No no, I'm not saying to go calling some ghost-catching scientists. Call us instead! Check out the contact page for more info on reaching out. We do a wide range of work for various reasons and I believe this is an essential ability to offer that makes FeemcoTechnologies stand out above the rest for home and small business. This post is a recollection of a series of events involving a customer; no details are given that expose or inform about the customer, and events may be changed similarly to protect them.

My Phone is acting up

...and I think my ex hacked me

One of the most popular things that IT people anywhere see today is "hack my ex" to get back at them for whatever, or to verify whatever excuse. That is rarely legal and generally is a giant waste of time and money; if you wanted that instead of asking your partner, your relationship is doomed anyway.

Just shy of that in popularity is the classic belief that the above did happen. Mind you, this is often, VERY OFTEN, not the case. However, I want to tell you about a client that did have these issues and didn't know where to turn. Private investigators often lack the skills to identify if this is the case, leaving them to assume, based on the end user, what's going on.

For these cases, what we NEED to do a proper investigation is a list of everything going on, and how. "My phone goes slow" isn't going to be as helpful as something more like "I see multiple sign-ons on my Facebook, email, bank accounts, and my phone keeps glitching by being mid-song and the sound quits, or being on Snapchat and suddenly it closes the camera and Snap crashes." This is the level of detail we need to start the investigation. If we don't have this, we will request a consultation to work out this data before ever even looking at your phone. This is not just to get a clear picture of what's going on, but also to have something to compare to when we see the device.

Now, we understand people don't have money to deal with these things, and can respect the idea that sometimes people just want help recovering their accounts and kicking out bad guys. While that depends on all the accounts, consultation to prepare is free. We'll go with you one by one through each account, locking out any bad guys and setting up the best available 2FA options to put you back in control. We'll charge our hourly fee of $50/hr for that, first hour guaranteed.

This case was not one of those. We hoped it would be and so did the user. Apparently, we'd found their malware and cleared it, as well as helped recover accounts, only for all accounts to be compromised a week later and the phone to be acting up again.

YOU DIDN'T FIX IT!

... NOW IT'S WORSE THAN EVER!

This is another problem that often happens in the realm of IT support, especially in security-related events. Resolving the issue at hand may not have stopped a larger issue, or stopped it from recurring. They proceeded to tell us that now their roommate's phone had been accessed as well, but they were having trouble proving it other than saying things started happening on their accounts, such as their bank accounts.

Hold up, full stop! This breached into something actionable by regular police. Finally, a chance at justice!

This is a struggle a lot of people get involved in and it can financially bring nearly anyone to ruin. Just trying to fight to prove it wasn't them who made fraudulent charges is a losing battle because it's based on the likelihood that the bank will believe you, and at their whim. So we asked for a sit-down review, free, of everything going on. After looking over everything, we came to the conclusion that something allowed them back into their email accounts, which were then leveraged to change passwords on their other accounts, such as bank accounts and cloud storage accounts. I don't know how many people realize this, but in private cloud storage I'd roughly estimate 1 in 3 people keep their license, SSN, birth certificate, credit cards, or bank account numbers saved as images. It is believed this is how the spending began.

We talked to the bank and they directed us to talk to the companies who used the credit cards. We found that the accounts opened for some of these came in under false names, but the names were kind of alterations of the real name. Without a court order, you can ask for this stuff on your own. Most would reject anything more than this without a court order, which is where you'd provide this info to the police and tell them the companies are waiting for an order to release this information. Anyway, this clue about how the names worked helped us know that the person didn't know the roommate well, but was using them as a tool to hurt the client.

Checking the IPs associated with the login activity on the various accounts, they were clearly using a set of VPN hosts belonging to a well-known VPN vendor. Asking the vendor for contact information for the user at that time of day, due to abuse, was rejected without a court order; again, in these situations, bring it to the police. We did find, however, that they logged in using Google in order to exfiltrate Google Drive and Google Photos data (re: cards, accounts, passwords, etc. all find ways to be saved either in screenshots or as images) of both the client and their roommate. So we have a physical location, which matched the ex as originally assumed. Now, about that malware.

Building the case

...so the cops won't sit on it for 2 years

I gave them a half-off price for the malware analysis, as the cleaning didn't keep them safe the first time, as well as an info gathering charge, and set them up with antimalware for their phone. The malware analysis, however, is the fun part. We broke open the AndroRAT (copy? unsure of what its name was, but it looked and functioned like AndroRAT) only to find, plain as day, the IP address it connected to. Doing some public scans, apparently they'd hosted their Minecraft server from the IP.

So you know we had to test it.

We found the Minecraft server was still available, with only one user running. Well, we don't know that this username is him... exactly. It's not his old one the client knew. So we pulled up his Xbox page, which is the same username as his Instagram, where he showed off stolen guns and phones (one of which matched an old phone of the client, which was his first point of entry based on Google's logs). We then went through a tool called Sherlock to find the username on other sites and correlate them. We found a few more things here and there.

But wait, we didn't stop there: the bad guy here works for a major company. They monitor logs of all their employees using the work Wi-Fi. We went to them and asked if they would be able to check their logs, before police involvement but for use in a criminal case, for activity during the times he was intentionally harassing and stalking the client and their roommate. We then provided this to the police with that contact relevant to their work, and ensured that everyone had their accounts set up with 2FA, credit cards reset, and all the standard stuff.

Dear Police

... I'm the reporting party, not my client

After going back and ensuring that evidence was properly linked, dated, stored, hashed, cached, and tracked, the police continued to try to deal directly with my client when sharing case information. We had to inform the police department that they weren't actually the complainants at this point; it was me filing charges of fraud and CFAA. The client and their roommate moved, but outside of that, haven't dealt with the ex since. The police, on the other hand, as of today, more than 6 months later, have issued a restraining order (handled in a different case, but it referenced this one) and pressed state felony and federal felony fraud charges. Case appears to be awaiting arrest.
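One way to keep evidence "linked, dated, hashed, and tracked" is a hash-chained manifest. This is an added example, not the tooling used in this case; the field names, the `handler` value and the manifest layout are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file's bytes (read whole; chunk it for large device images)."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def record_hash(record):
    """Hash of a manifest record, computed over every field except its own hash."""
    body = {k: v for k, v in record.items() if k != "record_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def add_item(manifest, path, note, handler):
    """Append one evidence item, linked to the previous record's hash."""
    record = {
        "file": str(path),
        "file_sha256": sha256_file(path),
        "logged_utc": datetime.now(timezone.utc).isoformat(),
        "handler": handler,  # hypothetical field: who logged the item
        "note": note,
        "prev_record_sha256": manifest[-1]["record_sha256"] if manifest else None,
    }
    record["record_sha256"] = record_hash(record)
    manifest.append(record)
    return record


def verify(manifest):
    """Return a list of problems: changed files, edited records, broken chain."""
    problems, prev = [], None
    for i, rec in enumerate(manifest):
        if rec["prev_record_sha256"] != prev:
            problems.append(f"record {i}: chain broken")
        if record_hash(rec) != rec["record_sha256"]:
            problems.append(f"record {i}: manifest entry edited")
        if not Path(rec["file"]).exists():
            problems.append(f"record {i}: file missing")
        elif sha256_file(rec["file"]) != rec["file_sha256"]:
            problems.append(f"record {i}: file content changed")
        prev = rec["record_sha256"]
    return problems
```

Because each record carries the hash of the one before it, an entry cannot be edited or removed after the fact without `verify` reporting it, which lets the manifest be handed over alongside the files themselves.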