There’s a new twist in the way feds are seeking to penalize bad actors for making and distributing software used in crimes, suggest recent arrests by Justice Department and FBI officials.
“There’s a more concerted campaign to go after go after those folks who are distributing in the underground,” said Tom Kellermann, chief cybersecurity officer at Trend Micro.
“People who are distributing capabilities have become a point of focus,” he told TechNewsWorld.
The government’s cybercrime strategy in this case is comparable to campaigns waged against child pornographers, observed Kellermann.
“You don’t go after the consumers,” he explained. “You go after the distributors to go higher up the food chain to destabilize the reputations of individuals and forums.”
The case in question involves two men charged with creating an app to steal credentials and content from online photo and video community Photobucket.
DoJ and FBI agents last month arrested Brandon Bourret, 39, of Colorado Springs, Colorado, and Athanasios Andrianakis, 26, of Sunnyvale, California, and charged them with conspiracy to commit computer fraud and abuse, access device fraud, identification document fraud and wire fraud.
Bourret and Athanasios sought to enrich themselves by selling passwords for and unauthorized access to private, password-protected information, images and video, and by selling that content themselves on the Internet, according to an indictment filed in federal court in Denver.
In addition to trafficking in stolen credentials and content, the pair developed, marketed and sold a malicious tool that allowed others to steal content from Photobucket that was private and password-protected, the indictment notes.
The conspirators used their malicious tool to obtain guest passwords that they used to break into password-protected albums on Photobucket. Further, they sold guess passwords to purchasers of the bad app so they, too, could break into the online photo albums, it alleges.
Can’t Hide Behind Computer
“It is not safe to hide behind your computer, breach corporate servers and line your own pockets by victimizing those who have a right to protected privacy on the Internet,” said U.S. Attorney John Walsh, who is prosecuting the case for the federal government.
“The U.S. Attorney’s Office is keenly focused on prosecuting those people for their theft — and for the wanton harm they do to innocent Internet users,” he added.
“Unauthorized access into a secure computer system is a serious federal crime. The arrest of Brandon Bourret and his co-conspirator reflects the FBI’s commitment to investigate those who undertake activities such as this with the intent to harm a company and its customers,” said Special Agent in Charge Thomas Ravenelle.
Bourret and Andrianakis both face one count of conspiracy, which carries a penalty of up to five years in federal prison US$250,000 in possible fines; one count of computer fraud, aid and abet, which also carries the same possible penalties; and two counts of access device fraud, which carries a penalty of up to 10 years in prison, and the possibility of a $250,000 fine for each count.
However, the new focus on the tools employed could have some unforeseen consequences for white hat researchers.
“So far, no one has been arrested for creating a tool. It was more the using of the tool that has been the issue,” noted Johannes B. Ullrich, chief research officer at the SANS Institute.
“This does more than affect the underground. This affects thousands of [penetration] testers who make a living testing the defenses of companies with their permission,” Ullrich told TechNewsWorld.
“If creating and distributing a tool is considered a crime,” he continued, “then many of them are out of a job.”