How Miss Teen USA's sextortionist got caught



This week, the FBI arrested a 19-year-old computer science student named Jared James Abrahams for tricking young women into installing malicious software on their computers, software that let him covertly operate their webcams and microphones, as well as capturing their keystrokes and plundering their hard-drives. Abrahams captured nude photos of his victims, then threatened to release them to the victims' social media accounts unless they performed live, on-camera sex-acts for him. At least one of his victims was a minor. Another of his victims was Miss Teen USA Cassidy Wolf, who turned him into the FBI.

Ars Technica's Nate Anderson has a spellbinding account of Abrahams's crimes, and the way that the FBI tracked him down, and he places Abrahams in the larger context of "RATers" (crooks who operate Remote Access Trojans — the kind of malware used by Abrahams). This phenomenon is also the subject of one of the chapters in Anderson's excellent book The Internet Police: How Crime Went Online, and the Cops Followed, and few journalists are better qualified to write about the subject.


On May 17, 2012, he told the RAT community at hackforums.net, "Recently I infected a person at my school with darkcomet. It was total luck that I got her infected because I suck at social engineering. Anyway, this girl happens to be a model and a really good looking one at that :D. I was hoping I could use her and her facebook account to further spread my darkcomet rat. I want to mass message all her friends on facebook but I have no idea what to message them to get them to download the rat. Any ideas or suggestions would be greatly appreciated :)."

The "model" in question appears to have been Wolf, whose machine was infected in mid-2012. Abrahams used DarkComet to snap lots of nude photos of Wolf, whom he watched until March 21, 2013. That day, Wolf received a message from Facebook saying that someone was attempting to change her password. Then came a similar message from Twitter—then messages from Tumblr and Yahoo. Suspicious, she checked her profiles; her Twitter account now displayed a "half nude" photo of Wolf.

Thirty minutes later, she received an e-mail from her attacker. He demanded that Wolf either send him "good quality" nude pictures through Snapchat, that she send a video of herself, or that she "go on skype with me and do what I tell you to do for 5 minutes." If she didn't, the attacker pledged to release his many nude photos widely—and he attached a few just to prove how many he had.

Instead, Wolf went to the FBI, and the Bureau's LA cyber squad swung into action. On March 29, the FBI looked at Wolf's laptop and found evidence of both DarkComet and another RAT known as Blackshades, which confirmed how the attacker had taken his photos. But who was he? The IP addresses behind the attacker's e-mails resolved back only to a VPN provider which purposely kept no logs. But the RATs themselves had connected back to the attacker by accessing no-ip.org, a service which allows users to dynamically map their IP address to a domain name (in this case, to cutefuzzypuppy.zapto.org and schedule2013.no-ip.org), thereby allowing the "slaves" to phone home, even when the attacker was using a dynamic IP address from a home Internet account. No-ip.org did keep records, and the FBI obtained them.

How the FBI found Miss Teen USA's webcam spy [Nate Anderson/Ars Technica]