The man opened his laptop and entered his password. His hard drive spun and programs flicked back on. The laptop re-established its network connection – wired only, the man didn’t trust wireless – and packets began to flow between his PC and the rest of the world. One consequence of that traffic was a notification that he had new email. The man noted that, while he had 12 new emails in his inbox, he had 2 in his “Action Items” folder.
As he was about to open the folder, he heard a crash of dishes from the kitchen. Without getting up, he demanded, “What is going on in there? Is anything broken?”
“Maddie opened the dishwasher too hard!”
“Nu-uh!”
“Uh-huh!”
The girls continued to argue as the man minimized his email and went into the kitchen. His voice was probably too stern for the occasion, but the man was under pressure. He had action items to address. “Get the dishes done, and get them done quietly. I am very busy and I don’t want any noise. Maddie, be more careful when you open the dishwasher. Laney, you are the older sister, so you should keep a better eye on Maddie and help her more.” The girls were about to cry. The man’s heart softened. “I’m sorry, I shouldn’t have yelled like that. I love you all. Let’s hug.”
And so, they hugged. Maddie, Laney, and the man resolved their issues through reassuring human contact and then went back to work. The girls on their dishes, and the man on his action items.
He first opened a text file. Then he opened the action item emails. In turn, he copied the contents of the emails and pasted them into the text file. Then he deleted the emails. Then he emptied out his deleted items folder. The man knew that this wasn’t a complete deletion of that information, since a digital ghost of it existed on his local hard drive, in addition to whatever the [REDACTED] picked up in its [REDACTED] program. And, since the emails came from Minsk, there were other agencies besides [REDACTED] that would have their copies.
But the data in motion on the Internet and the data at rest were encrypted, so the man knew that nobody would try to break into it unless it was on somebody’s radar, and that wouldn’t be until someone put the pieces together to a very difficult puzzle. After all, it wasn’t against the law to receive emails from Minsk.
That was the fun part about the United States legal system. The whole thing was built around either catching someone in the act of committing a crime, or amassing enough evidence to prove that a criminal act had been committed by a particular criminal. Just as corporations were more efficient at doing business than single proprietors or partnerships, they were also more efficient at committing crimes: no single person did anything that, of itself, was a crime. Instead, the actions of dozens of people had to be connected in order to demonstrate a pattern of behaviors that produced criminal activities. But could the law catch those people? Or did it want to keep to the easier crimes?
The man laughed to himself. Wall Street got the King’s Pass to perpetrate financial crimes on a grand scale, while those mom-and-pop operations, be they corner grocers or corner meth labs, got crushed by legal regulations and the big boys alike.
The man knew he was part of a big operation. He just didn’t know what it was. He liked doing the work. Criminal operations tended to be very libertarian and very agile. He felt empowered to make decisions, was glad his compensation was 100% salary, and had access to the best tools money could buy. The man didn’t need to submit expense reports but did so, anyway, as part of his cover story. The best part was that the cover story was no cover at all – he really *was* an IT security consultant who worked from home.
There was the matter of who, exactly, the employer was. The man did not know and did not care. It was like the Algerian FLN. The man got messages from one source and sent his messages to another source. Given the level of obfuscation between the sources, the man felt it highly unlikely that he would meet the same fate as the FLN in Algiers after the French forces broke into the movement’s structure and methodically tracked down each cell.
Time was money. The girls had finished their post-lunch chore and were watching purple dinosaurs engaging in situational ethical discourses with red furry monsters or something like that. The man returned to his task.
The text file showed a list of IP addresses with notations beside them, a handy comma in between the addresses and the comments, in case he needed to view the information as a spreadsheet. The man just liked the text file because it loaded faster.
The information came from the boys in Minsk who scanned and probed IP address ranges. They asked no questions and wanted no answers. They just ran their Nmap scans and followed up where they found interesting things, like open RDP ports or open SMTP relays, both of which were of interest to the people who had employed the man to use that information.
The man was involved because some people were interested in employing someone with very good English language skills to send emails to some native English speakers. Since the man was both a native English speaker and in possession of an email client, he was a perfect fit for the job. The man also knew a thing or three about how to customize search strings and gather intel from social media networks.
The man started to scroll through faces and resumes of men and women that worked at the two airports mentioned in the action items. Open RDP ports at DFW and LAX meant his employers would gain remote access to IT systems at those airports if they knew the accounts and passwords to use. Brute force attacks would fail, generate alerts, and generally lead to undesired consequences. The man disparaged such methods, as his were far more elegant and productive.
And that’s where the SMTP relay came into play. Thanks to small businesses constantly starting up, there was an infinitely regenerating supply of unsecured email servers that would let anyone who reached them impersonate anyone else with only a minimal knowledge of how to configure an email client: point the client at the relay as its outgoing server, put whatever you like in the From field, and the relay passes it along. Yes, it could also be done from a command-line interface, but the man needed to send rich content with links and documents, and it was a total pain to cobble those together in a command-line environment. The man hated programming and wanted to be as far from it as possible, preferring to send his carefully-worded emails from a GUI. It was simply more elegant that way.
As the girls shifted from animated philosophy to that damn game with the irritating soundtrack, the man tried to block the annoying tune from his consciousness as he looked over org charts for DFW staff assignments. The page linking to those PDFs had been deleted, but not before Google found it, indexed it, and indexed the document it linked to. The PDF itself was still sitting on the web server, reachable by anyone who had the URL, even though the page that once linked it now returned a 404 page not found…
And there she was! The man had the name he needed. He highlighted it, pressed CTRL+C, went back to the text document and –
– he saw his wife pulling into the carport. She was back from the grocery store, so the man knew he only had seconds. He clicked at the end of the text block, hit CTRL+V, then comma, and then “admin asst dfw”. CTRL+S saved the info and Windows+L locked his laptop.
The man got up to open the door for his wife, who had two handfuls of plastic bags. She said, “There’s ice cream on the back seat. And milk. Get that first.”
Once the groceries were in, the man went back to his PC while his wife put away groceries and got the girls started on sorting laundry. A password later, and he was ready to get started on his background research for his first email. Rhonda Emerson had a number of promising interests, wine tasting the most promising of them all. It was most promising because the man already had a bogus wine tasting club website set up, along with websites that dealt with beers, cigars, whiskeys, chocolates, travel, running, golf – all the vices. Funny thing was, a username and password to get into one would get into all of them, since they all had the same database driving them. The man didn’t mind. They were only there to gather usernames and passwords.
The best part was the follow-up email. That potentially gave him one of the most important pieces of information: the business email signature of his target. If the target didn’t put a sig on replies, he had another ruse to get the target to send a new email, but most people had a sig on every email.
Rhonda Emerson must have been thinking about the weekend, because that email and account info showed up awfully fast. The man copied and pasted the sig into a draft email that was going to bounce off the relay and into the inbox of one of the people that she served as an administrative assistant/coordinator to.
Hello Ryan,
Harvey Wright would like us to update his SharePoint with all the accounts we use for access to jump boxes, network gear, servers, etc. This is part of the Integrated Account Management initiative. The link to the SharePoint is here.
Kind regards,
Rhonda Emerson
IT Group Coordinator
214-555-1212
The man had composed this email in a second email client. In it, he specified the SMTP relay as his outgoing server and Rhonda’s address as the “From”. The man didn’t care about the replies; those would land in Rhonda’s inbox, not his. He just wanted the info to be sent to the “SharePoint” that was set up on a typosquatting website, and hoped that the admin would fall victim to the spear phishing.
Just to make sure, the man copied and pasted the email body to several other emails, each going to a member of the team that Rhonda supported – taking care to edit the name after “Hello”. The first one to submit the info would be the winner.
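What the story describes from the attacker’s side – a message handed to an open relay with a forged From, carrying a link to a look-alike domain – leaves two traces a receiving mail gateway can check. The Python below is an added example for this page, not code from the story: it parses one constructed message (the email text above, with invented Received headers, IP addresses and the domains example-airport.test and example-airp0rt.test), checks whether the host that delivered the message is allowed to send for the claimed domain, and flags linked hosts within a couple of edits of the organisation’s own domain. The SPF-style check is deliberately simplified to a hard-coded table rather than a DNS lookup so it runs offline.

```python
"""Added example (not from the story): receiving-side checks for a message
spoofed through an open SMTP relay that links to a look-alike domain.
Every domain, IP address and header below is constructed; the message
body is the one from the story."""
from email import policy
from email.parser import BytesParser
import re

# Constructed: the targeted organisation's domain and the only mail servers
# allowed to send as it.  A real gateway would take this from the domain's
# published SPF record instead of a hard-coded table.
ORG_DOMAIN = "example-airport.test"
AUTHORISED_SENDERS = {"198.51.100.10", "198.51.100.11"}

# Constructed raw message as it would land at the organisation's MX after
# bouncing off the open relay: the top Received line is stamped by the
# victim's own MX, the second by the relay itself.
SPOOFED_MESSAGE = b"""\
Received: from relay.smallbiz.test (relay.smallbiz.test [203.0.113.45])
\tby mx.example-airport.test with ESMTP id 7F3A2; Sat, 12 Mar 2016 15:02:11 -0600
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby relay.smallbiz.test with ESMTP id 41B9C; Sat, 12 Mar 2016 15:02:09 -0600
From: Rhonda Emerson <rhonda.emerson@example-airport.test>
To: ryan@example-airport.test
Subject: Integrated Account Management
Content-Type: text/html

<p>Hello Ryan,</p>
<p>Harvey Wright would like us to update his SharePoint with all the accounts
we use for access to jump boxes, network gear, servers, etc. This is part of
the Integrated Account Management initiative. The link to the SharePoint is
<a href="https://sharepoint.example-airp0rt.test/accounts">here</a>.</p>
<p>Kind regards,<br>Rhonda Emerson<br>IT Group Coordinator<br>214-555-1212</p>
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(msg):
    """IPs from the Received chain, newest hop first: index 0 is the host
    that handed the message to our MX, which is the one SPF judges."""
    ips = []
    for header in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(str(header))
        if match:
            ips.append(match.group(1))
    return ips


def spf_like_check(from_domain, handoff_ip):
    """Simplified SPF: 'pass'/'fail' for our own domain, 'none' for domains
    whose policy we do not know (no DNS; the table above is the policy)."""
    if from_domain != ORG_DOMAIN:
        return "none"
    return "pass" if handoff_ip in AUTHORISED_SENDERS else "fail"


def levenshtein(a, b):
    """Edit distance, used to spot typosquatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of a hostname (sufficient for this example)."""
    return ".".join(host.lower().split(".")[-2:])


def is_lookalike(host, org_domain):
    """True when the host's domain is within two edits of ours but is not ours."""
    return 0 < levenshtein(registrable(host), org_domain) <= 2


def link_hosts(html):
    """Hosts of every absolute http(s) link in the HTML body."""
    return re.findall(r'href="https?://([^/"\s]+)', html, flags=re.I)


def analyze(raw):
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = msg["From"].addresses[0].domain.lower()
    hops = received_ips(msg)
    handoff_ip = hops[0] if hops else None
    body = msg.get_body(preferencelist=("html", "plain"))
    hosts = link_hosts(body.get_content()) if body else []
    lookalikes = [h for h in hosts if is_lookalike(h, ORG_DOMAIN)]
    spf = spf_like_check(from_domain, handoff_ip)
    return {
        "from_domain": from_domain,
        "handoff_ip": handoff_ip,
        "relay_chain": hops,
        "spf": spf,
        "lookalike_hosts": lookalikes,
        "suspicious": spf == "fail" or bool(lookalikes),
    }


if __name__ == "__main__":
    for key, value in analyze(SPOOFED_MESSAGE).items():
        print(f"{key}: {value}")
```

The first check is the one that defeats the relay trick in the story: the message claims to come from the organisation’s own domain, yet the host that delivered it is the small-business relay, not one of the organisation’s mail servers. The second catches the “SharePoint” link, whose domain is one character away from the real one. Neither needs the recipient to notice anything; both are decided before the message reaches Ryan’s inbox.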
As things turned out, Samuel Wannamaker was the most prompt at supplying the information. He just posted the spreadsheet that he kept with all the system names, IP addresses, and shared accounts for getting into them. Thank you, Samuel.
The man got that info at 4:23. The wife leaned into the open doorframe and asked, “You almost done in there?”
“Just wrapping up a few things, hon.”
“You want to pick up something for supper? I’m tired.”
“Sure, what do you want?”
“Food. I don’t care. I’m going to go lay down for a while.”
“OK, I’d like to snooze a little myself before going out.”
“How about Chinese?”
“Sounds good.” The man started to drift back to work.
The wife moved into the foyer. “I’ll go ask Laney and Maddie what they want.”
As the wife asked the kids, the man already knew the answer. Chicken fried rice for Laney and beef lo mein for Maddie. He copied and pasted Samuel Wannamaker’s spreadsheet into an email from his first email client and sent it to someone who was interested in usernames and passwords for systems at DFW airport. The man didn’t know exactly what was going to happen with that information, or with the information he’d already collected for Atlanta, or with the information he was about to collect for LAX. The man just planned on not flying anywhere for any reason for a few months.
The man responded to a few more emails and then watched a cat video on YouTube. Life was good, working for people that liked to collect usernames and passwords.