Personal and financial details change hands for just pennies in the online underworld. Delve into the murky depths of cybercrime in our special report

by Jim Giles

How curious. Early this year my bank sent me a replacement credit
card. I hadn't asked for one, and the bank did not elaborate except to
refer vaguely to "security" issues.

I still don't know why my card was replaced, but I have a hunch: a
massive electronic heist at a New Jersey-based company called
Heartland Payment Systems. Heartland acts as a middleman between
retailers and credit card companies, and processes about 100 million
transactions every month. At some point in March 2008, a group of
hackers is believed to have broken through the firm's cyber-defences.
They installed software that, for about four months, secretly relayed
credit and debit card details to an external computer. It is likely
that tens of millions of cards were hacked.

Like many other people, I initially missed the news about Heartland -
perhaps because it was announced on the day of Barack Obama's
inauguration. But my belated discovery made me wonder what would have
happened to my credit card details if they had been stolen. So I
called internet security company Team Cymru, based in Burr Ridge,
Illinois. A few weeks later, cybercrime experts Steve Santorelli and
Levi Gundert introduced me to a sprawling criminal underworld so large
and pervasive that no one can control it.

This underworld is surprisingly easy to access. It consists of a
network of online chatrooms and web forums where stolen information is
openly traded, along with off-the-shelf software tools needed to pull
off just about every kind of online scam going. "This is an economy
that is worth billions of dollars," says Dean Turner of the security
company Symantec in Calgary, Canada. "It's highly organised.
Everything that criminals need is available for sale."

It was not always like this. In the early days, criminal hacking
required advanced technical skills. But organised crime has moved in
and the black market has become a service economy where anybody can
buy a career in cybercrime.

As soon as Santorelli and Gundert log me onto a chatroom, messages
start to appear.

<cinch>: I got fresh hacked UK cvv2's

My guides explain. This means that a criminal by the name of "cinch"*
is selling stolen British credit card details. "CVV2" means he or she
has the full credit card numbers, expiry dates, billing addresses and
the three-digit security codes on the back of the cards - all the
details you need to make a purchase at most online retailers. These
will cost you anything from about 50 cents to $12 depending on the
card's credit limit, where it comes from and how many you want to buy.

Gundert says that cinch or an associate probably obtained these
details by hacking an online retailer or an intermediary like
Heartland. Web retailers routinely employ tough electronic protection,
but hackers are frighteningly adept at finding and exploiting holes in
their defences. Once hackers are in, they can scoop up credit card
details and start selling them. The retailer may never know its
defences have been breached.

Symantec estimates that almost a third of all adverts in the
underground economy are for credit card information of some type (see
diagram). While I've been talking to Santorelli and Gundert, a new,
more sinister message has appeared:

<loopz>: Uk US Dump Track 1 Track 2

Loopz is selling "dumps" - CVV2s plus all the information encoded in
the card's magnetic stripe, known as Track 1, or that stored in the
chip that is built into many European cards, which is called Track 2.

Dumps are more valuable. Access to these details allows criminals to
print "cloned" credit cards and shop almost anywhere. The
card-printing equipment costs $20,000 to $30,000, but is available
legally. If that investment is too great, traders can email the
details to criminal specialist printers who will run off cards and
return them by mail for just a few dollars per card.

I send a message to loopz asking about price and availability. Minutes
later I get a reply: he has 10 dumps and wants $15 for each.

That seems ridiculously cheap for details that could potentially be
"cashed out" for thousands of dollars. A few months back, loopz might
have been asking several times that. But supply and demand shape this
market, just like any other, and recently prices have slumped. It is
impossible to say why, though the economic slowdown is probably not
the cause: credit card fraud, says Turner, is a recession-proof
business. Santorelli's guess is that the market has been flooded with
information stolen from Heartland.

As in any transaction, however, let the buyer beware. Anyone who took
loopz up on the offer would probably have come away empty-handed.
Santorelli says that 9 out of 10 traders in the chatroom are "rippers"
- con artists who take the money and run. To combat this, many
chatroom operators impose a ratings system not unlike the ones you
find on eBay or Amazon. Most of the 340 people in the room are, like
loopz, unrated, but a few have coloured dots next to their name which
indicate that they have shown some level of trustworthiness in their
previous transactions: the colour changes from yellow to blue to green
to red as the trader's reputation grows. I guess that's what they mean
by honour among thieves.

There are a handful of "reputable" traders in the room, including one
called netter who has a blue dot next to his name.

<netter>: Selling USA Fulls Cvv2 Info + SSN MMN DOB 8$ Per 1

This marks netter out as an identity thief. "Fulls" is jargon for a
collection of information that includes credit card details but also
more personal details: SSN for social security number, MMN for
mother's maiden name and DOB for date of birth. Criminals can use
these details to apply for credit cards, take out loans or set up bank
accounts to launder money.

Retail systems like Heartland's do not generally contain personal
information, but hackers find it surprisingly easy to dupe people into
handing it over. "Netter is almost certainly getting his information
by phishing," says Gundert. He's referring to scams that direct users
to websites that look almost identical to those operated by major
banks. In reality, the sites are run by criminals, who use them to
trick people into giving away the kind of information that netter is
selling.

Phishing sounds like a complex operation, and five years ago it was.
But like e-commerce in general the black economy has matured. Now a
relatively unskilled criminal can buy everything they need to go
phishing. I saw several adverts for off-the-shelf phishing kits, and
others for hacked access to internet servers, which phishers need to
host their fake websites. Still others were hawking scanners -
software that roams the internet looking for holes in servers'
defences. I could also have bought hacked email logins, which can be
used to squat on the web space that comes free with most internet
accounts but which few people use.

Phishing is not the only way to steal logins. Hackers can also
covertly install "keylogger" software, perhaps by attaching it to an
email that appears to come from a friend. Once installed, the
keylogger monitors every keystroke a user makes and relays details to
a remote computer known as a dropzone.

Last year, Thorsten Holz at the University of Mannheim in Germany
took a close look at keylogging. He and colleagues tracked down
240 dropzones and took a peek inside 70 of them. They found usernames
and passwords for around 5700 eBay accounts, login details for over
10,000 bank accounts and 5700 credit card numbers. Holz estimates that
this information was worth $16 million.

So if just 70 dropzones open the way to such a large sum of money, how
much is the entire black economy worth? Since criminals do not file
company reports, it is hard to be precise. In one of only a
handful of independent studies, Vern Paxson of the International
Computer Science Institute at the University of California, Berkeley,
monitored chatroom trading over a seven-month period in 2006. He saw
over 13 million messages sent under 100,000 different names. Every
day, more than 400 credit card numbers were posted, and hacked access
to bank accounts containing millions of dollars offered. Almost 4000
valid social security numbers were posted in total. All in all, Paxson
observed trades worth $93 million.

The underground economy is almost certainly much larger than that now.
A year-long monitoring exercise run by Symantec in 2007 and 2008
identified credit card details, bank accounts and other stolen
information worth $276 million on just a small sample of underground
chatrooms.

Not surprisingly, individual criminals can make a fortune. For
example, the US government is currently trying to take possession of
$1,650,000 in cash, a condominium in Miami and a BMW owned by hacker
Albert "CumbaJohnny" Gonzalez, who was charged last August along
with 10 alleged accomplices from the US, China, Belarus, Ukraine and
Estonia.

I found it unsettling to watch people like this doing business in the
chatrooms. The fact that the conversation was public didn't stop me
feeling that I was eavesdropping: it was as if I was overhearing a
gang discussing plans for a bank robbery. But there is a crucial
difference. In the real world, I could call the police and identify
the plotters. Tracking down the people hiding behind usernames like
netter and cinch is close to impossible.

The first layer of anonymity is provided by the servers running the
chatrooms, which are programmed to mask the identity of traders. I
asked the server to supply information on loopz. Here's what came
back:

< >: lo...@xxxxxxx-6c3f616c.adsl-static.isp.belgacom.be

Even to an expert eye, this means little except that the chatroom
server is set up to hide the trader's identity. The last parts suggest
that loopz may be connected via Belgacom, a Brussels-based
internet service provider, but there is no guarantee of that, as there
are numerous ways for hackers to obscure the route they use to
connect. Some rent time on legitimate servers and send their messages
from them rather than their home computers. Others use bots - illegal
software installed covertly on other computers - to relay messages for
them. Either method makes it very difficult for law enforcement
officers to identify the location of the sender.

Tracking down the chatroom servers is equally difficult. I ran a
standard search, known as a "whois query", to establish the internet
address of the chatroom. It revealed only that the operators have an
appreciation of irony: they had registered the server under the name
and address of the New York State Division of Criminal Justice
Services.

Law enforcement experts, such as the cyber-security team run by the
FBI, have more sophisticated methods for locating chatroom servers,
but the trail often leads to countries such as China or Russia, where
foreign agencies can find it time-consuming to collaborate with the
police. Security experts say better international cooperation is
producing results, such as last year's arrest of two prominent Turkish
hackers. There will always be some governments, however, that will not
work with authorities in the west, where most victims of cybercrime
live.

With no technological fix, law enforcement has to rely on
old-fashioned detective techniques, such as sting operations and the
use of informants. The police can also work up the trading chain by
catching criminals using stolen credit cards in stores and then
tracing the traders who supplied the forged plastic.

All these techniques have played a part in the big police successes of
recent years, including the September 2007 arrest of Max "Iceman"
Butler, a trader from San Francisco who is alleged to have run a site
known as Cardersmarket and to have personally sold tens of thousands
of credit card numbers. A month earlier, a US Secret Service
investigation culminated in the arrest of 11 people in what federal
officials said was the biggest ever identity-theft and hacking bust.

Victories like that are causes for celebration, and not just for card
issuers and retailers. If somebody hacks your credit card, they pick
up the bill. But both ultimately pass the cost onto consumers. So in
the end, we all pay for the ill-gotten gains of cinch and netter.

The cost would be smaller if we all took steps to defend ourselves
(see "Beat the cybercrooks"). But with so much money to be made,
the threat is not going to go away. "There is never going to be a
silver bullet," says Santorelli. "We can make it harder for these
criminals, but we'll never stop them."

* The names of all traders have been changed, and some of the messages
edited for clarity

Beat the cybercrooks

Online crime is not going to go away, but there is no reason to be a
sitting target. Here's how you can stay one step ahead of the
fraudsters:

Use hard-to-guess passwords, not ones with obvious personal links,
such as your birthday or the name of your street. Good passwords
include a combination of upper and lower-case letters, numbers and
other characters.

Change your passwords often.

Use an up-to-date browser, operating system and antivirus software.

Turn your computer's firewall on and, if you are using Windows, set up
your computer to automatically download new security patches from
Microsoft.

Never download email attachments from people you do not know or trust.
Avoid attachments that you were not expecting, even if they are from a
known source.
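The password advice in the sidebar can be turned into a small checker. The code below is an added example written for this reprint, not part of the article; the length threshold, the list of "personal terms" (birthday, street name) and the substitution table used to undo tricks like "M@rk3t" are my own assumptions about what "hard to guess" should mean, and the sample passwords are constructed.

```python
"""Password-policy checker illustrating the sidebar's advice.

Added example, not from the article. The thresholds and the leetspeak
substitution table are assumptions, not a published standard.
"""
import re
import string
from dataclasses import dataclass, field

# Substitutions that guessing tools routinely undo, so "M@rk3t" is no
# safer than "market". Assumed table; deliberately small.
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


@dataclass
class PasswordCheck:
    ok: bool
    problems: list = field(default_factory=list)


def _normalize(text: str) -> str:
    """Lower-case, drop spaces and separators, undo common substitutions."""
    compact = re.sub(r"[\s\-_]", "", text.lower())
    return compact.translate(_LEET)


def check_password(password: str, personal_terms=(), min_length=12) -> PasswordCheck:
    """Return the list of ways a candidate password falls short of the sidebar's advice.

    personal_terms: strings with an obvious personal link (pet names, street
    names, family names) that the password must not contain, even disguised.
    """
    problems = []

    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # "upper and lower-case letters, numbers and other characters"
    classes = {
        "lower-case letter": any(c.islower() for c in password),
        "upper-case letter": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "other character": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))

    # "not ones with obvious personal links": check the raw lower-cased
    # password and the de-leeted form, so "Fluffy" and "Fluff7" both trip.
    raw = password.lower()
    norm = _normalize(password)
    for term in personal_terms:
        t = _normalize(term)
        if len(t) >= 3 and (t in raw or t in norm):
            problems.append(f"contains personal term {term!r}")

    # A four-digit year is a strong hint of a birthday.
    if re.search(r"(19|20)\d{2}", password):
        problems.append("contains a year, which looks like a birthday")

    # Runs of the same character pad length without adding strength.
    if re.search(r"(.)\1{2,}", password):
        problems.append("repeats a character three or more times")

    return PasswordCheck(ok=not problems, problems=problems)


if __name__ == "__main__":
    # Constructed samples: a pet name plus birth year, a disguised street
    # name, a long all-lower-case phrase, and one that passes every rule.
    samples = [
        ("Fluffy1984!", ["Fluffy", "Elm Street"]),
        ("M@rk3tStreet2019!", ["Market Street"]),
        ("correct horse battery staple", []),
        ("Tr4v3l#Mugs-Quietly9", []),
    ]
    for pw, terms in samples:
        result = check_password(pw, personal_terms=terms)
        verdict = "ok" if result.ok else "; ".join(result.problems)
        print(f"{pw!r}: {verdict}")
```

The point of the normalisation step is that the sidebar's "combination of upper and lower-case letters, numbers and other characters" is necessary but not sufficient: a street name with a couple of symbols swapped in satisfies the character-class rule and still has an obvious personal link.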


Jim Giles is a writer based in San Francisco
