A US bloke was jailed for 13 years on Wednesday for sharing pictures and videos of child sex abuse on the dark web.
He was tracked down by pedo-hunting Feds who managed to lure him outside of the anonymizing Tor network, or similar, with a link to the public web. Clicking on that URL was enough to reveal his home IP address, which led the FBI to his front door – and through it.
Crucially, rather than relying on surveillance software – such as the NIT used in the Playpen cases – the g-men relied on good old fashioned psychology and a video file format trick to catch the perp. That’s handy because NIT-assisted prosecutions have hit brick walls as defense lawyers question evidence gathered by the tool.
Roy Harvender Jr was a member of what court documents refer to as Website 19, a site on the dark web that operated between early 2012 and December 2014. It had 105,651 registered users. Pervs had to offer fresh child pornography in order to maintain their access to the site. Under the username “ricenbeans,” Harvender, 59, of New Castle County, Delaware, was an active member of Website 19, and posted images of kids as young as four years old.
According to FBI special agent Michael Lipsner [PDF], in June 2014 an unidentified foreign law enforcement agency – codenamed FLA 1 – arrested a member of Website 19 and used his account information to identify the location of the server hosting the website. Police in a second country seized the box and cuffed the operator, who agreed to cooperate.
The cops then continued to run the underground website to snare other perverts.
“Acting independently and in accordance with its own national laws, FLA 1 assumed control of Website 19 in September, 2014 and began operating the site from a computer server in its own jurisdiction,” the Delaware court was told. “Website 19 operated under control of FLA 1 until the first week of December, 2014, when Website 19 ceased to operate.”
There’s nothing new in police operating these kinds of sites. The FBI briefly ran Playpen and other kiddie porn sites, after seizing the server hardware. The agents used their newly found administrator privileges to infect visiting browsers with NIT trackers to unmask those using Tor – a move that landed the Feds in some legal bother, and led to some suspected pedophiles walking free.
Video killed the anonymity star
But FLA 1 tried a different technique. In November 2014, the agency posted on Website 19 a link to a child abuse video hosted on a police-managed computer outside the anonymizing network. When users hit the URL, they were warned they were leaving Website 19’s hidden service: at least one person clicked through.
From what we can tell, when the video loaded up, it referenced another URL on the public web, which was automatically accessed via the user’s media player. This secondary connection did not go through the anonymizing network, and thus leaked the public IP address of the cloaked viewer. The cops were in a position to monitor these side connections and ultimately identify the perps’ source IP addresses.
It is, of course, possible the video contained malicious code that exploited a security vulnerability within the media player to open this unprotected connection when the vid was played – but this is perhaps a little too high risk and too unreliable for this operation. It’s more likely to be a URL embedded in the video or page, or something like that, which the media player automatically fetched without going through the browser’s SOCKS proxy, causing public IP addresses to leak to the plod. This is exactly the failure mode the Tor Project has long warned about: files downloaded through Tor Browser are opened by external applications that know nothing about Tor, so any reference inside them is fetched over the bare network.
“FLA 1 advised the FBI that in early November 2014, acting independently and according to its own national laws, FLA 1 uploaded a hyperlink to a file within a forum on Website 19 that was accessible only to registered members of Website 19,” court documents read.
“The hyperlink was advertised as a preview of a child pornography website with streaming video. When a Website 19 user clicked on that hyperlink, the user was advised that the user was attempting to open a video file from an external website. If the user chose to open the file, a video file containing images of child pornography began to play, and FLA 1 captured and recorded the IP address of the user accessing the file.
“FLA 1 configured the video file to open an internet connection outside of the [Tor] network software, thereby allowing FLA 1 to capture the user’s actual IP address, as well as a session identifier to tie the IP address to the activity of a particular Website 19 user account.”
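The check a practitioner would want here, given the mechanism described above and in the court filing, is to inspect a downloaded media file for out-of-band references before handing it to a player that does not honour the proxy. The following is an added example written for this page, not code from the case or from any law-enforcement tool. It assumes a playlist-style reference (the sample is a constructed M3U, since the filing does not name the file format) in which the external URL carries a per-user query parameter of the kind that would serve as the “session identifier” mentioned in the filing.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample for this example: an M3U playlist whose second entry points
# at a clearnet host and carries a per-user token. Not a file from the case.
SAMPLE_M3U = b"""#EXTM3U
#EXTINF:-1,preview
local_clip.mp4
#EXTINF:-1,preview part 2
http://198.51.100.7/stream/part2.mp4?sid=a1b2c3
"""

# Scheme://host substrings; this also catches URLs sitting in the string
# tables of binary containers, not only in text playlists.
URL_RE = re.compile(rb"(?:https?|rtsp|rtmp|mms|ftp)://[^\s\"'<>]+", re.IGNORECASE)


def find_external_refs(data: bytes) -> list:
    """Return every URL-like reference embedded anywhere in the bytes."""
    return [m.group(0).decode("ascii", "replace") for m in URL_RE.finditer(data)]


def is_clearnet(url: str) -> bool:
    """True if the host is not a .onion name, i.e. fetching it would leave Tor
    unless the application doing the fetch is itself proxied."""
    host = (urlsplit(url).hostname or "").lower()
    return not host.endswith(".onion")


def audit_media(data: bytes) -> list:
    """List clearnet references with their host and query parameter names.
    Query parameters are reported because a per-user token there is what lets
    the server tie the leaked IP address back to a specific account."""
    findings = []
    for url in find_external_refs(data):
        if is_clearnet(url):
            parts = urlsplit(url)
            findings.append({
                "url": url,
                "host": parts.hostname,
                "params": sorted(parse_qs(parts.query)),
            })
    return findings


if __name__ == "__main__":
    for f in audit_media(SAMPLE_M3U):
        print("clearnet reference:", f["url"], "host:", f["host"], "params:", f["params"])
```

Run it against any playlist, subtitle or container file before opening the file while online; a non-empty result means the player, not the browser, will decide how that connection is made. The scanner is deliberately format-agnostic, so it will also miss references that are encoded rather than stored as plain `scheme://` strings; the safer operational rule remains to open downloaded media only in an offline environment.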
At least one of those public IP addresses was located in the US, so FLA 1 got in touch with the FBI, who got an administrative subpoena requesting subscriber information from Comcast for that address. After a series of investigations, the FBI fingered Harvender as the source of the connection, and applied for a search warrant of his home.
Inside they found a laptop and two USB drives containing hundreds of images and videos of children being sexually abused. They arrested Harvender, who waived his Miranda rights and admitted being a member of the website, but denied knowing that possession of child pornography was illegal.
In October last year, Harvender pled guilty to one count of distribution of child pornography. On Wednesday he was sentenced to 13 years in prison, followed by 10 years’ probation. He will have to pay $5,000 in restitution to each of his victims – if they can be found. ®
Source: SANS ISC SecNewsFeed @ May 4, 2017 at 06:06PM