web page revealed it was hosted on an Internet web hosting service named Angelfire. Angelfire is a free service that allows users to create their own web pages, asking only that they provide subscriber information and an email account so that a password can be emailed to the user. Subscriber information, usually obtained by a subpoena, was unhelpful. Angelfire does not validate this information and the user provided obviously false information -- listing his first name as "headlines" and last name as "99." The email account provided to Angelfire was a Hotmail account. Hotmail is another free service that does not validate user information. Not surprisingly, the information provided by the target to Hotmail was also false. The perpetrator had tried to cover his tracks by falsifying his identity and, at first blush, had apparently succeeded. Nevertheless, because of the technical expertise of the agent and the prosecutor, additional material was sought from Angelfire and Hotmail that proved to be a gold mine of evidence. Both Hotmail and Angelfire maintained logging information pertaining to the use of their services. This information is ordinarily obtained using a specialized court order under 18 U.S.C. § 2703(d). This court order is also called an "articulable facts" order because it must be based on articulable facts that the evidence is relevant to a criminal investigation. (See generally Computer Crime and Intellectual Property Section, United States Department of Justice, Searching and Seizing Computers and Obtaining Evidence in Criminal Investigations (2001), for further discussion of § 2703 and other legal requirements for obtaining electronic evidence.)

Unbeknownst to the target, Angelfire logged the Internet Protocol ("IP") number of the computer accessing it every time the target logged on to Angelfire to create or modify the bogus Bloomberg page. An IP number is a unique identifier for every computer connected to the Internet. An IP number can be either static or dynamic. A static IP is usually connected with a computer that is always on and directly connected to the Internet, such as company or university computers. A dynamic IP is usually one drawn from a block held by an Internet Service Provider ("ISP") such as America Online or Mindspring. In the case of a dynamic IP, the IP number is assigned to a user when he or she dials into the ISP through a modem and is unique to that user for that particular session. When the user signs off, the IP number is assigned by the ISP to a new user. Angelfire logs showed that the target accessed his account 11 times in the month and a half prior to the date the false page was sprung on the Internet. These accesses came from several different IP numbers. By looking these numbers up in publicly available listing services, it was determined that the numbers corresponded to computers at PairGain (static IP numbers) and at Mindspring, a large ISP (dynamic numbers). Hotmail also maintained logs, which indicated accesses to the Hotmail account used to set up the Angelfire account. Again the logs showed accesses from PairGain and Mindspring.

For a number of reasons, including uncertainty as to whether the target was a PairGain employee, possibly in a position to destroy data on learning that law enforcement was on his trail, the company was not initially approached. Rather, a careful list of IP numbers, dates, and exact times was presented to Mindspring with a request (pursuant to subpoena) to identify the user account that made the accesses to Angelfire and Hotmail. The account was identified in every instance as the "ghoke" account. This did not necessarily mean that the owner of this account was responsible, because the account could have been hacked or used without the user's permission. Nevertheless, Mindspring had additional logging information called "radius logs" that, on each occasion, identified the phone number used to dial into Mindspring's service. These caller-ID type logs indicated that the calls were placed from a phone belonging to Gary Hoke, a PairGain employee in a Raleigh, North Carolina branch office, and the owner of the "ghoke" account on Mindspring. This, of course, provided probable cause to believe that evidence of the crime was at Hoke's residence. Through close cooperation of FBI agents in Los Angeles and Raleigh and AUSAs in those jurisdictions, a search warrant was obtained. The search turned up a laptop that contained portions of the fake Bloomberg web page, despite the defendant's attempts to erase the data following the news reports of his misdeeds. The defendant, Gary Hoke, later pled guilty to securities fraud.
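The attribution chain described in the two paragraphs above, worked over constructed records as an added illustration (this is not code or data from the case or the original article): a web host's access log yields a timestamp and IP number, a registry-style lookup separates static blocks from an ISP's dial-up pool, and the ISP's RADIUS accounting log resolves a pool address at that instant to an account and caller ID. All addresses, account names, phone numbers and times are constructed placeholders.

```python
import ipaddress
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed sample data (not from the case): the UTC time and source IP the
# web host logged for each login to the hosting account.
HOST_ACCESS_LOG = [
    ("1999-03-02 14:05:11", "198.51.100.23"),
    ("1999-03-20 02:41:07", "203.0.113.77"),
    ("1999-03-20 03:30:00", "203.0.113.77"),
    ("1999-04-01 23:12:50", "203.0.113.91"),
    ("1999-04-03 10:00:00", "203.0.113.5"),
]
# Constructed stand-in for a public registry lookup: address blocks that are
# statically assigned to a named organisation.
STATIC_BLOCKS = {ipaddress.ip_network("198.51.100.0/24"): "Example Corp"}
# Constructed ISP RADIUS accounting records: which pool address each dial-up
# session held, for what window, under which account, from which caller ID.
RADIUS_SESSIONS = [
    {"start": "1999-03-20 02:30:00", "stop": "1999-03-20 03:10:00",
     "ip": "203.0.113.77", "user": "userA", "caller_id": "919-555-0101"},
    {"start": "1999-03-20 03:15:00", "stop": "1999-03-20 04:00:00",
     "ip": "203.0.113.77", "user": "userB", "caller_id": "919-555-0150"},
    {"start": "1999-04-01 22:50:00", "stop": "1999-04-02 00:05:00",
     "ip": "203.0.113.91", "user": "userA", "caller_id": "919-555-0101"},
]

def attribute_access(ts, ip, blocks=STATIC_BLOCKS, sessions=RADIUS_SESSIONS):
    """Resolve one logged (time, IP) pair to a static organisation, or to the
    dial-up account and caller ID that held the pool address at that instant."""
    when = datetime.strptime(ts, FMT)
    addr = ipaddress.ip_address(ip)
    for net, org in blocks.items():
        if addr in net:
            return {"kind": "static", "org": org}
    # A pool address is reused across sessions, so the timestamp must fall
    # inside the session window; matching on IP alone names the wrong user.
    for s in sessions:
        start, stop = datetime.strptime(s["start"], FMT), datetime.strptime(s["stop"], FMT)
        if s["ip"] == ip and start <= when <= stop:
            return {"kind": "dynamic", "user": s["user"], "caller_id": s["caller_id"]}
    return {"kind": "unresolved"}

def accounts_seen(log):
    """Distinct dial-up accounts behind the log; one account recurring across
    several pool addresses is the pattern that justifies the next request."""
    results = [attribute_access(ts, ip) for ts, ip in log]
    return sorted({r["user"] for r in results if r["kind"] == "dynamic"})
```

The third log entry shows why exact times matter: the same pool address resolves to a different subscriber twenty minutes later, and a request to the ISP that omitted the times would produce an ambiguous or wrong answer.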

Although Hoke intended to trade in PairGain stock, he got "cold feet" and never capitalized on the hysteria he created. Accordingly, traditional investigative methods alone would never have succeeded. Had the investigation not moved swiftly, the cyber trail would also have been unavailing. Although Angelfire, Hotmail, and Mindspring all had very useful logging information, that information is only held for a short time. Title 18 U.S.C. § 2703(f) provides that such services can be requested to freeze relevant logging and other information for a period of ninety days (extendable for another ninety days) while legal process is obtained. Yet, even using this section, unless the logs are obtained promptly, the next link in the chain (here Mindspring) might not be discovered until after the relevant logs are no longer available. This emphasizes the need for the prosecutor and agents to work as a team and to know what types of electronic evidence might exist and how to obtain that evidence.

Another Internet stock manipulation case illustrates the value of combining cyber and traditional investigative methods. Following Gary Hoke's arrest, many people were surprised by the logging information that was available. Some mused that a criminal could evade apprehension if he used computers that were difficult to trace to a particular individual, such as the public computers at a library or Internet café. This is precisely what happened in the investigation of the manipulation of NEI Webworld stock. In that case, the defendants bought a large volume of a bulletin board stock that traded for between thirteen and fifteen cents during a two-week period. After the market closed on Friday, they sent out hundreds of messages on hundreds of Internet bulletin boards reporting a merger and the promise of huge profits. On Monday, based on orders placed by those who believed the fake postings over the weekend, the stock rose to fifteen dollars a share before plummeting to less than a quarter. Again the FBI and SEC rapidly began to trace the Internet postings. This time, however, the trail led to public computers at a University of California at Los Angeles library. Now traditional techniques made the difference. Following the money trail revealed that only four individuals bought the stock in the week preceding the scam. All, conveniently, sold their holdings on Monday, reaping huge profits. A security camera video from outside the library showed the individuals entering the library during the period the fraudulent posts were made. The FBI also approached one of these individuals, then a UCLA student, and he agreed to cooperate and to wear a wire. That led to a number of incriminating statements cementing securities fraud charges and eventual guilty pleas against Arash Aziz-Golshani and Hootan Malemed.

As in PairGain, speed and coordination (both between agents and prosecutors and between criminal authorities and the SEC) were keys to a successful outcome. Knowledge of cyber tracking methods also played an important role, both in the investigation and in making sense of the false postings that constituted the bulk of the evidence. Accordingly, both prosecutors and agents interested in doing these cases should seek out specialized training. The National Advocacy Center offers several basic computer crime courses each year that provide a good foundation in the law and technology of network investigations. The CCIPS web site, www.cybercrime.gov, contains a wealth of information, including a comprehensive manual on obtaining electronic evidence (soon to be published by the Office of Legal Education). Also, AUSAs should avail themselves of the expertise of the CTCs in their offices. For those armed with this expertise, Internet cases, while challenging, are rewarding and send a strong deterrent message that law enforcement is on the Internet beat.

ABOUT THE AUTHOR

Christopher M.E. Painter is a Deputy Chief of the Computer Crime and Intellectual Property Section at the Department of Justice. From 1991 to March 2000, Mr. Painter was a criminal prosecutor in the U.S. Attorney's Office for the Central District of California (Los Angeles). Since taking that post, Mr. Painter specialized in the investigation and prosecution of high-tech, intellectual property and computer crimes and served as a Computer Crime and Internet Fraud Coordinator for his office.

Mr. Painter has investigated and prosecuted some of the most significant and high-profile high-tech cases in the country, including the prosecution of notorious computer hacker Kevin Mitnick; the prosecution of the first Internet stock manipulation case, involving the posting of a bogus Bloomberg News page falsely reporting the sale of a company called PairGain that caused its stock to soar; the prosecution of another Internet stock manipulation case, involving former and present UCLA students who hyped stocks on Yahoo by posting false spam messages; and the prosecution of one of the first Internet auction fraud cases. Mr. Painter co-chairs an ABA subcommittee concerning high-tech crimes and serves on several Department of Justice and interagency working groups relating to computer and Internet hackers, Internet fraud investigations and prosecutions, electronic evidence, intellectual property crimes, and thefts of trade secrets. He has frequently lectured to private groups and at the National Advocacy Center, appeared on 60 Minutes, CNN, CBS Morning News, and the BBC, and has testified before Congress concerning computer crime issues.




Updated page April 16, 2003