When the FBI needed help shutting down an international cybercrime ring, agents came to UAB. The bureau’s Operation Ghost Click was on the trail of a group of foreign nationals that gained millions through a massive spam campaign. When an unsuspecting user clicked on a virus-laden e-mail, the criminals were able to hijack Internet searches and route the user’s computer directly to certain Web sites and advertisements. Eventually, hundreds of millions of computers were infected.Investigators from the FBI and NASA’s Office of Inspector General worked with UAB researchers and students to identify the latest threats from the 1 million messages per day streaming into the UAB Spam Data Mine.A Q&A with Gary Warner
Read more “Our team can help law enforcement quickly track down and successfully prosecute cybercriminals anywhere in the world because we can identify related spam almost instantaneously,” says Warner, director of research in computer forensics at UAB. Warner is also part of UAB’s Center for Information Assurance and Joint Forensics Research, which brings together experts in data mining, identity theft, justice sciences, and computer intrusion. “Our team has taken the lead in helping law enforcement eradicate cybercrime by making it near impossible for online criminals to hide,” says Anthony Skjellum, Ph.D., founding director of the center and chair of UAB’s Department of Computer and Information Sciences.

Wild animals run amok in the mega-popular Facebook game known as “Farmville,” but for more than three years, Facebook users ran the risk of encountering a far more dangerous enemy on the site: a rogue worm called Koobface. Hidden behind seemingly innocent links (“Hey man, check out this video!”), the virus infected hundreds of thousands of computers, forcing users to watch ads and visit commercial Web sites—a scheme that earned millions in revenue for the criminals.In March 2011, however, Facebook’s security team located and terminated the criminal-controlled “mothership” computer directing this army of infected machines. The coup was made possible in part by UAB’s Gary Warner and graduate student Brian Tanner. In January 2012, the site’s security team thanked Warner and Tanner by name for their help in stopping the menace.“Brian had been investigating Koobface since 2008,” Warner says. “Several times, his work made the criminals change what they were doing. One time, he determined a way to cause Koobface to dump out a list of all the user passwords that it had, and then we contacted Google and Yahoo and Facebook and had them change all those passwords. In one day, the criminals lost 100,000 users.”Learn more about Brian Tanner in this Q&A.

Last year, UAB officially launched a master’s degree program in computer forensics and security management. It is the only graduate program of its kind, says Warner, who notes that dozens of companies routinely contact him looking to hire his graduates.“Our computer science program is for people who have really strong math and programming skills and are really serious developers,” says Warner. “There is a lot more investigation and analysis training in the master’s in computer forensics. You do have to be able to program, but not at the same level that a computer science master’s student would. If your goal is to be a cybercrime investigator, this is the graduate program for you.”

UAB’s PhishIntel database is a unique catalog of the worst of cybercrime and cybercriminals. Built on top of the billion-message-strong UAB Spam Data Mine, PhishIntel offers investigators from federal agencies, state and local law enforcement, and private businesses a way to find their man in cyberspace. By connecting the dots between the seemingly random acts of crime around the Internet, PhishIntel can separate the major players from the small fry, giving overworked investigators a roadmap on where to focus their scarce resources. Word is getting around: Users at major banks and federal agencies now log on to the site multiple times per day.“Banks have now become very responsive to phishing attacks,” says Warner. “Within a few hours of the start of a crime, we can stop it. But that same day, the criminals will make another fake site—or several more. What we need to do is track down the criminals responsible for creating all those sites and put them in jail. With PhishIntel, law enforcement can find the evidence they need to do that.” Watch Gary Warner explain UAB PhishIntel in this video.

Learn more from current and former students in UAB's computer forensics program:
• Sarah Turner, master's student, who reports on trending malware attacking U.S. firms
• Brian Tanner, 2011 master’s graduate, now working as an analyst at Sentar, a computer security firm
• Josh Larkins, 2011 master's graduate, now working at a major U.S. bank