Digital Crimes Unit uses Microsoft data analytics stack to catch cybercriminals
Digital Crimes Unit uses Microsoft data analytics stack to catch cybercriminals
The Microsoft Digital Crimes Unit consistently leverages the latest in analytics technology, relying on some of the brightest employees, some of the smartest scientists, and certainly some of the company’s best partners in law enforcement, to disrupt and dismantle devious cybercriminals. Learn how Microsoft used some of our best technology to uncover the behavior of one cybercriminal ring, and how the Digital Crimes Unit worked in partnership with Microsoft IT and federal law enforcement, to shut down one of the nation’s most prolific cybercrime operations.
It’s not hard to find a good deal on the Internet, but this deal looked a little too good. Kelly Reynolds, a small-time operator in Des Moines, Iowa, was offering Windows software online at prices that were a small fraction of retail. In November 2013, an agent from the US Department of Homeland Security purchased a copy of the software, including a product key to activate and use it, and sent the key to Microsoft, along with a question: Was the product key legitimate or stolen?
They say timing is everything in life. In this case, it was true. Had the question been asked just a few years earlier, Microsoft probably would have passed it on to its Product ID Center, which would have checked the product key number against a database and identified it as a real number that hadn’t yet been activated. Microsoft probably would have answered that, as far as it could tell, the key was legitimate and unused. No flags would have been raised. And that might have been the end of the investigation.
Instead, it was only the start. That’s because Microsoft had already brought together leading data scientists, forensics specialists, and former law-enforcement officers; equipped them with the company’s own advanced
data-mining and analysis tools; installed them in the Digital Crimes Unit (DCU) of the newly created Cybercrime Center located on the Redmond, Washington, campus; and tasked these individuals to fight cybercrime worldwide.
Thanks to the involvement of the DCU, the inquiry about the suspect product key in Des Moines resulted in the identification of tens of thousands of stolen product keys, the disruption of a multimillion dollar criminal operation, and the generation of leads that are now helping to identify half a dozen more criminal enterprises. (Some names and locations have been changed due to ongoing investigations.)
This is a story of collaboration—starting with a team of Microsoft analysts who worked closely with law-enforcement agents in a public-private partnership at every stage of the investigation, from their earliest suspicions to the early-morning SWAT-team raid that busted the Des Moines operation.
Another partnership was equally crucial to the success of the case, this one a partnership wholly within Microsoft itself. It was an example of a model that sees business units—in this case, the DCU—working in collaboration with Microsoft IT, with each party playing to its distinctive strengths. Microsoft IT took the lead in providing and supporting the technology infrastructure on which the data analysis was based, and the DCU led in creating the data sets and models that would yield the most effective solutions. It’s a marked evolution from the traditional way that IT has been handled in most companies, with a centralized IT organization providing infrastructure and the business solutions that run on that infrastructure.
Here, Microsoft IT gathered and integrated data from 20 databases throughout the company, established a highly automated and efficient means of updating the system, and managed it on a 24 x 7 basis for optimal accuracy and availability. But it was the data scientists in the DCU who best understood the data and invented highly innovative ways to use it.
Yet another piece to the story is the collection of technologies for mining and analyzing big data that the investigators used to uncover the scope of the global conspiracy from a single set of numbers. It’s a collection of technologies that is proving increasingly useful not only to Microsoft but also to other corporations. And not only in the fight against cybercrime, but also in making sense of big data and propelling better, data-driven decisions in fields as diverse as physical sciences and financial services.
Those technologies include some of the newest Microsoft big data mining and analysis tools, including an Analytics Platform System to manage the massive volume of data; Azure HDInsight for big-data analysis; Azure Machine Learning for predictive analysis; and Power BI and Power Maps to give the Microsoft analysts a highly visual and easy-to-use tool to gain insights from the data.
When law enforcement asked about the Des Moines product key, the Microsoft DCU investigators were ready. They checked it against the 650 million product keys and 7 billion rows of data—growing at a rate of 4 million rows a day—in its product key activation database. No one had previously attempted to activate the key—a good sign. But then the key turned up in a Microsoft database of known stolen keys. It was one of more than 300,000 keys stolen from a Microsoft-contracted facility in the Philippines and resold and distributed by another rogue operator in China. That didn’t mean that Reynolds, in Des Moines, knew the key was stolen nor that he had any other stolen keys—but it was enough to raise suspicion.
It was enough for law enforcement to search his curbside trash and discover records of another 30,000 product keys, which also turned up in the stolen-key database. Now, Microsoft and law enforcement had enough to act—but they wanted more. Analyzing a database of PCs with stolen software keys—a traditional way to look for patterns of fraud—turned up nothing suspicious about the Des Moines location. So how was an online seller in Des Moines connected to a stolen product-key ring halfway around the world? Both Microsoft and law enforcement wanted to know.
“We took datasets about product keys shipped worldwide and merged them with datasets about key activation—and we did it in ways we’d never tried to do before,” says Donal Keating, Senior Manager of Cyberforensics at the DCU. “That requires some heavy lifting to manage the data volumes, especially when you’re asking new questions and want the answers quickly. At a different moment in time, we wouldn’t have had these tools—and we wouldn’t have gotten our answers, certainly not as quickly and easily as we did. What happened in minutes might otherwise have taken days.”
When Keating and his team looked at the data in an untraditional way, the answers instantly became clear. Instead of focusing on the PCs on which product keys were activated, they decided to look only at the activations themselves—and then an IP address in Des Moines suddenly appeared as the most prominent site in the US (see map, below.). Law enforcement used the information to obtain warrants to connect the IP address to the location of the suspect activity.
More than 2,800 copies of Microsoft Office had been loaded and activated on just four computers there. “We don’t expect to see Microsoft Office loaded on a PC 700 times—let alone see it loaded 700 times onto each of four PCs,” says Keating, with some understatement. “We didn’t understand it, but it confirmed that whatever was going on in Des Moines wasn’t legitimate.”
When law enforcement entered and secured the house, they found plenty of evidence, including invoicing and purchasing records, and emails indicating the imminent delivery of another 300 stolen product keys.
The officers also found one of the PCs on which Reynolds had activated hundreds of stolen product keys. And from him, law enforcement got the answer to the mystery of why he had done so. Reynolds confessed that he had activated the keys—a bit less than 10 percent of his inventory—to test them, much as a drug dealer tests random samples of a new narcotics delivery to ensure its quality.
“That was a new insight into the behavior of the bad guys,” says Keating. “And it gave us a new pattern—the ‘test spike’ algorithm—to put into the big-data warehouse to help detect new cases.”
Already, leads and lessons from the Des Moines case have helped DCU identify other suspected stolen key operations at home and abroad. And Microsoft IT is helping the DCU make the data discoveries in this case a standard part of its cyberforensics toolkit for future investigations.
“The bad news is that cybercriminals have never been as brazen and as sophisticated as they are today. But there’s good news: our tools and technologies are better than ever, and that means we can do more to disrupt the cybercriminals. We leverage big data and technologies like Azure HD Insight, PowerBI, and PowerMaps to understand and glean behaviors on how they operate and anticipate their next moves. And we have deeper partnerships with industry, academic experts, and law enforcement, too—all of which helps us drive greater impact,” says David Finn, Executive Director & Associate General Counsel, Digital Crimes Unit.
Organizations realize a competitive edge when more employees are empowered with data. The unique approach that Microsoft has to data technology delivers this capability—whether through insights and analytics or with powerful reporting for line-of-business applications. In a world where business demands the speed to compete, Microsoft data solutions cut the time it takes to go from raw data to results for everyone.