Chapter 6. PayPal

The quantity of data obtained by the FBI was immense. As Norm Sanders, the Seattle FBI CART (Computer Analysis and Response Team) examiner, Marty Prewett, Mike Schuler, and Steve Schroeder began examining the downloaded data, they found a nigh-overwhelming array of evidence. In their personal accounts on the Russian computers, Gorshkov and Ivanov had numerous computer hacking tools such as programs, “scripts,” and computer code, which were used to compromise or gain control of computers and computer networks in a variety of ways. Among other things, the tools were designed to scan computers and networks for vulnerabilities, exploit those vulnerabilities to obtain users’ passwords and to gain complete control of the computers, decipher or crack encrypted or encoded passwords, and convert the compromised systems into relays or “proxies” that allow the hackers to mask their identities on the Internet. Many of these tools were found on Ivanov’s seized Toshiba laptop computer, as well.

The National Infrastructure Protection Center Offers Its Help

FBI headquarters and the FBI-centered National Infrastructure Protection Center (NIPC) offered their support, and the investigation team gladly took them up on the offer. Mike Schuler and Marty Prewett sent copies of the downloaded data to Washington D.C. and, within a short period of time, the trial team began receiving analyses. Because the bureaucracy can be cumbersome and unresponsive, the promptitude and meticulous nature of the analyses and reports was gratifying. The original trial date for Gorshkov had been set for the end of April, and the Seattle team was feeling a great deal of pressure to winnow out the kernels of essential evidence to be presented to the jury.

Late that winter, FBI headquarters arranged for its expert analyst to fly to Seattle and explain his findings and conclusions. Among other things, he had written a program to identify credit card account numbers located on the systems and preserve the file tree location for each one. When the analyst arrived, Steve, Marty, and Mike were favorably impressed. He was very bright, knowledgeable, and articulate. He was also very likeable, and he had the knack—rare among technical experts—to explain how he had reached his conclusions. In short, Steve knew that he would be a formidable and believable witness and looked forward to putting him on the witness stand. The only odd thing was that he had traveled to Seattle with two FBI Special Agents who, seemingly, never left his side. Steve also learned that the analyst was not an FBI employee but did work for the FBI under a contract. For purposes of this narrative, I will refer to this gentleman as Fred, which, of course, is not his real name.

Over the ensuing weeks, Fred continued his analysis of the data and sent prompt, thorough, and clear reports to Marty and Mike. Needless to say, his stature continued to grow in the eyes of the members of the trial team. He made at least one other (accompanied) visit to Seattle, during which he continued to impress. Two or three weeks prior to the trial date, Steve called FBI headquarters to make arrangements for Fred to come back to Seattle for trial preparation and testimony. Early in the conversation, the FBI supervisor said to Steve: “You know, of course, that Fred cannot testify.” Steve’s response was, “What are you talking about?”

The FBI supervisor then explained that Fred’s primary duties were in the intelligence field, and that he spent most of his time analyzing electronic data relating to domestic intelligence and counterintelligence. The FBI could not allow him to testify in a public trial, where he might be subject to cross-examination about his duties, training, and activities. Suddenly, the omnipresence of the two attendant handlers made sense to Steve. Fred was a man who knew too much.

Exasperated that he had not been warned of this reality, Steve rather querulously pointed out that the trial was mere weeks away and asked what he was supposed to do for an expert witness. The response of the FBI supervisor exposed his background in intelligence where the rules of evidence do not apply. “Can’t someone else,” he asked, “simply testify about what Fred found?”

“No,” Steve replied, and then explained. In the criminal justice system, an expert witness is expected to state conclusions and opinions, and must be able to explain how those conclusions and opinions were reached. This was a classic example of the uncomfortable interface between the intelligence community and the criminal justice system. The first gathers information that is classified and, as a general rule, is never publicly exposed. The latter gathers evidence that is to be fully exposed in a public and transparent proceeding. The first is, of necessity, jealously protective of its sources and methods. The latter exposes its sources and methods to full scrutiny and cross-examination in a public forum. In any event, the FBI was unwilling to expose Fred in a public criminal trial for fear that intelligence programs might be compromised.

Floyd Short and Phil Attfield Join the Team

With the original trial setting only weeks away, Steve and the FBI agents working on the case were in a tight place. Steve had recently recruited a colleague, Floyd Short, to help on the case. Floyd Short was a tall, good-looking young man with a chiseled countenance and an impressive academic record. He had received a B.A. in Political Science from Williams College, graduating magna cum laude with highest honors in 1985. In 1990, he received his J.D. from Yale Law School, where he had been Editor of The Yale Law Journal. He then clerked for a year for Betty B. Fletcher, a Judge on the Ninth Circuit Court of Appeals in Seattle. After working for a local law firm for three years, Floyd joined the Seattle U.S. Attorney’s office as an Assistant United States Attorney. Once there, he soon gravitated toward computer crime cases and became that office’s second member of the national Computer Crime program.

Once assigned to the case, Floyd hit the ground running and promptly got a hold of Kirk Bailey, the enthusiastic and multi-talented head of the Agora, explained the situation, and asked for Kirk’s help in finding a local expert. The Agora, named after the ancient Greek public space used for meetings and assemblies, is a network of computer security professionals in the Pacific Northwest, who work both in private enterprise and in Government. It meets quarterly in Seattle and provides a forum where like-minded IT professionals can exchange information in confidence. The brainchild of Kirk Bailey, the Agora has, over the years, proven to be an invaluable asset to the community. In this instance, it saved our bacon, because Kirk knew a guy who might be able to help out.

The guy was Phil Attfield, who was then the chief researcher for the Boeing Company in the area of computer and network security. Phil’s job at the Boeing Company was to evolve strategies for computing and network security in an environment that required collaboration with a far-flung network of business partners and contractors who had to share access and information in order to conduct research and business. The job was complex due to the need to share information with collaborators, but, at the same time, strictly limit access to data on a need-to-know basis. The system needed to have audit capabilities built-in so that the company could contemporaneously determine that each system was accessed with appropriate authorization by the right person.

Phil had an impressive background, starting with both a bachelor’s and master’s degree in electrical engineering from Queen’s University in Kingston, Ontario, Canada. Phil had worked in the research division of Northern Telecom in Ottawa, developing software to automate the design of chips used in telephone equipment. He also had worked with Digital Equipment Corporation, helping to develop secure computer environments for use by the Canadian lotteries as well as the Canadian military. Then, Phil and some partners formed Signal Nine Solutions and developed a firewall and security package for PCs. In 2000, that company was sold to McAfee, the company best known for its anti-virus software.

For several years, Phil had also been a facilitator to the G8’s conference on crime in cyberspace. As such, he chaired discussions on the international aspects of auditing, tracking, and preserving data that constituted evidence of computer crime. Membership in the “Group of Eight” or G8 includes most of the world’s largest democratic economies (France, Germany, Italy, Japan, the United Kingdom, the United States, Canada, and Russia). Recommendations from the group that Phil facilitated often became the genesis for legislation back in the individual member nations.[1]

Once Floyd contacted Phil and asked for his help, the Boeing Company generously offered to make him available without charge. There is, however, an obscure statute on the books that prohibits Government employees from accepting gifts of services to the Government.[2] Intended to protect Government employees from being coerced into “donating” overtime, the statute was interpreted by the Department of Justice as prohibiting the acceptance of Boeing’s offer. Consequently, the U.S. Attorney’s office in Seattle would have to hire and pay Phil as an expert. This triggered further complications because Phil was a citizen of Canada and could not work in the United States without the specific authorization of what was then the Immigration and Naturalization Service (the permission that Phil had received in order to work for Boeing was not broad enough to allow him to work as a contractor for the Government). Steve then began the rather arcane and protracted process of obtaining the proper permissions. In the meantime, Boeing agreed to let Phil take a leave of absence while he worked on the case.[3]

Once on board, Phil jumped into the case with both feet. He met with Floyd, Steve, and the FBI agents and received four CD-ROMs containing some 2.5 gigabytes of highly compressed data that had been downloaded by Mike Schuler and Eliot Lim from the two Russian computers, tech.net.ru and freebsd.tech.net.ru. An initial (and major) task was to reconstruct the file systems as they existed on the two Russian machines. The machine called tech.net.ru operated on a Linux operating system, while freebsd.tech.net.ru ran on BSD Unix, and Phil knew the default locations of various files on both of those types of systems. In addition, Phil had copies of all of the logs that the systems had generated during the downloads and was able to use those logs to determine the original location and size of the downloaded files. From the file attributes, Phil was also able to establish the ownership[4] and control of the files (that is, which account on the system had been used to create and control each file) as well as which users had what privileges on the systems.[5]

Phil was able to determine from the download logs that some 40,000 files had been successfully copied without alteration. Although two files had been altered by Mike Schuler’s initial efforts to use FTP, those files (wininfo.exe and valleynational.txt) played no role in Phil’s reconstruction of the systems. The “tar” command used by Eliot Lim in conjunction with the FTP command had preserved the permissions or ownership, the creation date for each file, as well as the complete path to where the files were located on the target systems. One of the tarred files from the kvakin_nt directory on freebsd.tech.net.ru, however, was truncated during the transfer, resulting in the transfer of 240 megabytes of a file that contained approximately 320 megabytes of data. Phil was able to determine, however, that the information that was successfully transferred was intact. Finally, internal references from the downloaded files indicated the presence on the systems of two databases called mm and mm1. Those databases had not been downloaded.[6]

User Accounts Are Scrutinized

Phil examined the password file from the tech.net.ru system and noted a number of user accounts, including ones for subbsta, Ivanov’s known username, and one for kvakin with the name “Vasily Gorshkov” following. The results of Phil’s reconstruction for tech.net.ru were illustrated in the exhibit shown in Figure 6.1.


Figure 6.1. Government’s Exhibit 101. Diagram of tech.net.ru.

Similarly for the freebsd.tech.net.ru machine, Phil determined from the password file that this computer had four user accounts, including subbsta, further identified as “Alexey Ivanov,” and kvakin, identified as “Vasily Gorshkov.” The password file’s contents were as follows:

subbsta:*:1000:0:Alexey V. Ivanov:/home/subbsta:/bin/csh
kvakin:*:1001:0:Vasily V. Gorshkov:/home/kvakin:/bin/csh
undoer:*:1002:0:Sergey A. Suhorukov:/home/undoer:/bin/csh
deniz:*:1003:0:Deniz B. bukharov:/home/deniz:/bin/csh

Phil also recreated the directory tree for freebsd.tech.net.ru, which is shown in Figure 6.2.


Figure 6.2. Freebsd.tech.net.ru directory tree.

From the messages file on freebsd.tech.net.ru, and the bash history file on tech.net.ru, Phil could determine that kvakin and subbsta each had root access on both machines, because both accounts had successfully executed “su” (switch user) commands to become root users. A user with root access, of course, could access any file on the system, as well as other accounts.[7]
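The account and root-access reconstruction just described, written out as an added example (not Phil Attfield’s or the Government’s own tooling): it parses constructed passwd entries in the seven-field format shown above and constructed messages-log lines in the BSD su(1) wording, then reports which accounts became root. Names, log lines and timestamps are all constructed.

```python
"""Reconstruct which password-file accounts gained root from the passwd file
and the su entries in the messages log, as the chapter describes.
Added example, not the case's own tooling; the passwd text and log lines
below are constructed (the log lines follow the BSD su(1) syslog wording)."""
import re

# Constructed 7-field passwd entries: name:password:uid:gid:gecos:home:shell
PASSWD_SAMPLE = """\
root:*:0:0:Charlie &:/root:/bin/csh
alpha:*:1000:0:Alpha Example:/home/alpha:/bin/csh
bravo:*:1001:0:Bravo Example:/home/bravo:/bin/csh
charlie:*:1002:0:Charlie Example:/home/charlie:/bin/csh
"""

# Constructed /var/log/messages excerpt; "BAD SU" marks a failed attempt.
MESSAGES_SAMPLE = """\
Jun  3 02:11:40 host su: alpha to root on /dev/ttyp0
Jun  3 02:12:07 host su: BAD SU charlie to root on /dev/ttyp1
Jun  3 04:45:19 host su: bravo to root on /dev/ttyp2
Jun  4 01:02:03 host su: alpha to root on /dev/ttyp0
Jun  4 01:09:55 host sshd[412]: Accepted password for charlie from 192.0.2.9
"""

SU_RE = re.compile(r"\bsu: (?P<bad>BAD SU )?(?P<user>\S+) to (?P<target>\S+) on (?P<tty>\S+)")


def parse_passwd(text):
    """Parse passwd lines into {name: fields}; a line without exactly seven
    colon-separated fields is rejected rather than silently guessed at."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd entry: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        accounts[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                          "home": home, "shell": shell}
    return accounts


def su_to_root(messages, accounts):
    """Count (successful, failed) su-to-root attempts per known account,
    ignoring su lines for names absent from the password file."""
    counts = {name: [0, 0] for name in accounts}
    for line in messages.splitlines():
        m = SU_RE.search(line)
        if not m or m["target"] != "root" or m["user"] not in accounts:
            continue
        counts[m["user"]][1 if m["bad"] else 0] += 1
    return {name: tuple(c) for name, c in counts.items()}


def accounts_with_root(messages, accounts):
    """Names that either are uid 0 outright or successfully became root."""
    counts = su_to_root(messages, accounts)
    return sorted(name for name, info in accounts.items()
                  if info["uid"] == 0 or counts[name][0] > 0)


if __name__ == "__main__":
    accts = parse_passwd(PASSWD_SAMPLE)
    print(su_to_root(MESSAGES_SAMPLE, accts))
    print(accounts_with_root(MESSAGES_SAMPLE, accts))
```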

It is an axiom of trial practice that charts and graphs ought to be kept simple. If they are too busy, the jurors simply swim aimlessly in the overwhelming sea of information. As the proverb states, however, it is the exception that puts a rule to its proof, and this chart was such an exception. Figure 6.3 demonstrated that Gorshkov, as user kvakin, had unlimited access to an enormous quantity of files and programs, many of which were either used in criminal trespass and theft, or were evidence of that activity.


Figure 6.3. The /home/kvakin directory on freebsd.tech.net.ru. Phil meticulously reconstructed the directory tree to demonstrate the files that Gorshkov could access.

Although in theory Phil had taken a leave of absence from Boeing, in fact, he continued his important work at that company while he worked on the case. As a result, Steve, Floyd, and the FBI agents Mike Schuler and Marty Prewett commonly received emails from Phil that bore time stamps of 3:00 AM. Indeed, the entire trial team had begun working 15-hour days attempting to winnow through the massive quantity of evidence in preparation for the looming April trial date. At the same time, Floyd had to leave town for a week in order to fulfill a long-standing family commitment, a situation that put further pressure on the trial team.

The Trial Is Postponed Until Spring

Tempers became frayed and the trial machine began to emit smoke and sparks from its bearings. Fortunately, Ken Kanev, the veteran criminal defense attorney who had been appointed to represent Mr. Gorshkov, as well as Robert Apgood, a local attorney and computer security specialist who had been appointed by the Court to assist him, were well-nigh overwhelmed by the volume and complexity of the evidence, as well. Consequently, in the midst of the frenzy of preparation, Mr. Kanev called Steve and floated the idea of a joint motion to continue the trial date. Steve graciously acquiesced and the parties soon had an Order from Judge Coughenour setting the new trial date for the end of May. Audible sighs of relief could be heard coming from the Government offices.

PayPal and eBay

Meanwhile, Phil Attfield and the other members of the trial team continued to pore over the logs. They soon discovered that a number of other computer programs or “scripts” located in kvakin’s home accounts seemed to implement a fraud scheme against the online auction company eBay and the online credit card payment company PayPal. eBay has a website on which users can auction items to other users. Payment can be accomplished by credit card through online accounts at PayPal that are opened with an email address and a credit card. The scripts found in Gorshkov’s accounts generated thousands of spurious email addresses, at websites offering free email accounts, opened corresponding accounts at PayPal with stolen credit cards, generated fraudulent or “virtual” auctions at eBay, and initiated payments from one PayPal account to another using the stolen credit cards.[8]

At the time, if a legitimate individual customer wished to open a PayPal account, he or she would log onto the PayPal.com site and register with an email address, mailing address, and credit card number. The PayPal system would then verify the credit card account from the card issuer and would receive back simply a street address and ZIP code registered with the account. If the address and credit card number were the same as those maintained by the card issuer, the account would be verified and allowed to conduct transactions. During the time period covered by the summer and fall of 2000, PayPal had approximately five million customers and processed up to 50,000 transactions per day.[9]

The Government’s trial team, including the technical experts, found scripts in the tech.net.ru and freebsd.tech.net.ru data that were written in PERL (Practical Extraction and Report Language) and were designed to automatically open the email accounts (including numerous accounts in the variants of the name Greg Stivenson) and to create PayPal accounts with those email addresses and stolen credit card information. In addition, files and fragments were identified from several systems that were linked with numerous transactions at PayPal—including Lightrealm and the St. Clair County, Michigan, Intermediate School District. Those systems had been hacked from IP address 195.128.157.66, registered to tech.net.ru. The intruders took over these systems and used them as proxies[10] to make other connections to the Internet. Evidence was also found on the tech.net computers that demonstrated that an IP address registered to the Musashi Technical Institute in Japan and others also belonged to systems that the defendants had compromised.[11]

Shortly after the analysis began, Special Agent Marty Prewett placed a telephone call to PayPal, where he spoke with someone in the Security Department. John Kothanek, the Senior Security Investigator for PayPal, was working in an adjacent cubicle and overheard the mention of a name that he recognized as one of the scoundrels whom he had been investigating. (The name was either Greg Stivenson or Murat Nasirov. John does not remember which.) When John learned that his colleague was speaking with the FBI, he joined the conversation. Marty explained that the FBI had downloaded numerous files from two Russian computers, and they had found PERL scripts and other files that indicated that Gorshkov and Ivanov had been systematically accessing the public PayPal interface and had been effecting transactions using stolen credit cards. John was thrilled, as he had been jousting with someone using variants of the names “Greg Stivenson” and “Murat Nasirov” for several months. In a follow-up email to Marty Prewett, John wrote: “I must say you guys definitely made my decade with that news yesterday. I have worked and obsessed over this group for the last 10 months.” John, on behalf of PayPal, also pledged full cooperation. “We, of course, will challenge our database in any way necessary to find what you need.”[12]

Marty invited John Kothanek to come to Seattle in order to identify the PayPal transactions. A few days later, John Kothanek, Max Levchin, the co-founder of the company, Erik Klein, a systems engineer, and Sarah Imbach, VP for Fraud Operations, were seated around the FBI’s big conference table in Seattle. Max Levchin was a computer programmer who, as a teenager, had migrated with his family from Kiev, Ukraine, of the former Russian Republic. He had been educated at the University of Illinois at Champaign-Urbana. Mr. Levchin was an expert on secure electronic transactions utilizing encryption, and he had done a masterful job of securing PayPal’s huge and growing database of customer credit card information. Indeed, it became clear that the Russian hackers had not succeeded in breaching what would have been a bonanza of credit card accounts.

How Hackers Got In—Or Did They?

What the hackers had done, however, was to use the PayPal public interface in precisely the manner for which it had been designed. What the PayPal founders had not anticipated was that the interface would be manipulated by means of automated scripts or “bots.” Several weeks after this meeting, a Seattle newspaper reporter encountered Special Agent Prewett’s affidavits in the public Federal court records, and wrote a story about fraud committed against PayPal from Russia. In that story, he erroneously stated that PayPal’s huge database of credit card information had been stolen. This assumption on the reporter’s part was the kind of misinformation that could have a severe negative impact on PayPal’s business. If potential customers thought that their credit card numbers would be exposed at PayPal, they would not do business there.

Max Levchin was appropriately furious, thinking at first that the incorrect information had come from someone at the Department of Justice. This misunderstanding had the potential to put a chill on PayPal’s cooperation with the Government. As soon as he saw the story, Steve Schroeder called the reporter and told him that his assumption that the credit card database had been exposed was mistaken. Together, Steve and the reporter went over the language in the affidavit upon which the reporter had based his assumption, and the reporter acknowledged that he had made a mistake. The next day, the newspaper published a prominent correction, stating that there was no evidence that PayPal’s credit card database had been breached. Max Levchin was satisfied, and the cooperation from PayPal continued. Indeed, later that year, PayPal’s fight against fraudsters was spotlighted in a Newsweek story captioned “Busting the Web Bandits.”[13] In the feature story, Max Levchin stated that PayPal had decided to fight fraud with technical innovations[14] and an augmented anti-fraud team. In other words, criminals would commit fraud at PayPal at their own considerable risk.

On the cover of that edition of Newsweek was a photograph of John Kothanek. Looking down at the camera from his six-foot-five-inch, 250-pound frame, John looked exactly like the former Marine that he was. Behind the formidable exterior, however, John possessed a quick intelligence and finely tuned tactical judgment. When he arrived in Seattle, he came prepared. He had brought with him an extensive spreadsheet, captioned “Stivenson Query,” that documented 10,796 fraudulent transactions at PayPal. Curiously, those transactions had been entered mere seconds apart and had originated primarily from three IP addresses.

In July 2000, John Kothanek had learned that an unknown individual was sending email messages to PayPal.com customers stating that they had received a bonus from PayPal.com and requesting that they log onto the site listed in the email in order to receive the bonus. When customers logged onto the specific website, they were asked to input their usernames and passwords. Once the information was entered, the website informed them that there had been a computer problem and asked them to please enter the information again.

The website that customers were asked to log onto turned out to be a fake or mirrored PayPal.com site, named PayPaI.com, which was used to capture the required information from the customer. When customers were asked to reenter their information, the first website redirected the customer to the proper PayPal.com website. Hence, the customers were unaware that their logon names and passwords had been stolen and could be used to purchase items from the Internet utilizing their hijacked accounts.

Mr. Kothanek obtained permission from a PayPal customer to take over his account in order to test the mirrored, bogus site. First, of course, the account was locked so that no financial transactions could take place. Mr. Kothanek then responded to the bogus email and logged onto the mirrored site. There, he entered the account name and password. Shortly thereafter, Mr. Kothanek noticed that someone had logged onto the account from IP address 133.78.317.28, registered to Musashi Institute of Technology near Tokyo, Japan.[15]

Mr. Kothanek identified two additional IP addresses connected to the fake or mirrored PayPal.com website: 216.122.89.110 and 212.57.129.2. The first resolved to www.lightrealm.com, a Seattle-based ISP, and the second resolved to www.surnet.ru, located in Moscow, Russia. Using those IP addresses as search criteria, PayPal then queried its customer database and identified hundreds of connections to PayPal from those addresses. In addition, by searching on usernames and patterns, Mr. Kothanek determined that there had been hundreds of accounts opened at PayPal from several other IP addresses, namely 140.239.225.222, registered to popstick at Harvardnet; 63.70.149.190, registered to the St. Clair County, Michigan, Intermediate School District; 202.155.*.*, registered to an Internet Service Provider located in Jakarta, Indonesia; and others. Because most Internet users connected to the Internet via dynamically assigned IP addresses that generally changed every time they connected, it was highly unusual to see multiple account openings coming from the same IP address.[16] Additionally, the accounts were opened seconds apart by what seemed to be an automated process. Many of the fraudulent accounts used variants of the names “Greg Stivenson” and “Murat Nasirov.”

Mr. Kothanek queried the PayPal database for IP addresses 133.78.216.28 (Musashi) and 216.122.89.110 (Lightrealm) and prepared an Excel spreadsheet. This spreadsheet, Government’s Exhibit 614 (see Figure 6.4), reflected 2,789 connections to PayPal. Accounts were opened using free, web-based email accounts, and a stolen credit card was associated with each account.[17]


Figure 6.4. Excerpt of Government’s Exhibit 614. Note the connection times at 10- to 15-second intervals from a single IP address. Account numbers have been masked for privacy.

The Government, after examining the data downloaded from tech.net.ru and freebsd.tech.net.ru, found approximately 56,000 credit card accounts that had been stolen from various online merchants in the United States. Those credit card numbers were furnished to PayPal for the purpose of searching the customer database. As a result of a query using the stolen credit card account numbers, PayPal learned that thousands of those stolen credit cards had been used at PayPal by the person or persons who had opened the accounts discussed previously. Although PayPal managed to block some of the transactions, it suffered a minimum loss due to the conspirators’ activities of approximately 1.2 million dollars in charge-backs from the card issuing banks.[18]

Greg Stivenson Makes an Appearance

During October 2000, Mr. Kothanek had engaged in a series of email communications with someone using the handle “Greg Stivenson” concerning the fraudulent activity at PayPal. When Mr. Kothanek first engaged “Greg Stivenson” in an email correspondence, it did not occur to him that the messages would ever be offered into evidence in court. Consequently, they had been preserved out of order. Mr. Kothanek simply opened a message at random and replied to it whenever he wished to communicate with the hacker. Before the messages could be presented at the trial, they had to be cut apart and rearranged in chronological order.[19]

The first preserved message is dated October 13, 2000, and is from Investigations at x.com (Mr. Kothanek’s email address at PayPal) to “Greg Stivenson.” It reads: “Hey buddy me again … Some of our customers say you have been emailing them asking for your shipments. Guess what they aren’t coming. SO basically if you don’t get a shipment it is because we stopped it. Better luck next time.” “Greg Stivenson” replied promptly: “Are you here or this is NULL email address? Please reply i want talk with you about you security.” Mr. Kothanek replied, “how about lets talk about your fraud activity on our system.” Greg Stivenson agreed, and a series of emails ensued, sometimes taking on a rivalrous tone.[20]

In these emails, Alexey Ivanov, who was using the “Stivenson” handle, made a number of statements that corroborated the admissions that the defendants made during the Invita undercover meeting. At that meeting, you will recall, they admitted that they had attempted to get the systems administrators at companies that they had hacked into to pay them to reveal their techniques and to refrain from doing further damage. “Stivenson” admitted, for example, that he had compromised Nara Bank, a bank in the Los Angeles area, thus: “Did you remember www.nbna.com or www.narabankna.com? (Nara Bank National Association). Impressed?”

John Kothanek responded that he was impressed and that he knew that the hacker had stolen a lot of money. “I think I haven’t taken a lot of money,” Alexey replied. “Enough for living but there is Bill Gates (he got much more :),” Alexey went on. “I don’t think it’s all about hacking. It’s just human factor. Hacking unix boxes more interesting but less profitable.” He then accurately summarized what the PayPal PERL script did. “Automated account opening/adding cc#/bank accounts/money transferring/etc. is now a completed system, with user interface/database/statistic/account management.” Alexey also let John Kothanek know that as PayPal changed its system, he, too, changed the script so that it would continue to work.

Finally, Alexey left John with this teaser: “My question is: what do you want from me? I can stop my activities with PayPal. I can sell this complete system to third parties. I can help to stop such activities as mine. Best regards.”

After John Kothanek informed Alexey that the CTO of PayPal was also from Russia, Alexey sent the following message to Max Levchin in Russian (but using the Latin alphabet):

Hello. You probably already understand that we have an entire system worked out here to pay for goods via PayPal.

It may seem strange, but more time is spent on the analysis and evaluation of the human factor (precisely because of it I can work via PayPal, so that, for example, nobody has been able to countermand human filth). Your steps in defense of the company can be viewed as several steps forward. In addition, we begin on the assumption that the basic mass of people are legal users and therefore after each and every change I simply try to act in such a way that your system also thinks that I’m a legal user.

With regard to your latest changes, in the very near future such changes will take place on other Internet sites (stores, banks, etc.) A change like that will only win you some time (I think not more than 2 months).

Now with regard to questions of security, I can help, but all security questions will be decided not by a mere “thank you”, because a “thank you” does not put food in your mouth. Meanwhile everybody does their own thing… You yours, I my own. I hope you understand me well.

With best wishes.[21]

In another communication, Alexey admitted to creating the paypai-spoofed site in order to steal customer usernames and passwords. “Did you remember www.paypai.com ? ;) It’s me too ;)”

John Kothanek was a former Marine who had worked in the intelligence field. He had also worked for Macy’s as a fraud investigator. To the FBI agents, John was a kindred soul, a law enforcement officer at heart. John’s responsibility was security and fraud prevention, and he at times found himself at odds with the business managers. Anti-fraud measures on the Internet, of necessity, add friction for customers and, at times, block legitimate transactions. Achieving a workable balance between security, on the one hand, and ease of access for customers, on the other, is a delicate dance. At times, John’s suggestions for blocking certain types of transactions were overruled by the business side of the house. Some level of fraud was deemed to be simply a cost of doing business.[22]

John Kothanek paid at least one more visit to Seattle, and Steve and Marty Prewett made arrangements to go to PayPal’s offices in Palo Alto, California, to get a tour of the layout. Consequently, later in the year, Marty and Steve flew to San Jose, rented a car, and drove to Palo Alto. John met them at the PayPal offices that evening. Even though it was after hours, Marty and Steve were surprised by the number of mostly young and casually dressed people who were still working. The dot-com gold rush work ethic was obviously not confined to the Microsoft campus. That evening, the three men began to work out strategies for approaching the massive amount of evidence contained on the PayPal servers. The immediate problem was to identify which of the millions of transactions at PayPal had been initiated by the Russian hackers, and to do so with enough certainty that the results would be admissible in Federal court.

Steve and Marty Visit PayPal

Steve realized that it was necessary to establish relatively conservative criteria for the data that were to be offered in court, even though that high standard would certainly leave out many fraudulent transactions for which Gorshkov and Ivanov had been responsible. Nevertheless, it was decided that only transactions that fit a pattern of multiple criteria would be included. The factors that were emerging as indicia of fraud included: the known compromised IP addresses; the stolen credit card numbers; the use of known, free, web-based email providers; the use of email addresses whose usernames alternated consonants and vowels, the pattern randomly generated by the PERL scripts; the use of known email usernames (such as Greg Stivenson); and the creation of accounts seconds apart by scripts.[23]

Early the next morning, Marty and Steve returned to PayPal where they were introduced around by John Kothanek. By the morning light, the PayPal facility was seen to consist of a sprawling single story building set amongst other high-tech enterprises. At the rear of the building was a large, park-like yard with mature trees and an expanse of lawn. Picnic tables had been set up to accommodate employees who wished to take breaks or meals in the sunshine. A complimentary commissary offered quality coffee, juice, muffins, and fruit for breakfast. Every noon, a caterer brought in an impressive spread of sandwiches, salads, and fruit for the employees. Non-alcoholic beverages were available at all times. These free amenities not only were a valuable perk for the workers, but also seemed to contribute to the relaxed atmosphere and high morale at the company. The place seemed to buzz with satisfied, productive workers.

It is a common phenomenon for law enforcement officers that their presence at a company causes a certain chill to descend upon the scene. PayPal was not an exception, at least at first. Dot-com companies were magnets for bright, young, and vaguely anti-establishment people. They tended to embrace casual dress (after all, they did not deal face-to-face with their customers) and alternative lifestyles that would not have endeared them at older, well-established, traditional businesses. They often viewed the authorities with a low-level suspicion, and Marty and Steve were greeted by some with nervous smiles and anxious explanations that they paid their taxes. John was enthusiastic about the job at hand, however, and his endorsement, together with Marty’s invariably polite, low-key manner and infectious chuckle, soon won over the skeptics. Marty and Steve were both very experienced in the field, and they responded to the tension with undisguised good humor. When co-founder Max Levchin went out of his way to welcome Marty and Steve to PayPal and pledge his support, all barriers seemed to melt away. Soon the place was abuzz with activity by people who wanted to help. For the balance of the day, the conference room where John, Marty, and Steve were brainstorming was visited by people popping in with ideas or information.

The one issue that continued to puzzle the trial team was how the hackers transferred money out of PayPal to their own use. PayPal did allow customers to trigger ACH (Automated Clearing House) transactions whereby money would be transferred to their individual bank accounts by electronic funds transfer. In order to receive ACH transfers, customers had to furnish PayPal with their bank account numbers and their banks’ routing numbers. PayPal would then verify that an account was active by transferring a few cents to it and having the account holder confirm the deposit amount in an email to PayPal. Only then would PayPal transfer meaningful amounts of money to that account. In addition, PayPal required that accounts receiving ACH transfers reside at physical (brick and mortar) banks where the accounts had been opened in person and not over the Internet. Mr. Kothanek discovered that a few thousand dollars’ worth of ACH transfers had been made to an account at Nara Bank in the Los Angeles area. Nara Bank’s own security personnel had discovered those transactions, however, and managed to reverse them before the money actually left the bank. Consequently, it appeared that the Russian hackers had been unable to turn their fraudulent credit card transactions directly into cash.[24] What they had done instead was to use the stolen credit cards to buy large quantities of computer components, CDs, DVDs, and other expensive goods. Many of those purchases had been made through the eBay auction site. In addition, the hackers had subverted several servers, including one at the K-12 St. Clair County, Michigan, School District, and turned them into spam servers. Through those machines, the hackers sent out hundreds of solicitations directed to online sellers who accepted PayPal payments. See an example in Figure 6.5. They identified themselves as a small firm in Kazakhstan and asked to purchase processors and other components. Payment was guaranteed prior to shipping. (During the Invita undercover meeting, Gorshkov explained that they had the goods sent to Kazakhstan because they could pay smaller bribes to get the goods through Kazakhstan customs.) Numerous U.S.-based sellers took the swindlers up on this solicitation, accepted payment via PayPal, and shipped their goods as requested. By the time it was determined that the credit cards had been stolen, it was often too late, as the goods had already been shipped.[25]

Figure 6.5. Excerpt from Government’s Exhibit 261, consisting of 347 pages of Murat Nasirov emails.

John Kothanek Refines His Loss Figures

Over the next several weeks, John extracted data from the customer and transaction databases and sent them to Marty as Excel spreadsheets. Steve was pleased at the speed and comprehensiveness of the information. Prior to the advent of the information age, that kind of review and analysis of voluminous business records had taken months and resulted in hand-written spreadsheets that were difficult to amend or expand. Those spreadsheets would then have been mailed as hard-copy pages that could be searched for individual transactions only by means of a visual scan. In this case, however, the summaries were produced quickly and then sent to the FBI electronically. Once in hand, they could be searched and sorted easily in response to the needs of the case.[26]

Back in Seattle, Marty and Steve continued to worry that the hackers’ scheme had netted them payments and other things of value far beyond what had been found so far. The possibility that the hackers used ACH transfers to send money to offshore bank accounts was troubling. It was known that the hackers had compromised the servers of several banks, and the possibility that they used that access to effect transactions to and from existing customer accounts was real. In other words, had the hackers caused PayPal to make deposits to legitimate bank accounts and then, taking advantage of their root control of the bank’s server, immediately transferred those monies to themselves outside of the country? After all, during the Invita undercover meeting, Gorshkov, in describing the modus operandi of his business, explained: “It’s a, it’s a question of ah what do you need? … If you need money, you scan banks.”

As John continued to delve into the details of the suspicious transactions, he discovered that the hackers had attempted to obscure the records left behind by their dealings in order to make the audit trail extremely difficult to follow. They would cause one of their fraudulent accounts to be debited to the credit of another such account. That one, in turn, would be debited to the credit of a third account, and so on, until they thought that enough layers of debits and credits had been created. At that point, the last hacker-created account in the chain would be used to make a payment to the seller’s PayPal account at the top of the pyramid. The email addresses used in the scheme came from free, web-based providers that had millions of customers, and the hackers often reused some of their accounts for multiple purchases. Consequently, in order to verify each step of the multi-layered transactions, John had to examine every individual account involved in the chain to ensure an accurate tracing of the debits and credits. This turned what would normally be a routine audit trail into a time-consuming process.

Mr. Kothanek prepared Government’s Exhibit 620, displayed as Figure 6.6, among others, to illustrate how a payment to a seller of computer components, one Tad Brooker, was layered through a score of different accounts. With the exception of one account that was opened from the IP address of the St. Clair County, Michigan, K-12 School District, each of the accounts in the hierarchy had been created from IP address 133.78.216.28 (Musashi Institute of Technology). Likewise, each of the account names either used variants of “Greg Stivenson” or were based upon the alternating consonant and vowel pattern generated by the PERL scripts. In addition, the debit to each credit card in the chain had resulted in a charge-back to PayPal.[27]

Figure 6.6. Government’s Exhibit 620. The results of John Kothanek’s audit of a single payment to Tad Brooker, an online seller of computer components.
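The tracing John performed can be expressed as a walk backward through a graph of credits. The Python below is an added example, not Mr. Kothanek’s method and not Exhibit 620: it models a constructed ledger in which card charges fund a hacker-created account, that account credits another, and the last account in the chain pays the seller, then walks backward from the seller’s receipt to recover every intermediary account, the card charges that ultimately funded the payment, and the IP addresses from which those accounts were opened, so the whole hierarchy can be checked against the indicia at once. Account names, IP addresses and amounts are invented, and the cycle guard (hackers could bounce money between two accounts) is a design choice for the example, not something the page describes.

```python
"""Tracing a layered PayPal-style payment back to the card charges that funded it.

Added illustrative example; the ledger, account names, IPs and amounts are all
constructed and do not come from the case exhibits.
"""
from collections import defaultdict, deque

# Constructed ledger of credits: (source, destination, amount).
# "card:" sources are credit card charges into a hacker-created account; every
# other edge is an account-to-account transfer or the final payment to a seller.
LEDGER = [
    ("card:4111111111111111", "acct:lobunika", 300.0),
    ("card:5500000000000004", "acct:lobunika", 280.0),
    ("acct:lobunika", "acct:rivakoto", 560.0),
    ("acct:rivakoto", "acct:stivenson3", 560.0),
    ("acct:stivenson3", "seller:tbrooker", 566.5),      # the payment under audit
    ("card:4000000000000002", "acct:unrelated", 50.0),  # noise, not in the chain
]

# Account-opening IP addresses (constructed; compare against a compromised-IP list).
OPENED_FROM = {
    "acct:lobunika": "203.0.113.7",
    "acct:rivakoto": "203.0.113.7",
    "acct:stivenson3": "198.51.100.21",
    "acct:unrelated": "192.0.2.10",
}


def build_reverse_graph(ledger):
    """Map each destination to the list of (source, amount) credits it received."""
    rev = defaultdict(list)
    for src, dst, amt in ledger:
        rev[dst].append((src, amt))
    return rev


def trace_funding(ledger, target):
    """Walk backward from `target` through every credit that fed it.

    Returns the hops in discovery order (nearest the seller first), the
    intermediary accounts, and the card charges at the bottom of the chain.
    A visited set makes the walk terminate even if money was bounced in a loop.
    """
    rev = build_reverse_graph(ledger)
    hops, accounts, cards = [], [], []
    seen = set()
    queue = deque([target])
    while queue:
        node = queue.popleft()
        for src, amt in rev.get(node, []):
            hops.append((src, node, amt))
            if src in seen:
                continue            # already walked: a cycle or a shared funder
            seen.add(src)
            if src.startswith("card:"):
                cards.append((src, amt))
            else:
                accounts.append(src)
                queue.append(src)
    return {"hops": hops, "accounts": accounts, "cards": cards}


def chain_ips(accounts, opened_from):
    """Distinct account-opening IPs across the chain."""
    return sorted({opened_from[a] for a in accounts if a in opened_from})


def funded_amount(cards):
    """Total of the card charges that fed the chain."""
    return round(sum(amt for _, amt in cards), 2)


if __name__ == "__main__":
    result = trace_funding(LEDGER, "seller:tbrooker")
    for src, dst, amt in result["hops"]:
        print(f"{src:26s} -> {dst:18s} {amt:8.2f}")
    print("intermediary accounts:", result["accounts"])
    print("funding cards        :", result["cards"])
    print("opening IPs          :", chain_ips(result["accounts"], OPENED_FROM))
    print("card charges total   :", funded_amount(result["cards"]))
```

Run stand-alone, the script lists the five hops, the three intermediary accounts, the two card charges and the two opening IPs; the unrelated account never appears because nothing it received reached the seller. In practice the card charges at the bottom of the chain are the ones that later come back as charge-backs, so the same walk also tells an auditor which charge-backs to attribute to this payment.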

By both contract and Federal regulation, consumers have the right to challenge charges made to their credit card accounts. Such challenges may be based upon dissatisfaction with goods or services actually purchased or, more pertinent to this case, an affidavit of fraud in which the cardholder states that the charge or charges were not authorized. When a cardholder files a fraud claim, the credit card issuer credits the disputed amount back to his or her account. In card-not-present transactions, that is, online or telephone orders in which the cardholder does not deal face-to-face with the merchant, the resulting loss falls on the merchant. While the rules governing charge-backs are complicated, varied, and subject to change, PayPal at the time in question absorbed the losses stemming from the fraudulent use of credit cards on its system.[28]

Federal judges bring to the bench a wide array of experience, biases and, at times, idiosyncrasies. Steve had often appeared before John Coughenour, the District Judge to whom the case had been assigned, and knew that, with his business law and litigation background, he was a stickler on the admissibility of business records. Unless those records could be authenticated with a high degree of probability, he would not admit them into evidence, at least in a criminal case. Consequently, Steve instructed John Kothanek to prepare two Excel spreadsheets reflecting the losses that PayPal incurred as a direct result of the Russian hackers’ activities.

The first requested spreadsheet was to show losses (charge-backs) that stemmed from transactions involving any of the stolen credit card account numbers recovered from the Russian computers, plus at least one other factor: origination from a known compromised IP address, or the use of an email address that was either a known name or fit the consonant-vowel pattern produced by the PERL scripts. The known losses that PayPal incurred from those transactions amounted to $1.2 million. This number certainly understated the actual losses, because it was highly unlikely that Mr. Kothanek had identified all of the fraudulent transactions attributable to the hackers. In addition, the PERL scripts downloaded from the Russian computers referred to a database called mm that contained credit card information. Because that database had not been recovered, it was probable that many more stolen credit cards had been used than were captured during the download sessions.

The second spreadsheet was to reflect only those fraudulent transactions that exhibited all three factors, namely, the use of a known, compromised IP address, plus the use of a recovered stolen credit card account number, plus the use of a known or patterned email address. The total losses from those transactions amounted to $683,140. This number was very conservative and grossly understated the actual losses.

Nevertheless, Steve’s anticipation of Judge Coughenour’s conservative habits relating to the admissibility of business records turned out to be prescient. At the trial, only the spreadsheet reflecting the smaller number was admitted, although John Kothanek was allowed to testify that the attempted frauds against his company amounted to $1.2 million.[29]
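As an added illustration (not PayPal’s code and not the spreadsheets Mr. Kothanek prepared), the following Python script applies the indicia described above to a handful of constructed account records and produces the two cuts Steve requested: stolen card plus at least one other factor, and the strict three-factor intersection. The IP addresses, card numbers, email names, timestamps and dollar amounts are all made up for the example; the exact consonant-vowel test, the minimum length it requires, and the five-second burst window are assumptions about what the PERL scripts produced, not details taken from the exhibits.

```python
"""Multi-factor fraud screening over PayPal-style account/transaction records.

Added illustrative example. The reference sets below stand in for evidence an
investigator would load (compromised IPs, recovered card numbers, aliases seen
in the case); every value is constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

COMPROMISED_IPS = {"203.0.113.7", "198.51.100.21"}      # assumed hacker proxy hosts
STOLEN_CARDS = {"4111111111111111", "5500000000000004"}  # assumed recovered card numbers
FREE_WEBMAIL = {"hotmail.com", "yahoo.com", "mail.com"}
KNOWN_ALIASES = {"stivenson", "nilson", "nasirov"}       # surnames seen in the case
BURST_WINDOW = timedelta(seconds=5)                      # assumed script-creation spacing
VOWELS = set("aeiou")


def is_script_generated(local_part: str) -> bool:
    """True if the mailbox name strictly alternates consonants and vowels.

    Short names alternate by chance, so a minimum length is required; the
    threshold is an assumption for this example.
    """
    s = local_part.lower()
    if len(s) < 6 or not s.isalpha():
        return False
    kinds = [c in VOWELS for c in s]
    return all(kinds[i] != kinds[i + 1] for i in range(len(kinds) - 1))


@dataclass
class Txn:
    txn_id: str
    email: str
    ip: str
    card: str
    created: datetime
    chargeback_usd: float
    factors: set = field(default_factory=set)


def score(txns):
    """Label each record with every indicium it satisfies; returns the same list."""
    by_time = sorted(txns, key=lambda t: t.created)
    for a, b in zip(by_time, by_time[1:]):      # accounts created seconds apart
        if b.created - a.created <= BURST_WINDOW:
            a.factors.add("burst")
            b.factors.add("burst")
    for t in txns:
        local, _, domain = t.email.lower().partition("@")
        if t.ip in COMPROMISED_IPS:
            t.factors.add("compromised_ip")
        if t.card in STOLEN_CARDS:
            t.factors.add("stolen_card")
        if domain in FREE_WEBMAIL:
            t.factors.add("free_webmail")
        if any(alias in local for alias in KNOWN_ALIASES):
            t.factors.add("known_alias")
        if is_script_generated(local):
            t.factors.add("patterned_email")
    return txns


def email_factor(t):
    return "known_alias" in t.factors or "patterned_email" in t.factors


def broad_cut(txns):
    """Stolen card plus at least one of: compromised IP, known or patterned email."""
    return [t for t in txns if "stolen_card" in t.factors
            and ("compromised_ip" in t.factors or email_factor(t))]


def strict_cut(txns):
    """All three: compromised IP, stolen card, and known or patterned email."""
    return [t for t in txns if "stolen_card" in t.factors
            and "compromised_ip" in t.factors and email_factor(t)]


def total_loss(txns):
    return round(sum(t.chargeback_usd for t in txns), 2)


# Constructed sample records.
T0 = datetime(2000, 8, 9, 14, 0, 0)
SAMPLE = [
    Txn("t1", "greg_stivenson@hotmail.com", "203.0.113.7", "4111111111111111", T0, 566.50),
    Txn("t2", "kolaripune@yahoo.com", "203.0.113.7", "5500000000000004", T0 + timedelta(seconds=3), 318.00),
    Txn("t3", "tamireko@mail.com", "192.0.2.44", "4111111111111111", T0 + timedelta(hours=2), 212.00),
    Txn("t4", "alice.smith@example.org", "192.0.2.10", "4000000000000002", T0 + timedelta(days=1), 0.0),
    Txn("t5", "bobunisale@hotmail.com", "198.51.100.21", "4000000000000002", T0 + timedelta(days=2), 150.00),
]

if __name__ == "__main__":
    scored = score(SAMPLE)
    for t in scored:
        print(t.txn_id, sorted(t.factors))
    print("broad :", [t.txn_id for t in broad_cut(scored)], total_loss(broad_cut(scored)))
    print("strict:", [t.txn_id for t in strict_cut(scored)], total_loss(strict_cut(scored)))
```

On the sample, the broad cut picks up three records and the strict cut two; t5 shows why the stolen-card factor anchors both cuts (it came from a compromised IP with a patterned name, but without a recovered card number it is not counted), and t3 shows a record that a judge applying the stricter standard would exclude even though two indicia are present. The free-webmail and burst labels are recorded but not required by either cut, matching the text: they were indicia, not admission criteria.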

Tad Brooker, an Online Seller of Computer Components, Ships Processors to Greg Stivenson in Kazakhstan

Tad Brooker was one of the online sellers who conducted business with Gorshkov and Ivanov. Tad worked as a senior network administrator in Boulder, Colorado, for a manufacturer of tape drives. On the side, he also owned an online business called Creative Business Solutions. This business sold computer hardware and software, among other things. On August 9, 2000, Mr. Brooker received an email from someone using the name “Michael Nilson.” This message (see Figure 6.7) purported to be from a small firm in Kazakhstan and contained a solicitation to buy an initial shipment of five to seven computer processors, with the suggestion that the firm would be interested in an ongoing business relationship involving the purchase of 20 to 50 processors per week thereafter. Payment was to be made using PayPal and would be made prior to each shipment.

Figure 6.7. Excerpt from Government’s Exhibit 651. Note the similarity to Figure 6.5, the Murat Nasirov spam. Tad Brooker forwarded this email to the FBI.

Mr. Brooker responded that he was interested in doing business and, subsequently, began corresponding with “Greg Stivenson.” Mr. Brooker did not notice that “Greg Stivenson” was using an email address at the domain memphis.k12.mi.us, a Michigan school district’s mail domain rather than anything belonging to a firm in Kazakhstan. The initial sale was for five Celeron processors at $106 each, plus $36.50 for UPS international shipping. When Mr. Brooker received a message from PayPal that his account had been credited with $566.50, he shipped the goods to Kazakhstan. Subsequent shipments brought the total value of goods sold to Kazakhstan to approximately $5,000. Initially, Mr. Brooker was able to transfer the funds from PayPal to his bank account, but the last $618 or so was frozen by PayPal, and he did not receive those funds. When John Kothanek’s investigation established that the credit card numbers used to pay Mr. Brooker were stolen, PayPal also demanded repayment of the $4,449 that he had successfully transferred to his bank account. The matter remained a contentious one between Mr. Brooker and PayPal. The hackers had caused financial loss to both businesses.[30]



[1] Phil testified as to his background and training at RT, 894-900.

[2] Title 31, United States Code, Section 1342 (Anti Deficiency Act) provides in pertinent part: “An officer or employee of the United States Government … may not accept voluntary services for … Government or employ personal services exceeding that authorized by law except for emergencies involving the safety or human life or the protection of property.”

[3] RT, 1140-1141.

[4] The term “ownership” in the context of computer files is a term of art: it identifies the user account recorded by the system as the file’s owner, normally the account under which the file was created or added.

[5] RT, 1141-1145.

[6] RT, 1146-1151.

[7] RT, 1160-1162.

[8] Phil described the functioning of those scripts in general at RT, 1202-1218; and in detail at RT, 1247-1251.

[9] John Kothanek, Senior Security Investigator for PayPal, described the functioning of the PayPal system at RT, 1559-1563.

[10] The word “proxy” in common usage designates someone who acts on behalf of someone else. In computer usage, a proxy is a computer system or router that sits between sender and receiver: the client connects to the proxy, and the proxy opens its own connection to the server. Each end appears to be communicating with the other, but in fact each is communicating only with the proxy machine, which is why the server’s logs record the proxy’s address rather than the client’s.

[11] RT, 1212.

[12] Telephone interview of John Kothanek by the author.

[14] Although many of the technical innovations that were inspired by this case remain proprietary, one has become commonplace on the Internet. That is the Gausebeck-Levchin test to prevent automated account openings by machine. This procedure requires the user to read several distorted letters that software of the day could not reliably recognize and to enter them by keyboard.

[15] Testimony of John Kothanek, RT, 1563-1565.

[16] As the Internet has evolved, the duration of dynamically assigned IP addresses to machines running DHCP (Dynamic Host Configuration Protocol) has increased. Today, a client computer with a high-speed connection may be dynamically assigned an IP address under a “lease” that can endure for up to several months. In 2000, this semi-permanent assignment of IP addresses to individual clients was highly unusual.

[17] RT, 1565-1566.

[18] RT, 1596-1597.

[19] RT, 1574-1575.

[20] Email quotes are from Government’s Exhibit 640, which was admitted during the testimony of John Kothanek.

[21] Government’s Exhibit 640. This Russian language message was translated by Dr. Derbehshire.

[22] Telephone interview of John Kothanek by the author in 2009.

[23] John Kothanek described those criteria at RT, 1564-1572 and 1596-1597.

[24] RT, 1603-1605.

[25] RT, 1589-1590.

[1] In United States v. Booker, 543 U.S. 220 (2005), the U.S. Supreme Court ruled that the Sentencing Guidelines were not binding on sentencing judges. At that point, the Guidelines became guidelines, indeed.

[26] The spreadsheets prepared by Mr. Kothanek and his staff were admitted during the trial as Government’s Exhibits 610-1, 611, 611C, 614, 615-1, and 615-2.

[27] RT, 1592-1595.

[29] RT, 1601-1603.

[30] Mr. Brooker’s testimony concerning these facts is found at RT, 1542-1558.
