Lessons Learned from Trident Breach

OPERATION TRIDENT BREACH, announced late last year by the Federal Bureau of Investigation (FBI), was one of the largest cybercrime take-downs to date. It culminated in arrests of about 40 individuals in the United States, United Kingdom, and elsewhere, all of whom were suspected of involvement in a major criminal ring that had stolen more than $70 million from bank customers’ accounts.

A panel of FBI agents and other law enforcement experts who spoke at the recent FOSE conference in Washington, D.C., discussed some of the operation’s key lessons as well as the current state of law enforcement’s anti-cybercrime efforts. Reasons for Trident’s success range from continuing improvement in international law enforcement cooperation to the use of social networking sites to track down suspects, the panelists said.

Information gleaned from networking sites, particularly Facebook, helped locate 17 suspected money mules—or people who use bank accounts to transfer funds. Facebook helped the investigators gain information about the suspects’ relationships and locations.

Sites like Facebook can provide “a face and a picture,” for example, to help flesh out information on suspects, said Michael Eubanks, an FBI agent who worked on the case. In some cases, law enforcement was able to gain personal details, such as nicknames, that could then be further researched through Google or other search engines, he said.

Social networking sites can be particularly valuable in locating suspects when the sites are combined, as they were in this case, with open source tools that can scan and automatically collect information, instead of requiring a human to sift through the data, said panelists. There are many valuable tools available that can accomplish this, said Eubanks.

The use of social networking sites, like Facebook and Twitter, by law enforcement is also especially valuable when information from the sites is combined with information from databases available only to law enforcement, according to Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham and a contributor to Trident Breach and many other investigations. “You might take 10 friends [of a suspect] and ask which of them have criminal records,” Warner later told Security Management. When tools can be used with both social media sites and law enforcement databases, “their value increases astronomically.”

There are limits to the use of social media to track suspects, a few panelists noted. When suspects use their privacy settings, it becomes extremely difficult to use scanning tools or to gain much other useful information, said Warner. But he added that this doesn’t happen often. “The good news is that criminals, just like most other social networking users, leave themselves open in terms of privacy settings.” In certain cases (such as in Trident Breach), law enforcement can also gain a warrant to bypass such settings.

With regard to international cooperation, panelists noted that the FBI has placed legal attachés in U.S. Embassies in Ukraine, Romania, Estonia, and The Netherlands. In the past year, the United States has participated in five or six major investigations with Ukrainian authorities.

With successes such as Trident Breach, subsequent investigations have proceeded “more smoothly,” he said. Panelists also attributed the success of the operation to strong cooperation with the private sector, including with certain financial institutions that were able to spot suspicious transactions and accounts.

A few panelists also cited people’s ongoing vulnerability to phishing attacks, in which victims are tricked into downloading malware by clicking on an attachment or link in an e-mail message. Law enforcement may be making some headway in fighting cybercrime, but “if you click too quickly, you’re had,” said panel moderator Paul Joyal, a managing director in the public safety and homeland security practice at the consulting firm National Strategies.