Digital Forensics and Electronic Evidence Information and News
Hacking Expert Witness: U.S. Charges Eight in Hacking Scheme
By Scott Greene
Digital Evidence / Computer Forensics Articles
In March of 2013, the United States District Court of New Jersey filed charges against eight people who allegedly hacked into many big-name banks and stole upwards of $15,000,000. This allegedly began in 2011, when several accounts at Citibank, JP Morgan Chase, PayPal, the U.S. Military Defense Finance and 11 other banks were compromised. Once inside these accounts, a payment was sent to several pre-paid debit cards. The pre-paid cards were then used by accomplices (aka “cashers” or “money mules”) to make ATM withdrawals or purchases to convert the cards into cash. From here, the cashers took a small cut for themselves, while sending the bulk of the money to their employer via a wire transfer.
They managed to avoid detection for some time by keeping the transfers below the $10,000 threshold set by the anti-money laundering laws of the U.S. However, they routinely made payments of $9,900. A $10,000 transaction sends up a big red flag; a $9,900 transaction sends up a smaller red flag. It was these multiple $9,900 transfers, along with a Gmail account the defendants used to talk with others about the scheme, that were their downfall. In addition to the discussion about the scheme, there were many emails in this account that detailed the transfers to and from many of the banks. Currently only four of the eight defendants are in custody; the other four remain at large. They are charged with conspiracy to commit wire fraud, conspiracy to commit money laundering, and conspiracy to commit identity theft. If convicted, each defendant will face large fines and up to 55 years in federal prison.
How these eight managed to hack into these banks is still unclear, but there is another case, known as the Trident Breach, which used similar techniques. Hackers used a computer virus known as “ZeuS” to hack into over 400 different companies and organizations, making off with over $70,000,000. This virus helped the perpetrators gain access to the victims’ bank accounts. They would then siphon off the money and transfer it to bank accounts held by their cashers. The Trident Breach was pulled off by foreign students holding student visas. These cashers would then wire the money to Eastern Europe via Western Union or MoneyGram, never to be seen again.
Scott Greene is the founder and CEO of Evidence Solutions, Inc. which has been an industry leader in Computer Consulting and Technology Forensics since 1982.
Data Forensics Expert Witness: Trust the Data Not The Software, A Case Example
By Scott Greene
Digital Data / Computer Forensics Articles
Most people look at a report that comes from a software system and believe what it says. But not everything is as it seems. As I will explore in this article, data in a database can tell a much different story than the reports the software can print.
Background: First, let’s define a database. Databases are collections of similar data. Generally speaking, databases are digital and allow for the creation, editing, maintenance, searching and reporting (among other functions) of the information contained within the database. A check register is a good example of a database. A standard check register would have columns: Type (check or deposit), Check Number, Date, Payee and Amount. Each check would be stored in a row or record in the database. Entries into one’s check register, whether in paper form or in electronic form, would generally be made in chronological order.
Next, let’s examine the function of software. Software which uses a database can generally retrieve specific records from that database and report them in almost any order. So while data may be entered in the wrong order, the software that is retrieving and reporting the information actually filters and sorts the data before displaying it on the screen or sending it to the printer. Going back to our check register example, if some checks were entered in the wrong order, the reporting function of the software has the ability to sort the checks by a chosen parameter. For instance, the user can sort by check number, date, amount, or any other sorting function the manufacturer allows the user to choose, regardless of the order in which data was entered.
The Case: This case involves two companies. The Plaintiff company is a medical billing company that claimed it was owed fees by the Defense. The fees were calculated as a percentage of the revenues received by the Defense for which the Plaintiff did the billing. The Plaintiff also maintained that it performed in accordance with its contract and that it diligently performed its collection duties.
The Defense had contracted with the Plaintiff company to handle their billing. The Defense would package their paper records and deliver them to the Plaintiff for data entry and billing. The Defense filed a counterclaim saying the Plaintiff didn’t perform their duties and that the Plaintiff neglected to diligently collect the fees for client services rendered by the Defense.
In the beginning, Evidence Solutions, Inc. (ESI) was hired to perform services for the court, as appointed Special Master. ESI was instructed to determine what information was available from the software system used by the Plaintiff to perform the billing for the Defense. ESI was hired by the court to print reports from the software so that both sides could validate data already disclosed in the case. It seemed to be a reasonable request. Unfortunately, the request became more difficult because the Plaintiff company didn’t have the original software installation media. ESI encountered several problems and could not readily get the software working by simply copying it from the Plaintiff's computer. Evidence Solutions contacted the software manufacturer and attempted to obtain replacement software or information about making the software usable. Looking for alternatives while attempting to get the software working, ESI extracted data from the proprietary database format used by the billing software. The tables were examined to help determine what information might be available in each database. As we searched through several databases and extracted data that appeared to be log or transaction files for examination, we found data which was out of order:
Figure 1
The data in Figure 1 is in the order in which it was entered into the software system. The DATEENT column shows that data was entered out of order. The entries at the bottom of the example show that the date on the computer was 2006 when the data was entered. Since there is data from 2009 immediately above these records, we were able to determine this data was fabricated in 2009. We determined the computer system date was changed to indicate December 31, 2006 just before these statements were printed by the Plaintiff. Not only did the Plaintiff set the date to December 31, 2006 and run statements, they also ran statements for each of January 31, 2007, February 28, 2007 and March 31, 2007.
ESI was able to determine that the Plaintiff created over 1900 false records related to the printing of statements. The software would report that statements had been printed for outstanding accounts monthly for a four (4) month period when it was found they had actually been printed on a single day in 2009. The software would list these entries in chronological order on each of the patient’s records. When viewing this information from the software, everything looked normal.
Shortly after the distribution of this data, the court determined that ESI and Scott Greene should be released from Special Master duties. Upon that release, ESI then became an Expert Witness for the Defense.
The Plaintiff’s data manipulation didn’t end with back-dating statements. They selectively created other records. For instance, for Patient ‘A’, the system reports the following entries:
Figure 2
The line items dated 04/15/2006 and 05/05/2006 are forged entries in the data. Because the report in Figure 2 comes directly from the software system, it displays all of the data in date order. When examining the actual data in the database, however, the data looks much different:
Figure 3
The line items are actually third and fourth from the bottom of the database of entries in Figure 3. They were not created on 04/15/2006 and 05/05/2006 as they appear in Figure 2; instead, they were both created on November 3rd, 2006, several months later than the software report would presume to represent. It then became the Defense's position that most of the forged data was created by the Plaintiff to bolster the Plaintiff’s position that they had diligently attempted to collect the funds due to the Defendant company.
The attorneys ESI worked with were integral to the discovery of several things in the data. ESI created a custom report sorted by type of claim that listed all of the claims for which there were no payments. Using the same reporting format on the page, the facility fees that had no payments spanned three (3) pages. The professional fees for the same period ran more than 8 pages.
The next issue examined by Evidence Solutions was the amount of activity there was for each type of claim. A custom report was created to evaluate the number of activity items per claim. Each electronic claim submission, bill or statement printing represented a single activity. These were then counted, and claims with minimal activity were defined as those with one or fewer attempts to collect. Again using the same format for each type of fee, facility fees were listed on a single page while professional fees filled three (3) pages. Once the data was compiled, ESI was also able to determine just how fast claims were being submitted for payment by the Plaintiff. While the Plaintiff represented that claims were being treated relatively equally, ESI created a report that calculated the number of days between the date of service and the date the data was entered into the system for billing. Facility fee items, which were the largest dollar amounts, were billed in an average of 18.7 days; the smaller dollar amounts for professional fees averaged 34.3 days.
Based upon the custom report ESI created, a pattern emerged clearly showing that large dollar facility fees were pursued. Several different methods were utilized by the Plaintiff to pursue facility fees as a higher priority than the professional fees. This was especially evident in two key areas: the time it took to submit the bill to the insurance carrier or patient, and how many times the fee was pursued by the Plaintiff.
While there were reports in the billing software that allowed someone to review the number of statements printed, such a report would have had to be printed for each individual patient. This would have created a mountain of reports needing an individual willing to take the time to summarize the information. By pulling the data together into a single custom report, ESI painted an easier to understand picture. Adding the statistics of averages created something that anyone could understand simply by reading the bottom line. See Figure 4.
Figure 4
The final report created from the raw data was a report showing each of the payment or credit types for the physician procedures which were not paid. There were two (2) types of writeoffs on professional fees that piqued the interest of the defense attorneys: ‘Denied Medical Record Requested’ and ‘Contractual Writeoff’. In less than a year’s time, the ‘Denied Medical Record Requested’ category made up over $90,000. This was odd in that the Plaintiff billing company had all of the medical records in their possession when the bills were submitted. They claimed to be well versed in which claims needed copies of the medical record and which claims did not need backup information. The ‘Contractual Writeoff’ category was curious because many of the claims that had little or no activity, and went unpaid by the insurance carriers, were written off using this type of transaction.
The final piece of data, which was not readily available when using the software, is the "Whoentered" field. This field, just like it sounds, records the initials of the user who was logged into the software system when the data was entered. In this particular case, the “Whoentered” was populated with the initials of one person for almost all of the forgeries. The initials happened to match up to one of the company’s owners.
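The checks described above for Figure 1 (entry dates that move backwards), Figure 3 (items keyed in months after the date they display) and the "Whoentered" field can be run directly against the extracted records. The following is an added example, not ESI's code and not part of the original article. Only DATEENT and WHOENTERED are field names from the article; the table layout, the `seq` and `item_date` columns, the initials and every row are constructed, and it assumes the extraction preserved the physical record order.

```python
import sqlite3
from collections import Counter
from datetime import date

# Constructed rows: (seq, patient, kind, item_date, DATEENT, WHOENTERED).
# seq = physical position of the record in the extracted table (assumed to be
# preserved by the export). Only DATEENT/WHOENTERED are names from the article.
ROWS = [
    (1, "A", "CLAIM",     "2006-03-02", "2006-03-20", "AA"),
    (2, "A", "PAYMENT",   "2006-06-10", "2006-06-12", "AA"),
    (3, "A", "BILL",      "2006-04-15", "2006-11-03", "ZZ"),
    (4, "A", "BILL",      "2006-05-05", "2006-11-03", "ZZ"),
    (5, "B", "CLAIM",     "2009-02-10", "2009-02-11", "AA"),
    (6, "B", "STATEMENT", "2006-12-31", "2006-12-31", "ZZ"),
    (7, "B", "STATEMENT", "2007-01-31", "2007-01-31", "ZZ"),
    (8, "B", "STATEMENT", "2007-02-28", "2007-02-28", "ZZ"),
    (9, "B", "STATEMENT", "2007-03-31", "2007-03-31", "ZZ"),
]

def load(rows):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE activity (seq INTEGER PRIMARY KEY, patient TEXT,"
                 " kind TEXT, item_date TEXT, dateent TEXT, whoentered TEXT)")
    conn.executemany("INSERT INTO activity VALUES (?,?,?,?,?,?)", rows)
    return conn

def report_order(conn, patient):
    """Order the application shows: sorted by item date, hiding entry order."""
    q = "SELECT seq FROM activity WHERE patient = ? ORDER BY item_date, seq"
    return [r[0] for r in conn.execute(q, (patient,))]

def clock_rollbacks(conn):
    """Rows whose DATEENT is earlier than one already seen at a lower seq.
    In an append-only table the entry date should never move backwards."""
    flagged, high = [], ""
    q = "SELECT seq, dateent, whoentered FROM activity ORDER BY seq"
    for seq, dateent, who in conn.execute(q):
        if dateent < high:            # ISO dates compare correctly as strings
            flagged.append((seq, dateent, high, who))
        else:
            high = dateent
    return flagged

def late_entries(conn, max_days=90):
    """Rows keyed in more than max_days after the date they show on reports."""
    out = []
    q = "SELECT seq, item_date, dateent, whoentered FROM activity ORDER BY seq"
    for seq, item, ent, who in conn.execute(q):
        lag = (date.fromisoformat(ent) - date.fromisoformat(item)).days
        if lag > max_days:
            out.append((seq, lag, who))
    return out

def tally_users(*flag_lists):
    """Count flagged rows per WHOENTERED value (last element of each tuple)."""
    return Counter(row[-1] for rows in flag_lists for row in rows)

if __name__ == "__main__":
    conn = load(ROWS)
    print("report order, patient A:", report_order(conn, "A"))
    rollbacks, late = clock_rollbacks(conn), late_entries(conn)
    for seq, ent, high, who in rollbacks:
        print(f"seq {seq}: DATEENT {ent} follows a record entered {high} ({who})")
    for seq, lag, who in late:
        print(f"seq {seq}: entered {lag} days after its item date ({who})")
    print("flagged rows per user:", dict(tally_users(rollbacks, late)))
```

A single record with a wrongly high DATEENT would cause every later row to be flagged as a rollback, so the output is a list of records to review against other evidence, not a finding on its own.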
Conclusion: It is important, when dealing with data that doesn't seem right, to examine the data in its most basic form. This is usually the database itself. Hiring the right analyst, one who understands the data, can create custom reports and can help interpret both, is critical. Finding an individual or company that understands Medical Billing systems was critical to the Defense Attorneys, who were able to utilize this expertise for their client’s benefit.
In short, evidence that may not appear to exist will suddenly come into focus when you find data has been forged, altered or manipulated.
About the author:
Scott Greene is a Senior Technology Forensics Examiner for Evidence Solutions, Inc. He has been doing Data Recovery, Computer, Technology and Digital Forensics, and EDiscovery work for over 25 years. Scott is the CEO of Evidence Solutions, Inc. Scott and Evidence Solutions have been involved in Civil & Criminal Cases, for Plaintiff, Defense and Special Master in Justice, Superior & District Courts as well as Internationally. He is a frequent speaker for many regional and national organizations. Scott enjoys traveling to share his unique knowledge of technology and forensics.
Email Forensics Expert: Managing the Risky Business of Company E-mail
Part 2 of 2
By Scott Greene
Digital Evidence / Computer Forensics Articles
In part one of this article we discussed how employees generally do not consider e-mail as it relates to the company’s legal standing. As an owner/supervisor, it is left to you to consider and take great care in educating your employees in what should or shouldn’t be put in writing. In addition, it is also up to you to make your employees aware how the written word is conveyed when read.
We have now asked and answered two very important questions. First, the majority of employees do not consider the legal risk of electronic communications. Second, as an owner/supervisor why it is crucial you understand the potential legal ramifications. The remainder of this article is devoted to assisting you in creating and/or updating your current policies.
In today’s litigious society, companies both large and small should have company policies. These policies have traditionally covered areas from dress codes to vacation policies. Within the past five years companies have begun adopting IT policies, generally found within the employee handbook. As a professional Computer and Technology Forensics company, when we are called in to examine hard drives and/or servers due to a company suspecting the improper use of systems, we also discuss the company’s IT policies with the appropriate supervisor or IT manager.
In many cases we have found that most policies do not adequately cover what is necessary in the computer and electronic communication age. Companies should have a very clear e-mail and technology use policy. One of the more important ones usually not covered, and unfortunately to the detriment of the employer, is an e-mail retention policy. Since many industries are governed by different and specific federal and/or state statutes on how long information must be retained, your policy should reflect these guidelines.
The policy should be as specific as possible in what types of communications are kept and how long. Make it clear there are both business and legal reasons for the company keeping such information. Information from e-mails as well as other electronic systems can be used in many types of cases, including: harassment, discrimination, antitrust, retaliation, Americans with Disabilities Act, insider trading, accounting fraud, improper trade secret disclosure and more!
REMEMBER: The intentional destruction, of any kind, of evidence relevant to a current or pending lawsuit contained in the e-mail or e-mail attached document, is a felony, and if proven, could land one in jail.
As an owner/supervisor, take a moment to examine your current IT or company technology policy. If your company doesn’t currently have an IT or technology policy, get one! While you will need to ensure the individual needs of your company are met, the following are some topics you should consider including in your usage policies:
Electronic information ownership
Monitoring of technology use
Acceptable use of company technology
Acceptable content
If you currently hold meetings with your employees or publish a company newsletter, these are excellent venues to use to educate your employees. Utilize these opportunities to let them know there are certain things they should be aware of when sending or responding to e-mails. Employees should be counseled to be cautious and to not make statements that can be considered a legal conclusion. Let your employees know they should utilize the knowledge and expertise within the company by picking up the phone and calling their supervisor or Human Resource Department.
When educating your employees about the content of an e-mail or using other forms of traceable electronic technology, train the employee to ask themselves these simple questions:
Should I put this in e-mail or should I call?
Would I write this down knowing that it may exist forever?
Would I put this on a postcard and mail it?
Would I want to see this printed in the newspaper?
Would I want this to get into the hands of my company’s competition?
Would I want this to get into the hands of my worst enemy?
Electronic communications are not transient, temporary or untraceable. E-mail is evidence. Education and proper policies go a long way to keep both employees and the employer from ending up in a potential lawsuit trying to explain the written word.
Author’s note: The suggestions listed in this article are not meant to be all inclusive and are not legal advice. It is based upon our 30 plus years of experience in the industry as professional Computer and Technology Forensics experts, and how you, as an owner/supervisor, can potentially avoid legal pitfalls.
Managing the Risky Business of Company E-mail Part 1 - Email Forensics Expert Witness | E-mail Forensics Expert
Part 1 of 2
By Scott Greene
Digital Evidence / Computer Forensics Articles
As an employer, Human Resources Director, or Risk Management Supervisor, ask yourself this question: “Do our employees think about the legal risk of sending communications over the internet?” If you are like the majority of companies, your answer would be, “It is highly improbable”. It is a very common problem in the workplace for an employee to believe their electronic communications are transient, temporary and, once deleted, untraceable and therefore harmless.
The fact is e-mail, faxes and even cellular phones leave a trace. Just one e-mail sent from your employee to the employee of a different company passes through an average of four different computer systems. This creates a trail making e-mail real, traceable, and permanent.
As an industry leader in Computer and Technology Forensics for the past 20 plus years, we have documented, during the examination of electronic systems, employees who frequently say things in e-mails, or store things on a computer, that they would never say anywhere else. Having an employee delete a potentially damaging or inflammatory e-mail, or an employee deleting an e-mail on their own, does not protect anyone. In fact, it could in the end harm everyone involved.
If a complaint or inappropriate conduct of an employee has risen to the level where you as an owner/supervisor, need to consult a Computer and Technology Forensics expert, one of the first areas checked is for deleted documents and/or e-mails. These items cause red flags during an examination of equipment, and the original items can and most likely will be found and/or reconstructed. It is very important to understand that the intentional destruction of evidence is a felony, and if proven, could land one in jail.
An example of a computer message in a court case dates back to the infamous trial of some of the Los Angeles Police being tried in the 1991 beating of Rodney King. One of the officers created a computer message stating, “…I haven’t beaten anyone that bad in a long time.” This obviously became admissible in court.
A more recent example is one in which we as a company were hired in a libel case. The libeler was using the internet to post messages on a public bulletin board that were both slanderous and libelous against a competitor in the same field. This person felt that using “anonymous” e-mails and postings would increase their own standing within the same professional community. What the libeler didn’t count on was the traceability of the e-mails to their home, cell phone and company computer systems. We were able to locate the electronic trail, and with this information obtain, on behalf of the client, a court order to confiscate the equipment in order to create image copies of the electronic systems. As a result, in order to keep the issue private, the libeler agreed to a significant out of court settlement.
Part Two: How To Manage the Risky Business of Company E-mail.