Feds Out-Hack Russian Hackers

CBS/48 Hours
Even for the FBI, it was an audacious sting, reports CBS News Correspondent Wyatt Andrews.

With the help of some new computer spying software, FBI agents were able to out-hack a pair of Russian hackers who had stolen thousands of credit card numbers to make purchases on eBay and then defraud PayPal, the leading online bill payer.

(Editor's Note: An earlier version of this story said that PayPal had been broken into. That was incorrect. PayPal itself was not hacked, and its security was not compromised.)

The challenge, said Assistant U.S. Attorney Floyd Short, was that the suspects, Alexei Ivanov and Vasily Gorshkov, were Russians. And their server – where Short says they kept thousands of stolen credit card numbers – was also in Russia.

The game -- which was successful -- was for authorities in Seattle, Wash. to steal the passwords and codes to the Russians' server in Russia.

"Gorshkov went on the Internet," said Floyd. "We obtained the name of the server in Russia, his user name and his password. … It was critical to the case."

How exactly did the FBI record an encrypted password and codes? With a $100 piece of software invented by Richard Eaton of Kennewick, Wash.

Eaton's program, WinWhatWhere Investigator, has revolutionized computer snooping with what's called keystroke logging. The software secretly records everything a user types, coded or not, and sends a report to a third party who is spying on the user.

"The Russians just sat down and entered their passwords. It couldn't have been any better than that," said Eaton.

"The principle, I think, is a very dangerous one," said Gorshkov's lawyer John Lundin.

What the FBI did, Lundin said, should make Americans afraid. Using the keystroke logging program, agents lifted the Russians' passwords and used them to enter the main server in Russia and copy files. Only then did the agents get a search warrant to read what they downloaded.

"They consciously bypassed that legal requirement and used an intercepted password to unlock a safe to get into and access private papers," said Lundin, comparing the Russians' server in Chelyabinsk to a locked safe.

"The problem, I think, is a misuse of information obtained from the keystroke technology."

Lundin lost his attempt to have the stolen evidence kicked out of court. Prosecutors were able to fend off the privacy challenge by pointing out how precisely the FBI lured the Russians into the trap.

The FBI set up a bogus computer security company named "Invita" in downtown Seattle and let it be known they needed hackers as consultants on computer security. In an elaborate scheme, FBI agents posing as Invita employees made phone and e-mail contact with Gorshkov and Ivanov, and offered them consulting work as Internet security experts.

While demonstrating their hacker skills, the Russians also took time out to use an Internet connection to tap into their server in Russia. What they didn't realize was that the keystroke logging program was copying everything. FBI agents used those passwords to tap into the Russian server and copy what was there.

Gorshkov was convicted on Oct. 10, 2001 of 20 counts of fraud and computer crimes. Ivanov, who has other charges against him in Connecticut and California, is still awaiting trial.

Legal experts stress that the Russian case is an exception, that even now as keystroke spying grows more pervasive, the FBI still needs a warrant to raid a private computer.

Part 1: The Ultimate In Cyberspace Spying -- New computer spyware is increasingly being used by police, parents and employers. The ethics and legality of it are still being worked out.

    David Hancock is a home page editor for CBSNews.com.