and/or bank account information. BoatingCT.com had not sent these
e-mail messages to its customers. The company contacted the FBI New
Haven field office for investigative assistance, and at the FBI’s request, it
provided a copy of several e-mails received by its customers, along with
its Web server logs. Figure 6-1 shows the text of an e-mail message
received by a customer. Figure 6-2 shows the e-mail header information.
FBI Analysis
The e-mail header information shown in Figure 6-2 provided some important information (see Appendix A). Although the message appeared to be sent from orders@boatingct.com—the victim company’s legitimate e-mail address—the Reply-To address (boatingct@hotmail.com) was not the same. This indicated that the individual sending the e-mail confirmations to the company’s customers was using a Hotmail account to obtain additional financial data from those customers. In addition, the presence of hosting4u.net in the Received headers indicated that the e-mail had passed through a Web hosting site. The CART field examiner used the ARIN site (http://www.arin.net/whois/) to determine that the owner of the IP addresses for hosting4u.net was CommuniTechnet. The system administrator of CommuniTechnet was interviewed. During the interview, it was disclosed that CommuniTechnet hosted a site called Haxors.com, an e-mail spoofing site that could be used to hide an e-mail sender’s identity.

Dear Mr. or Mrs. D,
We apologize for any inconvenience this may cause you, but our system has flagged your order most likely due to an unauthorized credit card transaction.
Ordernum: WEB11369
Visa: XXXX-XXXX-XXXX-1234
Exp: 09/02
In order for your items to be shipped we first need some verification. For our safety and security, BoatingCT requires that you respond back with your card’s verification number, if one is available. The verification number is a 3-digit number printed on the back of your card. It appears after and to the right of your card number.
The second method is bank account verification in case fraudulent credit card information was provided. We require the routing number, which is located at the bottom of your check in between the |: and |: symbols, as well as the account number which comes before the ||’ symbols. Exact location and number of digits varies between banks.
All information is private and confidential. Again, we apologize for any inconvenience and hope you continue to shop with us in the future.
FIGURE 6-1
Text of e-mail message sent to BoatingCT.com customer.
Source: Special Agent/CART field examiner, FBI New Haven Field Office, January 21, 2005.
168 Case 6 FBI New Haven Field Office—CART
Received: from ntmail1n.interaccess.com ([207.70.121.238])
by gas-fs1.interaccess.com with SMTP (Microsoft Exchange
Internet Mail Service
Version 5.5.2650.21)
id JAYAG6ZX; Tue, 24 Apr 2001 03:04:45 -0500
Received: from janus.hosting4u.net ([209.15.2.37])
by ntmail1n.interaccess.com (Post.Office MTA v3.5.3 release 223
ID# 0-52801U100L2S100V35) with SMTP id com for
<dand@abc.com>;
Tue, 24 Apr 2001 03:16:06 -0500
Received: (qmail 8371 invoked from network); 24 Apr 2001 08:00:26 -0000
Received: from scorpius.hosting4u.net (209.15.2.32)
by mail-gate.hosting4u.net with SMTP; 24 Apr 2001 08:00:26 -0000
To: dand@abc.com
From: orders@boatingct.com
Date:
Subject: Order Verification
Reply-To: boatingct@hotmail.com
FIGURE 6-2
E-mail header.
Source: Special Agent/CART field examiner, FBI New Haven Field Office, January 21, 2005.
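The two indicators the examiner drew from Figure 6-2 (a Reply-To domain that differs from the From domain, and the hosting4u.net relays in the Received chain) can be pulled out mechanically. The script below is an added example written for this case discussion, not the FBI examiner's tooling; it parses the header exactly as reproduced in Figure 6-2 (re-folded with leading-space continuation lines so it is a valid header block) and uses only the Python standard library. Function and field names are this example's own.

```python
# Added example (not from the FBI case write-up): triage an e-mail header for
# the two indicators the CART examiner relied on -- a Reply-To domain that
# differs from the From domain, and the relay hosts/IPs recorded in the
# Received chain. Only the Python standard library is used.
import email
import re
from email.utils import parseaddr

# The header reproduced in Figure 6-2, re-folded with leading-space
# continuation lines so that it parses as an RFC 822 header block.
HEADER_FROM_FIGURE_6_2 = """\
Received: from ntmail1n.interaccess.com ([207.70.121.238])
 by gas-fs1.interaccess.com with SMTP (Microsoft Exchange Internet Mail Service
 Version 5.5.2650.21)
 id JAYAG6ZX; Tue, 24 Apr 2001 03:04:45 -0500
Received: from janus.hosting4u.net ([209.15.2.37])
 by ntmail1n.interaccess.com (Post.Office MTA v3.5.3 release 223
 ID# 0-52801U100L2S100V35) with SMTP id com for
 <dand@abc.com>;
 Tue, 24 Apr 2001 03:16:06 -0500
Received: (qmail 8371 invoked from network); 24 Apr 2001 08:00:26 -0000
Received: from scorpius.hosting4u.net (209.15.2.32)
 by mail-gate.hosting4u.net with SMTP; 24 Apr 2001 08:00:26 -0000
To: dand@abc.com
From: orders@boatingct.com
Date:
Subject: Order Verification
Reply-To: boatingct@hotmail.com

"""

# "from <host> ([<ip>])" or "from <host> (<ip>)" at the start of a Received value
_FROM_RE = re.compile(r"^from\s+(?P<host>\S+)\s*\(\[?(?P<ip>\d+(?:\.\d+){3})\]?\)")
_BY_RE = re.compile(r"\bby\s+(?P<by>\S+)")


def parse_received(value):
    """Extract the sending host/IP and receiving host from one Received value."""
    flat = " ".join(value.split())  # unfold continuation lines
    m_from = _FROM_RE.match(flat)
    m_by = _BY_RE.search(flat)
    return {
        "from_host": m_from.group("host") if m_from else None,
        "from_ip": m_from.group("ip") if m_from else None,
        "by_host": m_by.group("by") if m_by else None,
        "raw": flat,
    }


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or None."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def triage(raw_header):
    """Summarise the header: From/Reply-To mismatch and the relay chain.

    Each hop prepends its own Received header, so the LAST Received line in
    the header is the EARLIEST hop; the chain is returned in delivery order.
    """
    msg = email.message_from_string(raw_header)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    with_ip = [h for h in hops if h["from_ip"]]
    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        # A Reply-To on a different domain than From is the tell-tale here:
        # replies go somewhere the apparent sender does not control.
        "reply_to_mismatch": reply_domain is not None and reply_domain != from_domain,
        "origin_host": with_ip[0]["from_host"] if with_ip else None,
        "relay_ips": [h["from_ip"] for h in with_ip],
        "relay_hosts": [h["by_host"] for h in hops if h["by_host"]],
    }


if __name__ == "__main__":
    for key, value in triage(HEADER_FROM_FIGURE_6_2).items():
        print(f"{key:18} {value}")
```

The relay chain is deliberately reported in delivery order (earliest hop first), because the host at the head of that list (scorpius.hosting4u.net) is the one whose netblock ownership the examiner then looked up in ARIN WHOIS; the Received lines added by the recipient's own mail servers are trustworthy, whereas anything below them could have been forged by the sender, so the chain should be read from the top down only as far as hosts you can vouch for.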
A court order was issued to Hotmail.com, requiring them to preserve the subscriber information, billing information, logs, and e-mail related to boatingct@hotmail.com. The information provided by Hotmail showed that the boatingct@hotmail.com e-mail address had been registered to an individual named Jason Smith from Los Angeles, California, using IP address 210.120.192.30 (Figure 6-3). Searching the APNIC WHOIS database (http://www.apnic.net), the CART field examiner found that the owner of this IP address was BORANet, an Internet leased-line service located in Seoul, Korea. Hotmail’s records showed that the boatingct@hotmail.com address had been set up from a computer in Seoul, and the account also had been checked from a computer in Seoul. The FBI New Haven field office contacted the Legat (FBI foreign liaison office) in Seoul, Korea, to obtain BORANet’s Web logs. Meanwhile, the CART field examiner began to search the Web logs from BoatingCT.com for entries with specific reference to BORANet or its IP address. Figure 6-4 shows one of those entries, which contains the
Login: boatingct@hotmail.com
First Name: Jason
Last Name: Smith
State: California
Zip: 90210
Country: US
Timezone: America/Los_Angeles
Registered from IP: 210.120.192.30
Date registered: Mon Apr 23 20:54:21 2001
Reply To Address: Not available
Init Locale: EN_US
FIGURE 6-3
Information from Hotmail.com regarding the
boatingct@hotmail.com account.
Source: Special Agent/CART field examiner, FBI New Haven Field Office, January 21, 2005.
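The log search described above (looking through BoatingCT.com's Web server logs for entries tied to BORANet or its IP address) is a routine step worth having in script form. What follows is an added example written for this discussion, not the examiner's own tool: it parses NCSA Common Log Format lines and matches each entry against a list of needles that may be a single IP, a CIDR netblock, or a plain string such as a provider name. The log lines are constructed for the example; only the client address 210.120.192.30 comes from the case (Figure 6-3). It generalises slightly beyond the text by also matching whole netblocks, since a WHOIS lookup typically returns a range rather than a single address.

```python
# Added example (not from the FBI case write-up): search Web server logs for
# entries tied to an IP address, a netblock or a name of interest, the way the
# examiner searched BoatingCT.com's logs for BORANet and its IP address.
# The log lines below are constructed for this example; only the client IP
# 210.120.192.30 comes from the case text (Figure 6-3).
import ipaddress
import re

CONSTRUCTED_LOG = """\
210.120.192.30 - - [23/Apr/2001:20:41:07 -0500] "GET /index.html HTTP/1.1" 200 5123
192.0.2.17 - - [23/Apr/2001:20:42:10 -0500] "GET /catalog.html HTTP/1.0" 200 2048
210.120.192.30 - - [23/Apr/2001:20:45:33 -0500] "GET /cgi-bin/search.pl?q=anchor HTTP/1.1" 200 5101
210.120.193.5 - - [23/Apr/2001:21:02:51 -0500] "GET /about.html HTTP/1.0" 404 1190
198.51.100.8 - - [24/Apr/2001:03:10:02 -0500] "POST /cgi-bin/contact.pl HTTP/1.0" 302 0
this line is not in common log format
"""

# NCSA Common Log Format: client ident user [timestamp] "request" status bytes
_CLF_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it does not fit."""
    m = _CLF_RE.match(line)
    return m.groupdict() if m else None


def _as_network(needle):
    """Return an ip_network for an IP or CIDR needle, or None for a plain string."""
    try:
        return ipaddress.ip_network(needle, strict=False)
    except ValueError:
        return None


def entry_matches(entry, line, needle):
    """True if the entry's client falls inside the needle netblock, or, for a
    non-address needle (e.g. a provider name), if the raw line contains it."""
    net = _as_network(needle)
    if net is None:
        return needle.lower() in line.lower()
    try:
        return ipaddress.ip_address(entry["client"]) in net
    except ValueError:  # client field is a hostname (HostnameLookups on)
        return False


def search_logs(lines, needles):
    """Return (hits, unparsed): parsed entries that match any needle, tagged
    with the needle that hit, plus lines that could not be parsed, so that
    malformed lines are reported rather than silently dropped."""
    hits, unparsed = [], []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_clf(line)
        if entry is None:
            unparsed.append(line)
            continue
        for needle in needles:
            if entry_matches(entry, line, needle):
                hits.append(dict(entry, matched=needle))
                break
    return hits, unparsed


def count_by_client(hits):
    """Tally matching entries per client address."""
    counts = {}
    for h in hits:
        counts[h["client"]] = counts.get(h["client"], 0) + 1
    return counts


if __name__ == "__main__":
    hits, unparsed = search_logs(CONSTRUCTED_LOG.splitlines(), ["210.120.0.0/16", "boranet"])
    for h in hits:
        print(h["client"], h["time"], h["request"], "<-", h["matched"])
    print("per-client:", count_by_client(hits), "unparsed:", len(unparsed))
```

Unparseable lines are returned rather than discarded because, in an evidentiary log review, a line that does not fit the expected format is itself worth a look; the per-client tally gives the examiner the timestamps and request counts to line up against the Hotmail registration time in Figure 6-3.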