April 11, 2005

Big Bad Black Market

Online fraud has been organised, industrialised, institutionalised and big for some time now. When I tell people that, they just look blank; they have no conception of what this means. In a nutshell, it means they're making money, scads of it, and they ain't going away. If that doesn't make any sense, then read this:

"I work in the fraud dept. for a well known US company, and have access to hundreds of CCs (credit card numbers) on a daily basis. All I'm looking for is an easy way to make some money and stay anonymous ..."

New, smarter generation of Internet crooks
Personal-information thieves hook up with people who may help them profit

Carrie Kirby, Chronicle Staff Writer Monday, April 11, 2005

"I work in the fraud dept. for a well known US company, and have access to hundreds of CCs (credit card numbers) on a daily basis. All I'm looking for is an easy way to make some money and stay anonymous ..."

Late last year, someone known as "Elric" posted this message on a Web site for hackers and credit card thieves called Network Terrorism Forums. Within an hour, the Web site shows that Elric received the first of a half-dozen replies -- business offers and advice on how to carry out the theft.

This is the online underworld, where stolen private information is quickly and easily sold over the Internet. The credit card numbers, bank account numbers, eBay accounts and other data sold there are stolen in corporate security breaches like the one at ChoicePoint, through offline crime like old-fashioned pickpocketing, and through scams known as "phishing" attacks, in which criminals trick people into revealing account information with slick-looking fake e-mails.

Cyber crime investigators say deals like the one proposed in Elric's posting are common on a number of similar underground Web sites.

"When you take into account the reach of the Internet and the level of sophistication of the trading in this information, it makes your hair stand on end," said Mike Drewniak, spokesman for the U.S. attorney's office in New Jersey.

These sites have become a dangerous training ground for criminals, where con artists are gaining technical chops and hackers are developing a taste for profit. The result is that online fraud is becoming much more sophisticated and organized.

"It's no longer teenage hackers in a garage trying to rip off credit cards. It is coordinated, organized crime," said Stratton Sclavos, chief executive of VeriSign, a Mountain View security and network infrastructure company that processes and monitors Internet transactions.

Last October, New Jersey prosecutors, along with the Secret Service and the Department of Justice's Computer Crime and Intellectual Property Section, announced they had shut down three of the major online crime Web sites -- Shadowcrew, Carderplanet and Darkprofits -- and arrested 28 alleged participants who are scheduled to go on trial in October.

On Shadowcrew alone, 4,000 members trafficked in at least 1.5 million stolen credit cards, causing losses to financial institutions of more than $4 million, according to the indictment.

But new sites pop up all the time to replace those that law enforcement takes down. The ones that can be easily found online represent just the tip of the iceberg, said David Thomas, chief of the Federal Bureau of Investigation's computer intrusion squad.

"A lot of the more organized groups will be more clandestine about what they do," with invitation-only Web sites, Thomas said. The Internet Relay Chat, or IRC, network, a series of chat rooms that predate the Web, is also a popular meeting place for online crooks.

Denizens of the Internet underworld range from young computer whizzes, to career criminals just getting into computers, to traditional mobsters from established crime families. They live all over the world.

The site where Elric's posting appeared, www.mazafaka.cc, is dominated by Russians, but Americans, Romanians and others can be found on the English-language portion of the site.

When contacted by The Chronicle via instant messenger, Elric said he was a 22-year-old Midwestern college student who had been hacking as a hobby since he was 9 years old. He said he knew little about how to turn his skills into money -- until a Russian man who responded to his posting helped him run up charges on some of the credit cards in his employer's database.

Elric would not reveal his true identity for fear of being arrested, so his story could not be verified. However, his story is typical of a change that's going on in the hacking world, said Christopher Painter, deputy chief of the Justice Department's computer crime unit.

"There's been a convergence," Painter said. "It used to be that the hackers were very technically sophisticated but often didn't do things for a profit." Many hackers were curiosity-driven. They explored corporate networks just to see what was there and wrote viruses just to show they could.

But over the last five years, Painter said, "you see hackers who are doing things for monetary rewards, and the fraudsters becoming sophisticated."

One reason for the growing interest in online fraud: Increasingly, that's where the money is. A quarter of all adults, or 44 percent of Internet users, now use Internet banking, according to the Pew Internet & American Life Project.

How it works

The black market Web sites are part of what the FBI's Thomas calls "nontraditional organized crime." People work together, but they may never meet one another. They may carry out just one illegal transaction together or many.

Here's a typical scenario: A hacker in California steals a batch of credit card numbers from a corporate database. On an underground Web site, he posts a request for help getting money off the cards, just like Elric did.

A Russian partner takes the credit card numbers and uses them to order electronics online. The goods are delivered to a "drop," an address where the resident has agreed to receive stolen merchandise, in the United Kingdom.

The recipient sells the merchandise and sends the proceeds back to the Russian partner, minus the reseller's cut. The Russian partner sends half to the hacker and keeps the other half.

However, since the hackers, thieves and others doing business often don't know one another and remain anonymous, no one knows whom to trust. Rip-offs are rampant. An archive of the now-defunct Shadowcrew site obtained by The Chronicle, and the still-functioning Network Terrorism Forums, show that almost every new offer is met with suspicion.

"If it ain't a rip-off, or an attempt of (Secret Service) to f*** around with us, contact me ..." read one response to Elric's posting.

This has led some Web sites to develop review systems of the sellers not unlike those of eBay and other legitimate e-commerce sites.

According to the indictment, Shadowcrew required the "vendors" to submit their product or service to a trusted community member for review.

Shadowcrew's archives show people who were reviewed for selling merchandise such as stolen credit card numbers and counterfeit credit cards that were created using stolen account information.

In a typical review, the potential seller would provide the reviewer with several credit card numbers -- along with important details such as the expiration date or the three-digit code from the back of the card. The reviewer would try using the card numbers to make purchases, and if they worked, would post a favorable review on the site.

Other vendors were reviewed for selling eBay accounts, which would allow a scam artist to auction off nonexistent merchandise and collect payment while remaining anonymous.

Vendors on the Network Terrorism Forums and other sites are encouraged to get reviewed as well.

To be sure, credit card and bank account fraud is done without using the Internet. But the online world has made it much easier to form sprawling cooperatives to quickly exploit accounts that are often shut down within a day or so after numbers are purloined, law enforcement officials said.

"Because on the Internet you are able to communicate so easily 24 hours a day ... then it's a lot easier to do something on a larger scale and to do so with people overseas," said Assistant U.S. Attorney Arif Alikhan, chief of the computer crimes section for the Central District of California.

Crime families plug in

At the same time that hackers and thieves are forming loose networks online, traditional crime families are also increasingly operating on the Internet.

On Feb. 14, alleged members of the New York Gambino crime family pleaded guilty to a scheme in which they charged the credit cards of consumers who visited pornographic Web sites for "free tours."

According to the indictment in the case, the family had been involved in Internet fraud since the late 1990s.

Traditional mafia in Eastern Europe have been involved in online fraud for years, said Thomas of the FBI.

The Web sites in the online underworld are not just trading posts for stolen information, however. They are places where would-be crooks can get advice on masking their identities online, techniques for stealing data and ideas for how to move around their ill-gotten cash.

One nervous "carder," or stolen credit card user, told peers on Shadowcrew of panicking when a counterfeit card had failed to go through at a store. The carder used his own real credit card instead.

Some members advised the foiled carder to go on the lam, since the store now had his real identity. Others said there was little chance the store would report the incident.

Services are also for sale on these sites, such as creating and hosting phishing Web sites designed to trick people into giving up banking and credit card information.

Phishing e-mails -- one of the fastest-growing threats on the Internet, according to security companies -- look like legitimate messages from banks or online services, but they are really scams. They usually ask recipients to click on a link that sends them to a Web site that also looks real, but is fake. Once there, users are lured into entering account numbers and passwords to "verify" their accounts.

The scammer then uses that information to steal money from victims' accounts or commit identity theft.

One post at the Network Terrorism Forums using the name "Children_Of_Console" offered Web sites that mimic those of 34 banks, including Wells Fargo and Bank of America, for $50 each. For $100, the seller would also provide the wording for the scam e-mail message. All the buyer would have to do is find a way to blast out the e-mail message to as many addresses as possible, then sit back and collect the account information.

Conveniently, e-mail hosting services for sending spam or phishing e-mails can also be found on these sites. Hackers use viruses to secretly take control of hundreds or thousands of personal computers, then use the computers to send spam, for a fee.

Making the digital bust

Catching and prosecuting online fraudsters is not an easy task, especially since the crimes so often involve people overseas, sometimes in many countries.

"It's very difficult working international cases. We get cooperation in countries where we can," said the FBI's Thomas.

While the United States is one of the top sources of fraudulent transactions -- due to heavy Internet use here -- there are other countries where a high percentage of transactions appear to be fraudulent, according to security firm VeriSign.

Belarus, Slovenia and Vietnam had the highest percentages of fraudulent transactions in 2004, but the list is in constant flux. And 58 percent of the Web sites used in phishing attacks are hosted outside the United States, VeriSign said.

There are some successful busts.

Last summer, the U.S. attorney's office for the Northern District of California extradited Ukrainian Roman Vega from Cyprus, for allegedly operating a Web site for trafficking stolen credit card numbers. He was charged with 20 counts of wire fraud and 20 counts of using unauthorized credit cards. If convicted, he faces fines of $250,000 per count, as well as 10 to 20 years in prison for each count, plus possible restitution.

But cases like that aren't the norm, said Ken Silva, vice president of network and security at VeriSign.

"Truth be told, there haven't been very many prosecutions," he said. "The FBI and Secret Service and local law enforcement have had a number of successes, but by and large it goes unpunished. These people don't often get caught."

The FBI has an extensive cyber crime unit and a newly opened computer forensics laboratory in Menlo Park. But the unit acknowledges that Internet fraud is a relatively low priority, taking a backseat to cyber terrorism, computer intrusions, theft of trade secrets and online crimes against children.

"That does not mean we don't work on" Internet fraud, said FBI Special Agent LaRae Quy, "but it is the fifth priority in this division."

Keep it private

Here are tips on protecting your personal information:

-- Guard private information in the physical world by using a locked mailbox and a crosscut paper shredder on mail such as credit card offers and bills.

-- Keep a separate credit card for online transactions, so if anything unusual shows up, you're more likely to notice it and can easily close the account.

-- Don't give your credit card or Social Security number to anyone -- online or over the phone -- without verifying his or her identity.

-- Layering the security measures on your computer will help prevent you from becoming a victim -- or part of the problem. Use a firewall and antivirus software, and download all the updates.

Source: Chronicle research

Chronicle staff writer Dan Fost contributed to this report. E-mail Carrie Kirby at ckirby@sfchronicle.com.

Addendum: new paper on The Economy of Phishing.

Posted by iang at April 11, 2005 02:10 PM