Stolen Credit Cards Go for $3.50 at Amazon-Like Online Bazaar

Bloomberg News, nothing the FBI and Secret Service can do about it.”

In April, the Department of Justice dismantled one of the largest known criminal botnets, a network of infected computers programmed to send data automatically from their hard drives to a server controlled by hackers. The department declared the break-up of Coreflood, as the botnet was known, a major victory.

The Russians

It said almost nothing about the criminals who ran it. Researchers at Dell SecureWorks, the Atlanta-based security firm that aided the investigation, said the kingpins behind Coreflood are three Russians last known to be living comfortably in Rostov, a mid-size city on the Don River.

“Our relationship with the Russians is always a work in progress,” Strom said.

No one personifies Russia’s place at the top of the cyber underworld more than Gribo-demon, a Russian programmer, around 30 years old, U.S. investigators estimate. He is one of the few cybercriminals who is the focus of his own FBI special operation. Gribo-demon is the author of SpyEye, a sophisticated malware package first released in late 2009 and upgraded several times since then.

Once downloaded on a machine, the malware can be used by hackers to take remote command of key functions. Using SpyEye, a cyberthief can hijack an online banking session in real time, transfer funds to accounts the thief or the thief’s mules control, and adjust the balance displayed so nothing seems amiss.

Seems Legit

The transaction looks legitimate because, in computer terms, it is. All the bank can tell is that it was made from their customer’s computer, using their correct password. A basic version of SpyEye costs around $2,000, according to the hacker sites.

“SpyEye provides military-grade intrusion capabilities for the price of a TV,” said Gunter Ollmann, vice president of research at Damballa Inc., the Atlanta-based security firm that tracks major cyberthreats.

Gribo-demon’s real innovation stems from what he didn’t do: keep SpyEye to himself. Hackers used to write their own code. Good tools were trade secrets. Gribo-demon instead licenses SpyEye, mimicking Microsoft and Oracle, a business model that arguably opened cybercrime to the masses.

The model was pioneered by a competitor and fellow Russian who created popular malware called ZeuS, according to security experts. ZeuS first appeared in 2008. Both programmers provided clients with customer service, offering an array of enticing modules to add functionality for an additional price.

Beta Testing

The ZeuS author, known as Slavik, even beta-tested new versions with elite users, according to Don Jackson, a SecureWorks researcher. Slavik disappeared in late 2010, but not before he handed the ZeuS source code to Gribo, who incorporated some of its features into his own product, Jackson said.

Security experts say it’s hard to overestimate the impact of Slavik’s and Gribo-demon’s handiwork. In September, the Tokyo-based cybersecurity firm Trend Micro publicized a dossier on a 20-something Russian cyberthief who goes by the name Soldier, tracing his activities in the underground forums over several months. Using SpyEye, Soldier stole $3.2 million from U.S. customers of three banks in just six months — about $17,000 a day — Trend Micro said.

Going Price

The hacker used bank-account information scraped from more than 25,000 victims’ computers, in some cases renting other cyberthieves’ networks of infected computers. He created counterfeit checks with banking data and mailed them to money mules throughout the United States. They cashed them, then forwarded the funds untraceably to Russia. He even used stolen credit card numbers vacuumed from the victims’ hard drives to buy pre-paid postal-service labels for the packages.

“From start to finish, this guy leveraged every bit of data,” said Alex Cox, an investigator for Netwitness, a cybersecurity division of EMC Corp., which has also been tracking Soldier’s activities.

The most remarkable thing about the theft — and this is, to experts in the field, the most worrisome development of the past few months — was that Soldier didn’t need any special expertise with computers. All he needed was a shopping list.

“He’s not a lone hacker,” said Trend Micro’s David Perry. “He didn’t write any code.”

Shopping List

Strom said the FBI is also tracking Soldier and is confident they’ll get him. “These guys are very sophisticated, but oftentimes they slip up,” Strom said.

Strom and other investigators have one significant advantage: the hackers have a habit of turning their skills on one another. The FBI’s DarkMarket sting started with a hacker war between a hacker, calling himself Iceman, who ran CardersMarket, and JiLsi, the DarkMarket administrator, whose real name was Renukanth Subramaniam, the FBI said.

“We took advantage of that animosity,” Strom said, eventually persuading JiLsi to turn over the site to the FBI and giving the bureau control over all communications involving DarkMarket’s 2,500 members. As a result, Subramaniam was sentenced to more than four years in prison in the U.K.

Maza, the elite Russian forum, was recently hacked and its database dumped online. It presented a priceless opportunity for law enforcement. The forum’s database held membership lists, e-mail addresses, IP addresses, and passwords — the kind of information the world’s top cyber thieves try very hard to keep secret. The main suspect in the Maza attack is the administrator of a rival site, Hex Nightmare said.

Learned a Lot

“We learned a lot of lessons with DarkMarket, and we’ve passed that experience on not only to other offices within the FBI but to our counterparts overseas,” Strom said. “We’re definitely taking the fight back to them.”

Hex Nightmare agrees the FBI may eventually make more progress. When Slavik, the author of the ZeuS malware, disappeared in 2010, he was at the height of his fame. Theories about his disappearance abound on the underground: Slavik was killed; he now works as a cyberspy for the Russian government. Hex Nightmare has her own: “I think Slavik thought it was a good time to get out.”

To contact the reporter on this story: Michael Riley in Washington at michaelriley@bloomberg.net

To contact the editor responsible for this story: Michael Hytha at mhytha@bloomberg.net.
