RCMP dives into phishing probe
In effort to crack down on cybercrime, asking victims to report cases
What do you do when a hacker comes phishing, threatening to spill your photos, videos and online secrets unless you pay a hefty ransom? The Royal Canadian Mounted Police want you to call them so detectives can get a handle on the magnitude of this growing crime.
“Anybody who wants to monetize criminality has found a niche on the dark web,” said Staff Sgt. Maurizio Rosa, a senior detective at the RCMP’s national cybercrime unit in Ottawa. “We definitely have an appetite to go after these people.”
RCMP records show 21,000 reported complaints of phishing attacks against Canadians in the past three years, but Rosa and his growing team of cybercops believe the number is grossly under-reported. Most people receive an extortion attempt and press delete. Some pay and never speak about it. Thousands more are reported to local police, and not captured in the RCMP’s files.
“This crime is definitely growing,” Rosa said. “We are seeing physical crime decreasing, cybercrime increasing.”
Conventional belief is that these attacks come from overseas. But Rosa was the lead officer in a case before the courts next week, in which a 27-year-old Thornhill man is alleged to be behind a domestic scheme that offered to sell portions of three billion email accounts and passwords for a fee. Jordan Evan Bloom is charged with “trafficking in identity information” and “mischief to data” in relation to LinkedIn, Twitter, MySpace and other sites that fell prey to major hacks. None of the charges have been proven in court. Bloom’s preliminary hearing begins in Toronto on Monday and is expected to run for three days.
One phishing attack making the rounds in Canada this fall is using stolen credentials from breaches at LinkedIn and numerous other sites. The email extortion scheme demands that targets pay hundreds or thousands of dollars in untraceable Bitcoin, or the hacker will expose their “secret life” online, including photos, videos and browsing history.
Joyce Litster of Dundas, Ont., was happily settled into retirement from a career at McMaster University when she received one of these emailed threats last month. She found it particularly chilling that the hacker had a password which she had used in the past. She called local police, who assured her it was a scam and that the hacker did not actually have access to her phone and computer. “How many 76-year-old women waste their time looking at salacious garbage on their computers?” Litster said. Still, it was “very unsettling to receive something like that.”
A recent Star story delved into these phishing attacks. Hackers purchase passwords from the dark web from data breaches at previously attacked sites. The RCMP’s Rosa described the dark web as a “marketplace for all sorts of commodities, including stolen credit card numbers complete with expiry date and CCV, and login credentials including passwords.”
“I was struck by the sites of intimate content that you often visit,” the hacker wrote in one of a series of emails to a Star reporter. Like the email to Litster and thousands of others, it showed up without warning. The hacker includes a password the recipient used, putting it forward as “bait” to show he has, or could gain, intimate knowledge of your electronic history.
“I am in shock of your fantasies! I’ve never seen anything like this!” the hacker writes, then explains that he is actually a hacker with a soul, and will return your secret life to you for a payment in bitcoin.
When the Star published the story, roughly 300 people came forward to report receiving a similar phishing email. Some said they were panicked, some took it in stride and some said they had been unable to get police interested in pursuing what clearly seemed to be a crime. Readers had a lot of questions. Who had obtained their password? Where was the hacker — in Canada, or overseas? Had the hacker uploaded “malware” as he/she said had been done? Did the hacker have the ability to control a cellphone camera and take intimate photos?
Gerry from Saskatoon (who did not want his last name used to preserve his cyber safety) told the Star he had received a series of these phishing attempts, beginning with a request for $7,000 in bitcoin, and when he refused to bite, the “ransom request” dropped steadily, ending up at $899. In his mind, the phisher was a “poor miserable sad soul.”
Marvin Zuker, an associate professor at the Ontario Institute for Studies in Education, said he received a threatening email from a hacker demanding $857 in bitcoin within 50 hours or “that was that.” Zuker changed all of his passwords as a precaution and had his IT department scan for viruses. Around the same time, he received calls from a person saying he was from the Canada Revenue Agency (another current scam where fraudsters try to get people to pay money to avoid going to jail). In that instance, Zuker said he called the “CRA agent” back to show the fraudster he was not scared by the scam.
Typically, email phishing attacks appear to come from the recipient’s own email, a scheme known as “spoofing” — making it appear that the hacker has control of your email.
Some readers said they had been playing detective, trying to figure out where the breached password came from. Peter Draksler, who works in information technology in Hamilton, said he is always very careful to use different passwords. Back in 2000, he created a discreet email and password to enter a popular magazine’s contest. Bingo, he thought when the hacker referenced those credentials in a phishing attack this year. Even though it was a one-time password and email, Draksler said it was “concerning” that someone had accessed those credentials.
While some people use a distinct password for each site, many people reuse passwords containing, perhaps, their last or first name, dog’s name or street address.
James Heeringa from Mississauga showed a phisher’s threatening email to his IT people at work and was told to “delete and ignore them.”
“I must say I felt very threatened by them because he had a password of mine,” Heeringa said.
Policing cybercrime is a far cry from pursuing suspects of physical crime. The team Rosa has assembled in Ottawa includes 12 police officers and nine civilian members, the latter including people hired right out of university with strong computer or engineering backgrounds. They lack the resources to investigate individual phishing attacks, but want all Canadians to report phishing and ransomware attacks so they can discover patterns that will aid larger investigations.
What Rosa has discovered is that “unsophisticated criminals” are purchasing a variety of credentials stolen by sophisticated criminals and placed on the dark web marketplace. Often, credentials are sold a multitude of times and that means one individual may be targeted by a multitude of phishers.
And he said there is a sort of honour-among-thieves approach on the dark web. When someone pays $2,000 for a batch of credentials, say credit card information, the seller warrants that while some may no longer be valid, a decent number will be.
When Project Adoration hits court next week, Rosa said “all the complexities” of this type of case will be on display. In that case, the RCMP was tipped off by Dutch authorities in 2016 to the alleged involvement of the Lamborghini-driving Bloom, who police allege earned $247,000 through involvement in Leakedsource.com, which housed billions of stolen credentials in a computer server farm located in Quebec.
RCMP officials say they are encouraging people who receive a phishing or ransomware attack to contact the Canadian Anti-Fraud Centre at 1-888-495-8501 or go online at antifraudcentre.ca to make a complaint using their secure reporting system.
“And people have to take precautions,” said Rosa, including creating difficult passwords, not reusing passwords and not opening documents that seem suspicious.
“Make yourself a harder target.”