Anti-Phishing, DMARC , Card Not Present Fraud , Cybercrime
Hacker Who Sold Financial Data Receives 10-Year SentenceGrant West a 'One Man Cybercrime Wave,' Judge Says; Bitcoins Still Missing
An English man who hacked into more than a dozen businesses, stole payment card information, ran phishing campaigns that spoofed 100 different businesses, sold people's financial details and published "how to" guides for hackers and fraudsters has been sent to prison.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
Grant West, 26, from Sheerness, England, admitted to multiple offenses, including conspiracy to commit fraud, computer misuse, as well as various drug offenses.
On Wednesday at Southwark Crown Court in London, Judge Michael Gledhill sentenced West to serve 10 years and eight months in prison. Gledhill called West a "a one man cybercrime wave" and noted that £1.6 million ($2.1 million) of cryptocurrency into which he converted his illicit profits remains unaccounted for, BBC reports.
"When such inadequate security is confronted with a criminal of your skills and ambition it is totally unfit for purpose and worthless," the judge reportedly told West on Friday. "This case should be a wake-up call to customers, companies and the computer industry to the very real threat of cybercrime."
West admitted to targeting more than 100 businesses worldwide via phishing attacks in a bid to steal their customers' email addresses and passwords.
Police say West began trading on darknet sites in March 2015 and ultimately logged more than 47,000 sales from his online shop.
"This prosecution was able to prove that Grant West was the prolific cyber hacker known as Courvoisier. West was caught by police conducting attacks on company websites," says Sarah Jennings, a specialist prosecutor in the London Crown Prosecution Service's complex casework unit.
"He sold the lists of financial information to make money and even used stolen credit card details to pay for holidays, food and shopping," Jennings says. "In the end, West had no alternative but to plead guilty due to the overwhelming evidence."
Brute-Force Attacks via Sentry MBA
Prosecutors say West used Sentry MBA, a popular credential-stuffing attack tool, to launch brute-force attacks against the websites of Uber, grocery store chains Asda and Sainsbury's, mobile phone giant T-Mobile, the British Cardiovascular Society, bookmakers Coral Betting and Ladbrokes, as well as a Finnish bitcoin exchange, among others.
Using the online handle "Courvoisier" - a brand of cognac - West sold stolen information on various dark web sites, including Alphabay, police say. Such dark web, aka darknet, sites can only be reached using the anonymizing Tor browser. But they are not immune to being monitored and seized by authorities, as the takedown of Alphabay and Hansa in July 2017 demonstrated (see One Simple Error Led to AlphaBay Admin's Downfall).
Prosecutors told the court that information sold by West led to the theft of £84,000 ($112,000) from accounts held at Barclays, leading to cleanup and remediation expenses of £300,000 ($400,000) for the bank; and that his actions also led to losses of £400,000 ($533,000) for British Airways after accounts for its Avios reward program were hacked, BBC reports.
London's Metropolitan Police Service says West illicitly profited from these deals in the form of bitcoin cryptocurrency, which he stored in multiple accounts.
Arrested on a Train
Following a two-year investigation, West was arrested in September 2017 while traveling in a first-class rail carriage to his home in Kent, after visiting his then girlfriend, Rachael Brookes, 26, in Wales. Authorities said West was accessing darknet marketplace sites at the time of his arrest.
After arresting West, police raided his home and various storage units he'd rented, where they found an SD card containing 63,000 credit and debit card details, 78 million email addresses with passwords and information stolen from more than 500 businesses. Police also seized half a kilogram (1.1 pounds) of cannabis, £25,000 ($33,000) in cash, and more than £500,000 worth of bitcoins.
"This is the first time we have seized a cryptocurrency and we are determined to remain one step ahead of cybercriminals who believe they can act with impunity," says Detective Chief Superintendent Mick Gallagher, head of the Met's organized crime command.
Earlier this month, Brookes - now West's ex-girlfriend - pleaded guilty to using two people's stolen details to buy a bikini online, the Guardian reported. She received a two-year community order, meaning she'll avoid jail time in return for community service and meeting an imposed curfew.
Phishing Attack Spoofed 'Just Eat'
One of West's corporate victims was Just Eat, an online food order and delivery service. In the last six months of 2015, West ran a phishing campaign - disguised as legitimate communications from Just Eat - that he targeted at 165,000 individuals whose email address details he'd obtained. Just Eat said it had to spend £200,000 ($266,000) in response to the attacks.
West launched some attacks from Brookes's laptop, on which he stored stolen usernames, email addresses and passwords - known as "fullz" - for more than 100,000 individuals, police say.
The Met Police say they launched their investigation into West's activities after receiving a referral from Action Fraud, the U.K.'s national fraud and cybercrime reporting center (see FBI to DDoS Victims: Please Come Forward).