Invasion of Privacy: A Deep Web Thriller #1 (Deep Web Thriller Series) (49 page)

BOOK: Invasion of Privacy: A Deep Web Thriller #1 (Deep Web Thriller Series)
4.51Mb size Format: txt, pdf, ePub

And no damage done. Now that really was impressive.

He allowed his thoughts to return to the bonus that Toomey had mentioned. Maybe he’d also be able to buy Daniella that professional low-drag racing swimsuit. She’d be even faster. 

In the meantime, he decided to treat himself to another Hershey Bar. The sugar would help him stay awake.

* * *

Brody almost felt sorry for Manuel Cortez. He’d been far too easy to dupe. Just like every help-desk support engineer in the industry, he
so
wanted to help.

After a brief search, Brody had found a couple of video interviews of Toomey on the Internet from around the time he’d sold his company to Agincourt. He had a deep Texan drawl that reminded Brody of John Wayne. During the call, Brody, wearing his wireless headphone mic, had stood up, hunched his shoulders and compressed his neck to make it easier to channel the American icon’s distinctive voice as the basis for his impersonation of Toomey. Despite feeling foolish, especially when Brody caught himself pacing the room with Wayne’s off-balance swagger, it had gone well.

Cortez had immediately dropped all protocols when he’d heard his CEO’s voice. The story about a frozen computer was a good one, especially the idea of taking a photo of it; Brody would use that again. It was believable enough, especially these days with everyone having camera-phones. But its real purpose was to disarm Cortez into opening an attachment in an email, something he was trained not to do. 

It had been safe to assume that Cortez would be familiar with email phishing. The scam involved mass fake emails pretending to be from a trusted source and designed to trick people into doing something foolhardy; either opening an attached file, which would install a deadly payload on their computer, or visiting a fake website masquerading as a legitimate one, but that ultimately persuaded victims into divulging personal details, enabling the phisher to steal entire identities. The crime’s close cousin, spear-phishing, involved carefully targeted singular emails using readily available online information.

Brody had only one chance with the HomeWebCam help desk and he didn’t have the time necessary to craft a legitimate-looking email, which Cortez may well have spotted and deleted. 

Instead, Brody decided to combine spear-phishing with his favourite social engineering technique of ‘hacking the human’. The phone call from ‘Toomey’ had predisposed Cortez to receiving the email and not looking too closely at its headers. Brody had gone for simplicity and speed, and had only changed the display name and reply address to match Ken Toomey’s. However, the actual address he’d sent it from had nothing to do with Toomey. Fortunately, Cortez hadn’t noticed in his fervent desire to help his CEO and keep his job. 

And then there was the attachment. Again, because of the phone call, Cortez was all set up to believe it was a real JPG. But in reality it was a malware program. When Cortez had double-clicked what he thought was a picture file, it had installed its payload, the freely available remote access tool, Poison Ivy, customised to Brody’s specifications. Once installed, it had ‘called home’ over the Internet. In this case, ‘home’ was one of Brody’s untraceable proxies acting as a command and control server, to which Brody had also connected into anonymously.

The last step of the malware’s installation was to open the computer’s standard image viewer and display the photo Brody had embedded within the installation of Poison Ivy. When Cortez had seen exactly what he’d expected to see after double-clicking, a photo of someone else’s computer screen, he’d had no idea that he’d unwittingly installed malware. Brody had deliberately blurred the picture he’d snapped of one of his own laptops, not wanting to leave any clues. Once the Poison Ivy payload had successfully been installed and called home, Brody had rapidly brought the phone call to an end.

Brody was particularly proud of the second phase of the hack.

With Poison Ivy installed, Brody now had full, remote access to Cortez’s computer. But he still did not know the correct credentials to gain access to the firewalls. So, Brody had done something he’d never done before: he’d used his private botnet of servers hidden all over the world to launch a distributed denial of service attack against HomeWebCam. He was definitely straying into black hat territory doing this, which was disconcerting. But he’d deliberately constrained it to be noticeable rather than damaging. A real DDOS attack was designed to overload a network, overpowering the servers completely, so much so that they’d crash. Brody had only wanted to set off the alarms.

Coupling the DDOS attack with another fake phone call, this time from ‘Mike Baker’, the Service Desk Manager from Agincourt – at least according to LinkedIn – had been risky but necessary. Brody had gambled that Cortez had not met or talked with Baker previously. He’d noticed that they weren’t connected to each other on LinkedIn. Convincing Cortez that Agincourt was also under attack, he’d been able to talk the engineer into logging into the firewalls. In the background, Poison Ivy’s keystroke-logging feature recorded the account names and passwords that Cortez had used to gain administrator access.

And now Brody had all the access he needed.

Via Poison Ivy, Brody ran a series of background commands on Cortez’s computer and connected to each firewall in turn. He spent time browsing the logs, analysing the flow of data in and out of HomeWebCam. He was searching for any reference to SWY or any of its native IP addresses.

After some time, Brody concluded that the webcam feeds were not actually flowing in from the network video recorders in every webcam location around the world managed by HomeWebCam, which had been his initial working premise. As this finally became clear, Brody bashed his forehead with the heel of his hand, berating himself because he should have worked this out without hacking into HomeWebCam; breaking God knows how many laws in the process. With the benefit of hindsight, he now realised he could have analysed the outbound network traffic passing through the router at Derek Saxton’s house — after all, he had full access. Yesterday, he’d even traced the traffic on the Saxtons’ home network, but because he’d been so focused on looking for packets going to SWY, he hadn’t considered what did or didn’t flow through to HomeWebCam. Had he looked more broadly, the Saxton network traces would have shown him that the webcam feeds only left the Saxton local network for HWC whenever Derek or Hilary were logged into HomeWebCam, viewing the video footage. It was a classic case of his assumptions getting in the way of the data.

Sometimes he was such a fool.

It did make him wonder about the purpose of HomeWebCam. After all, it was technically possible to connect to network video recorder PCs directly. After some head-scratching and further research, Brody concluded that the site’s function was to centralise and simplify the way its customers gained remote access to the network video recorders located in their own homes and offices. Without the full HomeWebCam service, their customers would be required to figure out how to reconfigure their routers to remotely access their network video recorders from the Internet as well as set up the security on them. HomeWebCam did all this for them and provided a full twenty-four-hour help desk. 

Moreover, Brody realised, there was the recurring revenue. Rather than just make a one-time sale of webcams and a network video recorder, HomeWebCam was able to charge monthly for its on-going service, a far more profitable arrangement. 

But all this clarity left Brody completely stumped. Dwight Chambers had been right: SWY wasn’t gaining access to the video feeds through HomeWebCam. And he knew from his work yesterday that SWY was not connecting directly into the network video recorder PC in the Saxton house.

How the hell was SWY gaining access to the video feeds?

He buried his face in his hands. It made no sense. Crooner42 had thought of everything. Brody only had twenty-four hours left. At this rate, he would never pwn SecretlyWatchingYou.com by tomorrow.

And then, inevitably, as if his day couldn’t get any worse, Brody heard the key turn in the front door of his flat. The door opened and Leroy ambled in.

“Hello, darling,” he greeted cheerfully.

“Fuck off Leroy. I’m not in the mood.”

 

 

 

 

 

 

CHAPTER 17

 

DC Fiona Jones pressed the button on the empty reception desk and waited. Presumably somewhere behind the secured inner doors a bell had gone off, announcing their presence. 

Jenny had parked her car in the only visitor space outside the single storey, converted factory building. It was one of many similar buildings in the Slough Trading Estate; a sprawling industrial business park situated just west of London, built around its own power station – two mammoth brick chimneys visible for miles around. The only indication they’d chosen the right building was a small plaque just outside the front doors announcing the company’s name, McCarthy Security Ltd.

Jenny studied the bare reception area. There was a complete absence of marketing; nothing to verify the sign outside was still valid. There were just two posters, both framed, one on fire alarm procedures and the other on health and safety laws. Three uncomfortable looking oval chairs were lined up against the back wall, under a television showing a muted BBC News channel. On the plain wooden reception desk sat a signing-in book. Jenny flicked through its blank sheets and commented, “I don’t think they get many visitors.”

“You’d think there’d be some CCTV cameras, given what they do,” said Fiona.

“Maybe there’s a load of secret cameras watching us right now,” suggested Jenny, suddenly self-conscious.

“Where?” asked Fiona, lifting the picture frames containing the posters and bending down to look underneath. “There’s nothing here.”

Jenny recalled the Saxtons’ kitchen. “I bet that smoke alarm on the ceiling is one.”

“That’s clever. Okay then, what about the exit sign above the front door?”

Jenny turned to look up at the illuminated sign. “Probably.”

At the swoosh of the inner door opening behind them, both officers turned around.

“Just the two?” said a hugely overweight man, a smile on his face. He gave the two women a lascivious onceover, his smile broadening in appreciation.

“You were expecting more than two of us?” demanded Jenny, bristling at his blatant leer.

“No. I mean the number of secret cameras monitoring this area. You’ve only spotted two of them.”

“How many are there then?” asked Fiona looking around.

“Plenty, including that one hidden in the carpet tile pointed up your skirt.”

Fiona jumped backwards with a screech.

The man leaned back and guffawed loudly, his enormous belly rippling in rhythm with his laughter. “Hah, just joking. But you should have seen your face. From that reaction, I’m guessing you’re not wearing any knickers. If only I’d known, I would have put a camera there.”

“Oi, mate.” Fiona’s voice was caustic. “You can go —”

Jenny cut in, loudly. “Mr McCarthy?”


Oui, c’est moi
.” His Essex accent masked any hint of French. He showed no shame in his poor pronunciation.

Jenny flashed her warrant card. It had the desired effect.

“Fuck me, I’m well gutted. If I’d known you were the filth, I’d have . . . ” He folded his arms across the expanse of belly. “Hah, I’d have done nothing different.” His tone turned hostile. “What do you lot want?” 

“We need to ask you some questions. About two webcam installations done by your company.”

“Why, what’s happened to attract the attention of the police? A camera fallen on someone’s head or something?”

“No, it’s a bit more serious than that, Mr McCarthy. This is about the murders of two young women.”

“I don’t understand.”

“Well, if you did,” said Fiona, still bristling from his earlier comment, “then that might make our conversation a damn sight more interesting.”

“Is there somewhere we can talk properly?” Jenny glared at Fiona while speaking to McCarthy, emphasising what she said next: “We really need your help.”

Fiona glanced at her feet: a muted apology.

“Uh, sure,” said McCarthy; more amiable now that Jenny had played the damsel in distress card. Her experience of chauvinistic men — and she had no doubt from his sexist comments that McCarthy was a relic from an earlier age — was that it worked both ways; they could be downright rude, but they were usually the first to jump to a woman’s rescue. “Come through to my office.”

They followed McCarthy through the inner security door and into a short corridor. On one side was a massive window overlooking a room with tall benches, piled high with computer equipment. Two male employees, one with short dark hair, the other with blond hair in a ponytail, stopped working at the sight of the two police officers trailing behind their boss. 

McCarthy stopped to offer some commentary. “This is our staging area. We preconfigure all our installations here before fitting them at our clients’ premises. Just leaves the creative job of running all the wiring on site.”

“Are your clients mostly residential?”

“Nah, that’s just a sideline we’ve developed in the last few years, although it’s turning out to be highly profitable. We face lots of competition for the major commercial contracts, so a nice run-rate of consumer IP webcam business is certainly helpful.”

McCarthy opened the door at the end of the corridor. They followed him through, passing a kitchenette and a storeroom.

“Businesses don’t use IP webcams then?” asked Fiona.

“Some do, especially if they’re spying on their staff. But our core business is traditional CCTV installations. From builders wanting to secure their yards to councils installing city-centre control room systems, we do the lot. The best camera systems aren’t hidden; they’re on full show. If you see a camera is watching you, you’re less likely to do anything dodgy. They’re preventative.”

He opened the door on the left and they entered a more traditional office area. Office workers, chairs, desks, phones, computers, filing cabinets and waste paper bins filled the large expanse. Windows looked out onto a staff car park, with one bright red Maserati standing proud amid its more prosaic neighbours. 

Other books

Daring In a Blue Dress by Katie MacAlister
Suddenly Sexy by Kendra Little
Brush Back by Sara Paretsky
Imago Bird by Nicholas Mosley
Lost & Found by Brooke Davis
Potter Springs by Britta Coleman
Owned for Christmas by Willa Edwards
Getting to Happy by Terry McMillan