[ISN] A Tempting Offer for Russian Pair

From: InfoSec News (isnat_private)
Date: Tue May 20 2003 - 00:10:32 PDT

  • Next message: InfoSec News: "[ISN] Linux Security Week - May 19th 2003"

    Forwarded from: William Knowles <wkat_private>
    By Ariana Eunjung Cha
    Washington Post Staff Writer
    Monday, May 19, 2003 
    Second of three articles 
    Jon Morgenstern's nightmare began with an e-mail. It arrived in his 
    computer's mailbox on July 15, 2000, and its basic message was this: 
    Your security has been compromised. We would like to help you.
    Morgenstern, president of E-Money Inc., a Washington-based provider of 
    technology for online payment transactions, immediately suspected the 
    message's underlying meaning. It was a threat.
    His fears were confirmed the next day when a youthful-sounding man 
    called and asked Morgenstern if he had received the e-mail. The man 
    identified himself as "Alex," said he was from Russia and part of 
    something called the "Expert Group of Protection Against Hackers." He 
    said he had gotten access to the firm's customer database , including 
    credit card information, and would be happy to ensure that further 
    intrusions were not possible -- as long as E-Money would pay him 
    $500,000 to do so.
    As proof that E-Money's computer had been broken in to, he asked 
    Morgenstern to go to one of his servers and look for a system file 
    containing some digital graffiti. Morgenstern had no trouble finding 
    the file.
    It said: "Alex was here."
    So began a series of transatlantic telephone, e-mail and instant 
    message exchanges about how to resolve the situation. In the ensuing 
    back-and-forth between Morgenstern and his attackers, a kind of easy 
    rapport developed that would ultimately lead to the arrest of two 
    members of the "Expert Group" and allow U.S. officials to gain new 
    insight into an overseas hacking networks that to this day continues 
    to terrorize American businesses.
    Hacking has reached crisis levels in the past few years -- the average 
    U.S. company is attacked 30 times a week, according to the online 
    security firm Symantec Corp. Most are not serious; they are efforts to 
    scan computer networks for vulnerabilities. Still, a significant 
    number -- about 15 percent -- are actual attempted or successful 
    Morgenstern, meanwhile, was conflicted. He didn't want to pay any 
    extortion fee but he was determined not to let the hackers ruin his 
    company's reputation either. He was worried that news of even a minor 
    break-in might spook customers. After all, E-Money was built on trust.
    Morgenstern hired an expensive security consultant from Silicon Valley 
    to respond to the hackers and ordered his systems administrators to do 
    a complete analysis of the E-Money systems for other vulnerabilities, 
    tasks that he estimates ended up costing his company more than $1 
    million in fees, lost business and new computer equipment.
    Meanwhile, Morgenstern tried to negotiate with the hackers. The 
    $500,000 demand to "assist in repairing the system" became $250,000, 
    then $150,000, and then $75,000. But when he still wouldn't pay, 
    Morgenstern said, the hackers launched a new type of attack, bombing 
    the company's network with so much bogus traffic that it caused his 
    network to slow so much that legitimate transactions could not get 
    Morgenstern then called the FBI.
    To the agency, it was a familiar story. The FBI for many months had 
    been tracking organized hacker groups in Russia, the Ukraine and other 
    countries who had been trying to extort money from operators of Web 
    sites. In particular, references to the "Expert Group" kept coming up. 
    "The number of victims and losses involved made us take notice," 
    remembered Charlie Mandigo, an FBI agent who was one of the 
    supervisors of the investigation of the extortion cases. By the next 
    year, the problem would become severe enough that the FBI would issue 
    an unusual alert about the spree, which they said netted more than 1 
    million credit card numbers. The agency pleaded with firms to better 
    secure their systems. 
    The FBI's Don Cavender, who worked on the cases, said the breadth of 
    the attacks showed the need for more trained cybercrime investigators. 
    In part as a response to these case, the FBI recently doubled its 
    staffing to 700 agents, supplementing the 200 trained agents the 
    Secret Service employs.
    The local field office of the FBI sent two agents to help Morgenstern. 
    They came by E-Money's offices and brought equipment so that 
    Morgenstern could record all his conversations with Alex and a friend 
    who called himself Victor, or Vladimir. Over several weeks, the FBI 
    agents came by and sat next to Morgenstern at his Dupont Circle 
    headquarters and his Gaithersburg home, listening in on his 
    negotiations, their vigil fortified by one Diet Pepsi after another.
    They advised him to keep notes, drag out the negotiations and gather 
    as much information as possible about the guys he was dealing with. 
    Morgenstern said he spoke to them at least four times a week, or often 
    more. It was always Alex or Victor who initiated the conversation, 
    claiming to be dialing in from a satellite phone they had 
    The first few conversations followed this formula: Alex would begin by 
    offering to lower the price for "protection" from hacking. Each time 
    Morgenstern would make up different excuses about why he couldn't pay.
    "My board is made up of very strict guys and they want to meet you and 
    put you on a long-term retainer," Morgenstern told them. (With only 15 
    employees, E-Money did not, in fact, have a board.) "We need you in 
    the United States. Or how about a more neutral place -- Finland? 
    Denmark?" Morgenstern asked. (He was hoping officials in those 
    countries would be more cooperative about letting U.S. authorities 
    arrest the hackers.)
    But as the days went by, the tenor of the conversations changed. The 
    men went from sounding arrogant and angry to gradually becoming more 
    chatty. Sometimes the hackers would call Morgenstern at home. 
    Morgenstern said his young son became so used to the odd-hours phone 
    calls that he would often pick up and shout "Dad, it's Alex on the 
    phone again!"
    Morgenstern told them about life in the United States and they in turn 
    told him about life in Russia.
    Alex said he was fresh out of school and had had trouble finding a job 
    and had little money for food or clothes. Victor said he was older, 
    married with a child. Their personalities were evident in their choice 
    of e-mail addresses: Alex was "megapunk" while Victor used a more 
    generic name, "accessd."
    Alex seemed okay with his situation, once saying that he could "live 
    like a king here" on the money he made from American companies. But 
    Victor was more uneasy.
    "You don't understand how hard I work. I work 72 hours at a time and I 
    have all my programmers [to care for]. They are sleeping here and then 
    we work more and more. . . . Jon, you think I like to do this for a 
    living?" Morgenstern recalled Victor saying.
    Alex and Victor described how they were forced by men with "leather 
    jackets" and "big guns" to work for a crime group and that he was 
    supposed to get 50 cents per credit card number. The problem, they 
    said, was that they often didn't get paid.
    Then one day Victor said something that threw Morgenstern off 
    completely: He told him to forget about the extortion fee. He simply 
    asked for a visa and employment in the United States.
    "Please get job from America," Morgenstern remembered Victor telling 
    him. "John, I will fix up your system and you will never get anyone 
    attack you again. I need to bring my wife and little child."
    Victor confirmed his intentions in a follow-up e-mail a few days 
    later, on Sept. 15: "I have made a decision to come and visit you in 
    USA whenever will happen to me. I am [expletive] tired of hiding. I 
    will take a risc [sic]. I think I can trust you. . . . I want to get a 
    job to forget about my criminal past. . . . I can departure next 
    Morgenstern, who is a lawyer, empathized with their situation. He 
    offered to serve as the men's representative and tried to broker an 
    offer of immunity from the FBI if the two were to come to the United 
    States and find honest work. He put them in touch with an agent who 
    said he would talk to them about the possibility.
    The attacks abruptly stopped and Morgenstern never heard from the men 
    By the summer of 2000, about the time Morgenstern's systems had been 
    hacked, the United States had come to view the "Expert Group" as a 
    major threat to the country's financial networks. People identifying 
    themselves as members of the group had claimed responsibility for some 
    of attacks on some of the country's most critical companies -- Western 
    Union, PayPal and a series of regional banks. Investigators worried 
    that perhaps the extortion demands represented only part of what the 
    group was trying to accomplish. They feared the hackers had control of 
    other computer networks that no one knew about and that they were 
    attempting to creating a "credit card production system" that they 
    could tap at any time. The attacks seemed to be coordinated by someone 
    who knew more about money laundering than the average hacker, someone 
    who could turn the credit card numbers in to goods and then sell the 
    goods to generate cash.
    "One of the more disturbing trends we were beginning to see was an 
    increased level of cooperation between the Russian hacker community 
    and traditional organized crime," said Shawn J. Chen, a U.S. attorney 
    in Connecticut who worked on the case.
    More than a dozen U.S. attorneys and FBI agents from Connecticut, 
    Washington, California and New Jersey convened a series of 
    brainstorming conferences about how to stop them.
    For months the law enforcement group had been pursuing conventional 
    methods of trying to capture the Russian hackers. They suspected at 
    least some of the hacks were being conducted by someone named Alexey 
    Ivanov. He was so bold that he had been sending his resume and picture 
    around to companies he was trying to extort. While authorities were 
    investigating an incident at CTS Network Services in Seattle, which 
    had "hired" Ivanov as a consultant, they found 38,000 partial credit 
    card numbers from E-Money databases on one of the hacker's computer 
    The Justice Department sent a letter through diplomatic channels 
    asking that Ivanov be detained and questioned. There was no response. 
    They sent a follow-up inquiry. Again, no response.
    To catch Ivanov, U.S. authorities couldn't very well go to Russia and 
    grab him so they had to figure out a way to get him here, recalled 
    Stephen Schroeder, one of the main U.S. attorneys on the case.
    "We do not have an extradition treaty with Russia so unless they were 
    found outside of Russia our ability to deal with them would be 
    limited," said Schroeder, who recently retired.
    The United States has taken the lead in recent years on trying to get 
    countries to cooperate in cybercrime investigations. It came to an 
    agreement with other G-8 nations, which represent the governments of 
    the world's biggest industrialized countries, to create a way for them 
    to more easily share information and to make Internet service 
    providers save data about break-ins. U.S. authorities have also sent 
    attorneys and agents to travel around the world to train foreign 
    intelligence officials about how to investigate such crimes. They are 
    urging other countries to draft laws making hacking illegal.
    But in the end it is up to individual nations to decide whether they 
    want to help.
    Morgenstern's pleas for the Russian programmers to meet him to discuss 
    a business contract was just one of the ways the FBI was working 
    behind the scenes to try to get the hackers to a place where they 
    could be arrested. His conversations with the hackers along with those 
    of other victims yielded valuable clues about the group's personality 
    and hierarchy, allowing the U.S. government to invent what must have 
    been seemed to Ivanov as an opportunity he couldn't refuse.
    That turned out to be a potential job offer from a fake company called 
    Invita Technologies. Invita claimed to be looking to partner with a 
    security firm to provide consulting services to U.S. companies. 
    Investigators sent a flattering letter to Ivanov, telling him they had 
    heard good things about him and were considering him as a candidate. 
    He would need to come to their offices in Seattle for an interview.
    >From Ivanov's perspective, the offer must have seemed magical: Finally 
    someone recognized his talents and was offering to bring him to 
    Ivanov contacted Invita and agreed, asking if he also could bring 
    along his "business partner," a Vasiliy Gorshkov whose name the FBI 
    officials hadn't heard before. The company responded yes. It would pay 
    all of Ivanov's expenses, but his associate Gorshkov would need to buy 
    his own plane ticket. Gorshkov gladly shelled out the money.
    Sergey Gorshkov, Vasiliy's older brother by two years and now 29, 
    remembers that Vasiliy couldn't stop smiling after he received the 
    letter. "It seemed like a dream come true to him, to all of us," 
    Sergey said in a recent interview.
    A "company" representative picked them up from the airport in November 
    2000, took them to what looked like an ordinary office building. 
    There, the hackers were asked to prove their skills.
    The FBI secretly videotaped the encounter. The grainy black-and-white 
    video shows two young men in the heavy, puffy coats they brought with 
    them from Chelyabinsk -- outerwear that looked out of place in the 
    mild weather of Seattle. Company employees flit around them in the 
    8-by-20-foot room asking if they want drinks or anything else to make 
    them comfortable. They muse about the price of cigarettes, the 
    weather. Then the real conversation begins.
    Gorshkov takes charge, telling the officials that the two men are 
    experienced hackers. He describes past exploits as Ivanov sits 
    silently tapping away at the keyboard of his laptop and later at one 
    of the "company's" computers, apparently analyzing various Web sites 
    and their security vulnerabilities while playing snippets of pop 
    An undercover FBI agent asks: "So how often have you hacked into 
    computer systems and have you ever found or taken credit card 
    Gorshkov avoids the question. He chuckles, then says, "These things 
    are better talked about in Russia."
    But as the conversation drags on for an hour or so, he becomes bolder.
    Gorshkov: "We don't think about the FBI at all. Because they can't get 
    us in Russia."
    FBI: "Right."
    Gorshkov: "Your guys don't work in Russia."
    Unbeknownst to Gorshkov and Ivanov, the agents had installed onto the 
    "company's" computers a program that logged the young men's keystrokes 
    as they were accessing the tech.net.ru systems in Russia. That allowed 
    U.S. law enforcement to obtain the hackers' passwords.
    At about 5 p.m., the company officials offer to take Gorshkov and 
    Ivanov to the flat that has been rented for them. After a short drive, 
    the car doors burst open and someone shouts: "FBI -- Get out of the 
    car! Get out of the car with your hands behind your back," according 
    to a transcript of the taped encounter. There's garbled conversation 
    and then one of the hackers -- it isn't clear which one -- starts 
    pummeling the vehicle.
    "It's not my car," one of the FBI agents says. "Yeah, you can hit it. 
    I don't care."
    A few hours later it was over. Gorshkov and Ivanov were in jail. And 
    FBI computer specialists were preparing to enter the hackers' 
    computers in Russia. They would eventually download 2,700 megabytes of 
    data -- hacking programs, extortion letters, credit card numbers -- to 
    help them build their case.
    Morgenstern didn't hear about the arrests until early 2001, a few 
    months after they happened. By that time, he had managed to sell his 
    business for a tidy sum to a competitor (he still serves as an 
    executive). He wasn't sure whether Gorshkov and Ivanov were in fact 
    the men he talked to on the phone but he knew they were somehow linked 
    because they all identified themselves as part of the "Expert Group." 
    He had mixed feelings about the sting. He was angry at the men for 
    jeopardizing his business but he had come to understand that perhaps 
    they had little choice in doing what they did.
    "It isn't their fault that they were born in a place where they don't 
    have opportunities," Morgenstern said.
    Gorshkov pleaded innocent but was found guilty of conspiracy, computer 
    fraud, hacking and extortion. Last fall, he was sentenced to three 
    years in prison and ordered to pay $700,000 in restitution. In a plea 
    agreement, Ivanov acknowledged hacking into 16 companies, including 
    E-Money, as well as a scheme to defraud payment service PayPal by 
    using stolen credit card numbers to set up accounts. Ivanov is likely 
    to be sentenced this summer and faces up to 20 years in prison and a 
    $250,000 fine.
    The FBI sting operation was held up as a example of the ingenuity of 
    American law enforcement. Two of the agents who set up the sting -- 
    Marty Prewett and Michael Schuler -- won outstanding criminal 
    investigation awards from the agency's director.
    But there was still a little problem.
    In a series of interviews with investigators that took place over the 
    next year, Ivanov acknowledged that he hacked E-Money but that he was 
    not Alex and Gorshkov was not Victor as U.S. authorities initially had 
    believed. Someone else had been on the phone with Morgenstern, he 
    claimed, and that someone else was still in Russia.
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue May 20 2003 - 02:12:15 PDT