[ISN] Internet Dreams Turn To Crime

From: InfoSec News (isnat_private)
Date: Sun May 18 2003 - 23:35:39 PDT

    Forwarded from: William Knowles <wkat_private>
    
    http://www.washingtonpost.com/wp-dyn/articles/A2619-2003May17.html
    
    By Ariana Eunjung Cha
    Washington Post Staff Writer
    Sunday, May 18, 2003
    
    First of three articles 
    
    CHELYABINSK, Russia -- Vasiliy Gorshkov did not set out to be a thief. 
    
    Relatives and friends say he had wanted to build a dot-com like those 
    he had read about on the other side of the world -- the Amazon.coms, 
    eBays and Yahoos that were becoming household names even in this 
    industrial expanse of dilapidated tenements and factories. 
    
    But in the spring of 2000, just three months after he sank his 
    inheritance into a quixotic start-up to build Web sites for 
    corporations, Gorshkov was getting squeezed. Few merchants here wanted 
    to hear about the Internet, much less invest in it. What's worse, 
    Gorshkov told several associates, local crime bosses had started to 
    demand that he hand over a percentage of his earnings to avoid smashed 
    windows, theft of merchandise and broken bones. 
    
    Gorshkov, then 24, didn't have the cash. Business associates recalled 
    that he didn't even have enough money to keep paying his four 
    programmers. 
    
    But one of those programmers, 19-year-old Alexey Ivanov, said he knew 
    how to raise the protection money, according to lawyers familiar with 
    the conversation. Gorshkov could offer a protection service of his own. 
    To online businesses. Six thousand miles away in the United States. 
    
    Soon, U.S. prosecutors said, Gorshkov and Ivanov were scouring the 
    Internet looking for security vulnerabilities in the computer networks 
    of American corporations. When they found a way in, they would steal 
    credit card numbers or other valuable information. They would then 
    contact the site's operator and offer to "fix" the breach and return 
    the stolen data -- for a price. 
    
    Within a few months, banking, e-commerce and Internet service 
    providers across the country, including Central National Bank of Waco, 
    Tex.; Nara Bank NA of Los Angeles; and Internet service provider 
    Speakeasy Inc. of Seattle, became victims. The hackers also used 
    online payment service PayPal Inc. to turn pilfered credit card 
    numbers into cash by setting up phony accounts. The men would 
    eventually expose American businesses to perhaps tens of millions of 
    dollars in losses, the prosecutors said. 
    
    Gorshkov and Ivanov are two of the hundreds, perhaps thousands, of 
    virtually untraceable hackers who are overwhelming cyberspace. Hackers 
    have stolen customer databases, company blueprints and credit card 
    numbers. They have unleashed viruses, crashed computer systems, placed 
    phony orders for merchandise, rerouted e-mail communications and 
    committed various other mischief. 
    
    Over the past few years, the U.S. Justice Department, the FBI, the 
    Secret Service and other government agencies have accelerated efforts 
    to counter cybercrime. Last week, Attorney General John D. Ashcroft 
    said one joint operation resulted in the arrest of more than 130 
    people suspected of using the Internet to defraud 89,000 consumers and 
    businesses of $176 million since the beginning of the year. 
    
    Businesses are expected to spend $25 billion this year to fend off 
    online intruders, according to market researcher IDC Corp. About 65 
    percent of all online attacks originate overseas. 
    
    "The Internet makes moving money across continents faster, less of a 
    hassle -- and easier to hide," said Louise I. Shelley, director of the 
    Transnational Crime and Corruption Center at American University. 
    
    International law is often ill-suited to deal with the problem, with 
    conflicting views on what constitutes cybercrime, how -- or if -- 
    perpetrators should be punished and how national borders should be 
    applied to a medium that is essentially borderless. 
    
    "We don't think about the FBI at all," Gorshkov told a potential 
    business partner. "Because they can't get us in Russia." 
    
    Gorshkov was wrong. The events that led to his and Ivanov's arrest 
    open a window on the elusive and lucrative world of computer hacking 
    -- where many perpetrators no longer fool with computers just because 
    they are bored or want to make political statements. They're in it for 
    the money. 
    
    The events were reconstructed from interviews with relatives, friends, 
    co-workers, classmates and acquaintances of the hackers. Key details 
    were corroborated by court records, prosecutors, defense lawyers and 
    government intelligence officials. Gorshkov answered several questions 
    in a letter; Ivanov declined to be interviewed. 
    
    Their case is unusual only because they were caught. Most online 
    thieves, computer security investigators and prosecutors said, get 
    away with it. 
    
    Chelyabinsk might be the most polluted place on earth, because of an 
    explosion in a nuclear-bomb-making factory in the 1950s that dumped 
    radiation through its Ural Mountain river valley but was kept secret 
    for decades. Monuments to Stalin's industrial push dominate the city 
    of 1.2 million. During the Cold War, many residents lived well, 
    working in state-of-the-art military installations that were so secret 
    they were known only by their numbers. But since the collapse of the 
    Soviet Union, the region has struggled and many residents have had 
    trouble finding work comparable to what once was available. 
    
    Gorshkov and Ivanov grew up here, though they didn't know each other 
    until they were adults. Gorshkov is described as outgoing, with a gift 
    for talking people into anything. He graduated from the area's top 
    school, Southern Ural State University, with a mechanical engineering 
    degree. Unlike most of his urbanite peers, who favored clothes in 
    black and gray, Gorshkov -- a thin, muscular guy with a chiseled face 
    -- would occasionally shock friends by showing up at gatherings 
    wearing orange and purple shirts. 
    
    Ivanov's life was more troubled. He left home at 16 and lived in a 
    small fourth-floor apartment attached to the local prison. He is 
    described as a computer whiz, having had the opportunity when he was 
    very young to play with machines in the office of his mother, who is a 
    history teacher. Ivanov briefly studied computers at Southern Ural 
    State University, but he was kicked out after twice failing freshman 
    exams, according to school officials. 
    
    Gorshkov's company and its Web site, known as tech.net.ru, were born 
    in February 2000 when he quit his auto-parts job and struck out on his 
    own, plunking down $40 for the first month's rent for Room No. 502 at 
    the Chelyabinsk Textile Factory. It was a shoestring operation. Desks 
    were built from scrap materials. The chairs were hand-me-downs from a 
    Coca-Cola marketing campaign. But his programmers were first-class. 
    
    The first few months he was in business, Gorshkov negotiated contracts 
    to build Web sites for two companies. But he did the work at a 
    severely discounted price and it wasn't long before Gorshkov's money 
    began to run out and Ivanov introduced him to a group called the 
    Expert Group of Protection Against Hackers. 
    
    The group was made up of several dozen loosely affiliated hackers at 
    any given time, 12 to 15 in Chelyabinsk and others in Russian cities 
    including Moscow and St. Petersburg, though it is unclear how many 
    people in all were involved. There were lots of good programmers 
    scattered throughout the country, but very few good jobs for them. In 
    Chelyabinsk, a programmer might earn $200 to $300 a month, but the 
    jobs available were anything but the cutting-edge perches for 
    programmers in the biotech, telecom and Internet companies in other 
    countries. So some of them looked for other ways to put their skills 
    to work. 
    
    The hackers typically worked in groups of twos and threes, according 
    to U.S. law enforcement officials. Sometimes members knew each other 
    only by their online aliases. Some did not know each other at all. 
    
    Each group or cell operated somewhat independently -- using its own 
    methods and determining its own targets for online hacking -- but paid 
    30 percent of what it collected to a krisha, or "protector" whom no 
    one was willing to identify. "I don't know and I don't want to know," 
    said one person involved with the group. 
    
    Gorshkov suddenly found himself in a profitable business. 
    
    He, Ivanov and another programmer, Michael -- a 19-year-old Siberian 
    and college classmate of Ivanov's -- were one cell. Each had a 
    distinct role, Michael said. Gorshkov was the coordinator, Ivanov the 
    hacker. Michael poked around the exposed computer systems, hunting for 
    data that might be useful. 
    
    The tech.net.ru computers were meticulously organized to make the 
    crimes as efficient as possible, investigators said. Each victim's 
    information was kept in its own file; the hacking programs were placed 
    in a folder labeled "badstuff." 
    
    At first, the target companies were chosen pretty much at random, said 
    Michael, who is known online as Hermit and spoke on the condition that 
    his real name not be used. They could be any e-commerce or banking 
    companies that sounded like they had money. 
    
    Ivanov created a program that would search on Google for keywords such 
    as "bank" or "casino" or "electronics" to find targets. They would 
    then run potential victims through a program that scanned the 
    companies' networks for known vulnerabilities. 
    
    The group had only one rule about choosing victims: Stay away from 
    Russian businesses. 
    
    "You may go to jail and that's the best case," Michael said. "More 
    likely, you'll be killed." 
    
    The main way they broke into corporate Web sites was through a 
    well-known vulnerability in the widely used Microsoft NT server 
    software. Often, they only had to type in the default username and 
    default password created by the manufacturer and then, just like that, 
    they were inside the network, said security consultant Kevin Mandia, a 
    cybercrime consultant who helped U.S. law enforcement agencies 
    investigate Gorshkov and Ivanov. 
    
    Their attacks were brazen. The hackers rarely bothered to cover their 
    tracks. Mandia described their technique as akin to "storming a bank 
    with a machine gun." 
    
    "You could take five months to plan a super-secret operation, but if 
    your chances of getting caught were minimal why bother?" Mandia said. 
    
    The first contact between the hackers and their victims would 
    typically be an e-mail sent to the company's chief executive or 
    systems administrator. It was a form letter that Ivanov had shown to a 
    lawyer to make sure it was legal under Russian law. 
    
    It was in rough but polite English. "Hello Mr.," it began. "We are a 
    security consulting group specialized in banking and credit card 
    services, big online shops, insurance companies. Due to our job we 
    have to work on the territory that can't be controlled by U.S. 
    authorities. Our government and laws are loyal to that kind of 
    computer activities." It then listed the number and a description of 
    insecure computers on the company network and offered their security 
    services. The group typically signed off with an ominous warning: 
    "YOUR SITE IS TOTALLY INSECURE!!!. It's not just bluff. Any user on 
    the net can get ALL the personal information concerning any account." 
    
    As later detailed in court documents, Ivanov would follow up with 
    another e-mail, an online chat request or a phone call, and say he 
    used stolen calling card numbers or had commandeered satellite voice 
    systems, talking leisurely with the cell's victims. 
    
    Ivanov was so bold he sometimes sent his résumé -- and even photos -- 
    to prove that he was a serious security consultant. The documents 
    listed his home phone number and detailed his previous experience, 
    noting that he was an expert in a half-dozen computer languages and 
    that he had a passport but needed "visa support." 
    
    The hackers asked for as little as a few hundred dollars from some 
    start-ups and several hundred thousand dollars from corporations that 
    sounded rich. 
    
    In an interview, Michael claimed that his group made as much as 
    $500,000 during one nine-month period, much of it wired to accounts in 
    the Russian Federation, Romania and Cyprus. U.S. authorities have only 
    been able to account for about $10,000 of the extortion fees paid to 
    the hackers. 
    
    It's unclear how many of the tens of thousands of stolen credit card 
    numbers Gorshkov and Ivanov used. The "Expert Group" traded files of 
    credit card numbers with each other and with other associates and sold 
    the information, prosecutors say, making it a difficult if not 
    impossible task to assess who used them. A U.S. spot-check found that 
    nearly 1,300 of the credit card numbers on tech.net.ru were used for 
    fraudulent purchases in Canada, France, Guatemala, Israel and many 
    other countries. 
    
    Reaction to the hackers varied widely among their victims. Some cursed 
    them and others befriended them. 
    
    Speakeasy, a company that started as an Internet cafe and then 
    expanded to offer network services to homes and businesses, was among 
    the most troublesome. The company refused to pay up even after Ivanov 
    threatened, deleted files and posted customer information on a Web 
    site. In online chat, Max Chandler, a systems administrator for 
    Speakeasy, was tough, telling Ivanov that hacking is illegal, 
    according to court documents. 
    
    Ivanov was unmoved and typed in this response: "If you want put me to 
    jail you never can do it because laws in my country is not work and my 
    country don't have strong computer crime laws." 
    
    Later on in the conversation, however, Ivanov sounded almost 
    child-like as he asked Chandler for career advice. 
    
    Ivanov: I need job only because I need money. Okay? . . . 
    
    Ivanov: What name of companies where you have friends? 
    
    Chandler: Well, Microsoft of course . . . Amazon. . . . 
    
    Ivanov: Hey hey. Cool company. I'm steal a lot of CD/DVD/books from 
    Amazon. . . . Max, is it possible to get job in Microsoft or Amazon? 
    
    Chandler: Sure. They're hiring all the time. 
    
    Ivanov: I mean for me? 
    
    Chandler: Well, you need to send them a résumé but I can put a word 
    for you in certain departments. 
    
    Ivanov: Okay. Please do it. 
    
    Some companies treated the extortion demands as regular business 
    transactions. When Brian Miller, chief executive of Cambridge, 
    Mass.-based Internet service provider Channel 1 Communications, heard 
    from Ivanov about a breach in its computer systems, he concluded that 
    it would be better to have Ivanov on his team than to fight with him. 
    He wired $250 to an account that Ivanov provided and thanked him for 
    his help. 
    
    "I had a lot of sympathy for him," Miller said. "He seemed like a 
    bright kid who just wanted to make some money and get out of his 
    country. I thought maybe he would move on to better things." 
    
    Gorshkov, meanwhile, still believed he could get his legitimate 
    business off the ground. He paid his programmers $150 a month to 
    pursue projects that he hoped would change the way Russians use the 
    Internet in the same way the Silicon Valley dot-coms were transforming 
    American culture. One employee was working on a more robust e-mail 
    filtering system. Another person was trying to set up an Internet 
    dating service. Yet another person was programming an online auction 
    site. 
    
    Two of Gorshkov's programmers, Maxim Semenov and Denis Bukarov, who 
    U.S. authorities say were not involved in the extortion scheme, said 
    they loved working for the company because of its ambition. Their boss 
    encouraged them to spend part of their time tinkering with new 
    technologies. 
    
    "It's a problem to find an interesting job like the one I had" at 
    tech.net.ru, Bukarov said. 
    
    Michael said the hackers felt invincible, and in some ways they were. 
    He described nights when none of the other programmers were around and 
    the three of them would sit drinking vodka and singing songs. Ivanov 
    loved tunes from old Russian movies and would begin to belt them out, 
    off key. Gorshkov and Michael would join in. 
    
    The more happy and playful their mood, he said, the more generous they 
    would be to their would-be victims. 
    
    Take the U.S.-based network administrator for a Singapore Internet 
    service provider. Michael said he threatened to crash her system 
    unless she paid up but she sounded so nice online that they felt bad 
    about the whole thing. He told her that if she called up on the phone 
    and sang "Happy Birthday" they would leave her alone. She did and he 
    kept his promise to drop the extortion demand. 
    
    No one would say what the group did with all its money. To friends and 
    relatives, the changes in the men's lifestyles were subtle. They 
    apparently didn't splurge on lavish dinners or buy expensive clothes. 
    Ivanov wore secondhand jeans and old scruffy boots, said his 
    grandmother, Raisa Gorshkova, 73. "He even smoked very cheap brand of 
    cigarettes. Nobody smokes these anymore." 
    
    Ivanov, though, bought a used car and a $1,000 cell phone. Gorshkov 
    got an apartment for himself and his fiancee, Masha Milegova, whom he 
    met on a trolley on the way home one night and who was pregnant with 
    their first child. 
    
    The hackers also used the credit card numbers they had purloined from 
    companies that refused to pay their fee. Once, they ordered 15 DVD 
    players and had them delivered to a mailbox across the border in 
    Kazakhstan, less than an hour from their homes. They also ordered 
    music CDs, movies, laptops, cell and satellite phones and other 
    electronics. They also abused the PayPal system to turn the stolen 
    credit card numbers into cash by setting themselves up as seller and 
    buyer in online auctions. (PayPal officials said they have since taken 
    steps to reduce the chances that perpetrators of that type of scam 
    will succeed.) 
    
    Later, in November 2000, Gorshkov threw a housewarming party for 
    himself. One of the half-dozen or so close friends in attendance, a 
    medical student named Yvgenia Peleskova, recalled that they drank beer 
    and watched "Gone in 60 Seconds," a movie about ingenious car thieves 
    who could break any lock, get past any alarm and never get caught. 
    
    Peleskova remembered that it was a "big hit" with the people in the 
    room. 
    
    But while Gorshkov and Ivanov were laughing about their good fortune, 
    they had become the target of a manhunt originating in America. Some 
    of the companies the hackers thought were cooperating with them were 
    actually working for the FBI. 
    
    



    This archive was generated by hypermail 2b30 : Mon May 19 2003 - 02:08:42 PDT