Investigation of the Day: To Catch a Thief



I thought you might be interested to follow along with an investigation into a cybercrime I’m currently working on. I am not going to discuss the specifics of the case, but even in broad strokes, I think it is interesting because the investigation is a little more detective work than I usually get to do.

My client, which I’ll call Ficus for typographical reasons that will become clear in a bit and will imagine as a gardening company, fell victim recently to a wire transfer fraud. It had a vendor, which I’ll call WXYZ Production, which had a six-figure outstanding invoice. My client typically communicated with WXYZ Production via email, say at “john@wxyzproduction.com.” Well, some wrongdoer with knowledge of the invoice sent an email to my client’s accounts payable office from “john@wxyzproductions.com,” with false wiring instructions. Notice that the domain name on the email has an “s” on the end of it. Easy to miss. My client wired the money to pay the invoice, and poof! Just like that, the money is gone.

There seem to be two angles of attack: Can we find out where the money went? And can we identify the owner of the fraudulent domain name? I’m going to focus today on the second issue.

First, let’s try to figure out who registered the wxyzproductions.com domain name. One of the unfortunate side effects of data privacy laws is that the WHOIS database is a lot less useful than it used to be. The database generally doesn’t let you see the name of the registrant or any information regarding him. Instead, if you want to contact the registrant, you can use an email address provided by the registrar, which then forwards the communication for you. But the name of the registrar is publicly available. So I filed an action against John Doe defendants, in a jurisdiction where you can serve subpoenas immediately upon filing an action. I issued a subpoena to the registrar, a well-known US company in this case, and served the subpoena on the registrar’s registered agent for service of process in the jurisdiction where I filed the case. The eventual answer was that the registrar would only comply with subpoenas issued by a court in its home jurisdiction. Rather than have a fight about that (which I think I would have won), I went through the process of obtaining a subpoena from the other jurisdiction and served that subpoena on the registrar. After some delay, the registrar eventually produced to me information about the registrant. The registrant was a US company in another state, call it Acme LLC. Acme LLC appears to be a legitimate company in good standing, and I have no reason to think it knew about or had any involvement in the fraud. The wrongdoer apparently registered the domain using Acme’s name, but the email address used to register the domain was not an “acme.com” address. Instead, it was from another newly registered and apparently nonsensical domain, call it giughj.com. That domain, it turns out, is registered with another well-known US registrar, but this time, again with privacy protection. So I am going to need to serve a similar subpoena on the second registrar.

The registrar of wxyzproductions.com was also an email service provider, and as the subpoena required, it also produced the email headers (that is, the metadata) for all emails sent by “john@wxyzproductions.com.” Of course, in light of the Stored Communications Act, it did not produce the contents of the emails, but in any investigation, sometimes the metadata is just as important or more important than the data.

One of the interesting emails was an email between “john@wxyzproductions.com,” the scammer, and “payables@flcus.com.” Did you catch the typo in the second email address? My client is Ficus, and it uses ficus.com. But someone has registered a fake domain, flcus.com instead of ficus.com, which is hard to see if you’re not looking for it. It turns out there are also a bunch of emails between “john@wxyzproduction.com” and “john@wxyzproductions.com,” or in other words, between Ficus’s real vendor and the scammer. I can imagine innocent and not-so-innocent explanations. The metadata also included the IP addresses from which emails sent by the scammer originated. So of course we’ll be seeking information about this second fraudulent domain name and will probably be seeking to have it canceled or transferred, in order to protect Ficus’s customers from falling victim to similar scams.
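Both lookalike domains in this story are exactly one character away from the real thing: an “s” appended to wxyzproduction.com, and an “l” in place of the “i” in ficus.com. As an added example (not code from the original post, and not a tool the author used), here is a small Python check that an accounts-payable mail filter could run on each sender’s domain against a list of the vendor domains the company actually deals with. It flags domains that become identical once visually confusable characters are collapsed, and domains within one edit (insertion, deletion, substitution or adjacent swap) of a known domain. The known-domain list, the confusable table and the sample addresses are constructed for illustration.

```python
from typing import Optional

# Constructed for this example: the vendor and own-company domains that
# Ficus's accounts-payable staff legitimately correspond with.
KNOWN_DOMAINS = {"wxyzproduction.com", "ficus.com"}

# Character sequences that look alike in common fonts, mapped to one canonical
# form. Hypothetical, deliberately short table for illustration; Unicode's
# confusables.txt (UTS #39) is the full list.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("0", "o")]


def sender_domain(addr: str) -> str:
    """Domain part of an e-mail address, lower-cased, trailing dot removed."""
    return addr.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def skeleton(domain: str) -> str:
    """Collapse confusable sequences so 'flcus.com' and 'ficus.com' compare equal."""
    s = domain.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insertion, deletion, substitution and
    adjacent transposition each cost 1. 'wxyzproductions.com' is 1 away from
    'wxyzproduction.com' (one deletion)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_sender(addr: str, known=KNOWN_DOMAINS) -> tuple:
    """Classify a sender address against the known-domain list.

    Returns (verdict, matched_known_domain); verdict is one of
    'known', 'homoglyph', 'near-miss' or 'unknown'.
    """
    domain = sender_domain(addr)
    if domain in known:
        return ("known", domain)
    for k in sorted(known):
        if skeleton(domain) == skeleton(k):
            return ("homoglyph", k)
    for k in sorted(known):
        if edit_distance(domain, k) <= 1:
            return ("near-miss", k)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample addresses mirroring the post: the real vendor, the
    # scammer's lookalike, the fake Ficus domain, and the throwaway domain.
    for addr in ("john@wxyzproduction.com", "john@wxyzproductions.com",
                 "payables@flcus.com", "someone@giughj.com"):
        verdict, match = check_sender(addr)
        print(f"{addr:32} {verdict:10} {match or '-'}")
```

A “near-miss” or “homoglyph” verdict is a reason to hold the message for a human, not proof of fraud; the list of known domains has to be maintained, and the same two checks applied to the company’s own domain are a cheap way to find typosquats like flcus.com before a customer is hit.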

A DNS query of the MX record for the giughj.com domain shows that it uses the same email service provider as wxyzproductions.com uses! So we’ll need another subpoena to that registrar, too. The email metadata also include IP addresses from which the wrongdoer sent emails, and so I’ll want to serve subpoenas on the companies, presumably virtual server hosting companies, that have the IP addresses.
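The originating IP addresses the headers revealed sit in the Received headers, which each mail server prepends as the message passes through it: the topmost Received line is the last hop (the recipient’s own mail exchanger) and the bottom one is the first server to see the message, whose “from” clause records the address the sender connected from. As an added example (not the author’s code and not anything the email provider produced), here is Python that walks a message’s Received chain in transit order and picks out the first non-internal address, the one whose hosting provider would get the next subpoena. The message, host names and IP addresses are constructed (documentation-range IPs), and the internal-address filter is a simple RFC 1918, loopback and link-local list.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed sample message for this example (invented host names,
# documentation-range IPs); not a header set from the case. Headers are in
# the order the recipient's server stored them: newest hop first.
SAMPLE_RAW = """\
Received: from mail-out.example-esp.test (mail-out.example-esp.test [203.0.113.25])
\tby mx.ficus.com (Postfix) with ESMTPS
\tfor <payables@ficus.com>; Tue, 4 Jun 2024 09:15:02 -0400
Received: from webmail.example-esp.test (localhost [127.0.0.1])
\tby mail-out.example-esp.test with ESMTPA;
\tTue, 4 Jun 2024 09:15:00 -0400
Received: from [10.0.0.7] (vps.cloud-host.test [198.51.100.77])
\tby webmail.example-esp.test with HTTP; Tue, 4 Jun 2024 09:14:58 -0400
From: John <john@wxyzproductions.com>
To: payables@ficus.com
Subject: Updated wiring instructions

Please use the new bank details attached.
"""

# Addresses that identify nothing outside the provider's own network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def received_hops(raw: str) -> list:
    """Parse the Received chain into transit order (earliest hop first).

    Each hop records the 'from' clause (the connecting host as the receiving
    server saw it, plus whatever name the client claimed in EHLO), the
    receiving server ('by'), and every bracketed IPv4 in the from clause.
    """
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        unfolded = " ".join(value.split())          # undo header folding
        from_part, _, by_part = unfolded.partition(" by ")
        hops.append({
            "from_clause": from_part,
            "by": by_part.split()[0] if by_part else None,
            "ips": IPV4_IN_BRACKETS.findall(from_part),
        })
    return hops


def origin_ip(raw: str) -> Optional[str]:
    """First non-internal address in transit order: where the sender came from.

    In the sample, the EHLO name '[10.0.0.7]' is client-supplied and private,
    so it is skipped and the server-observed 198.51.100.77 is returned.
    """
    for hop in received_hops(raw):
        for ip in hop["ips"]:
            if not is_internal(ip):
                return ip
    return None


def claimed_sender(raw: str) -> str:
    """The From: address, which the scammer controls and which is not evidence of origin."""
    return parseaddr(message_from_string(raw)["From"])[1]


if __name__ == "__main__":
    for n, hop in enumerate(received_hops(SAMPLE_RAW)):
        print(f"hop {n}: {hop['ips']} -> by {hop['by']}")
    print("claimed sender:", claimed_sender(SAMPLE_RAW))
    print("origin IP to subpoena:", origin_ip(SAMPLE_RAW))
```

Two caveats a practitioner would add. Received headers below the first one written by a server you trust can be forged by the sender, so the address found this way should be cross-checked against what the email provider itself produces under subpoena. And an IP address identifies a hosting customer only as of the timestamp on that header, so the subpoena to the hosting company needs the exact date and time, time zone included, not just the address.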

What are the lessons of all this? First, just because it involves The Internet doesn’t mean it’s hopeless! I’m not sure we’ll be able to unravel the knot, but maybe we will, especially if the wrongdoers are not super-serious. Second, it pays to know a little about DNS, domain name registration, and the like. Letters Blogatory may not have the most advanced website on the planet, but I administer the server myself, and it’s been good for me as a litigator to see how log files, DNS queries, and email servers work. It helps me to be smart about discovery. Third, with a little elbow grease and subpoena power, you can make pretty good progress yourself, without having to turn to experts. We might need to get an expert eventually in my case, but for now, I’m seeing where the subpoenas take me.

