High-tech criminals target Seattle-area businesses

The first sign of trouble at the small Seattle software company where Alec Fishburne works came when several employees reported that their paychecks hadn’t shown up as usual via direct deposits at their banks.

Checking the payroll, the company accountant found that the routing numbers for the employees’ bank accounts had been changed. The money was being diverted to bank accounts in North Dakota, where it could be quickly loaded onto debit cards and withdrawn.

Another downtown company discovered that several employees had been given unauthorized raises and that their money was similarly redirected. Company accounts were being used on EBay and through false PayPal accounts to buy high-end automobile parts, Rolex watches and computer equipment.

Detectives were able to trace many transactions to Internet protocol addresses at more than nine homes around town and thought they had their culprits. But when they pounced, they found nonplussed citizens whose home computers had been, without their knowledge, drawn into elaborate networks of cyber-warfare.


On Wednesday, western Washington’s U.S. attorney, Jenny Durkan, announced the indictment of three men on charges of operating an extraordinary series of “wardriving” operations that targeted at least 53 businesses here. The losses are still being tallied but are expected to reach hundreds of thousands of dollars.

The federal charges come just days after Durkan disclosed that about $1,000 had been lifted from her own bank account in one of a series of ATM-skimming operations. Indictments in some of those cases were announced this week.

Federal authorities have been focusing on increasingly rampant fraud and identity thefts perpetrated by high-tech criminals around the country, including a well-known wardriving case in Boston in 2008 in which hackers lifted more than 45 million credit and debit card numbers from national retail outlets. But the new case in Seattle, authorities said, was stunning in its brashness and complexity.

The newly indicted men — called wardrivers because they allegedly drove the streets in a vehicle equipped with large antennas and high-tech laptops looking for available WiFi networks — are accused of combining garden-variety burglaries with highly complex cyber-infiltrations, often involving multiple layers of hijacking that disguised not only the identities of the hackers, but where they were working.


For weeks, police were questioning innocent home computer owners, and companies were anxiously suspecting their own employees.

“Not only were the locations being physically burglarized, but literally electronically burglarized,” assistant Seattle Police Chief Jim Pugel said.

At a news conference Wednesday, authorities demonstrated how antennas — one fashioned from an empty can of Pringles potato chips — were often paired with GPS devices and installed in cars that drove slowly down streets until they found an available WiFi signal. The accused perpetrators then mapped the location for later, or parked, penetrated the network and used it as a springboard to probe into other computer systems.

Fishburne’s company, located in a downtown high-rise and apparently penetrated electronically from another floor (“I guess you’d call it war hoteling,” he said), had protected its WiFi network with a security code, but the hackers were able to decrypt it.


“It was very disconcerting for a small company … for those of us who had been there for a long time to start to wonder whether there was some internal fraud of embezzlement happening,” Fishburne said.

At another small Seattle firm, hackers broke into the offices twice within a week, stole a laptop, and installed malware on the company’s computers to detect and transmit passwords.

The problem was discovered only when company President Jeff Eby found a computer printout about a month after the break-in showing that two names he’d never heard of had been added to his payroll.

“There was a lot of havoc for all of us,” he said.


In many cases — including one involving more than 50 workers at a company in Renton, Wash. — employees’ names, birth dates and Social Security numbers were lifted and used to open fraudulent credit card accounts or penetrate personal bank accounts.

The perpetrators took over email servers of some businesses, allowing them to eavesdrop as victims became suspicious and began communicating with the police, the indictment alleges. They remotely destroyed firewall logs that would have allowed the businesses to detect intrusions — and helped eliminate evidence in case they were caught.

“It’s enraging, because you think you have a [security] system that’s going to work. But these guys are really smart, and they’re ambitious, and that’s a tough combination,” said Mark Houtchens, chief executive of a company that lost at least $100,000 when hackers penetrated its accounts and diverted money onto debit cards.

Named in the indictment are Joshua Witt, 34, Brad Lowe, 36, and John Griffin, 36, all of Seattle. Two of the men have already entered not-guilty pleas in Seattle federal court. They face, if convicted, up to 15 years in prison and a $250,000 fine.


The case is the second major cyber-crimes case announced in Seattle this week. In the other, authorities announced that six suspects had been arrested and charged with installing “skimming” devices at automated teller machines — usually a data recorder and a tiny camera able to read PIN entries — to drain bank accounts and run up unauthorized credit card charges.

“The suspects arrested over the last few weeks account for more than a million dollars in losses to banks and consumers,” Durkan said. Total skimming operations in the U.S. now reach up to $1 billion a year, she said.

Durkan said about $1,000 was removed from own her bank account after she had used an ATM in a vestibule with a door lock that was not working.

“I knew better than most the means that these people would use to skim bank accounts, and I usually take great precautions when I use my ATM card,” said Durkan, who chairs the Justice Department’s cyber-crime and intellectual property working group.


“The door swipe [lock] was missing, which was unusual, and the door just pushed open. I usually jiggle the slot and look for cameras, but I was in a hurry and I just put my card in, got my money and left,” she said. The money, she said, was gone “within hours.”