Microsoft, Mexican drug lords and the Fight for New York
By David Phelan
In a corner of Microsoft’s Redmond campus there sits a plain, unremarkable building. Slip inside, and a black wall sports a map of the world pin-pricked with lights so bright that you can’t stare at them for long. The lights spell out Microsoft Cybercrime Center. And it’s the last place you’d expect to find a trophy taken from a Mexican drug cartel.
Just to the right of that map you’ll find that trophy – an Xbox game, DefJam: Fight for NY. But this is no ordinary game. This is criminal evidence. It even bears a logo, not proof of authenticity, but rather an indication that it was produced by La Familia, the drug cartel known for its predilection for extreme violence.
Glance around and you’ll spy a large glass-walled booth in the middle of the building, with people milling around inside. As you watch, the see-through glass walls slowly turn opaque, a sign that the business inside has suddenly taken a turn for the top secret.
Patti Chrzan is the senior director for strategic programs at the Digital Crimes Unit (DCU). She walks me around the building, and begins by explaining why the DCU is so important. “We opened this centre two years ago, and this building isn’t connected to our corporate networks. Every second 12 people are victims of cybercrime online. Today, the median number of days that malware can sit on a network before being detected is 200. As we look at the average cost of a breach, there’s one figure for the direct remediation of a breach ($3.5m) but it doesn’t count for the hundreds of millions it can can cost a company that has a large data breach as you think about loss of revenue, loss of customers, loss of talent.”
It’s not just multi-million companies that are at risk, however. Chrzan notes that there are some parts of the population that are more vulnerable than others. “Consumer fraud disproportionately affects senior citizens.”
I ask why. “Most of the people with landlines at home are senior citizens. Also they tend to be at home during the day. And when it’s happening via a targeted ad or a pop-up on a machine they’re disproportionately impacted because they’re less technically savvy.
“These frauds work because when they call you, they call saying they’re from Windows support, for instance, saying they believe you have malware on your device and ask to take over remote control. Once they’ve got that they look for anything on your device to sell. Financial, passwords, identity information and so on.”
I ask Chrzan how you can solve such an ongoing, widespread problem. “You have to look at education. Because this is a population that’s not always online you have to look at non-traditional means to educate people. So we have unique partnerships with associations for retired people to help educate them about how to avoid these types of scams.”
There’s another population that’s particularly impacted: children who’ve been exploited online. “One in five girls and one in ten boys under the age of 18 are sexually abused,” Chrzan explains. “Out of those abusive acts images are taken. Known abusive images – those determined as abusive by law enforcement – are uploaded to the internet at a rate of 500 images per minute.”
Microsoft’s answer has been to partner with other organisations to create something called Photo DNA. “It’s a technology we developed, we provide it free to law enforcement and it’s built into many of their tools like Netclean and others. When law enforcement finds an abusive image of a child they provide it to the National and International Centre for Missing and Exploited Children and Photo DNA is used to a unique digital fingerprint and a unique hash. It’s not facial recognition and uses a complex algorithm to develop that fingerprint.”
Malware is another big focus of the centre, and Microsoft has an unusual view of its creators. “Whoever is creating malware or a bot, they’re like the CEO of a startup: they had a great idea, in this case something that makes money illegally, such as click-fraud advertising, financial theft, identity theft or other ideas. They still have to have a way to distribute it, like any other startup. But here the organisation’s workers are not workers at all but millions of infected devices acting on their behalf, unbeknownst to the owners of those devices.
“When malware is injected onto a machine, the one thing that all malware has in common is that hard-coded into it is a communication piece that’s always trying to communicate back home to ask what other harm it should do. What we do here is look at legal strategies to sever that communication. If the court gives us permission to act, we identify those known bad domains that the criminals are using to provide instructions and we redirect those to a sinkhole here at Microsoft so those devices get no instructions in return. That’s what severs the communication.”
So, suddenly the bad domains are talking to just one set of computers, Microsoft’s, and they’re not talking back. It must be lonely, being a bot. Chrzan tells me that this was how Microsoft was able to intercept a spambot called Rustock (Alphr wrote about it here: http://www.alphr.com/news/security/366100/microsoft-knocks-massive-spambot-offline) which was responsible for sending out spam on topics including lifestyle drugs.
Though she doesn’t say so, by lifestyle drugs she’s doubtless referring to Viagra, because Microsoft worked with Pfizer Pharmaceuticals to do test purchases and analyse the results. “They found they contained a variety of drugs, sometimes laced with arsenic. Our novel approach leveraged a 1946 US civil law, the Lanham Act, around trademark infringements, so we presented evidence at court that our customers and their customers were being harmed by this malware.” The sinkhole strategy was used as a result.
Microsoft also works with outside companies and enforcement agencies. “We have officers in Pfizer’s offices or officers from Interpol or Europol come and work here.” But lest they think of getting too comfy, she adds, “That’s for the life of an operation only – think of it as a hotel room, not an embassy.”
Malware and counterfeit software are linked, too. “Globally, unlicensed software 30 per cent of the time is pre-infected with malware.”
Ms Chrzan turns to the Xbox game I’ve been eyeing up. “This is the case where organised crime got into the business. La Familia is a notorious drug cartel in Mexico known for its violence. Primarily they were dealing in heroin and cocaine but in fact got into all types of software because of the low cost of goods, high profit margins and, when caught, the penalty for this versus drugs being pretty insignificant. We worked with Mexican and US law enforcement. This is a piece of software that was obtained in the raid and La Familia, just the same as with drugs, everything they have, they stamped it with their family logo. FMN is the crest and logo. And they do that because it warns people off from stealing from their shipments and interfering with their distribution points because they’re so well known for their violence. But as we started to look at this we began to see the convergence between unlicensed software and malware being pre-infected onto software itself.”
Inside the glass-walled booth (it’s turned transparent again now but I’m not allowed to take pictures here) I’m told how Microsoft used product keys to catch criminals. “A product key is the 25-digit code you’d use to activate a product. One thing common to counterfeits is the need to use a product key. We saw a sudden use of keys that were meant to be used only in the case of re-installation of Windows 7 or something like that. We found key stickers on particular rolls where not 2 per cent were activated, as we’d expect, but 90 per cent were activated.
“We sent our investigators out to a plant in south China. There was a guy stealing these keys one by one, writing them down, getting paid a dollar a piece. Those were sold to developed markets for between $35 and $100. We allowed some keys to activate multiple times because one of them could have been the original purchaser and we wouldn’t restrict the genuine user. The person doing the theft is now doing eight years in prison.”
In the US, Microsoft spotted four computers activating 2,800 keys, testing them for quality in the same way a drug dealer tests the purity of a drug before paying for it. In that instance, five individuals decided to plead guilty and Microsoft learnt they’d made $20 million from their behaviour.
More than anything, though, the centre’s success depends on its tools. “We knew what we wanted to look for four years ago before cloud use was so prevalent, and since we’ve moved into the cloud it’s got easier, both from the point of view of analytics and visualisation. We can visualise and tell a story with data to spot patterns. We’re pretty lucky where we sit in the spectrum of what’s available now. Technology like this has come so far in just four years. ”