Cybercrime Roundup: Ex-Employees and a Serial Sextortionist

Information Technology Provider Holds Company Hostage

In 2011, a victim company wanted a website. Tavis Tso, a provider of information technology (IT) services for the company, set up a GoDaddy account for the company. Almost four years later, the company wanted access to its GoDaddy account in order to update the contact information. It reached out to Tso, who claimed he did not have the information.

Contrary to those representations, Tso logged in to the company’s GoDaddy account eight times in the following weeks. Ultimately, Tso changed the GoDaddy account so that the company’s website resolved to a blank page and staff were unable to receive incoming messages. That same day, Tso told staff that he would return everything back to normal for a $10,000 fee. The company declined, and Tso changed the account once again. This time, the company’s site resolved to a pornographic website.

On Dec. 13, 2016, Tso was indicted on one count of computer fraud (18 U.S.C. § 1030(a)(7)(c) and 18 U.S.C. § 1030(c)(3)(A)) and 10 counts of wire fraud (including a separate count for each time he logged into the GoDaddy account).

On Sept. 18, 2017, Tso pled guilty to one count of wire fraud. The following day, Tso was sentenced to 48 months’ probation and ordered to pay restitution over $9,000. While the sentence is rather low, this case demonstrates the government’s pursuit of lower-level cyber criminals.

Government Uses Network Investigative Technique to Reveal Identity of Sextortionist

A man operating under the pseudonym “Brian Kill” on Facebook was sextorting minor girls in at least ten federal districts, accruing a significant number of sensitive photos while threatening to physically harm his victims, their family members and members of their local communities. Although not all sextortionists distribute sensitive photos and videos of their victims, Kill routinely did.

In Kill’s interactions with his victims, he had successfully masked his identity. On Dec. 17, 2016, Kill issued a lengthy threat against one of his victims (called "Victim 1" in the indictment) and her school. The same day, Facebook started its own investigation of Kill. According to the indictment, Kill used a total of 24 accounts to mask his identity. Facebook was simply playing whack-a-mole, closing one account to see another open. When the FBI received the registration information from the first account used to post images of Victim 1, it discovered that the associated IP address was an exit node for the Tor network.

Eventually, the FBI used one of Kill’s victims, named in the indictment as Victim 2, to help discover his identity. When Kill wanted images or videos from Victim 2, he demanded that she upload them via Dropbox. The FBI, with judicial authorization, attached a network investigative technique (NIT), a bit of code that would reveal Kill’s IP address once he opened the file, to a video of Victim 2 (that did not contain any child pornography).

The NIT was successful. It revealed an IP address, and the internet service provider was quickly subpoenaed for the subscriber information. The IP addressed was associated with a Kimmie Francis in Bakersfield, California. A search of the county sheriff’s office revealed a police report for the address that listed the residents as Kimmie Francis, Audrey Francis and Buster Hernandez. In the police report, Hernandez said he was living at the address in question with his girlfriend, Kimmie, and her grandmother Audrey. The government then got a warrant to put a pen register and trap-and-trace on the IP address, which revealed that the address was accessing the Tor network.

Less than a week later, the government installed a pole camera near the address. It revealed two important things. First, Hernandez lived there (he came outside to take out the garbage). Second, during the times when the IP address was accessing the Tor network, Hernandez was present and Kimmie rarely was. Based on this evidence, Hernandez was arrested Aug. 3.

He was indicted on six counts of production of child pornography, three counts of distributing child pornography, four counts of threats to use an explosive device and 13 counts of threats to injure.

On Oct. 10, the district court in the Southern District of Indiana granted the defendant’s motion to continue. The case is now scheduled for trial on April 23, 2018.

Jury Convicts Defense Subcontractor of Inserting Malicious Code into Army Reserve Program

On Sept. 20, a jury found Mittesh Das guilty of knowingly transmitting malicious code with the intent to cause damage to a U.S. Army computer used in furtherance of national security. The redacted court documents are sparse in details, which leaves only the press releases to shine the light on the charge underlying the 3-week-long trial.

In 2012, Das was the defense subcontractor primarily responsible for an Army Reserve computer program that handled both pay and personnel actions. Das lost the contract rebid and a new company was to take the reins on Nov. 24, 2014. Several days prior to the changeover, Das inserted a logic bomb— small amount of malicious code that is triggered to activate at a certain date or when a preprogrammed condition occurs—into the computer program. Das’ code began its destructive work the day after the changeover. In mid-December, the Army Times reported that reservists’ pay was delayed by an average of 17 days. That delay was caused by a “glitch” in the computer system Das was previously responsible for. A further investigation of that glitch revealed Das’ logic bomb. According to the Army, it spent $2.6 million repairing the damage Das caused.

Das hired two new attorneys who were granted an extension to file a motion for a new trial; the deadline is now Nov. 28, 2017.

After Das’ arrest, Daniel Andrews, director of the Computer Crime Investigative Unit in the Army’s Criminal Investigation Command, used this case to highlight the government’s commitment to “root out” insider threats to national security and military operations.