Poor Opsec Led to Spyware Developer's Downfall
Reused Nicknames and Accounts Enabled Outing of Zachary Shames to FBI
If there's a cybercrime truism, it's that so many bad actors appear to play the short game - amassing cash, real estate, fast cars and indulging in wild parties and fancy getaways - whereas law enforcement agencies play the long game. Institutionally speaking, the likes of the FBI can wait for criminals to make mistakes, then move into action.
Shames, who's from Great Falls, Va., admitted to selling his malicious keylogger to more than 3,000 users, who used it to infect 16,000 PCs or more. He's due to be sentenced June 16 and faces up to 10 years in prison.
Prosecutors say Shames first developed Limitless Logger while at a high school in northern Virginia, which awarded him the school's "programmer of the year" award in 2013. He then continued to refine it from his dorm room at James Madison University, where he's currently a junior, majoring in computer science. According to his LinkedIn profile and press reports, Shames has also interned for defense contractor Northrop Grumman.
By that reckoning, Shames would have earned $105,000. It's not clear how or if he spent the money.
Mephobia Goes to College
Shames' outing traces, in part, to January 2014, when the original developer of Limitless Logger, using the handle Mephobia, announced that he'd just started college and decided to "sell the project to my support member" - another Hack Forums user - who rebranded the tool as "Syndicate Keylogger."
By November 2014, the keylogger was most deployed in Malaysia - followed by India, Australia, Denmark and Turkey - and targeted victims in the manufacturing, services and hospitality industries, according to a report on Limitless Logger released that month by Trend Micro.
FBI, Interpol Received Tipoffs
But more was happening behind the scenes. "Prior to that, we passed on details that correctly identified Shames as the creator to the FBI," Trend Micro says, adding that it also shared related details with Interpol, resulting in the arrest of another suspect by Nigeria's Economic and Financial Crimes Commission. Trend Micro says the suspect, a 40-year-old Nigerian national referred to as "Mike," masterminded multiple business email compromise and romance scams, as well as advance-fee fraud, aka 419 scams.
Trend Micro said it validated Shames' identity thanks to his inadvertently using his real name in a series of Hack Forums posts in January 2012 while logged into the Mephobia account.
Before then, however, researchers say they used biographical details divulged by Mephobia and traced Skype, PayPal and other accounts listed in Mephobia's Limitless Logger advertisements, as well as linked accounts at Github, Pastebin and Photobucket.
Other clues came from dumps of alleged Hack Forums user data, purportedly obtained via SQL injection attacks, which revealed various other, more personal-looking email addresses for Mephobia. "While the authenticity and validity of such dumps is difficult to verify, repeatedly seeing the same email addresses associated with a nickname at least merits the possibility of a true connection," the Trend Micro researchers say.
One email account used the nickname "RockNHockeyFan," which Trend Micro found linked to a profile on Quizlet - an online study support site - by the name of "Zach Shames." Likewise, a post to an online forum for the game Runescape was from a user nicknamed Z3r0Grav1ty who had advertised a tool for stealing Runescape accounts. According to Trend Micro's analysis of the tool, it included a string that read "Mephobia." Tracing back the Runescape forum post, it found "an AOL account listing including the nickname 'RockNHockeyFan' and an MSN Live account" with the username "zman81895" that "led to a number of social network profiles associated with an individual named Zach or Zachary Shames."
The FBI didn't immediately respond to my request for comment on Trend Micro's tipoff, and whether it led the bureau to first open its case against Shames.
Opsec Lessons from Sabu
But this wouldn't be the first time that someone making a buck via online-enabled crime was unmasked because they failed to compartmentalize their identity or otherwise practice good operational security. One of the most famous examples involves former LulzSec leader Hector Xavier Monsegur, aka Sabu, who was quietly busted by the FBI in 2011. He immediately turned informant, pleaded guilty to numerous charges and helped the bureau build cases against other accused members of LulzSec and Anonymous, according to court documents. He was released in May 2014, with a judge lauding his "extraordinary cooperation."
Some reports suggested that Monsegur had failed to use the Tor anonymizing browser or a VPN to mask his activities online. Security researchers had been attempting to unmask Sabu, and some posted incorrect information. Hours before his arrest, however, information was posted that showed Monsegur's real name and address, gleaned from a previous domain registration for "prvt.org," which Sabu had occasionally mentioned in his chats, according to some reports.
But Monsegur has claimed that his identity had been compromised and shared with the Feds long before then, thanks to his having participated in a group that waged "war" against EFnet, which was once the largest IRC network.
Criminals Take the Anonymity Challenge
Here's a second cybercrime truism: It's not clear how many cybercriminals remain both successful and unknown to authorities.
But as the arrests of both Shames and Monsegur show, the longer criminals operate online, the more they risk making errors - or having previous errors come to light - that could be used to unmask them.