68,000 stolen logons in hands of 'amateur' hackers

A band of hackers who were recently discovered hoarding a trove of account logons pilfered from thousands of companies worldwide are garden-variety cyberthieves, security experts say.

The gang most likely began by hiring spam specialists to send out e-mail and social-networking posts to lure recipients into clicking on a tainted Web link, says Don Jackson, senior researcher at SecureWorks.

They then used a dated free version of a hacking tool called ZeuS and did nothing to hide their tracks, indicating that "they're probably amateurs," Jackson says.

That disclosure underscores how deeply cybercriminals — from novices to elite gangs — have now saturated the Internet with infections that allow them to take full control of Windows PCs. Cybergangs slot newly infected PCs, called bots, into networks called botnets. On any given day, 12% to 15% of the 1.6 billion computers connected to the Internet are bots, according to security firm Damballa.

Botnets are the engines that drive cybercrime, ranging from petty scams to espionage. "We've become desensitized to botnet infestation," says Tim Belcher, NetWitness chief technology officer.

In late January, NetWitness began tracking data exchanges between a bot in one of its clients' networks and a remote server. Investigators accessed the server and found some 68,000 user name and password pairs for an array of online accounts. The data were stolen from 75,000 botted PCs in 2,411 organizations from 196 countries.

These included government agencies and schools, as well as drug, health, energy, tech, financial and media companies.

Gunter Ollmann, Damballa's vice president of research, has tracked this particular gang since late 2008. He says the hackers, now being referred to as the Kneber gang, are responsible for infecting at least 97,100 PCs in corporate networks in North America, in what's considered a "small" botnet. There are some 2,000 botnet gangs that together control 5% to 7% of PCs in corporate settings in North America. "Large enterprises have multiple layers of security defenses," Ollmann says. "Yet the criminal botnet operators are uniformly successful in breaching these well-defended networks."

Filed under  //  crime   hacking   news
Posted 19 days ago

Computer hacker to repay $27.5M, sentenced to prison for credit scam

A San Francisco man who had more than 1.8 million stolen bank and credit card numbers on his home computers was sentenced Friday to 13 years in federal prison and ordered to repay $27.5 million to the banks and credit card companies he victimized.

Max Ray Vision, who legally changed his last name from Butler, had pleaded guilty in June to his role in an online clearinghouse where identity thieves shared stolen information.

A self-taught computer whiz who fell in love with the devices as an 8-year-old boy in his father's computer store, Vision told Senior U.S. District Judge Maurice B. Cohill Jr. that he was mesmerized by "the thrill of hacking, being addicted to it."

Bespectacled, soft-spoken and articulate, the 37-year-old Vision told the judge he had changed and realizes what he did was wrong.

"You probably hear that a lot, but it's absolutely true," he said.

Cohill's sentence was based on a joint recommendation by federal prosecutors and Vision's public defender, Michael Novara. Federal sentencing guidelines suggested a sentence of 30 years to life, which Novara called "ludicrous."

Still, Assistant U.S. Attorney Luke Dembosky said serious punishment was merited because of the scale of Vision's crimes. Dembosky agreed to the lesser sentence because Vision has continued to work with the government under terms that remain sealed.

All Dembosky would say is, "It could relate to a whole range of things."

Before his arrest in 2007, Vision had developed software to prevent hacking and had even worked as a volunteer who helped the FBI understand and prevent cyber crimes.

Dembosky agreed that Vision wasn't mean-spirited, but was more "wide-eyed" and "curious" about what he could accomplish behind a keyboard.

"Unfortunately, that curiosity took a dark turn and that's why we're here today," Dembosky said. "The amount of damage a person can cause with a keyboard in this day and age is astronomical."

Visa, MasterCard, American Express and Discover tracked more than $86 million in fraudulent purchases to the account numbers found on Vision's computers. In all, 10,000 financial institutions were victimized, Dembosky said.

Vision was charged in Pittsburgh because he sold more than 100 credit card numbers and related information to a western Pennsylvania resident who cooperated with the investigation of a website called cardersmarket.com. About 4,500 people worldwide could trade or access stolen credit information on the website from 2005 until it was shut down in 2007.

Vision has been in custody since authorities raided his apartment in September 2007.

Although authorities found 1.8 million stolen credit card numbers on his computers, they said they were confident that Vision had obtained 1.1 million directly, Dembosky said. The others might have come from other sources.

Vision's $27.5 million restitution was calculated by multiplying the 1.1 million by the roughly $25 it costs banks and credit card companies to replace each stolen credit card number, Dembosky said.

"No one should think that's the amount of money Max gained as a result of this misadventure," said Novara, who claims Vision likely netted less than $1 million from selling the numbers.

"I think we're all trying to figure out, how did we get here?" Novara said.

Filed under  //  computers   hacking   internet   news   technology
Posted 24 days ago

Chinese police shut down hacker training business

Police in central China have shut down a hacker training operation that openly recruited thousands of members online and provided them with cyberattack lessons and malicious software, state media said Monday.

The crackdown comes amid growing concern that China is a center for Internet crime and industrial espionage. Search giant Google said last month its e-mail accounts were hacked from China in an assault that also hit at least 20 other companies.

Police in Hubei province arrested three people suspected of running the hacker site known as the Black Hawk Safety Net that disseminated website hacking techniques and Trojan software, the China Daily newspaper said. Trojans, which can allow outside access to a computer when implanted, are used by hackers to illegally control computers. The report did not say exactly when the arrests took place.

Black Hawk Safety Net recruited more than 12,000 paying subscribers and collected more than 7 million yuan ($1 million) in membership fees, while another 170,000 people had signed up for free membership, the paper said.

The report said police seized nine servers, five computers and a car, and shut down all websites involved in the case. Authorities also froze 1.7 million yuan ($250,000) in assets.

The shutdown of the site followed an investigation involving 50 police officers in three other provinces, the local Changjiang Times newspaper said.

The case can be traced to a hacking attack in 2007 on an Internet cafe in Macheng city in Hubei that caused Web services for dozens to be disrupted for more than 60 hours, the paper said. A few of the suspects caught in April said they were members of the Black Hawk Safety Net.

Black Hawk's website 3800hk.com could not be accessed, but a notice purportedly from Black Hawk circulating on online forums said that a backup site had been set up. The notice also sought to reassure members of its continued operations and said its reputation was being smeared by some Internet users.

"At this time, there are Internet users with evil intentions who have deliberately destroyed Black Hawk's reputation, deceived our members and stole material," the notice addressed to members said. "We must join forces and attack these websites."

A customer service officer contacted by phone, who refused to give his name, said the backup site provides content for its paying members to download course material to allow them to continue their computer lessons — though not in hacking.

The Hubei government refused to comment Monday while officials at the provincial public security bureau did not respond to repeated requests for comment.

Google threatened last month to pull out of China unless the government relented on censorship, an ultimatum that came after the search giant said it had uncovered a computer attack that tried to plunder its software coding and the e-mail accounts of human rights activists protesting Chinese policies.

Government officials have defended China's online censorship and denied involvement in Internet attacks, saying the country is the biggest victim of Web attacks. The Ministry of Industry and Information Technology said hackers tampered with more than 42,000 websites last year.

Meanwhile, scrutiny of Chinese Internet security grows following a rash of attacks traced to China and aimed at a wide array of U.S. and European targets, including military contractors, banks and technology companies.

Security consultants say it is hard to know what proportion of hacking from China is the work of individuals and whether the government is involved. But some say the high skill level of some attacks suggests China's military or other agencies might have trained or directed the hackers.

"The scale, operation and logistics of conducting these attacks — against the government, commercial and private sectors — indicates that they're state-sponsored," security firm Mandiant Corp. said in a report last month. "The Chinese government may authorize this activity, but there's no way to determine the extent of its involvement."

Filed under  //  crime   hacking   internet   news   technology
Posted 27 days ago

Security chip that does encryption in PCs hacked

Deep inside millions of computers is a digital Fort Knox, a special chip with the locks to highly guarded secrets, including classified government reports and confidential business plans. Now a former U.S. Army computer-security specialist has devised a way to break those locks.

The attack can force heavily secured computers to spill documents that likely were presumed to be safe. This discovery shows one way that spies and other richly financed attackers can acquire military and trade secrets, and comes as worries about state-sponsored computer espionage intensify, underscored by recent hacking attacks on Google.

The new attack discovered by Christopher Tarnovsky is difficult to pull off, partly because it requires physical access to a computer. But laptops and smart phones get lost and stolen all the time. And the data that the most dangerous computer criminals would seek likely would be worth the expense of an elaborate espionage operation.

Jeff Moss, founder of the Black Hat security conference and a member of the U.S. Department of Homeland Security's advisory council, called Tarnovsky's finding "amazing."

"It's sort of doing the impossible," Moss said. "This is a lock on Pandora's box. And now that he's pried open the lock, it's like, ooh, where does it lead you?"

Tarnovsky figured out a way to break chips that carry a "Trusted Platform Module," or TPM, designation by essentially spying on them like a phone conversation. Such chips are billed as the industry's most secure and are estimated to be in as many as 100 million personal computers and servers, according to market research firm IDC.

When activated, the chips provide an additional layer of security by encrypting, or scrambling, data to prevent outsiders from viewing information on the machines. An extra password or identification such as a fingerprint is needed when the machine is turned on.

Many computers sold to businesses and consumers have such chips, though users might not turn them on. Users are typically given the choice to turn on a TPM chip when they first use a computer with it. If they ignore the offer, it's easy to forget the feature exists. However, computers needing the most security typically have TPM chips activated.

"You've trusted this chip to hold your secrets, but your secrets aren't that safe," said Tarnovsky, 38, who runs the Flylogic security consultancy in Vista, California, and demonstrated his hack last week at the Black Hat security conference in Arlington, Virginia.

The chip Tarnovsky hacked is a flagship model from Infineon Technologies AG, the top maker of TPM chips. And Tarnovsky says the technique would work on the entire family of Infineon chips based on the same design. That includes non-TPM chips used in satellite TV equipment, Microsoft Corp.'s Xbox 360 game console and smart phones.

That means his attack could be used to pirate satellite TV signals or make Xbox peripherals, such as handheld controllers, without paying Microsoft a licensing fee, Tarnovsky said. Microsoft confirmed its Xbox 360 uses Infineon chips, but would only say that "unauthorized accessories that circumvent security protocols are not certified to meet our safety and compliance standards."

The technique can also be used to tap text messages and e-mail belonging to the user of a lost or stolen phone. Tarnovsky said he can't be sure, however, whether his attack would work on TPM chips made by companies other than Infineon.

Infineon said it knew this type of attack was possible when it was testing its chips. But the company said independent tests determined that the hack would require such a high skill level that there was a limited chance of it affecting many users.

"The risk is manageable, and you are just attacking one computer," said Joerg Borchert, vice president of Infineon's chip card and security division. "Yes, this can be very valuable. It depends on the information that is stored. But that's not our task to manage. This gives a certain strength, and it's better than an unprotected computer without encryption."

The Trusted Computing Group, which sets standards on TPM chips, called the attack "exceedingly difficult to replicate in a real-world environment." It added that the group has "never claimed that a physical attack — given enough time, specialized equipment, know-how and money — was impossible. No form of security can ever be held to that standard."

It stood by TPM chips as the most cost-effective way to secure a PC.

It's possible for computer users to scramble data in other ways, beyond what the TPM chip does. Tarnovsky's attack would do nothing to unlock those methods. But many computer owners don't bother, figuring the TPM security already protects them.

Tarnovsky needed six months to figure out his attack, which requires skill in modifying the tiny parts of the chip without destroying it.

Using off-the-shelf chemicals, Tarnovsky soaked chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips' cores. From there, he had to find the right communication channels to tap into using a very small needle.

The needle allowed him to set up a wiretap and eavesdrop on all the programming instructions as they are sent back and forth between the chip and the computer's memory. Those instructions hold the secrets to the computer's encryption, and he didn't find them encrypted because he was physically inside the chip.

Even once he had done all that, he said he still had to crack the "huge problem" of figuring out how to avoid traps programmed into the chip's software as an extra layer of defense.

"This chip is mean, man — it's like a ticking time bomb if you don't do something right," Tarnovsky said.

Joe Grand, a hardware hacker and president of product- and security-research firm Grand Idea Studio, saw Tarnovsky's presentation and said it represented a huge advancement that chip companies should take seriously, because it shows that presumptions about security ought to be reconsidered.

"His work is the next generation of hardware hacking," Grand said.

Filed under  //  hacking   internet   security   technology
Posted 1 month ago

#Albert Gonzalez Enters Plea Agreement in Heartland, Hannaford Cases

Albert Gonzalez, who has admitted hacking into TJX and other companies, has filed a plea agreement in charges that he breached Heartland Payment Systems, Hannaford, 7-Eleven and two other companies.

Under the terms of the agreement, Gonzalez, a former Secret Service informant, will plead guilty to two counts of conspiracy to gain unauthorized access to computers, and to commit wire fraud. Prosecutors have agreed to seek a sentence of no more than 25 years, to run concurrent with his sentence in two other pending cases. Gonzalez had agreed to ask the court for no less than 17 years in prison.

Gonzalez is currently facing a sentence of between 15 and 25 years in two combined cases out of Massachusetts and New York, involving the hacks of TJX and Dave & Buster’s restaurants. The New Jersey agreement would add two years to the minimum time he could seek.

Gonzalez, 28, was indicted in August in New Jersey — along with two unnamed Russian conspirators — on charges of hacking into Heartland, the New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed national retailers.

According to the plea agreement, between October 2006 and May 2008 Gonzalez and an associate identified as “P.T.” — possibly indicted TJX co-conspirator Damon Patrick Toey — picked out hacking targets from a list of Fortune 500 companies, and then did reconnaissance to determine the payment-processing systems they used and uncover vulnerabilities. Gonzalez leased and controlled servers in Latvia, Ukraine and the Netherlands to store malware, launch the attacks against the networks and receive the stolen numbers.

Using a SQL-injection attack, the two Russian hackers allegedly broke into the 7-Eleven network in August 2007 through the company’s website, then routed their way to a server connected to the stores’ ATMs, resulting in the theft of an undetermined amount of card data. They allegedly used the same kind of attack to infiltrate Hannaford Brothers in November 2007, resulting in 4.2 million stolen debit and credit card numbers; and into Heartland on Dec. 26, 2007. Of the two unnamed national retailers mentioned in the affidavit, one was breached on Oct. 23, 2007, and the other sometime around January 2008.

Once on the networks, the hackers installed back doors to provide them with continued access at later dates. According to authorities, the hackers tested their malware against some 20 different antivirus programs to make sure they wouldn’t be detected, and also programmed the malware to erase evidence from the hacked networks to avoid forensic detection.

Although documents in the New Jersey case don’t identify the two Russians, a sentencing memo filed in the TJX case in Massachusetts last week revealed the online nicknames of the two hackers to be “Grigg” and “Annex.” Parts of the memo discussing the two Russian hackers were redacted, but the redaction was done poorly and Threat Level was able to uncover the concealed portions.

According to the memo, Gonzalez described for prosecutors how “Grigg” and “Annex” hacked into Hannaford Brothers through a vulnerability in the computer systems of Hannaford’s parent company Delhaize. He gave prosecutors the information in late 2008, nine months before he was indicted in New Jersey on charges that he and the two Russians breached Hannaford.

Gonzalez is scheduled to enter his plea at a hearing in the New Jersey case on Dec. 29, after which a date will be set for his sentencing. He’s scheduled to be sentenced in the TJX and Dave & Buster’s cases in March. That sentencing was originally scheduled for Dec. 21, but as Threat Level previously reported, it was delayed after Gonzalez’s attorney filed a psychiatric evaluation with the court indicating that Gonzalez suffered from symptoms consistent with Asperger’s Disorder.

On Monday, U.S. District Judge Patti Saris rejected a request from prosecutors to obtain their own psychiatric evaluation of Gonzalez, but said she’d reexamine the issue once the government’s psychiatric expert offers specifics on the “needed areas of inquiry.”

Filed under  //  crime   hacking   news
Posted 2 months ago

#Twitter Email Security Blamed for Latest #Hack

A successful attack on Twitter early Friday morning is being blamed on Twitter’s own email security, as hackers were able to get access to an email account and change a password, then redirect Twitter.com traffic elsewhere.

Twitter suffered a security breach Friday morning that displayed a message from the “Iranian Cyber Army” for around an hour before Twitter.com became completely inaccessible. Early reports confirmed that Twitter itself had not been compromised; rather, the DNS records (which send web users to the right place when they visit Twitter.com) had been changed to point to another location.

Now Twitter’s DNS provider, Dyn Inc., has absolved itself of blame by claiming that the DNS records were changed by an authorized user: in other words, the attacker had the password to Twitter’s Dyn Inc account, logged in and changed the settings. That points to one likely cause: a Twitter administrator had their email security compromised, and a password reset request was made.

Twitter’s email security was also the cause of previous Twitter attacks: a breach of one staff member’s email account provided access.

It’s a vulnerability that might lead some to question the security of web-based applications like Google Apps: if all your data is online, you’re only one password away from a major breach.

Filed under  //  hacking   twitter
Posted 2 months ago

#Twitter hacked by 'Iranian Cyber Army'‎

In the early hours of Friday morning, the Iranian Cyber Army claimed it had hacked into Twitter. The microblogging site was down for nearly an hour, leaving millions in the eastern hemisphere tweetless. The reasoning behind this attack is suspicious, especially as Twitter was a core tool this summer for Iranian protesters to put their story out.

Twitter is back up now, saying on its status page that the DNS records were temporarily compromised.

Regardless, the alleged Iranian hackers managed to deface Twitter's home page with the message: "This site has been hacked by the Iranian Cyber Army."

The reasoning behind the attack is not known as of yet. The group was previously unknown, and some speculate this attack was carried out by pranksters, rather than pro-Iranian campaigners. Graham Cluley, from the Sophos security firm, writes on his blog that the message posted "does not necessarily mean that hackers from Iran are responsible for the defacement."

When Iran's presidential election was believed fraudulent this summer, protests turned bloody and the opposition used Twitter to put their message out to the world. In fact, Twitter became the leading source of the story, with videos and photos pulled from the site by all major media outlets, which were banned from reporting from inside the country.

Twitter also did a favor for the Iranian protesters back in the summer, with intervention from the U.S. State Department. The site delayed a planned maintenance shutdown, only to be able to continue spreading the message of the Iran protests turned bloody. The events in Iran were also the biggest trending topic in the news category on Twitter this year, followed by swine flu and Gaza.

Twitter helped the people of Iran to put their message out when nothing else could. The reasoning behind the alleged hackers, the Iranian Cyber Army, several months later is nothing short of strange.

Filed under  //  hacking   social networking   twitter
Posted 2 months ago

4 #Hackers Indicted in $9.5 Million #Bank Card Attack

Four men have been indicted in Georgia on charges that they hacked into the Atlanta-based bank card processing company RBS WorldPay. They allegedly used an army of flunkies to steal $9.5 million in cash from ATMs around the world in a span of hours.

Sergei Tsurikov, 25, of Tallinn, Estonia; Viktor Pleshchuk, 28, of St. Petersburg, Russia; Oleg Covelin, 28, of Chisinau, Moldova; and a fourth person identified only as “Hacker 3” were indicted by a federal grand jury in what’s being described as “perhaps the most sophisticated and organized computer fraud attack ever conducted.”

The hack involved reverse-engineering PINs for payroll debit card accounts — the holy grail of bank card hacking. Another four people based in Estonia were also indicted on access-device fraud charges in connection with the hack.

The case is being prosecuted by the U.S. Attorney’s office for the Northern District of Georgia, in Atlanta.

RBS WorldPay, the payment-processing arm of the Royal Bank of Scotland, provides a multitude of electronic payment processing services, including debit card transactions, electronic benefits transfer payments (EBT), gift cards, customer-loyalty cards, prepaid cards, credit card and ATM-processing services. The processor discovered last November 10 that it had been hacked and that the intruders had accessed account details for 100 payroll cards. The hackers also obtained Social Security numbers of about 1.1 million account holders.

Initial reports painted the intrusion as a limited hack, due to the number of cards compromised. But the 16-count indictment charges that the four hackers “compromised the data encryption” that RBS WorldPay used on payroll debit cards to raise the amount of funds available on the cards, as well as withdrawal limits. Payroll debit cards are used by employers to pay employees instead of checks. In some cases the hackers raised the limits to $500,000.

According to the indictment, Tsurikov conducted reconnaissance of the RBS network after Covelin provided him with information about vulnerabilities in the system. Pleshchuk and Covelin then worked on exploiting the vulnerabilities to obtain access on November 4. Pleshchuk allegedly developed the method for reverse-engineering the encrypted PINs.

Once the hackers raised the account limits, they provided an army of cashers with 44 cards embedded with the account details for a coordinated, simultaneous attack on ATMs around the world. On November 8, the cashers were instructed to begin siphoning money, and they hit more than 2,000 ATMs in less than 12 hours, netting about $9.5 million. Three Estonian defendants charged for their role in cashing — Ronald Tso, Evelin Tsoi and Mihhail Jevgenov — allegedly were responsible for withdrawing about $289,000 from ATMs in Tallinn, Estonia.

The cashers kept 30 to 50 percent of the loot before transmitting the remainder back to the hackers in Eastern Europe through Western Union and Web Money, a Russia-based digital currency service. The hackers, still in RBS’s network, were able to observe the withdrawals of funds from ATMs as they occurred in real time in order to monitor the amounts being taken by cashers and lock the accounts to prevent further withdrawals.


Once the mission was completed, the hackers tried to erase their tracks on the RBS network.

Tsurikov was arrested earlier this year in Estonia and is being held there pending extradition to the United States. The Justice Department will not comment at this time on the status of Pleshchuk and Covelin, a spokesman told Threat Level.

Tsurikov, Pleshchuk, Covelin and “Hacker 3” face a maximum sentence of up to 20 years in prison for conspiracy to commit wire fraud and other wire-fraud counts, and up to five years in prison for conspiracy to commit computer fraud as well as up to five or 10 years for each count of computer fraud. They also face a two-year mandatory minimum sentence for aggravated identity theft and fines of up to $3.5 million.

Covelin was also indicted in September in New York as part of a gang that authorities dubbed the Western Express Cybercrime Group. That group, operating between 2001 and 2007, trafficked in at least 95,000 known stolen credit card numbers.

The group worked with a New York-based company called Western Express International, which authorities allege was used to coordinate and facilitate the illegal activities and launder the ring’s ill-gotten gains.

Filed under  //  crime   hacking   news
Posted 4 months ago

#F.B.I. Indicts Dozens in Online Bank #Fraud

Keith B. Bolcar, acting chief of the F.B.I.’s Los Angeles bureau, announcing arrests on Wednesday.

In what it is calling Operation Phish Phry, the F.B.I. began arresting 53 people on Wednesday on charges of conducting a vast financial fraud based on phishing — the act of tricking Internet users into revealing their passwords and other information.

The arrests were in Southern California, Nevada and North Carolina, while the authorities in Egypt sought to arrest 47 people whom the F.B.I. said were co-conspirators.

An 86-page indictment, filed in the United States District Court for the Central District of California in Los Angeles, accuses the defendants of tricking people into giving up their bank account information. The F.B.I. said that this was the largest number of defendants ever charged in a cybercrime case, and that they had stolen at least $2 million from 2007 to last month.

The scams victimized people with accounts at Bank of America and Wells Fargo, two of the nation’s largest banks. The online component of the fraud was perpetrated in Egypt, Keith B. Bolcar, the acting chief of the F.B.I.’s Los Angeles bureau, said. The defendants there sent mass e-mail messages that appeared to be authentic communication from the banks, the F.B.I. said.

The people who clicked on those e-mail messages were sent to fake Web sites made to look identical to the real banking sites, where they were asked to enter personal information like their bank account numbers, passwords, Social Security numbers and drivers’ license numbers.

The co-conspirators in the United States took over from there, transferring funds into their own accounts and remitting some money back to their accomplices in Egypt, according to the indictment.

“It was very well done, it was very organized and everybody got paid,” Mr. Bolcar said.

The F.B.I. said the mastermind of the operation in the United States was Kenneth Joseph Lucas, 25, who had help from John Clarke, a friend, and Nichole Merzi, Mr. Lucas’s former girlfriend. A public defender for Mr. Lucas did not immediately return a call seeking comment.

According to the indictment, the trio would ask other conspirators, some down on their luck, to open accounts and then withdraw money that had been transferred from victims’ accounts. They would then send some money to participants in Egypt.

The investigation began in early 2007, when the banks alerted the F.B.I. to the fraud. Tara Burke, a spokeswoman for Bank of America, would not comment specifically on this case but said the bank “monitors for fraudulent sites and works to shut them down as quickly as possible.”

Each of the 53 defendants named in the indictment is charged with conspiracy to commit bank fraud and wire fraud, which carries a maximum penalty of 20 years in prison. Some defendants face other charges.

The case highlights the pernicious problem of phishing, in which online scammers send e-mail messages and build Web sites that look authentic, then make off with sensitive information. Early this week, more than 10,000 addresses and passwords for customer accounts on Hotmail, one of Microsoft’s Web-based e-mail services, appeared online, apparently after being stolen via phishing.

In what appeared to be a separate incident, a list of more than 20,000 addresses and passwords for accounts on Hotmail, Gmail, Yahoo and AOL were posted to a Web site. The Internet companies said they were working with affected customers to help them recover their accounts.

Chet Wisniewski, senior security adviser at Sophos, a Web security firm, doubted the arrests would have an effect on the number of online banking scams. “I would imagine there are many different groups doing similar things,” he said. “You squash one bug and another one emerges. If there’s an opportunity to make money, someone will be there to collect the bill.”

Filed under: bankfraud, crime, FBI, hacking
Posted 5 months ago

Tracking the Russian Scammers
http://www.wired.com/ly/wired/news/images/full/scriptek2.jpg

Dmitry Ivanovich Golubov, a 22-year-old Ukrainian who went by the nickname "Script," was considered one of the godfathers of Eastern European carding rings. As one of the leaders of CarderPlanet, authorities say Golubov facilitated the theft and international trading of millions of credit and debit card numbers that resulted in multimillion-dollar losses to banks and merchants over several years.

So when Ukrainian police finally nabbed Golubov in the summer of 2005 it was a coup, representing the culmination of dogged investigative work by U.S. Postal Inspector Greg Crabb and other law enforcement officials in the United States.

"Golubov was such a high-profile target," Crabb told Wired News. "The Secret Service, FBI and myself were working Golubov in different districts over the United States trying to get some inroads into where he was coming from."

But achieving the arrest wasn't easy. While U.S. authorities collared numerous small-time crooks in the United States who used the stolen card numbers that Golubov's ring distributed, efforts to nab Golubov himself proved futile for three years, due to indifference from Ukrainian authorities.

Crabb says he made three trips to Ukraine to plead his case, but got little response. Then the Orange Revolution swept the country in late 2004 and suddenly "the Ministry of Interior was willing to listen to our concerns about Golubov," Crabb says.

In mid-July 2005, Crabb flew to meet with ministry officials, "and two weeks later (we) went out and popped (Golubov)."

But Golubov didn't remain in jail for long. About six months after his arrest, two Ukrainian politicians convinced a judge to release him on bond. Prosecutors are still moving forward with the case, but Crabb suspects Golubov could flee before trial.

"When you can call in some favors and get some politician in the Ukraine (to) vouch for your upstandedness, there's not much the U.S. can do after that," Crabb says. "We're just (hoping) that the legal system in the Ukraine delivers what we hope."

It's one of the enduring frustrations of chasing carders overseas: in addition to the inherent difficulty of ferreting out the real person behind an online criminal's nickname, the countries where cybercrime thrives, such as those in Eastern Europe and Asia, often lack sufficient laws, budgets, skills and even the will to pursue such criminals.

The FBI has established liaison agents in dozens of U.S. embassies around the world to help facilitate cooperation with foreign crime-fighting agencies. But sometimes the obstacle is foreign law-enforcement agents themselves. Crabb says the criminal cohorts of one top carder he tracked turned out to be Ukrainian law-enforcement agents, among them a former captain of the Ukrainian state service in Kiev.

"It's a different world in the Ukraine," Crabb says. "Corruption is a problem."

At times, it's easier to avoid local obstacles altogether, such as with the arrest of a 28-year-old Ukrainian who was nabbed in a Bangkok ice cream parlor in 2003 while on vacation with his wife. Crabb spent a year intercepting more than 20,000 e-mail messages the suspect exchanged with cohorts and waited for the suspect to leave his native soil.

Arresting a suspect is only half the battle, however. Then come extradition proceedings and cyberforensic trails. "The volume of (forensic) evidence that exists in these cases is obscene," Crabb says. "They take forever to introduce all this evidence in court."

In the cat-and-mouse game of tracking carders, the U.S. Postal Inspection Service might seem like an odd player, since financial crimes generally fall within the purview of the Secret Service and FBI. But the USPIS often becomes involved if the crime includes mail fraud -- such as shipping stolen goods or credit cards through the mail or FedEx or changing the billing address of a victim's financial account.

Crabb focuses on tracking and arresting Eastern Europeans because they're "much more organized and malicious" than U.S. carders who, more often than not, simply work as cashers for the Russians.

"You can take (the cashers) out any day of the week," Crabb says, "but you're not going to stop the problem if you don't take out the operations where the card data is getting compromised, and that's primarily out of Eastern Europe."

The highest-profile carder he tracked, however, was an American named Douglas Havard, who went by the nick "Fargo" and who fled drug-selling charges in Texas before settling in the United Kingdom. There he ran a lucrative cashing operation for a legendary Russian carder called "King Arthur" with a Scottish accomplice. Crabb became involved in the case after a casher for Havard was arrested in Texas while trying to board a plane carrying thousands of dollars in $20 bills.

"I called Department of Justice because I knew Secret Service and FBI had investigations into King Arthur," Crabb says. "We worked (the Texas suspect) to get back to Fargo, and we worked with the National Hi-Tech Crime Unit in the U.K. to take out Fargo."

King Arthur, however, eluded them.

Crabb says that after several years chasing these crimes, authorities are much more attuned to what the criminals are doing today and have been greatly aided by increasing cooperation among businesses and law enforcement agencies. But that isn't always enough. Sometimes, he says, the criminals "are just smarter than us."

Filed under: crime, finance, hacking, news
Posted 6 months ago