The Man on the Train: Caught with his phishing loot

How does it end for phishing attackers who get caught?

In a case that’s been working its way through the British courts since last September, the unusual answer is in the first-class carriage of a train travelling between Wales and London.

That’s where police apprehended Grant West, 25, as he logged into an Alpha Bay dark web account using a laptop belonging to his girlfriend that police had been tracking as it hopped across IP addresses.

Police needed to pounce there to catch the accused in the act – ‘hands on keyboard’, as it were. The arrest was even caught on the train’s CCTV.

The laptop was found to contain the financial data of 100,000 people, bulked by another 63,000 credit and debit card numbers later discovered on an SD card at West’s home.

The SD card also allegedly contained usernames and passwords connected to a string of phishing attacks carried out against the customers of 200 companies, including Apple, Uber, Sainsbury’s, Groupon, Nectar, Ladbrokes, Asda, Argos, AO.com, Coral Betting, the British Cardiovascular Society, and T-Mobile.

What finally led police to West was a hugely successful and prominent phishing campaign attack against customers of the Just Eat food delivery service from the summer of 2015.

This offered recipients a bogus £10 reward in return for filling in a customer satisfaction survey used to lure them to a phishing site which grabbed their account credentials.

It might sound like the sort of routine phishing attack that fills inboxes every day, but it worked well enough to compromise the personal details of 165,000 accounts over several months.

These were sold on the dark web as ‘fullz’, slang for a complete set of records that could be used to commit fraud.

It’s not clear how much customers lost but it reportedly cost Just Eat £200,000 ($271,000) despite its systems not being breached.

It got bad enough that during late 2015 some wondered aloud whether Just Eat had suffered a data breach.

The sale of credentials helped West amass Bitcoin worth £500,000 (now £1.5 million), which became the first ever virtual currency to be seized by London’s Metropolitan Police.

West has admitted 10 offences and will be sentenced on 27 May.

The case offers plenty to think about, including how easy phishing attacks are when criminals understand how to find their way around the dark web.

This allowed an individual to pull off a one-man crimewave based on knowledge and contacts rather than advanced hacking skills.

The ease with which money can be squirreled away in pseudonymous accounts holding Bitcoins that banks never see is another well-worn theme.

Police were keen to underline that Bitcoins and the dark web are far from impregnable. Said the Met’s DCS Michael Gallagher:

There was a myth that Bitcoin in particular, and crypto-currencies more generally, was anonymous and it was also a myth that people can operate with impunity on the dark web and remain anonymous.

While true, it still took a lot of effort investigating a single attack to catch West after a lot of damage had already been done.

One down, untold numbers of others left to find.