Invasion of Privacy: A Deep Web Thriller #1 (Deep Web Thriller Series) (6 page)


“I checked out WMA Associates as you asked, Jenny,” said Fiona. “They’ve got nothing to do with music. They’re a tax audit firm. Apparently, WMA stands for Wilfred MacDonald Advisors. I’ve got Lawrence MacDonald here. He says he runs the London practice. His dad is Wilfred MacDonald, but he retired years ago.”

“Okay. Bring him in,” said Da Silva.

Fiona returned with a middle-aged man, so dull and grey that if Jenny had had to guess his occupation, accountant would have been top of the list. The only exception was the flash of luminescent green from the frames of his designer glasses.

“Is it true about the poor girl? Some kind of murder?” he asked.

Jenny looked Fiona in the eye, but she shook her head.

“What makes you say murder, Mr MacDonald?”

“Only because of the questions the press asked me as I arrived at the office a few minutes ago.”

“Shit!” Da Silva stood up, leaned on the window and stared down twelve floors. Jenny had never heard him swear before. “I’d better sort this out before it gets out of hand. Detective Inspector Price, you take it from here. Excuse me, Mr MacDonald.” Taking his mobile phone from his pocket, he left the office. His coffee was left on the desk.

“Did the press say her name?” asked Jenny, standing so as not to be the only one left sitting down.

“No? Please tell me it wasn’t one of my employees.”

“No, we don’t believe so. Her name was Anna Parker. Do you know her?” 

“Sorry, no.” 

“What about a W. Webber?”

MacDonald thought for a minute. “No. Not a name I recognise. Should I?”

“The signing-in book has a W. Webber from your company down for the victim’s arrival last Friday evening. Do you know anyone with the surname Webber? A friend? A client, perhaps? A supplier? Someone who knows WMA?”

MacDonald thought for a moment. “None that comes to mind. But we can go downstairs and check our contacts database if you like.”

Fiona said, “Thanks. Let’s do that in a few minutes.”

Jenny walked up and down the length of the window. She slowly articulated a line of thought that was forming in her mind. “Okay, let’s assume this Webber person was pretending to be from your company. How could he do that? He’s booked a meeting room. And yet you know nothing about it?”

At that moment, Jenny saw Alan through the interior glass wall of the office, accompanied by Evans. She waved them over.

“No, why should I? Any of my staff can book a meeting room. We just phone reception.” 

Alan and Evans entered the office. 

Jenny said to the building manager, “Walk me through how you book a meeting room in this place.”

Evans ignored Jenny. “Hello, Mr MacDonald. I’d like to apologise for this inconvenience. I’m sure we’ll have everything back to normal in an hour or so.”

Jenny wanted to slap him. He acted like a tube driver announcing a short delay to his passengers. “As I said to you in the lift earlier, Mr Evans, someone has been murdered. It’s a very serious situation, and not one we can take lightly. I think you’ll find it might take more than an hour or so to get back to normal.”

Out of Evans’ line of sight, Alan winked at Jenny and said gravely, “Maybe as much as the whole day. Perhaps two.”

Evans’ face whitened.

MacDonald mediated. “The more you can do to help the police, I’m sure the quicker they’ll be done.”

“Well, uh yes. I’m sorry. I know it’s more than an inconvenience, but what I was trying to say was —”

Alan persisted, “Meeting rooms, Mr Evans. How do they get booked?”

“Uh, yes. Let me see.” He took a breath. “Meeting rooms can be booked by any of our customers already leasing space in this building or any Flexbase customer leasing space in any of our other serviced offices around the country. Well, saying that, anyone could phone up and book a meeting room. All they’d need is a credit card. We have this concept called Local Meeting —”

“Credit card?” interrupted Jenny, spotting an angle to follow here. “You mean we can see the credit card details that were used to book the room on Friday?”

“Well, yes. That’s assuming it wasn’t an existing Flexbase tenant with an account. Like WMA here. If it was an existing customer, no credit cards are needed. Just their customer account number, phone number and email address of the person from the company. Then we add it to the company’s bill and invoice at the end of the month.”

“Can you get me the details of the booking for the room on Friday?” Jenny then forced herself to add, “Please.”

“Sure, I’ll just go and ask my assistant...” 

Jenny picked up the phone on the desk and handed the receiver to Evans. “Will this work?”

“Uh, actually no. It’s an IP phone. It doesn’t work until someone logs into it first.” 

Spotting the look of malice in Jenny’s eyes, Evans pulled out his mobile phone. He asked his assistant to pull up the records for meeting room eighteen-twelve for the Friday just gone. A pause, then, holding his hand over the mouthpiece, he said to Jenny, “Sorry, not a credit card booking. It was booked out to WMA using their account number...”

MacDonald exclaimed, “That’s not possible!”

Fiona placed a hand on MacDonald’s arm.

Evans continued, “...In the name of a William Webber. He booked it from 4:00 p.m. through to 7:00 p.m. He gave his phone number as the main switchboard number that WMA uses.”

“How do you request a room?” asked Fiona. “Phone? Email?”

“You can book by phone, email or even through our website. Whichever method you use, we always ask for an email address for the booking confirmation to be sent to.”

“Which method was used?”

Evans repeated the question into his phone. “They can’t tell. Perhaps the IT people in headquarters can tell?”

“Okay, we’ll check that later,” said Fiona. Jenny knew the DC was doing a far better job dealing with these technology-related issues than she ever could. “What email address was given?”

Evans relayed the answer: “[email protected].” 

“But we don’t have a William Webber, I tell you,” MacDonald persevered. “Hold on, I’ll phone my IT guy to see if that address is on our email system.” MacDonald pulled out his mobile, dialled a number and started issuing instructions.

Fiona asked Evans, “Can you tell when the booking was originally made?”

Evans relayed it into his phone. The answer came, “Two days before.” His eyes widened. “No way! Apparently, the same person also booked the four other meeting rooms on the same floor for the same times. That’s the whole damn floor!”

A chill ran through Jenny’s body. 

“I suppose being that late on a Friday afternoon meant they were all available?” Alan surmised.

“Well yes, I suppose. It’s typically the quietest time of the week. Everyone wants to get home for the weekend.”

MacDonald then spoke, “No, we don’t have an address with that name on the WMA email system. And my IT guy says that, as he doesn’t have it set up, it doesn’t exist and never has.”

Jenny summarised, to make sure she had it right. “So, two days prior, someone with access to WMA’s Flexbase account number booked the whole top floor on Friday from 4:00 p.m. onwards. And they gave a fake name and email address that made it look like it was someone from WMA.”

“So, what would happen if the email address used for the booking was fake?” Fiona asked Evans.

Evans said he didn’t know and relayed the question into his phone. “My assistant doesn’t know either. She’s just patching me through to IT in Head Office.” A minute later, Evans repeated the question and listened. “Apparently, we just type it into the booking system. As the domain name — you know, the bit after the ‘@’ sign in the email address — matches the customer’s, no one would have questioned it. The booking system sends out a confirmation email.” He listened some more and then relayed the next bit with a fatalistic tone. “But if the email address didn’t exist, it would bounce back to the booking system’s own email address and —”

“— no one ever looks at that,” finished Fiona for him.

Evans nodded.

MacDonald turned to Evans, indignant. “So what you’re telling me is that anyone could book a meeting room in my company’s name just by phoning in with a fake email address? Right, that’s it. I’m going through every invoice for the six months we’ve been here at Flexbase!”

“But they would have to know your Flexbase account number as well,” wheedled Evans, “and only your employees would know that.”


“And anyone working for Flexbase, Mr Evans,” said Jenny, firmly.

* * *

Brody’s fingers were shaking over the keyboard. He wasn’t sure if it was too much caffeine or an adrenaline rush from the challenge he’d foolishly got himself caught up in. He wondered whether Doc_Doom had manipulated him into taking on the challenge against Matt_The_Hatter. He scanned back through the chat logs but there was no real evidence of that. Like any hacker — white, grey or black — Brody’s reputation online was built up over time, through publishing new exploits, sharing code, blogging, tweeting and answering questions on the forums from other hackers. Brody had spent years getting his reputation as Fingal to its current elite status. And here he was putting it all on the line in a childish race to gain root access to a website. If he failed, then word would spread rapidly across the global hacker community. That was one of the downsides of the Internet; it only took seconds for news and gossip to spread. His online reputation would be in tatters. 

Brody slammed the tablet PC shut, looked up and caught Stefan’s eye. The barista came over immediately.

“Ah, Mr Brody,” said Stefan, “Let me think . . . ”

“— same again,” said Brody, in no mood to play Stefan’s guessing game. 

“Oh! Okay . . . as you wish, Mr Brody.” Stefan shuffled off.

Brody wondered if he could have avoided trapping himself in the challenge. The root cause was his perfunctory approach to reviewing Crooner42’s original request for help during the Atlas Brands pentest that morning. He should have waited until he’d returned to London, when he would have gone through due diligence before offering to help. He would have carried out an initial set of penetration tests before responding to make sure that he knew there were some holes he could quickly take advantage of once he was formally given the job. He would also have devoted time to checking out Crooner42’s online background more thoroughly to make sure the request for help was legitimate. After all, no one other than Matt_The_Hatter and he had responded to Crooner42’s unusual broadcast for help. Perhaps all the others had figured out this was a tough job and didn’t want to risk their reputation.

Now he was in the unpleasant situation where not only did he have to take on the challenge, but failure would be very public. He just hoped he had a few more tricks up his sleeves than Matt_The_Hatter. 

A fresh cup of coffee was placed on his table. Brody looked up to say thank you to Stefan, but it was Stefan’s trainee waitress who had brought it over instead. Stefan was behind the counter, wiping it down and deliberately avoiding eye contact. Brody thanked the girl anyway and made a mental note to apologise to Stefan before leaving. Maybe a larger tip than normal would help.

Brody rolled up his sleeves and began.

The first step was to familiarise himself with the website in the way a normal online visitor would do. Well, not quite a normal visitor. First of all he would disguise who he was and from where he was connecting. He logged into TOR and two additional proxy connections, one in Russia and the second in Bulgaria. The proxies slowed down his speed a little, but it was worth it to make him impossible to trace. Anyone tracking his address would think he was accessing the Internet from Bulgaria rather than his apartment in Islington. And even if they somehow tracked him down through the first proxy, they’d then think he was really from Russia. And after that, they’d have to take on hundreds of randomly selected relays within the encrypted TOR network.

Brody remembered Crooner42’s concern that police around the world might take an interest in the site. Double-proxying should handle that. 

He clicked on the site.

The site Crooner42 had built was called www.SecretlyWatchingYou.com. Its name and description implied that it was serving live webcam footage without the knowledge of the inhabitants. Brody knew enough about webcam sites to know that this was very rarely the case. A whole new industry had popped up the day a redheaded American student called Jennifer Ringley chose to broadcast her day-to-day life over the Internet, clothed or naked. Fully aware that she was watched all the time, JenniCam had become an Internet phenomenon at much the same time that Big Brother was beginning to take off in the UK. Millions of voyeurs paid to watch and Ringley became very rich, spawning thousands of copycat sites. Brody couldn’t understand why anyone would want to watch someone else’s life like that, never mind allow it to be watched in the first place.

At first glance, SWY — the techie in Brody had automatically shortened SecretlyWatchingYou to a more usable acronym — seemed harmless enough. Brody was able to look at a few taster videos without registering any personal details. One of the teaser clips was of a girl taking a shower, with the camera directly above. Brody couldn’t see her face and the steam blocked out anything interesting. Another was of a man doing the washing up. His back was to the camera. There were five or six others. Big deal. It all seemed boringly innocuous. 

He clicked through to the registration pages. Eight US dollars a month or $66 for a year. And that was just for the ‘basic’ locations. There were newly added ‘premium’ locations available where users needed to pay more. The site was quite expensive. Who the hell would pay these rates? 

The fastest way for Brody to check out the website was to pretend to be a customer. He quickly registered with a brand new anonymous and untraceable email address. The default payment option was PayPal, which meant only needing to disclose his PayPal email address to the website. Although PayPal would never share those details with the website, it was traceable and so not something Brody wanted to use. However, there was one other payment method — bitcoin — and Brody was impressed to see it listed. It was a cyber-currency, which used a peer-to-peer network coupled with cryptography to control and secure the transactions. But most importantly, it was completely unregulated by any government. For Brody, bitcoin’s main benefit was that it was virtually untraceable, especially for smart people who masked their credentials when creating accounts. Brody always set up a new account for every job he took on, just to further confuse anyone who attempted a trace. 
