Tuesday, 24 April 2012

"The hidden side of your soul": How the FBI uses the Web as a child porn honeypot

The e-mail arrived in James Charles Cafferty's inbox on July 14, 2011. Unlike most unsolicited e-mail on the Internet, the message did not pitch mortgages, get rich quick scams, or penis pills. Instead, it provided a link to an under-the-radar child pornography website and the password needed to access it. Cafferty, a diplomatic security officer working for the US government at its London embassy, waited for three days, then clicked on the link. This is what he saw:

"Welcome to the hidden side of yur soul, where you view the yung and innocent. We have been around since 2002, offering the best of private and series Child Pornography (CP), (hardcore/soft core) all for FREE! All you have to do, enter in the password, and you'll be viewing free CP for days. We move around when we have to... congratulations for finding us. Yur old password won't work, so get the new one and you are IN!!!"

The e-mail picked its target well; Cafferty did have a hidden side of his soul. An online dating profile he created at the site Plenty of Fish said that he was looking for "a relationship with someone who can enjoy the 'simple' things of life such as walking in the park, enjoying a nice sunset, engaging in good conversation or go people watching at a café." But he also craved child pornography. Cafferty owned a Drobo backup device that he stuffed with twin Western Digital hard drives in a RAID configuration to guard against data loss. On the drives, he kept his tens of thousands of child porn files.

Sometimes he did more than look at them, too. Cafferty would also fire up image editing software on his computer and splice his image into some scenes.

Below the website's promotional copy sat a "law enforcement note," the kind that used to feature on warez sites as a talisman that might keep the cops at bay. "If you happen to be in Law enforcement, FBI or Interpol and are viewing this website, it's called free speech," it said. "There is nothing illegal about this website. Our servers are located in a country that has no Child Pornography laws. Even if you are able to shut us down, we pop up again somewhere else..."

Cafferty stared at the screen, then typed in the password found in the e-mail. He was in. Another page popped up listing 35 free videos with names like "Full version of known video. 3 10-12 y.o. girls and man" and an explicit description of the action. Beside each video was a "download" button that provided one-minute previews of each video. Forty-nine seconds after entering his password, Cafferty clicked on video number four, a 71-minute file that claimed to feature a "9-10 y.o. girl and man." A third webpage opened to display the video, which appeared to buffer—but the connection soon slowed and then stopped altogether. Eventually, Cafferty abandoned the site.

But thousands of miles away, deep in the belly of a data center, his online visit had tripped a silent alarm. That click on the "download" button had logged his IP address, the video file he attempted to view, and the number of times he tried to watch site videos. The law enforcement warning on the site's front page had done nothing to keep the FBI away; indeed, the FBI ran the site. And now they had Cafferty.

[Image caption: Totally a legitimate website]

Spear-phishing, FBI style

The e-mail had not arrived in Cafferty's inbox by accident. Back in 2006, Immigration and Customs Enforcement (ICE) had opened a major investigation into a string of child porn websites. As part of that work, ICE learned that the sites used PayPal to receive money and disguised the nature of the purchases by using odd subject identifiers. A website called Sick Child Room 2005, for instance, used as its PayPal subject identifier the phrase "SickCR Package v.5.06 Build 3638"—which makes it sound like a software purchase. Instead, the site served up sections with names like "Door 1," "Door 5," and "Medic's Corner." Behind the doors waited 150 videos and 20,000 child porn images.

[Image caption: Cafferty's mug shot]

ICE went to PayPal and obtained a list of 5,000 people who had subscribed to these sites. The priority was of course getting at those who ran the sites, but the subscribers weren't off the hook. One of the e-mail addresses that had purchased access to the Sick Child Room was Travelerva88@yahoo.com. Investigators served an administrative subpoena to Yahoo, which turned over subscriber information for the account. It belonged to someone who also used the address caffertyj@gmail.com and who worked in London—but who listed a Largo, Florida home address. The information from Yahoo also contained, surprisingly enough, a link to the user's Facebook profile.

Putting Cafferty's name to the account wasn't particularly difficult after this. Investigators eventually realized that their target was a US government employee working as a Bureau of Diplomatic Security Special Agent in London. But by this point it was July 2011, and the child porn purchases had happened more than five years before. Investigators decided that, before pursuing Cafferty, they wanted to know if he was still involved in the CP scene.

The case went to Corey Monaghan, a detective in the Largo, Florida police department and a member of the FBI's nationwide Innocent Images Task Force. On July 14, 2011, Monaghan contacted his colleagues at the FBI's Innocent Images Operations Unit in Maryland and asked them to deploy an "investigative tool" to determine Cafferty's continued interest in child porn. In initial court documents, all descriptions of the tool were redacted—but The Smoking Gun got its hands on the unredacted original and published several key pages.

The FBI had set up its fake CP site for precisely this situation. When investigators had a lead on someone specific, they e-mailed the person with a custom password and the site URL. The strangely explicit front page discussion about the "Child Pornography" within made sure that visitors could have no confusion about what they were accessing. As Monaghan's unredacted affidavit makes clear, "nowhere on the website home page indicates [sic] any adult pornography or anything other than child pornography is available through this website." In reality, the site offered no child porn; the video loading screen had been purpose-built to fail in such a way that visitors believed their Internet connections to be the culprits.

Soon after Cafferty's visit to the site, the Innocent Images task force knew they had found their man. Not only had he used his custom password—he had logged in with a London IP address. Time to pay him a visit.
