This TELECOM Digest special report is on the topic of the FBI
investigation of 'The Phonemasters', a recent group of hackerphreaks
who were investigated, arrested, put on trial and convicted. This will
be a permanent addition to the Telecom Archives in the
http://telecom-digest.org/archives/security-fraud area.
Subject: The Phonemasters
Date: Sun, 3 Oct 1999 19:25:36 -0700 (PDT)
From: tad@ssc.com (Tad Cook)
How an FBI Cybersleuth Busted a Hacker Ring
By JOHN SIMONS
Staff Reporter of THE WALL STREET JOURNAL
DALLAS -- In a federal courtroom here, Calvin Cantrell stands
silently, broad shoulders slouched. His lawyer reads from a short
letter he has written:
"My parents taught me good ethics, but I have departed from some of
these, lost my way sometimes," the letter states. "I was 25 and living
at home. No job, and no future. All I ever really wanted was to
work with computers."
Mr. Cantrell certainly did work with computers -- both his own, and,
surreptitiously, those of some of the largest companies in the
world. He was part of a ring of hackers that pleaded guilty here to
the most extensive illegal breach of the nation's telecommunications
infrastructure in high-tech history.
And sitting behind him in court as he was sentenced two weeks ago was
the accountant-turned-detective who caught him: Michael Morris. A
decade earlier, Mr. Morris, bored with accounting work, left a $96,000
job at Price Waterhouse and enrolled in the FBI academy, at $24,500 a
year. Mr. Cantrell's sentencing was the final act in a five-year drama
for Mr. Morris, and secured his reputation as the FBI's leading
computer gumshoe.
The tale of Mr. Morris and Mr. Cantrell is among the first cops-and-
robber stories of the New Economy, involving, among other things, the
first-ever use of an FBI "data tap." It illustrates how the nation's
law-enforcement agencies are scrambling to reinvent their profession
in a frantic effort to keep pace with brilliant and restless young
hackers.
The story also shows that hacking's potential harm is far more ominous
than theft of telephone credit-card numbers. Mr. Cantrell was part of
an eleven-member group dubbed "The Phonemasters" by the FBI. They were
all technically adept twenty-somethings expert at manipulating
computers that route telephone calls.
The hackers had gained access to telephone networks of companies
including AT&T Corp., British Telecommunications Inc., GTE Corp., MCI
WorldCom (then MCI Communications Corp.), Southwestern Bell, and
Sprint Corp. They broke into credit-reporting databases belonging to
Equifax Inc. and TRW Inc. They entered Nexis/Lexis databases and
systems of Dun & Bradstreet, court records show.
The breadth of their monkey-wrenching was staggering; at various
times, they could eavesdrop on phone calls, compromise secure
databases, and redirect communications at will. They had access to
portions of the national power grid, air-traffic-control systems and
had hacked their way into a digital cache of unpublished telephone
numbers at the White House. The FBI alleges, in evidence filed in
U.S. District Court for the Northern District of Texas, that the
Phonemasters had even conspired to break into the FBI's own National
Crime Information Center.
Unlike less-polished hackers, they often worked in stealth, and
avoided bragging about their exploits. Their ultimate goal was not
just fun, but profit. Some of the young men, says the FBI, were in the
business of selling the credit reports, criminal records, and other
data they pilfered from databases. Their customers included private
investigators, so-called information brokers and -- by way of
middlemen -- the Sicilian Mafia. According to FBI estimates, the gang
accounted for about $1.85 million in business losses.
"They could have -- temporarily at least -- crippled the national
phone network. What scares me the most is that these guys, if they had
had a handler, whether criminal or state-sponsored, could have done a
lot of damage," says Mr. Morris. "They must have felt like cyber-gods."
With the exception of Mr. Cantrell, none of the defendants in the
Phonemasters case would comment on the matter. Others are thought to
remain at large. This is the story of Mr. Cantrell and two accomplices,
largely put together from federal district court records and FBI interviews.
Mr. Morris first learned of the group in August 1994, when he got a
phone call from a Dallas private investigator, saying Mr. Cantrell had
offered to sell him personal data on anyone he wished. He even offered
a price list: personal credit reports were $75; state motor-vehicle
records, $25; records from the FBI's Crime Information Center, $100.
On the menu for $500: the address or phone number of any "celebrity/
important person."
Mr. Morris immediately opened an investigation. Only 33 years old at
the time, he had taken an annual pay cut to join the FBI just five
years earlier. He had been a tax consultant at Price Waterhouse, and
despised the work. "I was young and making the big bucks, but every
morning I would think 'God, I don't want to go to work.' "
Tall, square-jawed and mustachioed, Mr. Morris began working white-collar
crimes when he arrived at the Dallas FBI field office. He took on a
few hacker cases and realized he liked the challenge. "These guys are
not the kind who'll rob the convenience store then stare right into
the security camera," he says. "Trying to be the Sherlock Holmes of
the Internet is hard when the fingerprints on the window can be so
easily erased."
Mr. Morris convinced the private investigator to meet with Mr. Cantrell
while wearing an audio taping device. After reviewing the tapes, he
was certain that he was onto something big. He applied for and received
court authority to place a digital number recorder on Mr. Cantrell's
phone lines, which would log numbers of all outgoing calls. It showed
that Mr. Cantrell frequently dialed corporate telephone numbers for
AT&T, GTE, MCI, Southwestern Bell and Sprint. Mr. Cantrell had also
placed calls to two unlisted numbers at the White House, which further
piqued Mr. Morris's interest.
So, late that summer, Mr. Morris took an unprecedented step. He began
writing a 40-page letter to the FBI's Washington headquarters, the
Department of Justice and the federal district court in Dallas. Recording
Mr. Cantrell -- now his central suspect -- while on the phone wasn't
sufficient for the job that faced him, he believed. Instead, he needed
new federal powers. He asked for Washington's permission to intercept
the impulses that traveled along Mr. Cantrell's phone line as he was
using his computer and modem.
"It's one of the hardest techniques to get approved, partly because it's
so intrusive," says Mr. Morris, who spent the next month or so consult-
ing with federal authorities. "The public citizen in me appreciates
that," he says. Still, the long wait was frustrating. "It took a lot
of educating federal attorneys," he says.
Once authorities said yes, Mr. Morris faced another obstacle: The
equipment he needed didn't exist within the FBI. Federal investigators
had experimented with a so-called data-intercept device only once
before in a New York hacker case a year earlier. It had failed miserably.
Mr. Morris and technicians at the FBI's engineering lab in Quantico,
Va., worked together to draft the specifications for the device Mr.
Morris wanted. It would need to do the reverse of what a computer's
modem does. A modem takes digital data from a computer and translates
it to analog signals that can be sent via phone lines. Mr. Morris's
device would intercept the analog signals on Mr. Cantrell's phone line
and convert those impulses back to digital signals so the FBI's
computers could capture and record each of a suspect's keystrokes.
While waiting for the FBI to fit him with the proper gear, Mr. Morris
contacted several of the telephone companies to alert them that they
had been victimized. The reception he got wasn't always warm. "It's
kind of sad. Some of the companies, when you told them they'd had an
intrusion, would actually argue with you," he said.
GTE was an exception. Mr. Morris discovered that Bill Oswald, a GTE
corporate investigator, had opened his own Phonemasters probe. Mr.
Oswald and Mr. Morris began working together and uncovered another of
Mr. Cantrell's schemes: He and some friends had managed to get their
hands on some telephone numbers for FBI field offices. They entered
the telephone system and forwarded some of those FBI telephones to
phone-sex chat lines in Germany, Moldavia and Hong Kong. As a result
of the prank, the FBI was billed for about $200,000 in illegal calls.
Mr. Morris also learned that on Oct. 11, 1994, Mr. Cantrell hacked
GTE's computer telephone "switch" in Monticeto, Calif., created a fake
telephone number and forwarded calls for that number to a sex-chat
line in Germany. The FBI isn't sure how Mr. Cantrell convinced people
to call the number, but court records show that Mr. Cantrell received
a payment of $2,200 from someone in Germany in exchange for generating
call traffic to the phone-sex service.
In early December 1994, Mr. Morris's "analog data intercept device"
finally arrived from the FBI's engineering department. It was a $70,000
prototype which Mr. Morris calls "the magic box."
On Dec. 20, Mr. Morris and other agents opened up their surveillance
in an unheated warehouse with a leaky roof. The location was ideal
because it sat between Mr. Cantrell's home and the nearest telephone
central office. Mr. Morris and nine other agents took turns overseeing
the wiretap and data intercepts. The agents often had to pull a tarp
over their workspace to keep rain from damaging the costly equipment.
As middle-class families go, the Cantrells seem exemplary. Calvin's
father, Roy, was a retired detective who had once been voted "Policeman
of the Year" in Grand Prairie, the suburb west of Dallas where they
live. His mother, Carol, taught Latin and English at Grand Prairie
High School, where Calvin graduated in 1987 with above-average
grades. As a student, he was no recluse. He had a small circle of
friends who shared his love of martial arts, video games, and spy
movies. Mr. Cantrell's longtime friend, Brandon McWhorter, says Calvin
was always a fun-loving guy, but there was one thing about which he
was very serious.
"He would always talk to me about religion," says Mr. McWhorter. "He
held very strong religious beliefs."
After high school, Mr. Cantrell continued to live at home while taking
classes at the University of Texas at Arlington and a local community
college.
He held a series of odd jobs and hired himself out as a deejay for
weddings and corporate parties. Mr. Cantrell balanced, school, work,
family and friends even as he began hacking more often. His parents
became suspicious, but said nothing. The family had three phones;
Calvin stayed on his 15 hours a day.
"They'd go in my room and see all the notes and the phone numbers.
Even though they couldn't put it together technically, they knew
something was up," says Mr. Cantrell. "They were kind of in denial. My
parents were pretty soft."
Mrs. Cantrell says Calvin had been so well behaved that she never
suspected his computer activities were more than fun and games. "I
wish I had known what was going on. Unfortunately, my son was smarter
than I was." (Calvin's father passed away last year.)
At 8:45 on the night of Dec. 21, just four days before Christmas, Mr.
Cantrell went online. Using an ill-gotten password, he entered a
Sprint Corp. computer, where he raided a database, copying more than
850 calling-card access codes and other files, court records in the
case show. The Phonemasters often got passwords and other key inform-
ation on companies in a low-tech approach called "Dumpster diving,"
raiding the trash bins of area phone firms for old technical manuals,
phone directories and other company papers. This often allowed
Mr. Cantrell to run one of his favorite ruses -- passing himself off
as a company insider.
"I'd call up and say, 'Hi, I'm Bill Edwards with systems administration.'
I'd chat with them for a while, then I'd say 'We're doing some network
checkups today. Can you log off of your computer, then tell me every
character you're typing as you log back on?' A lot of people fell for
that," Mr. Cantrell says.
After hacking into the Sprint database that evening, Mr. Cantrell
talked to another hacker, Corey Lindsley, over the phone. He'd 'met'
Mr. Lindsley, and another hacker, John Bosanac, in 1993 while surfing
the murky world of hacker bulletin boards. Mr. Cantrell then sent the
copied files to Mr. Lindsley, who was a student at the University of
Pennsylvania in Philadelphia.
Mr. Morris's equipment captured everything -- voice and data. It was
an FBI first. "We're sitting in this place that looked liked a bomb
pit, but the atmosphere was really exciting," says Mr. Morris. "We
were ecstatic."
As the days passed, the FBI wiretap generated stacks upon stacks of
audiotapes and data transcripts. Some was just idle talk among
friends, the occasional call to finalize dinner plans, lots of
workaday chatter. But the incriminating evidence mounted. "It's great,
you know. I really love fraud," joked Mr. Bosanac, a Californian who
was musing with Mr. Cantrell about the various technical methods of
using other people's cellular telephone accounts to place free
calls. "Fraud is a beautiful thing."
Family conversations even entered the investigation. On Jan. 7, for
instance, Mr. Cantrell called his mother from a friend's house and
asked her find an MCI Corp. manual on his shelf. He then asked her to
read him a set of directions for accessing MCI's V-NET computer
system. Mrs. Cantrell read the material but asked her son whether he
was supposed to have the book, citing warnings that stated its
contents were restricted to MCI employees. Mr. Cantrell just avoided
his mother's question. The FBI data-tap captured every word.
Still, the process took its toll on the FBI team, especially coming
during the holidays. "It was stressful that the wiretap was going 24
hours a day, seven days a week. I had to write up the legal documents
and it's tough making people work through Christmas," Mr. Morris
said. On top of that, he had to keep records of his findings, and
every ten days he had to reapply to the court to prove that his
wiretap was yielding evidence.
By late January, the FBI had begun to get a clear profile of Mr.
Cantrell and his hacker friends. Mr. Lindsley, it appeared, was the
group's acerbic leader, directing much of the hacking activity. Over
phone lines, the FBI heard him bragging about how he had given a
Pennsylvania police department "the pager treatment" in retaliation
for a speeding ticket he received. Mr. Lindsley had caused the police
department's telephone number to appear on thousands of pagers across
the country. The resulting flood of incoming calls, Mr. Lindsley
bragged, would surely crash the department's phone system.
They also enjoyed collecting information about film stars, musicians
and other famous people. Mr. Cantrell has admitted that he broke into
President Clinton's mother's telephone billing records in Arkansas to
obtain a list of unpublished White House numbers. The men, says the
FBI, even made harassing phone calls to rock star Courtney Love and
former child actor Danny Bonaduce using pilfered numbers.
They weren't without fear of getting caught. On the evening of Jan. 17,
for instance, there was a clicking on the phone line as Messrs. Bosanac,
Cantrell, and Lindsley shared a three-way conference call. "What the
hell happened?" asked Mr. Bosanac, according to an FBI transcript of
the conversation.
"That was the FBI tapping in," laughed Mr. Cantrell.
"Do you know how ironic that's gonna be when they play those tapes in
court?" Mr. Lindsley said. "When they play that tape in court and
they got you saying it was the FBI tapping in?"
On Jan. 18, the FBI overheard Messrs. Cantrell, Bosanac and Lindsley
on another conference call. With the other two men giving directions,
Mr. Cantrell dialed his computer into Southwestern Bell's network and
copied a database of unlisted phone numbers. The three men then
discussed plans to write a computer program that could automatically
download access codes and calling-card numbers from various telephone
systems. They also talked about the chance that the FBI would one day
track them down.
"Just remember, nobody f-- rats anybody out," said Mr. Lindsley to the
others. "No deals."
"Yeah, no deals is right," replied Mr. Bosanac.
"No deals. I'm serious. I don't care what your f-- lawyers tell you,"
said Mr. Lindsley.
Mr. Cantrell said nothing.
Later that morning, between 5:09 a.m. and 7:36 a.m., Mr. Cantrell
entered Sprint's computer system and downloaded about 850 Sprint
calling-card codes. He then transferred those codes to a man in
Canada. The codes would allow anyone who purchased them to place free
international phone calls. Mr. Morris would later learn that a contact
in Canada paid Mr. Cantrell $2 apiece for each code, court records
show. The Phonemasters most likely did not know -- or care -- where
the codes ended up, but the FBI traced them and found some ended up in
the hands of a Sicilian Mafia operative in Switzerland.
On Jan. 23, while probing a U S West telephone database, Mr. Cantrell,
Mr. Bosanac, Mr. Lindsley and others stumbled over a list of telephone
lines that were being monitored by law enforcement. On a lark, they
decided to call one of the people -- a suspected drug dealer, says
Mr. Morris -- and let him know his pager was being traced by the police.
On Jan. 27, the group was clearly feeling paranoia about being caught,
prompting Mr. Lindsley to tell his accomplices to pull as many Sprint
codes as quickly as they could. Mr. Cantrell began to have reservations.
"What if I stopped before all of y'all?" Mr. Cantrell asked Mr. Lindsley.
"Would you applaud my efforts?"
"No," said Mr. Lindsley. "I don't think there's any reason to stop.
What are you worried about?"
"Uh, I'm not worried about anything. I'm just saying, uhm. There might
... There might come a time here where I don't have time for this."
He added a little later: "I, you know, really like it. But, I don't
know, I just ... Eventually, I don't see myself doing a lot of illegal
things."
Mr. Lindsley continued to prod Mr. Cantrell to speed up the download
of stolen codes by spending more time online and using two phones.
"I'm telling you, you run two lines around the clock," Mr. Lindsley
said.
"You can't run them around the clock," said Mr. Cantrell.
"Why not?"
"Oh, come on. I think that's pushing it too hard."
"I think you just got a weak stomach there, boy."
By late February, things began to get tense. One of Mr. Cantrell's
hacker friends informed him that his number had shown up in a database
of phone numbers being monitored by the FBI. In all the excitement of
burglarizing databases and rerouting phone calls, the Phonemasters had
neglected to check their own phone lines for any signs that law enforce-
ment might be listening in.
Mr. Morris hastily arranged for an FBI raid. On Feb. 22, 1995, agents
raided Mr. Cantrell's home, Mr. Lindsley's college dorm room, and
burst into Mr. Bosanac's bedroom in San Diego.
For Mr. Morris, the climactic raid was only the start of a long battle
to bring the hackers to justice. Because of the complicated nature of
his evidence gathering, it took him more than two years to compile the
most salient portions of the wiretap transcripts and data-tap evidence.
"All the documents and tapes from this case could fill a 20-by-20
room," Mr. Morris explains. "And at the time, I was the only computer
investigator for all of Texas."
In the meantime, as federal prosecutors slowly geared up for a trial,
Mr. Cantrell tried to get on with his life. "I spent the first few
weeks after the raid being paranoid and wondering what would happen,"
he says. Occasionally, Mr. Morris and other agents would call him,
asking questions about some of the systems he had hacked. By the
summer of 1995, at the urging of his mother, Mr. Cantrell started
attending church again. He scored the first in a string of professional
computing jobs, doing systems-administration work for a company called
Lee Datamail in Dallas. He neglected to tell his employers about the
FBI case. "It's been mental torture for the last four years, not
knowing," says Mr. Cantrell. "Can I go to school, move to another
state? That kind of thing messes with your head."
Over time, Mr. Cantrell says he had come to seriously regret what he
had done and the $9,000 he says he made from selling codes wasn't
worth the trouble. "Looking back, it was all crazy. It was an
obsession. I wanted to see how much I could conquer and a little power
went to my head." Mr. Cantrell notes that he has since tried to make
amends, even helping the phone companies plug their security holes and
helping the FBI gather more information on some of the group's members
who haven't yet been apprehended.
The matter finally seemed near conclusion this March when Mr. Morris
was able to play "a couple of choice tapes" in separate meetings with
Messrs. Cantrell, Bosanac and Lindsley. Afterward, all three agreed
to plead guilty to federal charges of one count of theft and possession
of unauthorized calling-card numbers and one count of unauthorized
access to computer systems. Chief Judge Jerry Buchmeyer ordered a
presentencing investigation.
During a hearing on the matter, Mr. Lindsley's attorney tried to argue
that the FBI had wildly overstated the $1.85 million in losses that
her client's hacking had allegedly caused. But in the end, Judge
Buchmeyer rejected the argument and sentenced him to 41 months in
prison. Mr. Bosanac, in the meantime, has asked that his sentencing
hearing be moved to San Diego, where he lives.
As for Mr. Cantrell, Judge Buchmeyer lauded his "acceptance of guilt."
He could have been sentenced to three years in federal prison; instead
he was given two. He reports to federal prison in January of next
year.
Mr. Morris, meanwhile, has used his data-tap method in several other
cases; he also travels around the country and the world advising
law-enforcement agencies on how to conduct state-of-the-art investi-
gations of hacker crimes.
TELECOM Digest Editor (ptownson@telecom-digest.org)