Some perpetrators of online crime and fraud don’t use advanced methods to profit at the expense of unsuspecting victims and to avoid getting caught.
While a lot of media coverage centers on how threat actors are becoming better at evading capture and generally deploy ever more sophisticated techniques, I wanted to tell a story where one criminal in particular was anything but sophisticated.
Before I joined ESET, I spent 14 years working in the UK police force working predominantly in the Cyber Crime Unit and the Digital Forensics Unit (previously known as the High-Tech Crime Unit. My job in this unit was to locate any sort of evidence left on digital devices, from laptops to phones, in order to then present such evidence in a report to the judge, jury and court. I would use a variety of forensic tools and have to find evidence that would support investigations from fraud to murder.
Back in 2011 I needed to buy a laptop but decided to purchase a second-hand one using eBay. As always with any new purchase, I conducted lots of research and knew what I wanted beforehand. I found an HP laptop that I wanted being sold on the site by a seller who had a good seller rating and had sold similar laptops and gadgets in the recent past. I placed my bid and came out on top winning the item for a little over £210. I paid by PayPal for ease of use and added security and entered my delivery address.
Due to the fact I was in the office between 0800 and 1700 during the week, I used the police station as my delivery address so deliveries could be signed for easily by the front desk. Furthermore, I liked using the police station as my corresponding address just in case I was ever dealing with a criminal and therefore, I assumed this particular address of the law would somewhat put anyone off sending out stolen goods. Especially as my address looked like this with the words “High-Tech Crime Unit” in there:Mr J Moore 6408
High-Tech Crime Unit
Ferndown Police Station
Oh, how wrong I was!
A few days later I received a phone call from the station reception stating they had just signed for a package in my name. I nipped down to collect it and there was a brown package, badly taped together with a poorly scribbled name and address on it. I quickly opened it up and true to the seller’s word, there was the HP laptop inside, as advertised. Phew. No bricks.
I then proceeded to turn on my new device only to be met with the following log on screen for a “sarah”.
Initially, I checked the advert again to see if I had missed anything. Maybe I had not seen that the wording in the description had stated that I would be met with this situation. Nope.
I then checked the seller’s name again to make sure he wasn’t called Sarah – although he could have been selling it on behalf of a Sarah – so I decided to contact him via eBay to check if he was sure that he had sent me the correct item. I was met with silence.
It then dawned on me that this laptop could in fact be stolen. But surely no one would send a stolen laptop to the “High-Tech Crime Unit” at a police station?! Sophisticated? I thought this required more digging.
RELATED READING: Common eBay scams and how to avoid them
At my disposal I had various tools to look at computers forensically, so I decided to investigate my new laptop. I removed the hard disk drive and plugged it into my workstation via a Tableau Forensic Bridge (Guidance Software) to preserve the evidence and effectively triage the drive. I used the digital forensics software EnCase, which easily enabled me to view the folder structure including all the documents and files. I was also able to bypass Windows 7 passwords by imaging the drive.
I went to the “Documents” folder and searched for any clues as to who the laptop really belonged to. I soon located a few Word documents relating to a Sarah but when I found her CV, I was able to locate more information on her. In her CV was her address and mobile number. Her address was not too far from the seller’s address, so this still stood up to the possibility that he was selling it on behalf of someone, but I felt compelled to check with her as I now had her phone number.
I rang the phone number and a very quaint, shy voice answered. I immediately told her my name and where I was from and asked her not to panic. She told me that her name was Sarah and that she did indeed live where her CV stated. I asked her if she had recently sold or lost any items to which she replied by telling me her house had been broken into a month ago and her laptop, digital camera and jewellery were all stolen. I asked her to best describe her laptop and of course I was staring right at it. She was naturally relieved to know she would get it back and I said I would arrange for it to be reunited with her after I had gone through the right channels.
As this laptop had been stolen in another county about 100 miles away, I contacted my counterparts in Wiltshire Police and told them the events of the last few hours. They were clearly excited to know how by sheer luck I had stumbled upon this laptop and then they asked me for the seller’s address. I forwarded all my information and the next morning a team was deployed to arrest the occupiers of the address I had given.
At the address, police found not only Sarah’s camera and jewellery, but one of Wiltshire’s most prolific handlers of stolen goods surrounded by what was described as a “treasure trove” of the county’s stolen goods from months of burglaries.
I also contacted eBay and within a month I was reimbursed on PayPal for the mishap. After this escapade, I also decided to buy a brand new laptop from another retailer. However, every time I hear of “sophisticated” cybercriminals I now also think of this story.
written by Jake Moore, ESET We Live Security