The history of one hack and the result of the work of department "K"

An attacker intercepted traffic and gained access to an email account. Watching the correspondence, he found a domain registered to this mailbox, which belonged to a small company. The attempt to take control of the company's website led to a statement to department "K", which then searched for the attacker for several months and, at New Year's, to fulfil the plan, successfully closed the case. And now, everything in more detail...

Information leak

Like most such stories, this one began with a leak of email account information. Presumably, the source of the leak was a Wi-Fi access point in one of the hotels in St. Petersburg. The email address whose details the attacker obtained belonged to a small Moscow company.


Access to the mailbox and monitoring of the correspondence gave the attacker additional information. Besides internal information about the company's activities and personal information about the company's director, it included information about the company's domain, which was registered to this email address.

Getting access

Using the password recovery system, the attacker obtained the access details for the company's FTP site. After copying all the information, the attacker decided to create a copy of the website in order to profit from the ads placed on it. Since the company's website had existed since 2003, the domain had already accumulated a citation index value sufficient for profit. To steal this index, the attacker changed the robots.txt file hosted on the company's server. It was this change that the owner of the company's website noticed.


The owner turned to the hosting support service (Hosting Center) and received the logs of FTP access to the website; as it turned out, the Hosting Center stores logs only for the last 3 months. But the information in the logs was enough to detect the IP address of the attacker. Judging by his behavior, the attacker did not have much experience working on a computer, comparable to the experience of the owner of the company's website.
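A log review of the kind described above, as an added example that is not part of the original article. It assumes the hosting provider supplies FTP transfer logs in the common xferlog format (the article does not say which format was used); the sample lines, addresses and the names `KNOWN_HOSTS` and `WATCHED` are constructed.

```python
from collections import defaultdict

# Constructed sample in xferlog format; addresses come from documentation ranges.
SAMPLE_LOG = """\
Mon Sep 13 09:02:11 2010 1 198.51.100.10 4312 /www/index.html a _ i r owner ftp 0 * c
Thu Sep 16 23:40:02 2010 2 203.0.113.7 4312 /www/index.html a _ o r owner ftp 0 * c
Thu Sep 16 23:40:05 2010 1 203.0.113.7 9120 /www/catalog.html a _ o r owner ftp 0 * c
Thu Sep 16 23:40:09 2010 1 203.0.113.7 27 /www/robots.txt a _ o r owner ftp 0 * c
Fri Sep 17 00:15:44 2010 1 203.0.113.7 58 /www/robots.txt a _ i r owner ftp 0 * c
"""

KNOWN_HOSTS = {"198.51.100.10"}   # assumption: addresses the site owner normally uses
WATCHED = ("robots.txt",)         # files whose modification should always be reviewed


def parse_line(line):
    """Parse one xferlog record; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) < 18:
        return None
    # 8 fixed fields lead the record and 9 trail it; the file name sits in between
    # and is re-joined in case it contains spaces.
    tail = parts[-9:]
    return {
        "time": " ".join(parts[:5]),
        "host": parts[6],
        "path": " ".join(parts[8:-9]),
        "direction": tail[2],          # "i" = upload to server, "o" = download
        "user": tail[4],
        "complete": tail[8] == "c",
    }


def review(log_text, known_hosts=KNOWN_HOSTS):
    """Summarise completed transfers made from hosts outside the known set."""
    report = defaultdict(lambda: {"downloads": 0, "uploads": [], "watched_changes": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["complete"] or rec["host"] in known_hosts:
            continue
        entry = report[rec["host"]]
        if rec["direction"] == "o":
            entry["downloads"] += 1
        elif rec["direction"] == "i":
            entry["uploads"].append(rec["path"])
            if rec["path"].endswith(WATCHED):
                entry["watched_changes"].append((rec["time"], rec["user"], rec["path"]))
    return dict(report)
```

Because the hosting provider in this story kept only 3 months of logs, a review like this is only useful if it runs, or the logs are archived, within that retention window.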

Police application

The information received formed the basis of the statement to the Central Internal Affairs Directorate of Moscow; as it turned out, statements of this nature are accepted only at Petrovka. In addition to the above information, the statement mentioned the damage that the company suffered as a result of the domain disappearing from search engines. The application was accompanied by a copy of the access logs for the hosting of the company's website, indicating unauthorized activity related to copying and changing information. Some of the information serves as proof of copyright.

The fate of the statement

The application lay at Petrovka for 30 days, after which the applicant was informed that it had been transferred to the location of the hosting provider. After several more weeks of consideration, it was forwarded to St. Petersburg, the location of the attacker's IP address. After receiving the application, the investigator of the local department "K" contacted the applicant to clarify a number of issues, and also asked him to fill out the testimony form and send it by mail. The testimony was dated December 22, 2010. The letter was sent on December 23, and, as it became known from a recent letter, on December 24, 2010 the case was closed due to the lack of corpus delicti.

Case is closed

The applicant has in his hands a recently received letter containing the attacker's passport details, his registration address in St. Petersburg and the number of his contract with Nevalink, the provider whose services the attacker used to access the Internet. The strange fact is that immediately after the case was transferred to St. Petersburg, the copy of the website on the attacker's domain was replaced with other content.

I hope that the law enforcement authorities at least seized the attacker's computer, even if only for their own needs; the injured director of a small Moscow company will probably make sure of this by visiting the attacker at the indicated registration address in St. Petersburg.
