Saturday, September 28, 2013

How the FBI found Miss Teen USA’s webcam spy

RAT user "cutefuzzypuppy" wasn't all that cute.

RATer's moniker was "cutefuzzypuppy."
Aurich Lawson / Thinkstock
The sextortionist who snapped nude pictures of Miss Teen USA Cassidy Wolf through her laptop's webcam has been found and arrested, the FBI revealed yesterday. 19-year-old Jared James Abrahams, a California computer science student who went by the online handle "cutefuzzypuppy," had as many as 150 "slave" computers under his control during the height of his webcam spying in 2012.
Watching all of those webcams to see when a young woman changes her clothes takes a serious time commitment, and Abrahams made one; he "was always at his computer," according to the FBI complaint against him. Abrahams turned himself in yesterday after the complaint was unsealed, and a federal judge released him on a $50,000 bond.

Anatomy of a RATer

How did Abrahams get his start learning the intricacies of remote administration tools (RATs), the malware used to spy on his victims? Not surprisingly, he was a regular user of hackforums.net, which features a large RAT forum that I profiled earlier this year. As cutefuzzypuppy, Abrahams asked for plenty of help distributing software like DarkComet to victims, since he "suck[ed] at social engineering" and needed to find better ways to spread his spyware.
He also announced his successes. On May 17, 2012, he told the RAT community at hackforums.net, "Recently I infected a person at my school with darkcomet. It was total luck that I got her infected because I suck at social engineering. Anyway, this girl happens to be a model and a really good looking one at that :D. I was hoping I could use her and her facebook account to further spread my darkcomet rat. I want to mass message all her friends on facebook but I have no idea what to message them to get them to download the rat. Any ideas or suggestions would be greatly appreciated :)."
The "model" in question appears to have been Wolf, whose machine was infected in mid-2012. Abrahams used DarkComet to snap lots of nude photos of Wolf, whom he watched until March 21, 2013. That day, Wolf received a message from Facebook saying that someone was attempting to change her password. Then came a similar message from Twitter—then messages from Tumblr and Yahoo. Suspicious, she checked her profiles; her Twitter account now displayed a "half nude" photo of Wolf.
Thirty minutes later, she received an e-mail from her attacker. He demanded that Wolf either send him "good quality" nude pictures through Snapchat, send a video of herself, or "go on skype with me and do what I tell you to do for 5 minutes." If she didn't, the attacker pledged to release his many nude photos widely, and he attached a few just to prove how many he had.
Instead, Wolf went to the FBI, and the Bureau's LA cyber squad swung into action. On March 29, the FBI looked at Wolf's laptop and found evidence of both DarkComet and another RAT known as Blackshades, which confirmed how the attacker had taken his photos. But who was he? The IP addresses behind the attacker's e-mails resolved back only to a VPN provider which purposely kept no logs. But the RATs themselves had connected back to the attacker by accessing no-ip.org, a service which allows users to dynamically map their IP address to a domain name (in this case, to cutefuzzypuppy.zapto.org and schedule2013.no-ip.org), thereby allowing the "slaves" to phone home, even when the attacker was using a dynamic IP address from a home Internet account. No-ip.org did keep records, and the FBI obtained them.
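The phone-home mechanism described above is also what gives a defender a detection hook: a RAT that reaches its controller through a dynamic-DNS hostname has to resolve that name, repeatedly, from every infected machine, and those lookups land in whatever DNS logs the network keeps. The Python below is an added example, not code from the article or from the FBI investigation. It scans constructed DNS query log lines for lookups under dynamic-DNS provider zones and flags (client, hostname) pairs that resolve the same name at regular intervals, the beaconing pattern a RAT checking in with its controller produces. The log line format, the client addresses, the timestamps, and every zone in the list other than no-ip.org and zapto.org (the two named in the article) are assumptions made for the example.

```python
"""Flag DNS lookups of dynamic-DNS hostnames and look for RAT-style
periodic resolution of the same name from one client (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Zones run by dynamic-DNS providers. no-ip.org and zapto.org are the two
# the article names; the rest are other No-IP / Dyn free zones added here
# as an assumed starting point, not an authoritative feed.
DDNS_ZONES = (
    "no-ip.org", "no-ip.biz", "no-ip.info", "zapto.org", "hopto.org",
    "ddns.net", "sytes.net", "myftp.org", "servehttp.com", "dyndns.org",
)


def ddns_zone(qname):
    """Return the dynamic-DNS zone a query name falls under, or None.

    The bare zone apex (e.g. 'no-ip.org', the provider's own website) is
    not treated as a hit; only hostnames registered beneath it are.
    """
    name = qname.lower().rstrip(".")
    for zone in DDNS_ZONES:
        if name.endswith("." + zone):
            return zone
    return None


def parse_line(line):
    """Parse one constructed log line: '<iso-utc-ts> <client> <qname> <qtype>'.

    Real sources (Zeek dns.log, Windows DNS debug logs, resolver query
    logs) differ only in this function.
    """
    ts, client, qname, qtype = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, client, qname, qtype


def analyze(lines, min_hits=3, jitter=0.25):
    """Group DDNS lookups by (client, qname) and flag regular beacons.

    A pair is 'periodic' when it has at least `min_hits` lookups and every
    gap between consecutive lookups lies within `jitter` of the mean gap.
    """
    seen = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        when, client, qname, _ = parse_line(line)
        zone = ddns_zone(qname)
        if zone:
            seen[(client, qname.lower().rstrip("."), zone)].append(when)

    report = []
    for (client, qname, zone), times in sorted(seen.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = False
        if len(times) >= min_hits:
            avg = mean(gaps)
            periodic = avg > 0 and all(abs(g - avg) <= jitter * avg for g in gaps)
        report.append({
            "client": client, "qname": qname, "zone": zone,
            "hits": len(times),
            "mean_gap_s": round(mean(gaps), 1) if gaps else None,
            "periodic": periodic,
        })
    return report


# Constructed sample log: one host beaconing to a zapto.org name every
# ~5 minutes, another with two widely spaced lookups plus a visit to the
# provider's own site (which is not flagged).
SAMPLE_LOG = """\
2013-03-21T09:00:00Z 10.0.0.5 www.facebook.com A
2013-03-21T09:00:07Z 10.0.0.5 cutefuzzypuppy.zapto.org A
2013-03-21T09:05:05Z 10.0.0.5 cutefuzzypuppy.zapto.org A
2013-03-21T09:10:06Z 10.0.0.5 cutefuzzypuppy.zapto.org A
2013-03-21T09:15:04Z 10.0.0.5 cutefuzzypuppy.zapto.org A
2013-03-21T09:20:03Z 10.0.0.5 cutefuzzypuppy.zapto.org A
2013-03-21T09:02:00Z 10.0.0.9 schedule2013.no-ip.org A
2013-03-21T09:02:30Z 10.0.0.9 no-ip.org A
2013-03-21T11:47:12Z 10.0.0.9 schedule2013.no-ip.org A
""".splitlines()

if __name__ == "__main__":
    for row in analyze(SAMPLE_LOG):
        print(row)
```

On the sample, 10.0.0.5 is reported as periodic (five lookups of cutefuzzypuppy.zapto.org about 299 seconds apart) and 10.0.0.9 is reported but not flagged (two lookups hours apart, and the bare no-ip.org lookup is ignored). Plenty of legitimate hobbyist hosts sit under these zones, so a hit is a lead to pivot on (which process on the client opened the connection, what the name currently resolves to, whether the provider will produce account records as No-IP did here), not a verdict on its own.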
Wolf detailing her experience.
CNN/WPIX
The records showed that the no-ip.org account was in the name of Abrahams' father and the username on the account was "cutefuzzypuppy." A simple Google search showed just how many times cutefuzzypuppy had written about RATs online.
With the Abrahams family in its sights, the FBI went... to Facebook. Facebook revealed the existence of a Jared Abrahams and listed the college he attended, so the FBI staked out Jared at his school, where two agents recognized him from his driver's license photo. They then checked with the school's IT department, which confirmed that Abrahams had accessed the "no logging" VPN from the school's network. Bingo.
As the investigation progressed, however, Wolf still had no assurance that her nude images wouldn't leak all over the Web. On May 27, her attacker contacted Wolf yet again and continued to threaten her unless she complied with his demands. He promised to post her picture to hacked accounts of her friends on Facebook, and said that nothing she could do would stop him. "Block all the people, delete your account, whatever, just know that I finally decided I have enough facebooks and will upload your picture on all of them," he wrote.
The FBI began to find other victims in Baltimore, Canada, Ireland... the list went on. Some had complied with Abrahams' demands and stripped for him on Skype. "Please remember I'm only 17. Have a heart," wrote an Irish girl. "I'll tell you this right now! I do NOT have a heart!!!" Abrahams responded.
Those who did not comply did have some of their photos released. While an FBI agent was on the phone with one victim on May 29, the victim logged into her Instagram account only to find that "nude photographs had been posted of her."
On June 4, a federal search warrant was executed at the Abrahams' home in Temecula, California, where agents seized Jared's digital devices and found numerous videos of victims and RAT tools. Abrahams voluntarily agreed to talk and admitted to everything; he also noted that Wolf was the first of his RAT victims, and that he knew her personally from when the two were in high school together.
Abrahams told the FBI that he was "not normally aggressive."
A RAT user spying on a girl from Malaysia. In the background is a complete list of "slaves" this RAT user controls.

We’re sorry

After the complaint against him was unsealed yesterday and Abrahams had his initial court appearance, his family issued a statement saying that it "wants to apologize for the consequences of [Abrahams'] behavior to the families that were affected.”
As for Wolf, she has made the issue a signature one of her year as Miss Teen USA. She appeared on the Today show yesterday to say that "it makes me feel really good to know I helped [other victims] out as well... I just think it’s sad he chose to do this and kind of put himself in this big dilemma."
Wolf said her webcam light never went on, which is why her suspicions were never aroused. That may well have been true; in his hackforums.net posts, cutefuzzypuppy shows himself to be an avid student of specific webcam models and drivers, posting lists about which camera lights are "bright as f--k" and which produce "no light, no software, [and are] 100% incognito." On many laptops the indicator LED is switched by the camera's firmware or driver rather than hardwired to the sensor's power, so a dark LED is not proof that the camera is off.
Updated to correctly characterize no-ip.org's service as dynamic DNS rather than IP masking.
