TELECOM Digest OnLine - Sorted: Cybercrime Flourishes in Hacker Online Forums


Cybercrime Flourishes in Hacker Online Forums


Byron Acohido & Jon Swartz, USA Today (usatoday@telecom-digest.org)
Mon, 02 Apr 2007 14:40:57 -0500

By Byron Acohido and Jon Swartz, USA TODAY

SEATTLE -- Criminals covet your identity data like never before. What's
more, they've perfected more ways to access your bank accounts, grab
your Social Security number and manipulate your identity than you can
imagine.

Want proof? Just visit any of a dozen or so thriving cybercrime forums,
websites that mirror the services of Amazon.com and the efficiencies of
eBay. Criminal buyers and sellers convene at these virtual emporiums to
wheel and deal in all things related to cyberattacks and in the fruit
of cyberintrusions: pilfered credit and debit card numbers, hijacked
bank accounts and stolen personal data. They've got it all available.

The cybercrime forums gird a criminal economy that robs U.S. businesses
of $67.2 billion a year, according to an FBI projection. Over the past
two years, U.S. consumers lost more than $8 billion to viruses, spyware
and online fraud schemes, Consumer Reports says.

In 2004, a crackdown by the FBI and U.S. Secret Service briefly
disrupted growth of the forums. But they soon regrouped, more robust
than ever. Today, they are maturing -- and consolidating -- just like
any other fast-rising business sector, security experts and law
enforcement officials say. In fact, this summer a prominent forum
leader who calls himself Iceman staged a hostile takeover of four
top-tier rivals, creating a megaforum.

Security firms CardCops, of Malibu, Calif., and RSA Security, a
division of Hopkinton, Mass.-based EMC, and volunteer watchdog group
Shadowserver observed the forced mergers, as well, and compiled dozens
of takeover-related screen shots. "It's like he created the Wal-Mart
of the underground," says Dan Clements, CEO of CardCops, an
identity-theft-prevention company. "Anything you need to commit your
crimes, you can get in his forum."

The Secret Service and FBI declined to comment on Iceman or the
takeovers. Even so, the activities of this mystery figure illustrate
the rising threat that cybercrime's relentless expansion -- enabled
in large part by the existence of forums -- poses for us all.

In the spy vs. spy world of cybercrime, where trust is ephemeral and
credibility hard won, CardersMarket's expansion represents the latest
advance of a criminal business segment that began to take shape with
the formation of the pioneering Shadowcrew forum.

Shadowcrew, which peaked at about 4,000 members in 2004, arose in
2002. It established the standard for cybercrime forums -- set up on
well-designed, interactive Web pages and run much like a well-organized
co-op. Communication took place methodically, via the exchange of
messages posted in topic areas. Members could also exchange private
messages.

Shadowcrew gave hackers and online scammers a place to congregate,
collaborate and build their reputations, says Scott Christie, a former
assistant U.S. Attorney in New Jersey who helped prosecute some of its
members.

In the October 2004 dragnet, called Operation Firewall, federal agents
arrested 22 forum members in several states, including co-founder Andrew
Mantovani, 24, aka ThnkYouPleaseDie. At the time, Mantovani was a
community college student in Scottsdale, Ariz. In August, he began
serving a 32-month federal sentence for credit card fraud and
identification theft.

Shadowcrew as catalyst

Shadowcrew's takedown became the catalyst for the emergence of forums
as they operate today. With billions to be made, new forums have
reformed like amoebas, splintering into 15 to 20 smaller-scale
co-ops. "They learned that it's best to disperse," says Yohai Einav,
director of RSA Security's Tel Aviv-based fraud intelligence team.

Forum leaders have become increasingly selective about accepting new
members. "Vouching" for new members is now the norm, requiring a
member in good standing to extend an invitation to new recruits. Some
forums charge an initiation fee; others limit the power to invite new
members to the forum leaders.

Veteran vendors and buyers typically do business in multiple forums
simultaneously, in case any particular forum shuts down.

"If criminals get caught one way, they modify their behavior," says
Kevin O'Dowd, an assistant U.S. Attorney in New Jersey who prosecuted
the Shadowcrew case.

Some forums have become known for their specialties, such as offering
free research tools to do things such as confirming the validity of a
stolen credit card number or learning about security weaknesses at
specific banks. A few offer escrow services, handling the details of
complex deals for a fee.

The better-run forums invest in tech-security measures that have become
the norm in the corporate world, such as use of encrypted Web pages. All
forums run aggressive campaigns to identify and sweep out rippers -- the
con artists who gain membership and instigate deals, only to renege on
their part of the bargain.

From this post-Shadowcrew milieu, Iceman has emerged as a forum
leader to watch.

RSA Security has tracked Iceman's postings on CardersMarket since
October 2005; CardCops has compiled an archive of hundreds of postings
on several forums by someone using the nickname Iceman since January
2006.

In the boastful world of cybercrime, nicknames, or nics, are
sacrosanct. It's not unusual for a hacker or cyberthief to go by two
or three different nics, but unthinkable for two or three people to
knowingly share the same nic, says RSA Security's Einav. "I believe
we're talking about one guy and not a group hiding behind his name,"
he says.

Hostile takeover

Clearly enterprising and given to posting rambling messages explaining
his strategic thinking, Iceman grew CardersMarket's membership to
1,500. On Aug. 16, he hacked into four rival forums' databases,
electronically extracted their combined 4,500 members, and in one
stroke quadrupled CardersMarket's membership to 6,000, according to
security experts who monitored the takeovers.

The four hijacked forums -- DarkMarket, TalkCash, ScandinavianCarding and
TheVouched -- became inaccessible to their respective members. Shortly
thereafter, all of the historical postings from each of those forums
turned up integrated into the CardersMarket website.

To make that happen, Iceman had to gain access to each forum's
underlying database, tech-security experts say. Iceman boasted in online
postings that he took advantage of security flaws lazily left unpatched.
CardCops' Clements says he probably cracked weak database passwords.
"Somehow he got through to those servers to grab the historical postings
and move them to CardersMarket," he says.

Iceman lost no time touting his business rationale and hyping the
benefits. In a posting on CardersMarket shortly after completing the
takeovers he wrote: "basically, (sic) this was long overdue ... why
(sic) have five different forums each with the same content, splitting
users and vendors, and a mish mash of poor security and sometimes poor
administration?"

He dispatched an upbeat e-mail to new members heralding CardersMarket's
superior security safeguards. The linchpin: a recent move of the forum's
host computer server to Iran, putting it far beyond the reach of U.S.
authorities. He described Iran as "possibly the most politically distant
country to the United States (sic) in the world today."

At USA TODAY's request, CardCops traced CardersMarket's point of origin
and confirmed that it is registered to a computer server in Iran.

If Iceman succeeds in establishing CardersMarket as the Wal-Mart of
forums, its routing through an Iranian server will make an already
complex law enforcement challenge that much more difficult, security
experts say.

"Chasing these carding fraudsters is like chasing terrorists in
Afghanistan," says RSA Security's Einav. "You know they are somewhere
out there, but finding their caves, their underground bunkers, is
almost impossible."

The U.S. Secret Service declined to answer questions about Iceman and
CardersMarket. It would not acknowledge whether they are under
investigation as part of Operation Rolling Stone, the most intensive
federal probe of cybercrime since Operation Firewall. This year, 35
suspects have been arrested. No names were initially released, but a
few have surfaced after indictments were unsealed.

Suspects include Binyamin Schwartz, 28, of Oak Park, Mich., indicted
in July in Nashville for allegedly trafficking more than 100,000
Social Security numbers, and Paulius Kalpokas, 23, of Lithuania, whose
extradition to Nashville on charges of trafficking stolen credit card
data has been requested.

Schwartz "got caught up in something on the Internet but did not
profit from it," says Sanford Schulman, Schwartz's attorney. "He
inquired about acquiring information online without criminal intent,
nor was he involved in a sophisticated enterprise."

Secret Service spokesman Thomas Mazur says Operation Rolling Stone is
designed to "disrupt and dismantle any of these carding forums," but
he declined to say which forums or how many are being investigated.

Security experts worry that CardersMarket's emergence as a model for
setting up hypersafe forums could translate into a spike of activity
by the best and brightest cybercrooks.

"It's called bulletproofing," says CardCops' Clements. "Guys will now
migrate to CardersMarket because they really are untouchable there."

Trust a thief?

Iceman's masterstroke rattled his rivals and raised suspicions among
his peers.

In the tech industry, companies routinely spread what they call FUD --
fear, uncertainty and doubt -- about a competitor's business model.
Shortly after Iceman swept up TalkCash's 2,600 members onto
CardersMarket's website, TalkCash's leader, nicknamed Unknown Killer,
e-mailed a shrill warning to TalkCash members: "I've talked to a
number of guys and all say that they didn't merge a (expletive) with
that site ... so please beware as they can be feds."

Speculation abounds on the Internet that the FBI helped install Iceman
as head of a dominant forum set up to lure kingpin cybercrooks into
capture.

In busting up Shadowcrew, law enforcement had used a high-ranking
member of Shadowcrew as an inside informant, beginning in August 2003,
according to court records. Security experts say it's possible, though
unlikely, Iceman could be an informant. While not commenting directly
about Iceman, FBI spokesman Paul Bresson says, "The FBI is not in the
business of exposing Americans to fraud."

Instead of being admired by his peers, Iceman found himself scrambling
to deal with an intensifying backlash. A forum member, nicknamed Silo,
posted this public comment on CardersMarket: "How Can we TRUST you and
this boards admin? You breached our community's security. Stole the
Databases of other forums ... you've breached what little trust
exists (sic) in the community."

Ten days after the forced mergers, the deposed leaders of DarkMarket and
ScandinavianCarding managed to reconstitute forums under those names.
And CardersMarket appeared to be under assault, with some of the
features on its website functioning sporadically, according to RSA
Security's Einav.

Security experts expect the infighting to run its course. They say
Iceman's attack prompted forum leaders to beef up database passwords
and patch other security holes, making both hostile takeovers and law
enforcement investigations more difficult. Most experts expect the
activity level of the forums to rise, because many consumers and
businesses are uninformed or apathetic.

Consumers' lax attitudes

Consumers continue to exhibit lax attitudes, even as Internet
intrusions and scams rise in frequency and sophistication. John
Thompson, CEO of anti-virus giant Symantec, contends Internet users
must adopt the same "sixth sense about security" they use when they
get in their cars or leave home.

Meanwhile, the commercial sector has been slow to ask consumers to
take other steps, such as using a smartcard or fingerprint reader --
along with typing a log-on and password -- to prove they are who
they say online.

Thomas Harkins spent two decades as operations director for MasterCard
International's fraud division, gaining an insider's view of
cybercrime's breakneck rise. Now COO of security firm Edentify, based
in Bethlehem, Pa., Harkins says identity theft is poised to increase
by a factor of 20 over the next two years.

"There's so many stolen identities in criminals' hands that (identity
theft) could easily rise 20 times," Harkins says. "The criminals are
still trying to figure out what to do with all the data."

Meanwhile, stories such as Kevin Munro's will continue to pile up. In
late August, the name, Social Security number and other data of the
51-year-old Warsaw, N.Y., building inspector turned up for sale on a
forum monitored by CardCops. Munro recalls changing checking accounts
after a thief tried to cash several bad checks in 2002. Since then,
his personal data have persisted in circulation.

Cybercrooks have used it online to order magazines, purchase three
Dell computers and attempt to take out a real estate loan. Recently,
MasterCard notified Munro that an account he's had for 20 years and
uses infrequently was being canceled.

"I work for a living," Munro says. "I do everything on the up-and-up,
and some lowlife comes by and takes it away."

Acohido reported from Seattle, Swartz from San Francisco.

Find this article at:
http://www.usatoday.com/tech/news/computersecurity/infotheft/2006-10-11-cybercrime-hacker-forums_x.htm?csp=N009

Copyright 2007 USA TODAY, a division of Gannett Co. Inc.

NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily. And, discuss this and other topics in our forum at
http://telecom-digest.org/forum (or)
http://telecom-digest.org/chat/index.html

For more news and headlines, please go to:
http://telecom-digest.org/td-extra/internet-news.html (or)
http://telecom-digest.org/td-extra/technews.html

Post Followup Article Use your browser's quoting feature to quote article into reply
Go to Next message: communicationsdirect: "CommunicationsDirect News Daily Update - April 02, 2007"
Go to Previous message: Reuters News Wire: "Microsoft Rushes Animated Cursor Security Patch to Users"
TELECOM Digest: Home Page