FBI New Haven Field Office Computer Analysis and Response Team:

Tracking a Computer Intruder

Facts
> In the header information the 'From' address was different when compared
to the 'Reply-To' address
> This was being passed through a hosting site called hosting4u.net
> FBI traced the owner of the IP address of hosting site to CommuniTechNet
> Discovered that site hosted an e-mail spoofing site to hide sender identity
> Court order to Hotmail.com for information on boatingct@hotmail.com
FBI's Top three National Security priorities
Protect the United States from terrorist attacks
To counter foreign intelligence operations against the United States
Protect the United States against cyber-based attacks and high
technology crimes
Additional Information
- boatingct@hotmail.com account belonged to:
Jason Smith (Name changed to protect ID)
Location - Los-Angeles, CA
from IP - 210.120.192.30
IP source: Seoul, Korea
Registration Date: 23 April, 2001
(1 day prior to e-mail being sent)
FBI Seal curtosy of
https://pbs.twimg.com/profile_images/1706110925/fbi_logo_twitter_400x400.j
pg
EVIDENCE!!!
Off Shore Support
- IP belonged to BORANet
In Seoul, Korea
- New Haven contacted Legal, FBI
Foreign liaison office in Seoul, Korea
Additional Observations

> FBI noticed a suspicious string "../../../../../../../../"

> After research, it was found that the string allowed an exploit on the
WebStore software which BoatingCT.com was using for their store
> FBI notified BoatingCT.com of this exploit and the patch available (released
6 months prior) to fix vulnerabilities
> IP's from various countries were used to access the order log files of
BoatingCT.com using this vulnerability
More Digging
> Combining the details from Hotmail and BoatingCT.com logs it was found
that a proxy server in California was used to access the "orders.log" files
> The IP address of proxy server was registered to Road Runner in Herndon,
Virginia
> Subsequent court orders were filed for that location and the results found
were:
-Subscriber: Student at University of Akron
CASE SOLVED
Warrant Issued
> FBI in Connecticut drafted a warrant for student in Ohio and sent to local
unit
> FBI found student in a frat house and the computer partially disassembled
> After interviewing the student admitted to hacking BoatingCT.com
> FBI recovered broken (unreadable) master drive as well as readable slave
drive
> On slave drive data was found proving intrusion into BoatingCT.com
- June 13, 2002 the student entered guilty plea
- Title 18 US Code 1030 a(4)
- Sentenced to: 12-months in prison and $20,000 in restitution
- Served only 6-months of sentence
Other FBI Priorities include :
Protect Civil Rights
Combat significant violent crime
Combat major white-collar crime
Company affected : BoatingCT.com