by Nirmal John
The Verizon Data Breach Investigation Report 2017⁴ said that over half the computer technology breaches in the previous year—2016—included some sort of malware. According to the same report, 66 per cent of the malware was installed via malicious email attachments. There is no reason why emails and messages wouldn’t continue to be popular vehicles for distributing malware, considering their ease of execution and their proven track record of well-executed attacks.
It was exactly these features of the email that did the businessman in. What he obviously didn’t realize when he opened the attachment was that he had not clicked on a Word document, as he had assumed, but on an executable file of the kind typically used to instal programmes on computers. The malware that was being executed had been disguised as a Word document, and the moment he opened it he unwittingly triggered a domino chain of code that chugged along quietly in the background, installing programmes that would ultimately transmit information—in this case valuable business secrets—from his computer. These secrets would start getting transferred to a remote server. It was that simple.
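The disguise described above, an executable presented as a Word document, is something a mail gateway can catch before a user ever double-clicks. The check below is an added example, not code from the book or from the investigators; it compares an attachment’s declared extension with its real file signature (the hypothetical helper `assess_attachment`, with constructed sample bytes) and flags double extensions such as `.doc.exe`.

```python
"""Check whether an e-mail attachment's declared type matches its content."""
import os

# File signatures (magic numbers) for the types this check understands.
SIGNATURES = {
    b"MZ": "pe-executable",                                # Windows EXE/DLL/SCR
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-compound",  # legacy .doc/.xls
    b"PK\x03\x04": "zip",                                  # .docx/.xlsx are ZIP containers
    b"%PDF": "pdf",
}

# What the content should look like for a given document extension.
EXPECTED = {
    ".doc": {"ole-compound"},
    ".docx": {"zip"},
    ".xls": {"ole-compound"},
    ".xlsx": {"zip"},
    ".pdf": {"pdf"},
}

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def sniff(data: bytes) -> str:
    """Identify the content by its leading bytes, ignoring the file name."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def assess_attachment(filename: str, data: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    root, ext = os.path.splitext(filename.lower())
    # "report.doc.exe": only the last extension decides how Windows runs it,
    # and Windows hides known extensions by default, so the user sees "report.doc".
    inner_ext = os.path.splitext(root)[1]
    if ext in EXECUTABLE_EXTS and inner_ext in EXPECTED:
        findings.append(f"double extension {inner_ext}{ext}: executable posing as a document")
    elif ext in EXECUTABLE_EXTS:
        findings.append(f"executable attachment ({ext})")
    kind = sniff(data)
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        findings.append(f"content is {kind}, not a valid {ext} file")
    if kind == "pe-executable" and ext not in EXECUTABLE_EXTS:
        findings.append("PE executable disguised with a non-executable extension")
    return findings


if __name__ == "__main__":
    # Constructed sample: a PE header under a document name.
    print(assess_attachment("quarterly_results.doc", b"MZ\x90\x00" + b"\x00" * 60))
```

The signature table is deliberately short; a production gateway would back it with a full type-detection library and also open archives, since the same mismatch can hide inside a ZIP.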
The malware now installed on his system was powerful for the times. It could worm its way into his input devices and record keystrokes, turn on the microphone and record conversations, collect saved passwords, search for files by keyword, take screenshots, and upload and download all of these to remote servers—dumpsites, as they are often referred to by computer nerds. The malware was so sophisticated that it could do pretty much everything a person sitting in front of the computer could, without giving itself away. There was nothing stopping it, short of the system itself being turned off.
The geeks would have called it a classic case of spear phishing. Spear phishing is defined as a type of phishing scam that targets a specific individual, organization or business. According to the dictionary, phishing is when those with malicious intent ‘try to obtain financial or other confidential information from Internet users, typically by sending an email that looks as if it is from a legitimate organization, usually a financial institution, but contains a link to a fake website that replicates the real one.’⁵
The businessman probably knew that clicking random links on the Internet, unless one is absolutely sure of their authenticity, leads to danger, but chose to click nonetheless. In his case, rather than linking his computer to a website, the malware triggered the installation of software that started transmitting data from his computer. That double click on the attachment meant that everything on his system was now compromised.
Remember, this wasn’t an ordinary work computer used by a foot soldier in the company. This one was used by a man who ran businesses worth billions. Some of the information stored in the computer was the secret sauce that helped him make those billions. This computer was way more valuable than a computer used by the average Joe.
The stolen information could potentially be used to manipulate the stock market into volatile swings that the perpetrators of this attack could use to make more than a neat wad. Worse still, the company was involved in many deals at that point, and its competitors could use the information tucked away in the hard drive to undermine the interests of the company in the global marketplace.
But it took some time for the businessman to realize he had made a mistake by clicking on the link. It took time for him to realize that the con was in the code.
* * *
‘I’ve a friend who’s in a real messy situation. He’s been accused of hacking into this mighty businessman’s computer. You guys have to help him,’ the urgency of the situation was unmistakable in the tone of the voice. It was imploring Sahir Hidayatullah and Raviraj Doshi to help the journalist out.⁶ The voice belonged to a mutual friend of theirs and the journalist’s.
The two young men were white hat hackers (the good guys, the antonym of white hat being black hat, a term used to describe those who hack for malicious reasons) who used their programming skills to fight those who used computing to operate beyond the arm of the law. If the tone of their friend’s voice was not enough reason, they were also fascinated by the case itself and the names involved. They looked at each other. They knew there was no way they could say no to the plea for help.
Hidayatullah and Doshi converse with each other with the familiarity of childhood buddies. They had met in their late teens while attending a computer security course conducted by Vijay Mukhi, a tech wizard, in the neighbourhood of Worli in Mumbai. They had joined the course at a time when they were fresh out of college and pretty clueless about their future.
What they did know was that they liked messing around with their computers. Both the boys knew their way around the web—even its darker alleys. Programming came naturally, and they used their skill to fool around on the Internet. What they weren’t quite sure about was if this love for hacking would help them when it came to chiselling out a career for themselves. They didn’t know how to build on those skills to make some dough.
Enter Vijay Mukhi. His tutelage was the catalyst that helped Hidayatullah and Doshi realize they could channel their skills and earn decent money in the process. The wizened Mukhi has been acknowledged as an early adopter when it comes to new technologies. He took to programming early in its curve in India, and ended up writing over eighty books on it. The description of what he does, as showcased on his website, ‘Vijay Mukhi’s Technology Cornucopia’, is particularly telling as an expression of his geekiness, and by extension explains why Hidayatullah and Doshi look up to him as a mentor.
And then there were the days when a good old desk used to be a wastepaper basket with drawers where you could conveniently lug around slitting wrists at the edge of the piles-a-files. The first glitch is we, as human beings, have made too many wrong mistakes. Like inventing the outlandish gadget, which does little more than redefining a desk to a wastepaper basket with circuits, popularly known to mortal souls as a computer. Sooner than you could spell the word ‘integrated circuits’, it became another paraphernalia of the Kooky. The second glitch is that computer technology has begun to move faster than anything else. Which brings us to the amorphous blob of the Internet and the vast scaffold of the World Wide Web. One of my idiosyncrasies is to be on the dashboard of state-of-art techie lore and, like it or not, that can be as intoxicating as a goblet of golden ambrosia. So, while my human equivalents out there cavil over Gulf wars and gorky WhiteWaters, I am cosily ensconced in my chair, blanket and all, lurking in the rigorous techno-wilderness of cyberdom.⁷
That would read unusual, to say the least, to most ordinary people. But it was this kind of extreme geekiness that made Mukhi’s mid-town Mumbai classroom nerd-central. It was just about the perfect place for young souls entranced by cyberspace and coding—like Hidayatullah and Doshi—to flock to. For Mukhi, in turn, the computer institute was a way of passing on his knowledge to young geeks.
The skinny Hidayatullah and the chubby Doshi hit it off over conversations on hacking and over the course of the Mukhi course, became thick friends. So much so that after the course was over they decided to work together. They would call their collaboration ‘Dead Pixel Security Research’.
The latter half of the first decade of this millennium was a great time to start out in the cybersecurity business. Crime was just starting to move online and there was plenty of mystery around the Internet to make it attractive enough to commit them. Cops throughout the country were struggling from technological lethargy. Companies couldn’t turn to them for help when something fishy happened, and help from anyone who had an idea of what was afoot was appreciated. Businesses that were at risk needed advice and guidance, and that meant cybersecurity was slowly becoming a viable career path for young hackers who did not want to fall foul of the law and go black hat.
Vijay Mukhi, with his network of contacts, introduced the young men to the police and other investigating agencies around the country, as well as to businesses that were looking for help in shoring up their cybersecurity. Mukhi knew that hacking skills dovetailing with an investigative bent of mind was a rare combination, and that Hidayatullah and Doshi had both in spades.
Combined with these skills were the two men’s eccentricities and odd obsessions. Hidayatullah, for example, was obsessed with war strategy and loved to read up on and analyse the battle strategies of every great warrior throughout history, from Genghis Khan to Napoleon. He wouldn’t know it at the time, but this obsession would enable him to put himself in the shoes of his online adversaries as his career progressed. After all, defending against breaches is as much about getting inside the mind of the hacker as it is about finding vulnerabilities in lines of code. Building on these skills, the two set about forging their careers.
The reputation they had built among companies as young hackers of substance in Mumbai was going to be put to intense test when it came to clearing the name of the journalist in the spear phishing case.
After the desperate call for help from that mutual friend, the two decided to talk to the journalist over the telephone before taking on the challenge. That call was set up soon enough. A few minutes into the call and Hidayatullah and Doshi could both sense the journalist was innocent. For one, he clearly lacked the programming nous.
‘This guy just didn’t have the ability to do what he was being accused of,’ Hidayatullah remembers thinking.
But then, it clearly wasn’t enough that they could deduce his innocence. What mattered was how they were going to prove it and convince the businessman and his company that while there was a clear breach, this wasn’t the man behind it. Cybercrime was still new and most people hadn’t really figured out that on the Interwebs, what you saw wasn’t always what you got. Deception is at the heart of cybercrime, but that knowledge hadn’t yet percolated through to law enforcement.
To the police, the name and the email address appearing on top of the email was as good as clinching evidence—the modern-day equivalent of a fingerprint on the loot, if you will. Hidayatullah and Doshi needed to break the perception that the cops and the company had of what constituted evidence when it came to cybercrimes such as this one. That was going to be a hard task, but a challenge they were eager to take up.
* * *
News of a possible data breach in the major corporation was starting to make its way through the grapevine. To defuse the situation, the company issued a statement saying that while someone did try to find their way into their system, nothing untoward had happened and that there had been no collateral damage either. At least, that was what the company sought to project to the world.
That is the typical response of corporate houses in India when news leaks out that they are at the receiving end of a hacking attempt or an act of corporate espionage. The emphasis was, and remains, to keep any such news hushed up. For a company, loss of data or a breach of its defences by hackers is considered extremely damaging to its reputation, and nipping in the bud any conversation around such news is seen as crisis communication 101.
It is in the aftermath, however, that this becomes a dangerous practice. Far too often, this sort of guarding and protecting of the corporate reputation with an external audience assumes more importance than bringing the perpetrators to book. Because breaches are hardly ever talked about, they are not at the top of the business community’s mind, or of society’s as a whole. Conversations are important because they allow others to take precautions and not fall into the same trap. The absence of disclosures, in effect, often leads to more breaches.
Internally, though, now that the breach had happened, there were plenty of worried faces. After the businessman had called him into his room to query him as to why the attachment wasn’t opening, it had taken the IT guy an inordinate amount of time to figure out the gravity of what had happened. He had fooled around with the computer, fiddling with the attachment for a while without realizing what was going on. By the time it dawned on him that this may be a case of phishing, precious time had elapsed.
The IT guy called for reinforcements and his senior marched in. Once they concluded that the big boss’s computer had been compromised, they were in a tizzy. They knew little about how the malware was working. They did not know the extent of the damage it was causing or whether it had spread through the network. They cut the computer’s connection to the Internet but had no idea how much information had already been taken away.
It was not as if there were many in the organization with training in cyber forensics who could help an internal investigation along. The only clue they had was the name headlining the email—the name of the journalist who had purportedly sent it.
That was the lead they chose to pursue. That was what had set off the chain of events that eventually led to the journalist getting arrested in New Delhi. The company could get this done while keeping things quiet, and few came to know what was afoot. This was a company with massive clout in law enforcement.
* * *
After agreeing to help the journalist, Hidayatullah and Doshi didn’t waste much time. They immediately got in touch with the company, thanks to their connections in the police force as well as within the organization. They had helped the company with some security issues earlier and there was some cache of good will they enjoyed within the secretive company system that they could tap into.
It didn’t take them much to convince the company that they should investigate the breach. The intervention from outside was welcomed because the company needed all the cyber forensic muscle they could summon if they were to get to the bottom of the episode.
Forensic investigation is painfully slow work—whether offline or in the digital world. Cyber forensics, in a nutshell, is usually a geeky-looking guy in front of a computer typing commands into it and staring at code for hours together, considering various parameters, trying to tease out as much information as possible. The results usually come after hours—sometimes days—of laborious work. It is far from the glamorous and snappy treatment given to investigations in your average crime thriller or television series in Hollywood.
Hidayatullah and Doshi involved a few of their programmer friends in the investigation and started working on the case. They needed all the muscle they could possibly muster if they were to crack this case, and crack it on the bounce.
They started by attempting to reverse-engineer the malware. They needed to do this at the outset to figure out the exact nature of the beast they were grappling with—what the malware was all about, how much information had been stolen, where it was being siphoned off to and, of course, who was behind it all. There could be clues hidden within the lines of code that constituted the malware. Based on what they could uncover, they had to see whether there was a way to bring the real intruder to justice and clear the name of the journalist.
With a team of coders working in tandem, peeling the malware in layers, it didn’t take them long to make significant headway. They soon realized the malware was designed in such a way that it had different modules, each intended to mine for a specific piece of information and transfer it to the intruder over the Internet.
That meant they had to wait and observe how the malware connected to the Internet, and the location of the server to which it was trying to transfer the data. That could potentially help them narrow the field geographically—if not to a city, then to a country at the very least. They would then have something concrete to build on to prove the innocence of the journalist.
Even while they were investigating the malware, the geeks in Hidayatullah and Doshi couldn’t help but admire the handiwork of whoever had created this particular malware. What made it cool and challenging for them was the innovativeness with which it was siphoning off the information it was mining from the businessman’s computer.
The malware, they figured, was coded in such a way that it would periodically trawl through the comments section of a select few videos on YouTube. Some of these comments would have links to dumpsites—the Internet equivalent of storage boxes where you could store information in bulk. The malware would look for the latest comment with the newest such link under these YouTube videos and then connect and transfer the information it was mining immediately to those dumpsites.
The genius of its design was that even if cyber investigators blocked one of these dumpsites, the programme would just move on to another site by finding a new link among the YouTube comments, making it difficult to cut the flow of extraction and dumping unless the plug itself was pulled.
The only thing the infiltrator had to do was to key in a new URL as a comment to one of the videos that the malware would connect to on YouTube. Thus, unless the computer that was infected was taken completely offline, nobody would be able to stop the malware from connecting to the link. The obvious disadvantage for investigators was that if they were to disconnect the infected computer from the Internet, it would take out the only possible route they had to attempt to triangulate where the infiltration was coming from.
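The pattern described above, a beacon that fetches a public comment page and then immediately connects to whichever new host it found there, leaves a characteristic trace in proxy logs: a fixed-cadence fetch of the same public page followed within seconds by a first-ever connection to a fresh domain. The detector below is an added example, not from the book or the investigators’ work; it runs over constructed proxy log lines (format and hostnames are invented) and is written to generalize to any public page used this way, not only YouTube.

```python
"""Flag clients that poll a public page and then contact never-before-seen hosts.

Constructed proxy log format, one event per line: "<epoch> <client_ip> <method> <url>".
"""
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical: the public pages whose comments act as the "dead drop".
RESOLVER_HOSTS = {"www.youtube.com", "youtube.com"}
# A beacon that has just read its next target connects to it almost at once.
WINDOW_SECONDS = 60

SAMPLE_LOG = """\
1000 10.0.0.5 GET https://www.youtube.com/watch?v=VIDEO_A
1005 10.0.0.5 POST https://upload.example-dump-1.test/put
1600 10.0.0.5 GET https://www.youtube.com/watch?v=VIDEO_A
1604 10.0.0.5 POST https://upload.example-dump-2.test/put
2200 10.0.0.5 GET https://www.youtube.com/watch?v=VIDEO_A
2203 10.0.0.5 POST https://upload.example-dump-3.test/put
1010 10.0.0.9 GET https://www.youtube.com/watch?v=VIDEO_B
1400 10.0.0.9 GET https://news.example.test/
"""


def parse(log_text):
    """Turn the log into (timestamp, client, method, hostname) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        ts, client, method, url = line.split(" ", 3)
        events.append((int(ts), client, method, urlparse(url).hostname))
    events.sort()
    return events


def find_dead_drop_beacons(log_text, min_hits=2):
    """Return {client: [(ts, new_host), ...]} for clients whose fetch of a resolver
    page is followed within WINDOW_SECONDS by a connection to a host that client
    has never contacted before, repeated at least min_hits times."""
    last_resolver_fetch = {}
    seen_hosts = defaultdict(set)
    hits = defaultdict(list)
    for ts, client, _method, host in parse(log_text):
        if host in RESOLVER_HOSTS:
            last_resolver_fetch[client] = ts
            continue
        first_contact = host not in seen_hosts[client]
        seen_hosts[client].add(host)
        recent = client in last_resolver_fetch and ts - last_resolver_fetch[client] <= WINDOW_SECONDS
        if first_contact and recent:
            hits[client].append((ts, host))
    return {client: h for client, h in hits.items() if len(h) >= min_hits}


if __name__ == "__main__":
    print(find_dead_drop_beacons(SAMPLE_LOG))
```

Ordinary browsing also produces "YouTube, then a new CDN or ad host" pairs, so in practice the rule is tuned by requiring a near-constant interval between resolver fetches and by excluding well-known content networks.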
Despite their awe for the design of the malware, Hidayatullah and Doshi didn’t have the time to dwell on the handiwork of the hacker. The two started analysing the dumpsites the malware was connecting to for vulnerabilities that could potentially lead them to the perpetrator.
If they could potentially establish that the spying originated from a place other than Delhi—the place where the journalist was located—then that, along with a crash course on how easily emails could be spoofed, would be enough to convince the company and the cops of the journalist’s innocence.
Umpteen cans of Red Bull, scores of half-eaten sandwiches and many hours later, Hidayatullah and Doshi found the breakthrough they were desperate for. They discovered that one of the sites the malware was connecting to and dumping the stolen data into happened to have a vulnerability because of a misconfiguration. The site had enabled directory browsing in its settings, which for programmers like them meant a loophole through which they could now try to establish, among other things, the region where it was being hosted.