We quickly figured out that the former VP had discovered the CEO's email password and was using it to pick up copies of bid information between his former company and Egypt. The newly discovered email address linked back to a nearby university, which, coincidentally, both the former VP and I had attended years ago. The school allowed former students to continue to use limited parts of its computer system, including email. Antiquated by today's standards, the university's system had a few interesting features that proved useful in our investigation: You could look up when other people were using the system, and it would let you link email addresses to real names, along with other identifying information.
We contacted the FBI and city police to report the cyber crime. At the time, the FBI had very few computer crime experts, none with real hacking skills. But with their legal assistance, I was allowed to perform, under the FBI's legal authority, some limited forensic investigative techniques.
Sure enough, the hacker was using a university email account that we could trace to the former VP. Using various lookups, we were able to see when the former employee used the university system. The correlation to days when fish bidding was performed was striking.
Of course, we could not conclusively confirm that the former VP was using his old email account, no matter how obvious it seemed. We needed a way to track an opened email back to the former VP's current IP address, which could then be subpoenaed from his ISP. I decided to use a Web beacon.
A Web beacon (aka a Web bug) is a hidden HTML link to a nearly invisible graphic element that, when viewed in an HTML-enabled client, allows the custodian of that element to track information about the user who has opened it. I modified the CEO's email signature to contain an HTML link to a 1-pixel transparent GIF file located on a Web server that we managed. When anyone opened an email containing the CEO's modified signature, their email client would automatically download the Web beacon, and our Web server logs would contain the viewer's current IP address, along with time, date, and other identifying information.
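As an added example, not code from the original article, here is what the server side of that technique looks like in practice: a parser over constructed web-server log lines (Apache combined format) that pulls out each successful fetch of the beacon image with its source IP, timestamp and user agent, then groups them by address. The beacon path `/img/sig.gif`, the `m=` message tag and the sample addresses are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Apache/nginx "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Mar/2004:09:12:01 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [14/Mar/2004:09:15:42 -0500] "GET /img/sig.gif?m=bid-0417 HTTP/1.1" 200 43 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [14/Mar/2004:09:16:05 -0500] "GET /img/sig.gif?m=bid-0417 HTTP/1.1" 304 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.55 - - [14/Mar/2004:11:02:17 -0500] "GET /img/sig.gif?m=bid-0417 HTTP/1.1" 200 43 "-" "Outlook Express 6.0"
"""


def beacon_hits(log_text, beacon_path="/img/sig.gif"):
    """Return (ip, UTC datetime, message tag, user agent) for each view of the beacon.

    Only 2xx responses count as the image actually being delivered; a 304 is the
    client re-validating a cached copy and would double-count the same viewing.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path, _, query = m.group("path").partition("?")
        if path != beacon_path or not m.group("status").startswith("2"):
            continue
        # Apache timestamp such as 14/Mar/2004:09:15:42 -0500, normalised to UTC
        ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        # The m= tag (assumed) identifies which outgoing message carried the beacon.
        tag = dict(p.split("=", 1) for p in query.split("&") if "=" in p).get("m", "")
        hits.append((m.group("ip"), ts, tag, m.group("ua")))
    return hits


def hits_by_ip(hits):
    """Group beacon views by source address: the list a subpoena request is built from."""
    grouped = {}
    for ip, ts, tag, ua in hits:
        grouped.setdefault(ip, []).append((ts, tag, ua))
    return grouped


if __name__ == "__main__":
    for ip, views in hits_by_ip(beacon_hits(SAMPLE_LOG)).items():
        print(ip, [(t.isoformat(), tag, ua) for t, tag, ua in views])
```

Note that a shared proxy or webmail service will show up as the provider's address rather than the reader's, so a hit is a lead to be confirmed against other records (as the ISP subpoena does in the story), not proof by itself.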
With our trap in place, we set up a sting. We contacted our Egyptian friend via phone to notify him of our plans. We sent an email discussing a nonexistent bid, along with our Web beacon. Further, we made a bid price that was several orders of magnitude higher than either party normally negotiated and used a fish type that did not exist. Everything about this email screamed fake, if you took the time to research it.
Immediately after we sent the email, the former VP took the bait, sending a bid to our Egyptian exactly 1 cent lower than our extremely high price. I was also able to produce evidence that the former VP accessed the university email system just prior to his response to the fake bid, and our Web beacon worked as planned. We had his IP address, which tracked him to his home. We knew it was his company; we knew it was him; we knew he had been illegally reading emails.
It was an open-and-shut case, although it took years to wind its way through multiple court hearings. Years after the hacking event, I learned that the CEO never changed his email password, proving once again that I understand computers way better than humans.
True tale of (mostly) white-hat hacking No. 4: Hacking comeuppance
I've been actively fighting malicious hackers for three decades and have been hacked only twice -- once, because I knowingly ran an early computer virus on my system but had forgotten to set up a safe "jail" before executing it.