Cybercop Fights Organized Internet Crime
Steve Santorelli gets computing experts and law enforcers to cooperate in a global fight against organized Internet crime.
It was August 2005, and Steve Santorelli had recently left Scotland Yard to join Microsoft's Internet Crimes Investigation Team. He was camping in the forest near Redmond, Wash., with some of his team members, trying to escape their technology-dominated existence, when a call came in from the Microsoft lab. Other team members had just cracked the code to the notorious Zotob computer virus.
"At the campsite, I overheard one of the guys mention the nickname C0der, and uniquely spelled C-Zero-D-E-R, being identified as the author of this virus. I almost choked on my coffee," Santorelli says. "I knew exactly who it was. It was someone we'd been tracking."
At the time, Zotob was making international headlines. Among other things, it had infected the computer services of major news organizations and governmental institutions, including ABC News, The New York Times, the U.S. Senate, the Centers for Disease Control and Prevention, and U.S. Immigration and Customs Enforcement, where, Wired.com reported, the U.S. border screening system was slowed to a crawl and some computers rebooted themselves every five minutes. In an ironic twist, as news of the virus was being reported on CNN, the screen behind an anchor went blank. Zotob had overtaken the broadcaster's computer network on live TV.
Zotob hit during a transitional period when the first truly malicious and widespread botnets — that is, networks of computers infected by a virus that calls "home" to a central command-and-control server run by the botnet's creator — were being unleashed on the Internet, Santorelli says. In an effort to crack down on them, the Microsoft team had devised a decoy, a technological undercover agent. "It was like the classic vice-squad sting where a cop dresses up like a call girl to entice a john, and in this case, an infection," he explains. Simply put, the Microsoft investigators created a computer network in the lab at Redmond that no red-blooded botnet could resist. Once infected with Zotob, the Microsoft team's double-agent computer would routinely call out to the botnet's commander, asking for directions.
"It just sat there in our lab like any of the genuinely infected machines around the world," Santorelli says. "Eventually, when a human being logged in to issue his commands to his botnet, Microsoft was very discreetly in the background eavesdropping — which is when we identified the suspect C0der along with a second suspect, who went by the online handle Diabl0."
After rushing back from the campsite, Santorelli and his team raced to track down the location of the suspects before the electronic trail they'd left behind evaporated. It took two weeks of 20-hour days, Santorelli says, but his team finally was able to send the FBI a detailed, 30-page report. From there, the case went from cyberchase to FBI manhunt, with agents boarding Lear jets and, with the assistance of local authorities, arresting 18-year-old Farid Essebar in Morocco and 21-year-old Atilla Ekici in Turkey.
As a detective with Scotland Yard, as an investigator for Microsoft and now as an executive at a nonprofit cybersecurity firm, Santorelli has devoted his career to identifying, tracking and apprehending cybercriminals in a new cyber-environment in which police chases are clocked at light speed and villains drive on a global superhighway congested with 1.8 billion law-abiding commuters. Through his efforts, Santorelli has become recognized internationally as one of the most vocal proponents of a unified stance that would improve Internet security and fight the efforts of organized crime on the Internet around the world.
"Since everyone in the security business knows Steve, he has become an integral person to bring the right people together and lead them in the right direction. He is a valuable and crucial part of the small global group of people who take the fight against cybercrime seriously," says Bernhard Otupal, who, until recently, was an executive with the Financial and High Tech Crime Sub-Directorate at the General Secretariat of Interpol in Lyon, France. "Without him and others with a similar mindset, the statistics of cybercrime would look much worse than they already do."
The son of a Reuters journalist, Santorelli found himself uprooted with each of his father's postings. Born in the U.S., he was raised in London and Australia, and the expat experience may have helped hone his diplomacy skills at a tender age. Fascinated with exploration, Santorelli's higher education revolved around studying the final frontier. "I studied physics and space science at Southampton University, fully expecting this would be my life's work," he says.
But space became a mere hobby when he was introduced to his real passion: the chase. "I was on summer break from university when I got an opportunity to spend two weeks with my uncle, who was a senior detective with an East London police station," he says. "I was hooked."
After graduating from the police academy in London, Santorelli joined Scotland Yard. It was 1994. "Hackney was my first beat, a neighborhood in East London notorious for crack cocaine, violence and murder," he says. "We called it 'murder mile' because it had the highest rate of fatal shootings in the country." After two years as a street cop, he went on to hone his detective skills in several branches of Scotland Yard, joining the Computer Crime Unit in 1999. His work there garnered recognition from international law enforcement agencies and judges. It also caught the attention of Microsoft, which eventually lured him away from Scotland Yard.
In 2004, Santorelli moved with his family from London to Redmond, Wash., Microsoft's global headquarters. There, he devoted the next three years to countering cybercrime, particularly the proliferation of botnets. He played a key role in the creation of the International Botnet Task Force, a business organization made up of law enforcement and industry professionals from 35 countries who share best practices and case studies. In 2007, Santorelli quit Microsoft to join Team Cymru Inc. (pronounced kum-ree), an Internet security research firm that engages in both nonprofit and for-profit activities; he's now director of global outreach for the firm. Although the organization is headquartered in Burr Ridge, Ill., team members are stationed around the globe and include former U.S. and European law enforcement agents, as well as attorneys, information technology engineers and software writers.
Team Cymru Chief Executive Officer Rob Thomas worked with Santorelli on several cases when he was with Scotland Yard and sought him out to join the Cymru team. "As the team's director of global outreach, Steve has a natural knack for bringing together like-minded people," Thomas says. "But more important, he gets organizations that perceive themselves to be at odds to communicate and cooperate."
Santorelli and Thomas are cautious about sharing details of Team Cymru's activities, but they do acknowledge that it has relationships with police forces in more than 60 countries, including Interpol and the FBI. The team, they say, is available around the clock to respond to major cyberthreats anywhere in the world. "We disrupt Internet criminality on a massive scale," Santorelli says, "and in a way that government, law enforcement and software vendors on their own couldn't possibly hope to do."
Team Cymru also provides technical services to the exclusive cadre of specialists who operate and govern the backbone of the Internet and to the credit card, banking and security software industries. "For this we charge; it's what keeps the lights on," Santorelli says. "But we also have an altruistic side."
That side of the operation — the nonprofit Team Cymru Research NFP — can spend weeks tracking the computers and individuals behind a cyber-attack and putting together an intelligence report to turn over to law enforcement. And the team knows there will be no billable client at the end of the chase. Santorelli says the organization's focus on doing good is what attracted him to Team Cymru and its collection of computer experts, who have the ability "to design the next great video game or operating system and garner fame and fortune. Instead, they're using their proficiencies to advance the greater good."
The common wisdom about hacking and cybercrime is, in Santorelli's view, severely out of date. He says cybercriminals aren't lone wolves; they are financed and directed by international criminal syndicates. Joe Menn, author of Fatal System Error, a book that traces the evolution of cybercrime, agrees, contending that the Russian and Italian mobs, the MS-13 (also known as Mara Salvatrucha) in Central America, Japan's Yakuza and the Chinese Triads are all now active in a wide variety of cybercrimes. These groups are stealing huge sums of money by penetrating personal, corporate and government computers using traditional computer-hacking tools with colorful names: Trojans, keyloggers, malware, botnets and phishing expeditions. But Santorelli says they have something that yesterday's thrill-seeking hacker never possessed: an army of foot soldiers able to intimidate victims in the real world. Organized crime also has vast resources derived from its traditional operations to finance the hiring of quality hackers around the world. There is even evidence that some syndicates are investing in research and development, looking to create proprietary, next-generation hacking tools, Santorelli says.
Organized crime has moved onto the Internet in a big way, Santorelli says, because that's where the money is. Prosecutors' filings in federal court in Brooklyn claim that associates of New York's reputed Gambino crime family were involved in cyberfraud that generated more than $650 million in just seven years. Part of the scheme involved a pornographic website that offered visitors a free tour — as long as they could prove they were adults by providing credit card numbers. But in fact the credit card numbers were repeatedly put through and charged for services, using merchant numbers that the crime syndicate routinely changed, keeping one step ahead of credit card companies' fraud-detection systems. They laundered their profits and hid their tracks through 64 mob-controlled shell companies and a host of foreign bank accounts.
Santorelli says this kind of money laundering expertise is what makes organized crime syndicates such a force on the Internet. "Unlike the early hackers who could only boast about their take," he says, "these guys are able to convert massive amounts of virtual Internet dollars into real euros, pesos, yen or any other currency, and then launder it through the global economy."
The impact of cybercrime is huge, but exactly how huge is much debated. Valerie McNiven, a consultant to the U.S. Treasury, has said that revenue from cybercrime exceeds international drug trafficking and is now the No. 1 source of revenue for organized crime. That claim has been a target of high ridicule from critics who note that if she were correct, cybercrime's take would be bigger than the entire information technology industry's, and almost double the gross domestic product of Saudi Arabia.
Even so, it's clear that organized crime is moving seriously onto the Internet, and Santorelli is, as Menn says, "at the center of one of the most important and least understood fights of our era."
"A cybercrime investigation is very much like a traditional police investigation," Santorelli says. "You have to turn over 10,000 tiny rocks looking for fleeting clues, all the while working against the clock."
He gives an example: During a recent investigation, he and his team at Cymru were able to link a piece of malware to a Southeast Asian team by hunting down a lead extracted from a single obscure detail. "After infecting one of our 'lab rat' computers to observe what the virus would do, we found that it was connecting to a specific website set up for the sole purpose of giving the virus directions. …" Santorelli says. "When we looked up the website's domain registration, we found that all of the identifying particulars were bogus, including the name, address and even the e-mail, which we quickly realized when the e-mails we sent out bounced back as undeliverable."
Recognizing that there was something uniquely odd about the string of characters that made up the cybercriminal's fictitious e-mail address, Santorelli and his team kept probing. Eventually, they found that exact string of characters on the social networking page of a middle-aged female in Southeast Asia. Reading the postings on her page, they discovered they had just found the cybercriminal's mother. The unique string of characters was the son's family nickname. "Despite the fact that he had been meticulously careful not to leave any digital fingerprints anywhere, it was the mundane chitchat of his mom and her friends that ratted him out," Santorelli says. "We also got his first name, family name, country of residence and date of birth from our analysis of the mom's social networking page." The case has been handed over to law enforcement.
If there is to be any chance of curtailing the growth industry known as cybercrime, Santorelli says, there will need to be global collaboration between the information technology world, often stereotyped as über-geeks with poor interpersonal skills, and the policing community, often accused of being an insular brotherhood. "What's the use of well-intentioned IT people doing the drudge work of identifying the miscreants, who may be on the other side of the planet, if there isn't somebody with the authority and willingness to break down their front door, pull them off the keyboard and arrest them?" Santorelli asks. "And what's the use of arresting them if the policing community isn't supported by local prosecutors, who, in turn, need legislation that enhances the probability of convictions and demands sentencing that reflects the seriousness of these crimes?"
Otupal, the former Interpol official, says Santorelli may be one of the few people who can influence organizations and governments around the world to take heed of the seriousness of the global cybercrime explosion. "Steve has a global network of trusted experts on his side," he says.
Edward Gibson, a former FBI special agent and now a director of the Forensics Technology Group at PricewaterhouseCoopers in Washington, describes Santorelli's work at Cymru in a slightly different way. "Steve was part of one of the most prestigious law enforcement agencies in the world and employed by one of the most successful corporations globally," Gibson says. "He left all this to join an organization where he would be made virtually obscure, which to me speaks volumes about his integrity and why he's doing this."