Threat Management, Network Security

Law enforcement of cybercrime: Bringing justice


Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, wants to pursue small-time cybercriminals, reports Dan Kaplan.

Like many IT practitioners, one of Gary Warner's first professional encounters with cybercrime came in the form of a fairly benign website defacement – specifically, bouncing pumpkins.

It was October 2000, days before Halloween, and Warner was the IT director of Energen, an Alabama-based oil-and-gas company. A cyber vigilante, wishing to drum up support for Napster, then a free file-sharing service being sued by rock band Metallica for copyright infringement, hacked into a bill-paying website belonging to one of Energen's subsidiaries. The intruder posted images of bouncing pumpkins and scrawled the message: “Boycott Metallica. Napster Rules.”

Clean-up wasn't difficult, and Warner and his team promptly restored the web page to its original state. But Warner felt violated and desired justice, so he phoned the Birmingham police.

“The hacker didn't do any damage, other than some graffiti,” he recalls. “Hardly anyone saw it. I think seven people visited the site when it was defaced. But it was the principle.”

The local authorities, not familiar with how to probe such a crime, instructed Warner to call the FBI. The feds, though, also declined to investigate because Energen wasn't a government agency, government contractor or financial institution – therefore the offense wasn't covered under the federal computer crimes statute.

Warner (right) took the case on himself. First, he visited, a website that documents website defacements, which enabled him to track down other organizations that had fallen victim to the identical attack. He asked them for their web log files, which he used to confirm that the hacks emanated from the same IP address. Armed with this information, Warner next contacted the intruder, who, in an apparent gesture of appreciation for Warner's cunning detective work, voluntarily instructed Energen on how to fix the underlying bug that enabled the defacement. Then Warner called the authorities, who were more receptive this time around. The perpetrator was later prosecuted in California and received a prison term.

Warner and his gumshoe tactics may have been ahead of their time, but little has changed a decade later on the cybercrime investigatory front. Sure, law enforcement is more aware of threats, laws have been created or strengthened, and major cybercriminal busts are becoming common headlines. Yet, at the local and state levels, knowledge and capabilities needed to bring electronic fraudsters to justice are severely lacking.

“There is a known issue in the cybercrime space that when things are too small, nobody pays attention to it,” says Alexander Southwell, a partner at the law firm Gibson, Dunn & Crutcher, and a former cybercrime prosecutor in the Southern District of New York. “There is just so much of it out there, and the state and local [police] don't have experience to deal with it.”

But in one southern state, that's all about to change. Warner, 43, who left Energen three years ago to join the University of Alabama at Birmingham (UAB) as the director of research in computer forensics, is leading the launch this fall of a new initiative that he hopes will both empower residents of the Yellowhammer State and lead to the imprisonment of cybercriminals who may have up until now evaded the long arm of the law.

A first-of-its-kind undertaking, Operation Swordphish unites university researchers with local and state investigators. The goal is to investigate only those computer-based financial crimes – reported by Alabama residents or businesses – that have fallen below the federal threshold, usually because they didn't amount to enough money in damages or lacked high-profile appeal.

“[Federal authorities] are primarily tasked with national security, cyberterrorism and counterespionage,” Warner says. “Most of the cybercrime fighting is about keeping terrorists and spies out and protecting the intellectual property of classified contractors or working on behalf of multibillion dollar cases. The question is: ‘Who's taking care of the guy who had 600 bucks ripped off on eBay?' And the answer is: nobody.”

How will it work
Nearly 7,000 cybercrime cases go uninvestigated in Alabama each year because they simply are too small for federal involvement, according to legislation that appropriated $1.6 million in federal grant money for the project (another $3 million was slated for the fiscal year that began last month).

“If someone comes to your house and steals something from you, you call the police and you expect it to be investigated,” Warner says. “But if someone breaks into your bank account, the bank will give you your money back, and nobody is going to investigate it.

“You talk to a U.S. attorney, and they say, ‘As long as my courtroom is filled up with murderers and arsonists, I don't care if I ever work a cybercrime case,'” he adds. “I've had that one said to me.”

Operation Swordphish is a partnership that brings together computer forensic experts at UAB, the Alabama Department of Public Safety, the Alabama district attorney's office and the Alabama Fusion Center. The goal is to educate state residents on how to properly report crimes, aggregate cases to identify patterns among the complaints (a bunch of $50 losses can lead to a case), and provide law enforcement and prosecutors with the tools and training necessary to capture and prosecute the offenders.

“The public doesn't know how to report data,” says Warner. “But another problem is state and local [authorities] don't know how to work cybercrime.”

UAB will leverage its forensic lab team, consisting of mostly graduate and undergraduate students, who will review incoming complaints. It also will put to use the technology at its disposal, including its massive phishing database, which contains some 80,000 confirmed fraudulent sites, and its Spam Data Mine, which traps about one million pieces of unsolicited mail per day.

If ad-hoc cases in the past are any clue, the students will provide big help. In a recent case in Missouri, police were investigating a botnet. To help, one of Warner's students wrote a script that enabled authorities to crawl through 4,000 AOL chat logs to pull out only the pertinent information.

If successful, Operation Swordphish will force investigators to view cybercrimes as a different animal from the physical incidents they are used to probing. “They're not thinking of law enforcement problems as computer science problems,” Warner says. “That's a huge difference.”

Operation Swordphish mostly will concentrate on cases in which the perpetrator is an Alabama resident or the victim is a corporation based there, Warner says. Part of the funds will pay for a “roving” cybercrime prosecutor who will take on cases no matter which district in Alabama they fall under.

Bill Burch, director of corporate security at Regions Bank, based in Alabama, believes the initiative will compel law enforcement to investigate online banking fraud. And using the data culled from the probes, the project will deduce new methods being employed by cybercrooks, he predicts. In turn, this will lead to new warnings for corporations and additional countermeasures they can implement to protect themselves.

Burch adds that the project will help to eliminate “venue issues” related to which jurisdiction should take the lead on cases. “We plan on referring cases to Swordphish as our payment center is located in Alabama,” Burch says.

In the instances where individual victims are duped by someone from outside the state, the partnership will facilitate investigations by outside jurisdictions, Warner says.

“Our role will be that we help the local victim to document their case in a way that assists federal authorities,” he says. “In other cases, the state-to-state partnership will come into play. Local [police] on the receiving end of our documentation may get the bust in their jurisdiction, but we would hope to [extradite], when appropriate, to Alabama.”

While many of the complaints will be related to one-off phishing and other email-based crimes, the initiative could help crack some major cases, possibly involving terrorism, predicts Mark Rasch, former head of the U.S. Department of Justice Cybercrime Unit.

“If you are the Taliban and you want to engage in cyberwarfare, you're going to first put your toe in the water,” says Rasch, now director of privacy and cybersecurity consulting at CSC, a technology solutions and services provider. “A lot of the activity that you see is low-level, low-hanging fruit attacks that may actually be a precursor for a much larger attack.”

Complements federal efforts

The Internet Crime Complaint Center (IC3), a partnership between the National White Collar Crime Center and the FBI, serves as the nation's clearinghouse for cyber complaints.

The center accepts the complaints – 336,000 last year – reviews them and then refers those that have a monetary loss and identifiable jurisdiction to either local, state, federal or international agencies. Victims have reported incidents ranging from spam to computer intrusions and child exploitation.

While the goals of the IC3 are similar in scope to those of Operation Swordphish, IC3, because of its size and limitations, is unable to offer as much.

“We can provide [police] with additional information, but we don't have the ability to speed up the investigation for them,” says Charles Pavelites, a supervisory special agent at IC3. “It appears [Alabama] is trying to get a coalition of local resources to try and get a better response and a better ability to investigate the smaller crimes, which is obviously going to be beneficial.”

Key to Alabama's efforts will be citizen awareness. The university will work to develop public service announcements that are slated to appear on billboards, radio and television, informing residents of which information – such as the email header – they must include in their complaints to be taken seriously, Warner says.

That will help UAB students and staff better analyze the potential cases. And experts say the college may get a positive response from the public, especially because individuals and organizations typically feel more comfortable dealing with a university than a government or law enforcement agency.

“Almost without exception, when a small- or mid-sized business, and even in most cases large businesses, are victims of any kind of computer crime, they have no idea who to call,” Rasch says. “You need someone who can act as a trusted adviser.”

Warner says he expects efforts at Operation Swordphish to evolve to the point where state lawmakers can use the information obtained to devise an updated computer crime law. He also predicts that other states will create similar initiatives.

“We really think this could be duplicated out to other states,” Warner says. “That's the intention.”

Alabama is no stranger to being on the leading edge of cyber investigations. Three years ago, the National Computer Forensic Institute opened in Hoover, about a 15-minute drive from UAB's campus. The institute, the brainchild of Randy Hillman, executive director of the Alabama District Attorney's Association and a partner in Operation Swordphish, was designed to train local law enforcement from around the country.

For Warner, like Hillman, helping the police and prosecutors bring criminals to justice is now his career mission.
“That's why I'm here,” says Warner, who runs a blog aptly named Cyber Crime and Doing Time. “I want to provide law enforcement with the tools and techniques to make the bad guys go to jail.”


Investigations:By the numbers

1 in 7
The number of fraud cases reported to enforcement or regulatory agencies.
5 to 10
Number of new jobs expected to be
created by Operation Swordphish.
The percentage of the FBI's 12,000 agents dedicated to cybercrime investigation.
Number of cybercrimes in Alabama that go unprosecuted because they don't meet the federal threshold.
$3 million
Amount of federal funding that Swordphish is slated to receive in the fiscal year that began last month.
Sources:; 2009 IC3 Internet Crime Complaint; UAB

Follow Dan Kaplan on Twitter at @dankaps.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.