Darlene Storm

Secret Service laced honeypot with seduction to catch hackers

June 11, 2012 1:37 PM EDT

The Ultimate Guide to Social Engineering [PDF] states “social engineers offer free gifts of favors” counting on the fact that reciprocation is a human impulse. An example is to give a “plate of cookies,” but what if the bait goodies were more along the lines of a plate of nookie?  

We don’t often hear too much about U.S. Secret Service cyber investigations, but since its beginning in 1865 the USSS mission had to evolve from “its original counterfeit currency investigations to also include emerging financial crimes.” The 2011 Verizon Data Breach Investigation Report [PDF] included data from 257 Secret Service cybercrime investigations. In fact, the agency is extremely good at getting the job done and frequently investigates electronic crime, data theft and security breaches. But what if hacking the hacker was less high-tech, less about following a cyber-trail, and more about good old-fashion seduction to find a chink in the cybercrook’s armor? USSS social engineering using sex as bait helped lure Romanian hackers to America where two men were immediately arrested upon their entry to the United States.

Last December in a multimillion-dollar scheme, four Romanian hackers were charged with hacking point-of-sale (POS) systems which targeted more than 200 U.S. merchants including 150 Subway restaurants. The indictment said they remotely scanned for vulnerabilities in POS computer systems, guessed or used password-cracking programs, installed keystroke loggers and backdoor Trojans before stealing the credit card data of 80,000 U.S. customers. The Romanian hackers “used public filesharing services to transfer credit card data to fraud-minded customers.” They were charged “with conspiracy to commit computer fraud, wire fraud and access device fraud.” Adrian-Tiberiu Oprea was arrested in and extradited from Romania, but that left the Secret Service with figuring out how to nab Iulian Dolan, Cezar Iulian Butu and Florin Radu.

CTOvision reported the Secret Service successfully lured Dolan and Butu into the United States by using one of the oldest tricks in the book, by “using a female agent as a honeypot. In espionage, a honeypot refers to an agent or plan that uses seduction as bait for entrapment, and is one of the oldest and most successful tricks in tradecraft.”

It took social engineering and a woman’s wiles to bring down the 27 year-old Dolan. A female Secret Service agent pretended to be working at a resort and casino. She and Dolan developed a “rapport” before offering Dolan a free flight and a complimentary weekend of casino “fun.” The USSS and the casino had “set up a dedicated line for the female ‘employee’ and gave her an email with the casino’s domain name,” Krebs on Security reported. When Dolan checked it out, even the airline ticket had been purchased by the casino. It seemed legit and Dolan took the bait, hook, line and sinker.

Brian Krebs spoke with Michael Shklar who is the public defender appointed as Dolan’s attorney. “U.S. Secret Service agents tricked his client into voluntarily visiting the United States by posing as representatives from a local resort and casino that was offering him a complimentary weekend getaway.” Shklar added, Dolan “arrived in the U.S. with some clothes, a cheap necklace, a little bit of money, and three very large boxes of grape-flavored Romanian condoms.” He was arrested upon his arrival to Logan International Airport.

The USSS used a different targeted honeypot to catch the 26 year-old Butu. It started by subpoenaing Yahoo!, GoDaddy and other communications providers to study Butu’s emails. Then USSS investigators posed “as an attractive female tourist” who Butu had previously met in France. Alex Olesker reported, “Despite their in-depth information, the USSS didn’t need to make their story particularly believable for it to work, claiming to be an independently wealthy Hooters waitress working at the restaurant chain for the health insurance and a love of people. That was enough to get him to fly to Boston to meet her, where he was arrested on the spot.” Attorney Shklar told Brian Krebs, Butu “gets off the plane and they nab him and the handcuffs don’t even have fur on them.”

As CTOvision pointed out, a lot can be accomplished using hackers and honeypots. “As the FBI’s veteran cyber cops have noted, that’s how you get things done. Investigating cybercrime is rarely a pure battle of wits between white hat and black hat hackers.” Arresting the Romanian hackers required neither “advanced technical expertise or capable and willing international partners.”

Radu remains at large, but might also fall prey to a social engineer using a sexual undertone. Social engineering is lethal to corporations and individuals as has been proven time and again, such as when security specialist Thomas Ryan created the fictional American cyber threat analyst Robin Sage. By setting up social networking profiles, claiming to be from MIT, and using photos from porn sites, the fake Sage was able to dupe security, military and intelligence people. Ryan compiled his research and then presented “Getting into bed with Robin Sage” [PDF] at BlackHat USA.

Women are thought to be better social engineers than men; it will be put to the test this year with Battle of the SExes. The stakes are different than what the USSS was out to achieve. It’s highly doubtful that either male or female social engineers will dangle nookie as bait at Defcon.