UPDATE: Hacking (Not Fracking) Gives Oil Industry Website Developer Gas Pains

December 20, 2016

This is an UPDATE of "Hacking (Not Fracking) Gives Oil Industry Website Developer Gas Pains" (BrokeAndBroker.com Blog, April 4, 2016).

Nary a day goes by when we don't read about someone hacking into something. Frankly, we've grown a bit blasé about such things. A recent criminal Complaint, however, provides us with fascinating details about the detective work involved in uncovering clues and ferreting out the mastermind behind allegedly unauthorized online access. At issue is the creation of an oil and gas industry website and the sale of that site for $51 million. Then the same guy who created that first site builds another website eerily similar to the one that he had sold, and . . . well, here's where it gets interesting: The online entrepreneur attempts to sell the second site to the same folks who bought the first one from him. What makes that fact pattern illegal, you might ask. What's wrong with staying with a formula that already worked? Okay, maybe that's going to be the defendant's defense.

Case In Point

On March 30, 2016, the United States Attorney for the Southern District of New York ("SDNY") announced that it had unsealed a Complaint against David W. Kent, 40, Spring, TX, alleging one count of Conspiracy and one count of Wire Fraud. If convicted, Defendant Kent faces a maximum of 5 years in prison (Conspiracy) and 20 years in prison (Wire Fraud). United States of America v. David W. Kent, Defendant (Complaint, 16-MAG-1906, SDNY, March 23, 2016)

NOTE: A Complaint merely contains allegations and a defendant is presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.

What caught my eye about this Complaint was the interesting fact pattern - one which got me thinking about how to better protect clients who might find themselves exposed to the same possible crimes.

In the Beginning

Reduced to its basics, the Complaint alleges that in 2000, Kent founded a website, which, in part, offered oil and gas industry professionals the ability to post resumes and other personal/professional information in order to facilitate networking. After opening a website account, the member used a username and password to logon. Kent realized income from this website through the sale of advertising and fees from recruiters and employers who were looking for job applicants.

Payday

Apparently, Kent was on to something because by August 2010, a publicly-traded New York City-based company paid him $51 million for the website. The Complaint asserts that at the time of the sale, the member database was worth about $6 million. Thereafter, as more fully explained in the Complaint:

17. On or about August 9, 2010, DAVID W. KENT, the defendant, entered into an employment agreement with Company-1 (the "Employment Agreement"), agreeing to continue to serve as President of Website-1 after the acquisition. As part of the Employment Agreement, KENT agreed to not participate in any business that competes with Website-1 while employed by Company-1. KENT also agreed to refrain from competing with Company-1 if he left Company-1, until the expiration of the latter of three years after the signing of the Employment Agreement, or two years after leaving the employ of Company-1 (the "Non-Compete Period").

18. In or around September 2011, DAVID W. KENT, the defendant, left Website-1. In or about October 2013, shortly after the earliest possible expiration of the Non-Compete Period, DAVID W. KENT, the defendant, announced that he had founded Oilpro.com ("Oilpro"), which also provides networking service to professionals working in the oil and gas industry. Oilpro is headquartered in Houston, Texas.

Moving On

After about a year of service as President of the online business, Kent resigned in September 2011. Okay, so far, so good: Kent made a chunk of change, he served in an executive capacity during the first year of transition of his former website to new owners, and, for whatever reason, he moved on and founded a new biz. Maybe you caught the name of the new biz? Oilpro.com. Yeah, you're right, Kent launched another online networking venture servicing oil industry professionals.

Hacking

Starting around October 2013, Kent allegedly accessed his former website's member database without the authorization or permission of the new owners. According to the Complaint, once Kent gained access to the website database, he stole information, among which were the identities and profiles of some 700,000 customer accounts. On top of this digital breaking-and-entering, one of Kent's Oilpro employees (referenced in the Complaint as an unnamed co-conspirator), seems to have hacked into the old website's Google Analytics account and forwarded the data to Kent.

You Are Invited To Join

What did Kent do with the allegedly purloined information? The Complaint charges that he sent invitations to all the members of his former website to join Oilpro.com. Then there's another quirky twist: In April 2014, Kent contacted the Chief Executive Officer of the company that had purchased his former website and floated a story about how Oilpro had received an unsolicited offer of investment. Using that premise, Kent allegedly explained to the CEO that his "original mission" in setting up Oilpro was to build another site that the CEO's company might acquire.

Let's Make a Deal

After more than a year of communications about the possible sale of Oilpro to the company that had acquired the first website, Kent and the CEO, Chief Financial Officer, and General Counsel of the acquiring company teleconferenced to discuss the proposed acquisition of Oilpro. Kent represented that Oilpro had increased its membership through purportedly legal, standard marketing.

The Gumshoes At Work

One often wonders, when reading about such alleged fraud and hacking, how the purported bad guys got busted - how were they found out? In a rare instance, we sort of have the answer, even if only for this case. Paragraph 23 of the Complaint explains, in part, that:

a. On or about February 26, 2014, an individual who had created a member profile with Website-1 ("Member-1") contacted Website-1's customer support line. Member-1 stated, in sum and substance, that Member-1 had received an email solicitation from Oilpro to use Oilpro's services even though Member-1 had never provided any information in the past to Oilpro.

b. An internal review of Website-1's computer systems revealed no evidence that any employee of Oilpro had viewed Member-1's profile using an account created through Website-1.

c. To determine if the Members Database was being accessed improperly, employees of Company-1 created two fictitious member accounts and populated them with names and email addresses that were only available through Website-1's Members Database.

As further explained in the Complaint, on April 14, 2014, the fictitious member accounts received an email from an Oilpro employee soliciting a membership on Oilpro. In tracking down how the Oilpro employee obtained the contact information, it was discovered that on October 17, 2013, about 100,000 HTTP requests were submitted to the Member Database through the use of what was identified as a Get Resume Command, which was crafted to exploit a piece of source code unique to Website-1 and known only to a few individuals, including Kent. This was but the first round of identified hacking.
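For readers who want to apply the same approach to their own member databases, here is an added example (not taken from the Complaint or from Website-1's systems) that reviews web access logs for bulk profile retrieval and for any fetch of a seeded fictitious account. The log format, the `/resume/get?id=` path, the IP addresses, dates and member IDs are all constructed assumptions; the page does not give the real request format.

```python
import re
from collections import defaultdict

# Hypothetical resume-fetch request in common log format (assumed, not from the page).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"GET /resume/get\?id=(?P<member_id>\d+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def summarize(lines):
    """Map (client IP, day) -> set of member IDs successfully fetched."""
    fetched = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["status"] == "200":
            fetched[(m["ip"], m["day"])].add(int(m["member_id"]))
    return fetched

def flag_bulk_access(lines, canary_ids, max_distinct=50):
    """Flag clients that pulled more than max_distinct profiles in one day,
    or that fetched any canary (fictitious) member record at all."""
    findings = []
    for (ip, day), ids in sorted(summarize(lines).items()):
        touched = sorted(ids & canary_ids)
        if len(ids) > max_distinct or touched:
            findings.append({
                "ip": ip,
                "day": day,
                "distinct_profiles": len(ids),
                "canaries_touched": touched,
            })
    return findings

def build_sample_log():
    """Constructed sample: one client walking sequential IDs, one ordinary user."""
    fmt = '{ip} - - [10/Mar/2014:{t} +0000] "GET /resume/get?id={i} HTTP/1.1" 200 5120'
    lines = [fmt.format(ip="203.0.113.7", t="02:10:00", i=i) for i in range(1000, 1200)]
    lines += [fmt.format(ip="198.51.100.23", t="09:30:00", i=i) for i in (1003, 4711, 9001)]
    return lines

if __name__ == "__main__":
    # 1150 and 1151 stand in for the two fictitious member accounts.
    for finding in flag_bulk_access(build_sample_log(), canary_ids={1150, 1151}):
        print(finding)
```

The canary check fires even when volume stays under the threshold, which matters when retrieval is spread out over many days or many client addresses.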

Bill Singer's Comment

I urge you to read the Complaint for the detailed explanation about how the investigation proceeded. It's a fascinating bit of detective work and an eye-opener as to how clues are found and used. By way of spoiler alert, the trail that eventually led to Kent went from the HTTP requests to a computer's Internet Protocol address to a United Kingdom company that was in the business of hiding a user's actual IP address to one of Kent's social media accounts and to an email address of Kent's that was used to pay the United Kingdom firm.

READ the Complaint

UPDATE December 2016

On December 19, 2016, Kent pled guilty to one count of intentionally accessing a protected computer without authorization as charged in a Superseding Information. Kent faces a maximum penalty of five years in prison.