Join us to hear the story of Chirag Patel, a former Choice Hotels employee who socially engineered reward points and credit card numbers from several of their franchised hotels. This is eCrimeBytes.com S 2 Ep 8-1 – Socially Engineered Reward Points With Chirag Patel – Act 1: Drugs And Spyware.
Sources:
- https://www.justice.gov/usao-az/pr/hacker-sentenced-51-months-prison-stealing-customer-credit-card-numbers
- https://www.courtlistener.com/docket/63158296/united-states-v-patel/
- https://www.12news.com/article/news/crime/hacker-sentenced-stealing-hundreds-credit-card-numbers-arizona/75-81cac896-cb60-4923-83eb-d9af670475bd
Transcript:
00:00:10:00 – 00:00:39:07
Keith
Hey, welcome to eCrimeBytes Season two Episode eight. This is socially engineered reward points with Chirag Patel and there’s a couple of twists there. One is social engineering, which we talked about before, and it’s pretty interesting in this case. And we’re also talking about reward points, which is a new monetary unit that we haven’t really seen on our podcast yet, that hackers are going to use in order to make money.
00:00:39:10 – 00:00:42:17
Keith
And they use it in a few different ways. It’s pretty interesting. We’re going to walk you through them.
00:00:42:17 – 00:00:45:11
Keith
So the technology here is pretty simple.
00:00:45:11 – 00:00:53:24
Keith
One is social engineering, and that’s just humans tricking humans to do different things on computers. And that’s pretty much it.
00:00:53:27 – 00:01:04:24
Keith
The other is Keyloggers and Keyloggers is an application where you can put on your computer or you can put on your phone that its main purpose is just to record whatever human input comes into it.
00:01:04:24 – 00:01:14:27
Keith
For most of the time it doesn’t really matter, right? If I’m out there surfing cats and looking at cat pictures on you know, Google images is not a real big deal.
00:01:14:28 – 00:01:44:06
Keith
If somebody can see me doing that. But but if I were logging into a very highly secure, sensitive system like you’re going to see in this case and I type my username and then I type my password in between my cat picture browsing, that’s going to be saved by a keylogger. And that’s where a keylogger shines, is it saves information like that into a file where an attacker then can use that in order to impersonate you and go into the same accounts
00:01:44:06 – 00:01:59:01
Keith
you would. Here the crime. I guess we’re going to say plural crimes. There’s a lot of them. There’s conspiracy, there is wire fraud, there’s aggravated identity theft and computer fraud and it’s all done by this.
00:01:59:01 – 00:02:05:11
Keith
I’m going to say an insider. He wasn’t an insider always, but he was an insider at one point, meaning he worked at
00:02:05:11 – 00:02:07:26
Keith
the hotel called Choice Hotels.
00:02:07:26 – 00:02:33:01
Keith
They’re a chain. And his name was Chirag Patel. I told you that upfront. Now, the victim is that hotel company, Choice Hotels. If you’ve never heard of them, just real quick ten cent tour, they have thousands of hotels in more than 40 countries. So they’re not just your mom and pop hotel, they’re all over the place. You’ve probably either stayed in one or at least seen one when you’ve even just driven to work.
00:02:33:01 – 00:02:51:17
Keith
And I picked this case because I just thought the reward aspect of it was pretty interesting. We may see a few more of these down the line, but this is the first one I ran into in this case just interests me right off the bat. So I thought, Let’s make an episode on it. Now, this week’s episode, we’re going to have four acts for you.
00:02:51:19 – 00:02:59:29
Keith
The first one, which is today, Monday. Oh God, I love the name on this one. Act one is drugs and spyware.
00:02:59:29 – 00:03:15:27
Keith
Act two, which is going to be Tuesday. That’s the hack. And we’re going to talk about a little more in-depth about what he did in order to get the information that they try to monetize later Wednesday, which is Act three.
00:03:15:28 – 00:03:41:11
Keith
This is going to be spyware detected. It’s the point where the hotel company said, hey, we found something strange here. We think something strange is going on and it makes the days numbered for the criminals here. And then our last act at number four, we’ll bring you the arrest and sentencing. So with that, let’s go ahead and just jump in to act one, which is drugs and spyware.
00:03:41:13 – 00:04:02:03
Keith
And to do that, I’m going to introduce you to our star of this episode. His name is Chirag Patel. And like any great American, he like drugs and drugs aren’t free. They require money. So he went on a crime spree in order to make money for his drugs.
00:04:02:03 – 00:04:07:11
Keith
I also saw him claim that in addition to the drugs as being the reason why he did this
00:04:07:11 – 00:04:08:14
Keith
crime spree,
00:04:08:14 – 00:04:14:15
Keith
he also said that once he started it, he was quote unquote, pressured into continue doing it.
00:04:14:18 – 00:04:22:29
Keith
Now, there was no elaboration on what that means. Okay. So I had to kind of guess on what this could mean.
00:04:22:29 – 00:04:31:08
Keith
And I kind of thought maybe he’s saying the bad guys that he was working for basically said no or,
00:04:31:08 – 00:04:31:28
Keith
imagine like,
00:04:31:28 – 00:04:34:08
Keith
end of the day, Tony Soprano wants to retire. Right?
00:04:34:08 – 00:04:53:00
Keith
And then his criminal buddies were like, nope, nope, that’s not how it works. Once you’re in, you’re in for life, just like Tony Soprano. That’s kind of how I imagine it. But again, there was no elaboration. He just said he was pressured into continuing the scheme, so that’s why it went on for so long. So let’s specifically see what happened here.
00:04:53:00 – 00:05:08:08
Keith
So I’m going to give you a date. It’s June 22nd, 2018, and this is the date that Patel purchased this application called pcTattletale. And it’s all one word. It’s the brand name of this software program.
00:05:08:08 – 00:05:15:25
Keith
Now on this date, and we’re going to laugh. I don’t know. I think his email address is here Seth They’re pretty funny.
00:05:15:26 – 00:05:20:25
Seth
The email addresses are fantastic. The email address should have their own episode.
00:05:20:28 – 00:05:37:00
Keith
As and they just kind of ratchet up as they go further into them. So I’m just going to warn you with that. So we got our first email address here where pcTattletale is sending him a receipt when he bought it, and it’s called I Got Juice Man eight at Gmail that came and I was like.
00:05:37:05 – 00:05:41:23
Seth
Not seven, not nine, eight, eight.
00:05:41:23 – 00:06:02:18
Keith
So. PC Tattletale, if you can’t tell by the name of it, it’s software that when installed will do that key logging stuff that I told you about at the very beginning of this act which is it runs so that the user doesn’t know it’s running and then it records what the user is doing at the computer. So
00:06:02:18 – 00:06:07:12
Keith
in most circumstances, all you really care about are the key keys that are pressed.
00:06:07:12 – 00:06:27:27
Keith
So we call it keylogger. But some of these will even give you, you know, pictures of what the person sees at the time. You know, maybe snapshot it every couple of minutes or something along those lines. So even though we’re just talking about usernames and passwords in this episode, do know what we’re describing you here, there’s a lot more to this technology.
00:06:28:00 – 00:06:42:25
Keith
Now for our video viewers, I’m going to pop up a screen for you, which is just the website of PC Tattletale. All I did was Google it and I went to the website and I screen captured it. At the time I was researching this episode, which is within the last month.
00:06:42:25 – 00:06:45:29
Keith
So this is what they say about themselves.
00:06:45:29 – 00:06:49:15
Keith
They say we’re the number one employee in child monitoring software.
00:06:49:15 – 00:07:02:07
Keith
Protect your Business, a family monitor, social media, text messages, email, web browsing, video games and more. Catch this honest employee theft of leaking information. I’m sorry, I’ll say that again.
00:07:02:07 – 00:07:13:28
Keith
Catch this honest employee theft and leaking of information records Android and Windows 100% undetectable 60 day money back guarantee.
00:07:14:00 – 00:07:32:07
Keith
And if you’re wondering why I’m reading most of this is we do have audio only listeners that don’t see this picture. So this is what they say about themselves. This isn’t even what Keith and Seth say about them. They are basically like, when you put our software on here, we could see everything and we’re recording everything. That’s what that page is telling you.
00:07:32:09 – 00:07:39:19
Keith
Now, A couple months later, in August, there’s another purchase. Why don’t you tell us about that one Seth?
00:07:39:22 – 00:08:05:28
Seth
Sure. So in August, our hero, Chirag Patel, he purchased another monitoring software called Spyrix. So that was purchased and the ereceipt was sent to this one as the less awesome cptrance at Gmail. And that’s a similarly, it’s a key logging software that when installed records and logs all keystrokes to a designated application for remote viewing
00:08:06:22 – 00:08:29:13
Seth
We also learned from the court documents that later on back in December of 2018, so several months after an executable file for this virus software was saved to the Google drive associated with that email. So that was at a point where Chirag must have actually kind of staged to the actual Spyrix tool to be deployed at a later point.
00:08:29:13 – 00:08:47:08
Keith
So what I did is I pulled their website just like I pulled the other website. This had a lot more information on it. So I thought without prompting, you want to say, Seth, I put these pictures on here and even indicated that you should talk about them to see what you would say about them.
00:08:47:08 – 00:08:51:05
Keith
Because as you go further into the website, more interesting
00:08:51:05 – 00:08:54:19
Keith
content is given to you, in my opinion.
00:08:54:19 – 00:09:14:05
Seth
So yeah, and I mean, I just reading this in two different functionalities of Spyrix, it’s kind of scary. I worked very closely with privacy attorneys in my day job and, you know, we were very careful as to what we are allowed or not allowed to do. This would definitely not pass muster in many jurisdictions around the world.
00:09:14:13 – 00:09:33:17
Seth
So Spirit’s personal monitor will allow for invisible remote monitoring of user activities that include monitoring via secure web account, keylogger. So your keystroke logging things like Facebook or WhatsApp or Skype or email. And that’s interesting because specifically WhatsApp is supposed to be
00:09:33:17 – 00:09:39:11
Seth
ephemeral messaging, which means it’s by design supposed to be super secure. The message goes away right away.
00:09:39:11 – 00:10:07:16
Seth
But if you have keystroke logging, you get to see it. Screenshot capture. So somebody does something. You can actually get a screenshot of what they were literally seeing on this screen, live screen and webcam review, which is literally spying on that user’s activity via the built in webcam continuous screen and webcam recording. You can see what they’re doing over a period of time, literally see the screens face recognition, which has to violate several laws, right?
00:10:07:16 – 00:10:20:08
Seth
I mean, you didn’t give your permission to do that. Even if you work for a corporation. And don’t worry, it works for Mac as well, not just on Windows. So they even have a free version of it.
00:10:20:11 – 00:10:30:18
Keith
They do. And they even have like this enterprise employee monitoring version. So not even like the personal version. You got sort of this professional version.
00:10:30:18 – 00:10:56:28
Seth
Yeah. They even say you don’t even need an IT department or no server even to work on this, which is kind of weird. I guess they have some kind of sad situation here. They even have a tool for your Android phone. Notice they don’t have one for the Mac phones. That’s by design, I guess. You can’t really do without a mac, but you can look for SMS text messages, call detail, web activity, GPS, location, Skype, WhatsApp, Viber, which I’m not familiar with
00:10:56:28 – 00:11:02:20
Seth
Jones got a fill me in. Facebook, Snapchat, all features, all available.
00:11:02:23 – 00:11:25:16
Keith
So what I just showed you was kind of for our audio listeners, you can imagine your typical commercial website of buying software where it’s kind of very simplistic, flashy, just e-commerce ish looking. So then I scrolled down a little further and on the same exact website, it’s kind of like this just
00:11:25:16 – 00:11:27:25
Keith
almost going back to a different era.
00:11:27:27 – 00:11:44:25
Keith
And it starts out with like keyloggers in the law, Keyloggers and parental control Keyloggers that employees control and basically, you know, all these things are arguments and you know, keyloggers are completely illegal. If you have admin on the computer, you can capture all you want and so forth.
00:11:44:25 – 00:12:08:22
Keith
So, Seth, when I got to capturing all those pictures that I just showed you, which is like I’d say, the commercial side of the website where it was, hey, all these great features you get to buy and use on our spyware. But at the bottom it was almost like this website made a shift and it was just this black and white text, and I wouldn’t even call it the fine print because it wasn’t even that small.
00:12:08:22 – 00:12:20:00
Keith
It was it was big enough where I went, What is this? And I started reading it, but I screen captured it. And this is the point, Seth, where I’m kind of like from an attorney standpoint I thought was pretty interesting. Why don’t you tell us what you think of it?
00:12:20:00 – 00:12:45:15
Seth
You know, it’s an interesting thing that they set up. They talk about keyloggers and the law and they claim that key logging is completely legal. I would never use the word completely in any legal scenario because everyone knows in law, it depends. Most of you probably know that there are various privacy laws at the state level in the United States and this little one page here makes no distinction between federal and state law.
00:12:45:15 – 00:13:06:17
Seth
It says keylogger is a complete legal. And if you have admin privileges on a personal computer, you may install any software including keylogger. So yeah, you can put a key log on your own computer. That’s probably okay. I’d agree with that legally. Then they talk about keyloggers and parental control and they say actually using keyloggers and other monitoring software is unethical in most situations.
00:13:06:19 – 00:13:27:28
Seth
However, according to some random and safety net project, I don’t know what that is. It’s certainly not a law children or teenagers living with you don’t possess rights of privacy on a personal computer. I’m not sure that’s true. I think it would depend on the state. Parents who worry about their children’s activity on the Internet may legally monitor the PC.
00:13:28:01 – 00:13:49:03
Seth
That probably is true with some key caveats. Right? It’s got to be a kid, I think under the age of 18 or 17, depending on the state. I would guess I’m not an expert in this area, but that’s an overly broad statement. Now, the last one is really fascinating. It talks about key loggers and employee control. I’m going to read this because I deal with this kind of privacy and security balance all the time at work.
00:13:49:05 – 00:14:10:28
Seth
So it says nowadays many employers use special software to control their staff. By the way, that is really sketchy. I don’t know about how you’re controlling your staff. You can actually monitor and you can limit what staff can access with their computer. But I would have worded this differently. They did not hire an attorney or I guess a good one to write this. They next say
00:14:10:28 – 00:14:31:22
Seth
sometimes they inform their staff about it, but most often they don’t. So if you are a company and have any employees outside the U.S., you definitely have to have some kind of login page that explains your rights as an employer as to what you may or may not monitor. That’s default. So if you’re only talking about a US company, maybe it’s a very, very small company.
00:14:31:24 – 00:14:56:17
Seth
I guess it’s possible that they don’t have that level of information. Is it legal to have a key log in the us? Let’s just say this the traditional model that there’s no expectation of privacy in the workplace in the US is crumbling, in my opinion. You have several states, including California, used through their act and several other interestingly, red states have pretty aggressive privacy laws that do impact employers.
00:14:56:19 – 00:15:26:05
Seth
So I think this is an extremely questionable whether or not you can just start throwing keyloggers on a company’s machine that all on top of that, there are serious ethical and moral issues that most companies should or would take into account regarding key logging. Normally, there should be some kind of process to say if we do have a real risk and threat, we may want to engage key logging not as a default but when needed.
00:15:26:07 – 00:15:36:21
Seth
And it should be very, very clear as to how and when they do that. If you’re just throwing key logging onto your employees for monitoring, you might be violating, if not the law. Certainly the morals and ethics of the company.
00:15:36:21 – 00:16:00:05
Keith
So with that, we have set you up for Act two, which is coming tomorrow, the actual hack. So if there was anything in here that you liked, please do like and subscribe on whatever application you’re on, because we try to we try to blast this out there on every social media and YouTube and we have audio only folks as well.
00:16:00:08 – 00:16:14:21
Keith
And if you’re one of those and specifically if you’re on Apple Podcasts, if you could give us a five star review and just say anything nice in there or tell us what your favorite case is, we would totally appreciate that. That’s one of the main drivers of our audio only
00:16:14:21 – 00:16:25:28
Keith
ability to bring in new listeners and the other ones we have a little more control over like YouTube and so forth, but specifically Apple Podcasts, we could use that help.
00:16:26:01 – 00:16:50:04
Keith
And if you have, visit our website, go to eCrimeBytes dot com. And for audio listeners, it’s just e c r i m e b y as in yellow milk t e s dot com. And for video people just at the beginning and the end of this you will actually see it flashed on there in our logo with that sound. So that’s where you want to go.
00:16:50:06 – 00:16:56:14
Keith
And with that please come back and check our back to the hack because we’re going to be putting
00:16:56:14 – 00:17:10:13
Keith
the social engineering and some of this key logging technology that we’ve primed for you together to see what Chirag Patel did with the hotel he chose as a victim here.
00:17:10:13 – 00:17:14:00
Keith
So we’ll see you then. Thanks. Bye.
Leave a Reply