Police Oracle

In May 2021, Cheshire received a report from a local business that their website had been hacked and defaced.

The business supplied high-end Christmas decorations to local residents. Their website however had been taken over and customers were faced with a superimposed blue screen with written accusations claiming the company used exploited labour along with religious iconography (the allegations were unfounded).

At the same time, clients were sent emails detailing the same allegations and accusing them of being complict. The victim was told to contact an email address and make a payment for it to stop.

Detective Sergeant David MacFarlane told Police Oracle: “If you have a website, you have to host it somewhere, so it has to live somewhere. There are companies that will upload the code for your website and it will live there.

“If you have an account with someone like Wix or GoDaddy you log on to upload or make changes to your site. You also have the ability to send emails and do other admin tasks from there via email addresses linked to your company.

“In this case, the offender, Craig Fox, had gained access to that hosting account. [He defaced the site, sent emails] and also used the victim’s credit card which was also held in the account, to pay for account upgrades - which was a bit of a pointless fraud, but still fraud.”

DS MacFarlane, who investigated the case on his own, began to do some open source research on the email address that had been used. Because the word used within the address was quite unique, he was able to locate a second victim.

Using a Google cache search, he could see that victim’s site had also been defaced - this time with a religious video.

The second victim also ran a home decor site, in this case however Fox had deleted their entire online shop - meaning they had no way of trading for as long as the site was down.

The two victims gave DS MacFarlane information about their logins and access on their accounts and with communication data enquiries he was able to trace the access back to one address in Manchester.

On researching the address and residents, it didn’t appear likely any were involved. However Cheshire officers visited anyway with a ‘soft knock’ approach.

The residents were co-operative but searches of devices gave no indication they were involved. It then transpired that a neighbour had visited a few weeks ago asking to use their WiFi, saying he didn’t have any internet access.

Craig Fox lived in a houseshare next door. An IT security worker - he had convictions for similar offences that had been investigated by a regional agency.

DS MacFarlane said : “[We got him to agree to a voluntary interview]. I’ve found fraudsters are a bit of their own thing really - they genuinely think they can talk the way out of it. With Craig Fox it was the same thing.

“He told me he didn’t have a laptop and he had sold his phone. We arrested him and did another search of his room but found no devices.

“We eventually tracked his computer to his workplace. It was a work-issued device so he couldn’t delete anything and he couldn’t get rid of it.”

Officers never located his phone, but DS MacFarlane believes that he hadn’t used his phone to do any offending.

While he was released under investigation, South Wales contacted Cheshire following a PNC check with two similar victims.

The first South Wales victim was a service provider to the second.

Officers later recovered a spreadsheet created by Fox that mentioned a company in London.

The company was a supplier to the two original victims in Cheshire - it turned out that that was where the hack originated from.

“Fox hacked that company and he gained access to all of their customers. And that customer data - that spreadsheet as it was contained names, addresses, usernames, emails, and passwords, to all of the companies.

“There was about 300 companies on there and he’s simply cherry picked from there, including our victim in Cheshire, the one in Newcastle and a couple of others. There’s probably more victims we don’t know about as well.

“He’d reached out to another victim and accessed her email address to send an email to the company in London saying ‘Craig Fox is a great security guy, you should use him for security.” So that was unauthorised access.’

“There’s a technique called SQL injection where with login pages that haven’t been made properly - instead of putting your email or username in, you can input this code called SQL code.

“You basically trick the website into sending data back. So because the website is expecting a username and a password, using this code will make it send back an error message that contains some information about the backend server that stores your data.

“That’s how it did it to both the company in South Wales and the company in London. And then he had the data to access all the others.”

In the end five victims made complaints and 12 charges were authorised including computer misuse, fraud and blackmail. Fox originally pleaded not guilty but changed his plea and was convicted of 11 charges.

He was given a five year custodial sentence and issued with a 10 year criminal behaviour order.

In interviews Fox had tried to say that what he was doing was standard industry practice - there are things called pen testing and bug bounties where companies would hire “ethical hackers” to test their security.

Those situations are controlled however, the victim is aware and would have to advertise it properly.

DS MacFarlane concluded: “Computer Misuse legislation is really underused. And in my mind, it’s really useful - not just for these sorts of cases.

“We get quite good sentences off computer Computer Misuse, and a lot of people tend to think that it's to do with just our area of work. It's not, if you're if you're dealing with domestic abuse cases and you've got suspects who were doing things like mobile hacking or just accessing social media accounts without authority, you've got a computer misuse offence there. And it can be quite easy to quite easy to prove it as well.”