Israeli 'Trojan horse couple' jailed over Trojan horse Scandal 27/3/06



December 4, 2005


Gone Spear-Phishin'



ABOUT a year and a half ago, Amnon Jackont, an Israeli mystery novelist and Tel Aviv University history professor, became ensnared in a mystery of his very own: friends and students were receiving e-mail messages from him that he had never written. A few months later, unpublished paragraphs and chapters from a book he was writing were plucked from his computer and began appearing on Israeli Web sites.


Mr. Jackont took his computer to the Israeli police last fall and was told to reformat it. But his problems persisted. So the police examined his computer more closely and discovered that a malicious program known as a Trojan horse lay hidden deep inside and had hijacked the machine from a remote location.

"When they followed the link they found a lot of goodies, but they wouldn't tell me anything," Mr. Jackont said. "All they told me was that they found something big, something that was bigger than just me being harassed."

In May, Israeli investigators opened their bag of goodies, disclosing that the Trojan horse on Mr. Jackont's computer had also galloped onto the networks of about 60 other Israeli companies, unleashing the biggest corporate espionage scandal in Israeli history. Prosecutors indicted members of three of the country's largest private investigation firms on criminal fraud charges in July. And some of Israel's most prestigious corporations are now under investigation for possibly stealing information from companies in such assorted fields as military contracting, telephony, cable television, finance, automobile and cigarette importing, journalism and high technology.


While the Israeli victims were diverse, they shared one thing in common: the Trojan horses that penetrated their computers came packaged inside a compact disc or an e-mail message that appeared to be from an institution or a person that the victims thought they knew very well. Once the program was installed, it whirred along surreptitiously, logging keystrokes or collecting sensitive documents and passwords before transmitting the information elsewhere.


"It's like the Yom Kippur War or Pearl Harbor in the Israeli business market because of the great surprise the victims had when the problem was exposed," said Haim Wismonsky, a senior prosecutor in the Tel Aviv district attorney's office who is overseeing the investigation. "It's O.K. to get information about competitors from the Internet or from former employees, but using Trojan horses is an entirely other matter."


PEOPLE in many other countries, including the United States, have reason to feel queasy as well, say Internet security specialists and government agencies that monitor cyberfraud. Over the last few years, enticing offers wearing the friendly guise of e-mail solicitations have been at the center of well-publicized frauds known as "phishing," in which con artists troll online for valuable personal and financial information. In September, the Anti-Phishing Working Group, a coalition of corporate and law enforcement groups that track identity theft and other online crimes, said it had received more than 13,000 unique reports of phishing schemes in that month alone, up from nearly 7,000 in the month of October last year.


More recently, however, a hybrid form of phishing, dubbed "spear-phishing," has emerged and raised alarms among the digital world's watchdogs. Spear-phishing is a distilled and potentially more potent version of phishing. That's because those behind the schemes bait their hooks for specific victims instead of casting a broad, ill-defined net across cyberspace hoping to catch throngs of unknown victims.


Spear-phishing, say security specialists, is much harder to detect than phishing. Bogus e-mail messages and Web sites not only look like near perfect replicas of communiqués from e-commerce companies like eBay or its PayPal service, banks or even a victim's employer, but are also targeted at people known to have an established relationship with the sender being mimicked.

And spear-phishing is usually not the plaything of random hackers; it is more likely, analysts say, to be linked to sophisticated groups out for financial gain, trade secrets or military information. While hard data about spear-phishing incidents is hard to come by and some security vendors may have a vested interest in hyping potential threats, veteran security analysts describe spear-phishing as one of the more insidious cybercrimes they have encountered and one that has been underpublicized because victims are hesitant to come forward.


"The real challenge of spear-phishing is that it's embarrassing, like head lice," said Alan Paller, research director at the SANS Institute, a group that trains and certifies computer security professionals. "Nobody wants to talk about it and say, 'Look, we're being hurt.' There's never been a better attack method than spear-phishing."


Last spring, staff, faculty and students at the University of Kentucky opened e-mail messages purporting to be from the university's credit union and requesting confidential information to access their accounts (something no financial institution in the country ever seeks via e-mail). University officials snuffed out the scheme, which made use of a computer server based in South Korea, after some recipients realized they had been duped and called the university to complain.


In June, the National Infrastructure Security Coordination Centre, a government agency that monitors computer security in the United Kingdom, took the unusual step of publicly warning about a spear-phishing campaign of "targeted Trojan e-mail attacks" aimed at industrial and government computer networks. The warning noted that the e-mail messages appeared to come from a trusted sender, that antivirus software and firewalls didn't protect recipients, and that, in fact, there was no way to completely protect any computer connected to the Internet from the Trojan attacks once recipients opened a bogus e-mail message.


"Files used by the attackers are often publicly available on the Web or have been sent to distribution lists," the warning said. "The attackers are able to receive, trojanise and resend a document within 120 minutes of its release, indicating a high level of sophistication."


About two weeks ago, a more traditional phishing scam infected about 30,000 individual computers worldwide, according to CipherTrust, a computer security firm. Consisting of what CipherTrust said was about 50 million e-mail messages that a German hacker deployed simultaneously, the communiqués purported to come from the Federal Bureau of Investigation, the Central Intelligence Agency and a German intelligence agency and tried to convince recipients to provide personal information and open a file containing a virus. The F.B.I. issued a warning about the scheme and a spokeswoman said that thousands of people swamped the agency with phone calls inquiring about it. The F.B.I. is investigating the matter and declined further comment; a CipherTrust analyst said the phisher's motive remained unclear.


Analysts caution that, despite stepped-up attacks, there is no indication that phishers of any stripe are siphoning torrents of cash out of bank accounts or foraging willy-nilly in any hard drive they choose. But they do note that at the very least the attacks show the vulnerability of sensitive data stored on computer networks, undermine consumer confidence in Web-based transactions, and uproot faith in e-mail, a backbone of electronic commerce and digital communication.


"The problem is not a loss of money or credit, it's a loss of trust," said David Perry, director of global education at Trend Micro Inc., an Internet security firm. "If you open up e-mails and 8 out of 10 of them are from people selling prescription drugs or Nigerian banking scams, then you lose trust and e-mails become the criminals."


At least one veteran fraud investigator in Israel said he wasn't shocked by revelations of widespread spear-phishing and the corporate espionage scandal last spring. "This case is not unconventional," said Boaz Guttman, a lawyer and former head of the cybercrimes unit for the Israeli national police. "Most of the crimes are not reported. The police here and in the United States only know about 5 percent of the cases. Hackers don't take a break, not one minute.


"Everybody is spying against everybody in Israel," added Mr. Guttman, who said he was representing one of the suspects in the Trojan horse investigation but was not authorized to reveal his client's identity. "You cannot be surprised by this because this is the way of life for companies today."


Others, however, had a less subdued reaction to the realities of the investigation when its scale and sprawl first became clear in the spring. "There it was," Mr. Jackont recalled, "we were all in the middle of a hurricane."


The hurricane that enveloped Mr. Jackont probably began spinning, Israeli investigators told him, when an e-mail message arrived that appeared to come from a student asking him to review an essay, or from another e-mail address that looked familiar. (Because Mr. Jackont had his computer swept clean in his unsuccessful early effort to oust the digital hijacker, all records of the initial intrusion disappeared.)


By November of last year, as investigators scrutinized Mr. Jackont's computer woes more closely, his stepdaughter, Natalya Wieseltier, stepped forward with a key bit of evidence. According to records of the Israeli investigation, Ms. Wieseltier told authorities that she received a Trojan-infested e-mail message bearing the address of, which she believed came from a friend.


But her friend's e-mail was actually As Israeli investigators traced the origin of the bogus account they discovered that the person who had opened it lived in London and had charged the cost of the account to his American Express card. The name on the card was Michael Haephrati - Ms. Wieseltier's former husband.


Israeli authorities then deployed their own computer snoop, which analyzed packets of information as the Trojan filched them from Ms. Wieseltier's computer. The files ended up on a computer server in the United States and the server's contents startled investigators, according to records of the investigation. Among the personal documents and screenshots of Ms. Wieseltier's family were hundreds of records from Israeli companies as well as classified military documents. Investigators soon uncovered four more servers, two in America and two in Israel, that also housed stolen information.


As the trail became clearer, authorities learned that at least 15 senior members of three of Israel's largest private investigative agencies were involved in a scheme in which dozens of companies received a compact disc or an e-mail message offering a business opportunity. The offer required them to respond to

investigation, was impervious to antivirus and anti-Trojan software.


Investigators say Mr. Haephrati designed and transmitted the Trojan responsible for pickpocketing Mr. Jackont and Ms. Wieseltier's computers. And while his methods were modern, Mr. Jackont said, his motive was ancient: his divorce from Ms. Wieseltier was messy, and he resented the family. Mr. Haephrati's reason for working with private investigators, said Mr. Wismonsky, the Israeli prosecutor, was pecuniary; private eyes paid him about $3,500 for each installation of his spyware and about $900 a month per Trojan after that to monitor information the spyware collected.


Israeli investigators have unearthed e-mail messages indicating that Mr. Haephrati interacted with a number of companies and governments in countries besides Israel; Mr. Wismonsky said e-mail messages suggest that Mr. Haephrati once apparently tried to sell his spyware to the Norwegian government.


BRITISH authorities arrested Mr. Haephrati, 41, and his new wife, Ruth, 28, last summer on computer fraud charges, but the authorities there did not respond to interview requests. The Haephratis, currently detained in separate British prisons, were unavailable for comment and Israeli prosecutors are awaiting the couple's transfer to Israel. Mr. Wismonsky said corporate victims ranged from HOT, a major Israeli cable television concern, to I.M.C., an Israeli high-tech company that supplies the military.


Among the Israeli corporations on the receiving end of stolen information, said Mr. Wismonsky, were two telecommunications affiliates of Bezeq, the country's largest telephone company. The Israeli government held a controlling interest in Bezeq until it sold most of its stake to private investors, including Los Angeles media mogul Haim Saban, shortly before the Trojan horse scandal became public. A lawyer representing Bezeq and the two affiliates, YES and Pele-Phone, declined to comment on the investigation; Mr. Wismonsky said that Bezeq itself appeared to have been a victim, not a recipient, of stolen information.


Mr. Wismonsky's office has indicted members of the three detective agencies involved in the scandal on computer fraud charges. The firms - Modi'in Ezrahi, Zvi Krochmal Investigations and Pilosoph-Baleli - or their lawyers declined to comment or did not respond to interview requests. As of yet, said Mr. Wismonsky, no Israeli corporations have been indicted for receiving information because no evidence has surfaced indicating that the companies had knowledge that the data was stolen.


"The main problem we have is to match the firms that ordered computer espionage with the companies that were victims," Mr. Wismonsky said. "We have to see if the private investigators have records in their offices that show who ordered the spying."


While reputable firms and businesspeople worldwide rarely admit to enlisting the services of private investigators, it is a routine fact of life in some business quarters.


"The thinking in Israel is that if a company gets away with stealing information, they're heroes, and if they get caught, they're stupid," said Ben Gilad, an Israeli-born business consultant who works in the United States. "You can always hire someone from outside the company to get the information for you, and if they get caught you can deny any knowledge."


For his part, Mr. Wismonsky said that so far he had encountered many denials. "The president of every company said they didn't know at all that they were receiving stolen information," he said. "These are people whose jobs are to know what is going on in the market."


Elsewhere in the world, authorities advise a dose of common sense for individuals who want to protect themselves from spear-phishers, plain vanilla phishers and other online predators. "We have yet to meet a bank or any financial institution that contacts their customers via e-mail to alert them to problems with their credit cards or accounts," said Thomas X. Grasso, a special agent with the F.B.I. who specializes in investigating cybercrimes. "Armed with that knowledge, consumers should look on any e-mails like that suspiciously."


Some computer security specialists suggest at least one basic approach that might allow e-mail recipients to learn right away that a communiqué appearing to come from a company like actually originated somewhere in the Ukraine, Romania, Bulgaria, Poland, Russia or any of the other places that law enforcement officials say are hot spots for phishing scams. "It strikes me that this is just a failure of most e-mail systems to reveal the history of an e-mail," said Whitfield Diffie, a pioneer in computer cryptography who is the chief security officer of Sun Microsystems. "You could post a warning flag indicating that the 'from' address doesn't seem consistent with the path history."


Still, spear-phishers and other cyberstalkers have well-earned reputations for their ability to morph, molt and develop new modes of attack. Analysts say that attackers have moved on from trying to infiltrate computer operating systems and now appear to favor piggybacking spyware on external applications and network routers. The low cost of doing business is also attractive to spear-phishers.


According to CipherTrust, a spear-phisher can rent a server for about $300 month after paying a $100 setup fee; install spam-sending software on the server for about $1,200 a month; and get spam-sending proxies, a database of e-mail addresses, and other necessary add-ons for another $1,900 a month. How much phishers make depends on how many victims they hook, but the relatively small expense means the work can be lucrative. According to a research report issued in June by Gartner Inc., a consulting firm, about 2.4 million Americans reported losing about $929 million to phishing schemes during the previous year.


The Gartner report noted that although some analysts thought that phishing attacks were a fad that peaked in 2004, reports of such schemes have continued to grow at double-digit rates. According to the report, for the year ending in May about 73 million American adults who use the Internet believed that they received an average of more than 50 phishing e-mails during the prior 12 months. And that, of course, is just what Internet users actually know might be happening.


"Phishing is really transforming into more desktop-based attacks that are not visible to users, and there are so many different varieties that I'm not sure there's anything the average user can do to stop them," said Avivah Litan, a Gartner research director who wrote the June report. "Having said that, I don't think there's a crisis in our country in terms of money being drained out of bank accounts. It's all sporadic."


Sporadic or not, information theft has skyrocketed, Ms. Litan said, and banks have been under siege by hackers. Phishers prize checking-account numbers as well as credit card and A.T.M. card numbers, which they can copy onto bogus cards.

Ms. Litan said many banks had had security gaps in the software used to analyze magnetic stripe coding on the back of A.T.M. cards, and these gaps had allowed card hijackers to use bogus copies. American regulators, concerned about online vulnerabilities at the country's banks, have sharply tightened security requirements at financial institutions.


Meanwhile, spear-phishers remain on the prowl, pinpointing victims in a way that phishers never did. "Widespread phishing and spear-phishing are going to merge so that company logos can be snatched from Web sites to build customized databases of corporate logos," said Johannes B. Ullrich, who monitors and responds to emerging digital attacks at the SANS Institute's Internet Storm Center. "The main goal of all hacking attacks is automation, basically trying to have the biggest effect with the least amount of work. So I think it will go that way and it will be harder and harder for people to detect."


All of this provides cold comfort to victims like the mystery writer, Mr. Jackont, who said he was still reeling from his encounter with a Trojan horse in Israel.


"I must tell you that I still have a reflex of uneasiness when I get onto the Internet - I feel a trauma," he said. "People don't like it when I say this, but it's like being raped. It's like my underwear was spread all over the streets. It was a severe breach of privacy."


Copyright 2005 The New York Times Company All rights reserved.


Israel Holds Couple in Corporate Espionage Case -



Michael Haephrati (4Law Photo/Motti Kimchi)



Ruth Haephrati (4Law Photo/Motti Kimchi)



4Law Special Documents  - Hebrew


Tel Aviv District Court Document - March 2006


State of Israel v. Michael and Ruth Haephrati - Verdict


Tel Aviv District Attorney's Office Documents - March 2006


State of Israel v. Michael and Ruth Haephrati - Indictment


State of Israel v. Haephrati`s Request for their Arrest


State of Israel v. Haephrati`s Request for their Computers


State of Israel v. Haephrati`s Request to ban leak of secrets



Trojan : Israelis Nab 16 in Computer Espionage Case - 5/05




Suspect :IDF MP Investigation Chief Ex Col. Zvi Krochmal        


4Law Exclusive Document  - Hebrew


Israeli Police Cyber Crime Team Affidavit - Arrest of 16 Trojan Suspects



How This Trojan Horse Looks & Works in this Case



4Law Exclusive Presentation