January 14, 2010 -- To the casual observer, there was little to distinguish the Java Bean internet cafe in Wembley from the hundreds of others dotted around the capital. But to surveillance officers staking it out month after month, this unremarkable venue was the key to busting a remarkable and sophisticated network of cyber criminals. From the bank of computers inside, a former pizza bar worker ran an international cyber "supermarket" selling stolen credit card and account details costing the banking industry tens of millions. Renukanth Subramaniam, 33, was revealed today as the founder and a major "orchestrator" of the secret DarkMarket website, where elite fraudsters bought and sold personal data, after it was infiltrated by the FBI and the U.S. Secret Service. Membership was strictly by invitation. But once vetted, its 2,000 vendors and buyers traded everything from card details, obtained through hacking, phishing and ATM skimming devices, to viruses with which buyers could extort money by threatening company websites. The top English language cybercrime site in the world, it offered online tutorials in account takeovers, credit card deception and money laundering. Equipment – including false ATM and pin machines and everything needed to set up a credit card factory – was available. It even featured breaking-news-style updates on the latest compromised material available, while criminals could buy banner adverts to promote their wares. So vast was its reach, with members in the UK, Canada, U.S., Russia, Turkey, Germany and France, the UK's Serious Organised Crime Agency (Soca), which helped bust it, said it was "impossible" to put a figure on how much it cost banks worldwide.
Subramaniam, who used the online soubriquet JiLsi, was remanded in custody at his own request at Blackfriars crown court today after pleading guilty to conspiracy to defraud and five counts of furnishing false information. Judge John Hillen warned it was "inevitable" he faced a "substantial custodial sentence". A Sri Lankan-born British citizen, Subramaniam was a former member of ShadowCrew, DarkMarket's forerunner, which was uncovered by the U.S. Secret Service in 2004. "JiLsi was one of the highest in cybercrime in this country with what he managed to achieve setting up a forum globally. No JiLsi, no DarkMarket," said one Soca investigator. Its 2,000 members never met in real life. Quality, not quantity, was the key. DarkMarket was fastidious in banning "rippers" who would cheat other criminals. Honour among thieves was paramount. It operated an "escrow" service, with payments and goods exchanged through a third party – "like a PayPal for criminals", the judge observed, and an arbitration service resolved disputes. To keep off the radar, the rules were strict: no firearms, drugs or counterfeit currency. Built on a pyramid structure, administrators decided who joined, moderators ran specific site sections, and reviewers vetted wannabes – each demanding 5% or £250 per transaction as a fixer's fee. To get on, criminals had to present details of 100 compromised cards free of charge - 50 to one reviewer, 50 to another. Reviewers would test the cards and write an online review of customer satisfaction – just like eBay customers. "If the cards did what they were supposed to … they would be recommended. If not they weren't allowed in," said the investigator. Payment was via accounts on WebMoney, or E-Gold. "It was the QuickTime method of sending money anywhere."
Subramaniam was one of the top administrators. He kept his operating system on memory sticks. But when one was stolen, costing him £100,000 in losses and compromising the site's security, he was downgraded to reviewer. Surveillance officers caught him logging on to the website as JiLsi unaware the fellow criminal MasterSplyntr he was talking to was, in fact, an FBI agent called Keith Mularski. Considerable money was exchanged, though actual transactions took place away from the site for security reasons. One buyer spent £250,000 on stolen personal information in just six weeks. Described as "a very quiet man", Subramaniam worked at Pizza Hut and as a dispatch courier. "He owned three houses but was largely itinerant," said Sharon Lemon, Soca deputy director. "The key to investigations of this sort is finding the evidence to connect the online persona with a living, breathing person." Harendra de Silva QC, defending Subramaniam, said the "evidence was unchallenged" but said the "question of interpretation does arise in certain areas" and there would be submissions on "nuance" of the fraud in so far as it applied to his client. He is charged alongside John McHugh, 66, known as Devilman, also a site reviewer who has pleaded guilty to conspiracy to defraud and at whose Doncaster home officers found a credit card-making factory. The two will be sentenced later. But the battle against cybercrime continues. "This was one of the top 10 sites in the world, but there are more than 100 we know of globally, and another 100 we don't yet know of," said the investigators.
In the DarkMarket
DarkMarket price list
Trusted vendors on DarkMarket offered a smorgasbord of personal data, viruses, and card-cloning kits at knockdown prices. Going rates were:
- Dumps (data from the magnetic stripes of a batch of 10 cards): standard cards $50; gold/platinum $80; corporate $180.
- Card verification values (information needed for online transactions): $3-$10 depending on quality.
- Full information/change of billing (information needed for opening or taking over accounts): $150 for an account with a $10,000 balance; $300 for one with a $20,000 balance.
- Skimmer (device to read card data): up to $7,000.
- Bank logins: 2% of the available balance.
- Hire of a botnet (software robots used in spam attacks): $50 a day.
- Credit card images (both sides of the card): $30 each.
- Embossed card blanks: $50 each.
- Holograms: $5 per 100.
Thread: Cybercrime stories
14th January 2010 22:00 #57 | Super Moderator
18th January 2010 15:50 #58 | Super Moderator
January 18, 2010 -- Consumers giving money to help those hit by last week's Haiti earthquake have been warned about a flurry of online scams. Fraudsters attempting to cash in on last week's disaster are sending fake emails soliciting donations, and setting up poisoned search results which can infect computers with viruses. The technology company Symantec, which produces anti-virus software, said it had seen an email purporting to be from the British Red Cross asking charitable readers to make a donation using a Western Union transfer. The email does have the correct postal address for the charity, but it is badly written and includes a spelling mistake, and the name of the person sending it and the bank account details have nothing to do with the Red Cross appeal. "Cyber-scammers are quick to prey on people's emotions with bogus emails and phoney websites devised to steal what should have been charitable donations," said Abigail Lovell, a spokeswoman for Symantec. "Any money sent using the instructions in this email would not help anyone in Haiti, it would end up in the pockets of a cyber criminal."
The scam email is an example of a 419-fraud, so called because of the article of the Nigerian Criminal Code which covers this type of activity. The website 419eater.com yesterday posted another example of an email which also appears to be trying to use the Haitian disaster as a way to rip people off. It claims to be from a London-based charity called Help the World, but the address listed is that of a pub in Islington. Again it asks for money to be handed over via a Western Union transfer – something genuine charities do not tend to do – and the charity is not registered with the UK's Charity Commission. Kate Beddington-Brown of the fraud prevention service Cifas said she wasn't surprised that criminals had found a way to target unsuspecting consumers, but it was "particularly horrible" that the crisis in Haiti was being used in this way. She said consumers should report scams like this to Consumer Direct, using its online form, and check the legitimacy of a charity with the Charity Commission, which keeps a list of registered causes.
A spokeswoman for the Disasters Emergency Committee (DEC) said the best way to make sure donations were going to the main charities involved with the aid effort was to give via itself. The DEC is an umbrella organisation for 13 agencies including Oxfam, Save the Children and Christian Aid. Some reputable charities including Unicef are holding their own appeals. It is collecting through traditional channels, such as its website and by phone, while the retailer H&M is raising funds by asking shoppers to donate £1 when they pay for goods. Earlier today the singer Wyclef Jean denied he was making money through his U.S. charity, which is currently raising funds for earthquake victims. Jean said claims that he had profited personally through Yele Haiti were "baseless attacks".
18th February 2010 21:59 #59 | Super Moderator
Siobhan Gorman:
February 18, 2010 -- Hackers in Europe and China successfully broke into computers at nearly 2,500 companies and government agencies over the last 18 months in a coordinated global attack that exposed vast amounts of personal and corporate secrets to theft, according to a computer-security company that discovered the breach. The damage from the latest cyberattack is still being assessed, and affected companies are still being notified. But data compiled by NetWitness, the closely held firm that discovered the breaches, showed that hackers gained access to a wide array of data at 2,411 companies, from credit-card transactions to intellectual property. The hacking operation, the latest of several major hacks that have raised alarms for companies and government officials, is still running and it isn't clear to what extent it has been contained, NetWitness said. Also unclear is the full amount of data stolen and how it was used. Two companies that were infiltrated, pharmaceutical giant Merck & Co. and Cardinal Health Inc., said they had isolated and contained the problem.
Starting in late 2008, hackers operating a command center in Germany got into corporate networks by enticing employees to click on contaminated Web sites, email attachments or ads purporting to clean up viruses, NetWitness found. In more than 100 cases, the hackers gained access to corporate servers that store large quantities of business data, such as company files, databases and email. They also broke into computers at 10 U.S. government agencies. In one case, they obtained the user name and password of a soldier's military email account, NetWitness found. A Pentagon spokesman said the military didn't comment on specific threats or intrusions. At one company, the hackers gained access to a corporate server used for processing online credit-card payments. At others, stolen passwords provided access to computers used to store and swap proprietary corporate documents, presentations, contracts and even upcoming versions of software products, NetWitness said. Data stolen from another U.S. company pointed to an employee's apparent involvement in criminal activities; authorities have been called in to investigate, NetWitness said. Criminal groups have used such information to extort sensitive information from employees in the past.
The spyware used in this attack allows hackers to control computers remotely, said Amit Yoran, chief executive of NetWitness. NetWitness engineer Alex Cox said he uncovered the scheme January 26 while installing technology for a large corporation to hunt for cyberattacks. That discovery points to the growing number of attacks in recent years that have drafted computers into cyber armies known as botnets — intrusions not blocked by standard antivirus software. Researchers estimate millions of computers are conscripted into these armies. "It highlights the weaknesses in cyber security right now," said Adam Meyers, a senior engineer at government contractor SRA International Inc. who reviewed the NetWitness data. "If you're a Fortune 500 company or a government agency or a home DSL user, you could be successfully victimized." Disclosure of the attack comes on the heels of Google Inc.'s allegation that it and more than 20 other companies were breached by Chinese hackers. This operation appears to be more far-reaching, infiltrating some 75,000 computers and touching 196 countries. The highest concentrations of infected computers are in Egypt, Mexico, Saudi Arabia, Turkey and the U.S.
NetWitness, based in Herndon, Virginia, said it was sharing information with the companies infected. Mr. Yoran declined to name them. The company provides computer security for U.S. government agencies and companies. Mr. Yoran is a former Air Force officer who also served as cyber security chief at the Department of Homeland Security. Besides Merck and Cardinal Health, people familiar with the attack named several other companies infiltrated, including Paramount Pictures and software company Juniper Networks Inc. Merck said in a statement that one computer had been infected. It said it had isolated the attack and that "no sensitive information was compromised." Cardinal said it removed the infected computer from its network. Paramount declined to comment. Juniper's security chief, Barry Greene, wouldn't speak about any specific incidents but said the company worked aggressively to counter infections. NetWitness, which does extensive work for the U.S. government and private-sector clients, said it was sharing its information with the Federal Bureau of Investigation. The FBI said it received numerous allegations about potential compromises of network systems and responded promptly, in coordination with law-enforcement partners.
The computers were infected with spyware called ZeuS, which is available free on the Internet in its basic form. It works with the FireFox browser, according to computer-security firm SecureWorks. This version included a $2,000 feature that works with FireFox, according to SecureWorks. Evidence suggests an Eastern European criminal group is behind the operation, likely using some computers in China because it's easier to operate there without being caught, said NetWitness's Mr. Yoran. There are some electronic fingerprints suggesting the same group was behind a recent effort to dupe government officials and others into downloading spyware via emails purporting to be from the National Security Agency and the U.S. military, NetWitness's Mr. Yoran said. That attack was described in a February 5 report from the Department of Homeland Security, which said it was issuing an alert to the government and other organizations to "prevent further compromises." A DHS official said that ZeuS was among the top five reported tools for malware infections.
25th February 2010 20:58 #60 | Super Moderator
February 25, 2010 -- Microsoft has won court approval to shut down a global network of computers which it says is responsible for more than 1.5 billion spam messages every day. A U.S. judge granted the firm's request to shut down 277 internet domains, which it said were used to "command and control" the so-called Waledac botnet. A botnet is a network of infected computers under the control of hackers.
The firm said that closing the domains would mean that up to 90,000 PCs would stop receiving orders to send out spam. A recent analysis by the firm found that between 3-21 December "approximately 651 million spam e-mails attributable to Waledac were directed to Hotmail accounts alone". It said it was one of the 10 largest botnets in the U.S. Machines in a botnet have usually been infected by a computer virus or worm. Typically, users do not know their machine has been hijacked. Microsoft said that although it had effectively shut down the network, thousands of computers would still be infected with malware and advised people to run anti-virus software.
The court order was part of what was called "Operation b49". Along with intelligence organisation Shadowserver, the University of Washington and security firm Symantec, Microsoft managed to get a court in Alexandria, Virginia, to force Verisign, which manages the .com domain, to temporarily switch off the domains. Microsoft said it was the result of months of investigation and described it as a legal first. "This action has quickly and effectively cut off traffic to Waledac at the .com or domain registry level, severing the connection between the command and control centres of the botnet and most of its thousands of zombie computers around the world."

3rd March 2010 21:53 #61 | Super Moderator
March 3, 2010 -- Spanish investigators have arrested three alleged ringleaders of the so-called "Mariposa" botnet, which had infected and controlled up to 12.7 million PCs, including more than 500 of the U.S. Fortune 1,000 companies and more than 40 major banks. The PCs, running Microsoft Windows, were spread among 190 countries, and infected by a computer virus that allowed the ringleaders to steal credit card details and online banking credentials, as well as sensitive data from the hard drives of the machines.
The Spanish authorities worked with a number of private computer security companies, including Panda Security and Defence Intelligence, to track down the alleged controllers of the botnet, which seems to have been started in December 2008 and was first detected in May 2009. More arrests are expected in other countries. The arrests are significant because the masterminds behind the biggest botnets are not often taken down. And the suspects are not the stereotypical genius programmers often associated with cybercrime. Instead, they had underworld contacts who helped them to build and operate the botnet, Cesar Lorenza, a captain with Spain's Guardia Civil, which is investigating the case, told the Associated Press.
Investigators are examining bank records and seized computers to determine how much money the criminals made. "They're not like these people from the Russian mafia or Eastern European mafia who like to have sports cars and good watches and good suits. The most frightening thing is they are normal people who are earning a lot of money with cybercrime," Lorenza said. The three suspects, who were not named, were described as Spanish citizens with no criminal records. They face up to six years in prison if convicted of hacking charges. Spanish authorities identified them by their internet "handles" and their ages: "netkairo", 31; "jonyloleante", 30; and "ostiator", 25.
Botnets are networks of infected PCs that have been hijacked from their owners, often without their knowledge, and put into the control of criminals. Linked together, the machines supply an enormous amount of computing power to spammers, identity thieves, and internet attackers, who can mount "denial of service" attacks against companies – or blackmail them by threatening to block them at crucial times. The Mariposa botnet, which has been dismantled, was easily one of the world's biggest. Christopher Davis, CEO for Defence Intelligence, who first discovered the Mariposa botnet, said: "It would be easier for me to provide a list of the Fortune 1000 companies that weren't compromised, rather than the long list of those who were."
Davis said he noticed the infections when they appeared on networks of some of his firm's clients, including pharmaceutical companies and banks. But it was several months later before he realized the infections were part of something much bigger. After seeing that some of the servers used to control computers in the botnet were located in Spain, Davis and researchers from the Georgia Tech Information Security Center joined with software firm Panda Security, which is headquartered in Bilbao, Spain.
Critically, one suspect made direct connections from his own computer seeking to reclaim control of his botnet after authorities took it down. Investigators were able to identify him based on that traffic, and were able to back up their claims with records from domains he registered where he would eventually host malicious content. It turned out that the people behind the botnet – its "runners" – had infected computers by instant-messaging malicious links to contacts on infected computers. They also uploaded viruses onto removable thumb drives and through peer-to-peer networks. The program used to create the botnet was known as Mariposa, from the Spanish word for "butterfly."
"I don't think there's anything about this guy that makes him smarter than any of the other botnet guys, but the (Mariposa) software, it's very professional, it's very effective," said Pedro Bustamante, senior research adviser with Panda Security. "It came alive and started spreading and it got bigger than him." But, he added: "Our preliminary analysis indicates that the botmasters did not have advanced hacking skills. This is very alarming because it proves how sophisticated and effective malware distribution software has become, empowering relatively unskilled cyber criminals to inflict major damage and financial loss."
While arrests of people accused of running smaller botnets are fairly common, the biggest botnet leaders are rarely caught. That's partly because it's easy for criminals to hide their identities by disguising the source of their internet traffic. Often, every computing resource they use is stolen. For instance, there have been no arrests – nor even any public identification of suspects – in the spread of the Conficker worm, which was set up in November 2008 and infected between 3 million and 12 million Windows PCs, causing widespread fear that it could be used as a kind of internet super-weapon. The Conficker botnet is still active, but is closely watched by security researchers. The infected computers have so far been used to make money in standard ways for such infected machines – pumping out spam and spreading fake antivirus software.