[ISN] Cybercrime flourishes in online hacker forums

From: InfoSec News (alerts@private)
Date: Thu Oct 12 2006 - 02:02:39 PDT


http://www.usatoday.com/tech/news/computersecurity/infotheft/2006-10-11-cybercrime-hacker-forums_x.htm

By Byron Acohido and Jon Swartz
USA TODAY
10/11/2006

SEATTLE -- Criminals covet your identity data like never before. What's 
more, they've perfected more ways to access your bank accounts, grab 
your Social Security number and manipulate your identity than you can 
imagine.

Want proof? Just visit any of a dozen or so thriving cybercrime forums, 
websites that mirror the services of Amazon.com and the efficiencies of 
eBay. Criminal buyers and sellers convene at these virtual emporiums to 
wheel and deal in all things related to cyberattacks and in the fruit of 
cyberintrusions: pilfered credit and debit card numbers, hijacked bank 
accounts and stolen personal data.

The cybercrime forums gird a criminal economy that robs U.S. businesses 
of $67.2 billion a year, according to an FBI projection. Over the past 
two years, U.S. consumers lost more than $8 billion to viruses, spyware 
and online fraud schemes, Consumer Reports says.

In 2004, a crackdown by the FBI and U.S. Secret Service briefly 
disrupted growth of the forums. But they soon regrouped, more robust 
than ever. Today, they are maturing and consolidating just like any 
other fast-rising business sector, security experts and law enforcement 
officials say. In fact, this summer a prominent forum leader who calls 
himself Iceman staged a hostile takeover of four top-tier rivals, 
creating a megaforum.

Security firms CardCops, of Malibu, Calif., and RSA Security, a division 
of Hopkinton, Mass.-based EMC, and volunteer watchdog group Shadowserver 
observed the forced mergers, as well, and compiled dozens of 
takeover-related screen shots. "It's like he created the Wal-Mart of the 
underground," says Dan Clements, CEO of CardCops, an 
identity-theft-prevention company. "Anything you need to commit your 
crimes, you can get in his forum."

The Secret Service and FBI declined to comment on Iceman or the 
takeovers. Even so, the activities of this mystery figure illustrate the 
rising threat that cybercrime's relentless expansion -- enabled in large 
part by the existence of forums -- poses for us all.

In the spy vs. spy world of cybercrime, where trust is ephemeral and 
credibility hard won, CardersMarket's expansion represents the latest 
advance of a criminal business segment that began to take shape with the 
formation of the pioneering Shadowcrew forum.

Shadowcrew, which peaked at about 4,000 members in 2004, arose in 2002. 
It established the standard for cybercrime forums set up on 
well-designed, interactive Web pages and run much like a well-organized 
co-op. Communication took place methodically, via the exchange of 
messages posted in topic areas. Members could also exchange private 
messages.

Shadowcrew gave hackers and online scammers a place to congregate, 
collaborate and build their reputations, says Scott Christie, a former 
assistant U.S. Attorney in New Jersey who helped prosecute some of its 
members.

In the October 2004 dragnet, called Operation Firewall, federal agents 
arrested 22 forum members in several states, including co-founder Andrew 
Mantovani, 24, aka ThnkYouPleaseDie. At the time, Mantovani was a 
community college student in Scottsdale, Ariz. In August, he began 
serving a 32-month federal sentence for credit card fraud and 
identification theft.


Shadowcrew as catalyst

Shadowcrew's takedown became the catalyst for the emergence of forums as 
they operate today. With billions to be made, new forums have reformed 
like amoebas, splintering into 15 to 20 smaller-scale co-ops. "They 
learned that it's best to disperse," says Yohai Einav, director of RSA 
Security's Tel Aviv-based fraud intelligence team.

Forum leaders have become increasingly selective about accepting new 
members. "Vouching" for new members is now the norm, requiring a member 
in good standing to extend an invitation to new recruits. Some forums 
charge an initiation fee; others limit the power to invite new members 
to the forum leaders.

Veteran vendors and buyers typically do business in multiple forums 
simultaneously, in case any particular forum shuts down.

"If criminals get caught one way, they modify their behavior," says 
Kevin O'Dowd, an assistant U.S. Attorney in New Jersey who prosecuted 
the Shadowcrew case.

Some forums have become known for their specialties, such as offering 
free research tools to do things such as confirming the validity of a 
stolen credit card number or learning about security weaknesses at 
specific banks. A few offer escrow services, handling the details of 
complex deals for a fee.

The better-run forums invest in tech-security measures that have become 
the norm in the corporate world, such as use of encrypted Web pages. All 
forums run aggressive campaigns to identify and sweep out rippers -- the 
con artists who gain membership and instigate deals, only to renege on 
their part of the bargain.

From this post-Shadowcrew milieu, Iceman has emerged as a forum leader 
to watch.

RSA Security has tracked Iceman's postings on CardersMarket since 
October 2005; CardCops has compiled an archive of hundreds of postings 
on several forums by someone using the nickname Iceman since January 
2006.

In the boastful world of cybercrime, nicknames, or nics, are sacrosanct. 
It's not unusual for a hacker or cyberthief to go by two or three 
different nics, but unthinkable for two or three people to knowingly 
share the same nic, says RSA Security's Einav. "I believe we're talking 
about one guy and not a group hiding behind his name," he says.


Hostile takeover

Clearly enterprising and given to posting rambling messages explaining 
his strategic thinking, Iceman grew CardersMarket's membership to 1,500. 
On Aug. 16, he hacked into four rival forums' databases, electronically 
extracted their combined 4,500 members, and in one stroke quadrupled 
CardersMarket's membership to 6,000, according to security experts who 
monitored the takeovers.

The four hijacked forums -- DarkMarket, TalkCash, ScandinavianCarding and 
TheVouched -- became inaccessible to their respective members. Shortly 
thereafter, all of the historical postings from each of those forums 
turned up integrated into the CardersMarket website.

To make that happen, Iceman had to gain access to each forum's 
underlying database, tech-security experts say. Iceman boasted in online 
postings that he took advantage of security flaws lazily left unpatched. 
CardCops' Clements says he probably cracked weak database passwords. 
"Somehow he got through to those servers to grab the historical postings 
and move them to CardersMarket," he says.

Iceman lost no time touting his business rationale and hyping the 
benefits. In a posting on CardersMarket shortly after completing the 
takeovers he wrote: "basically, (sic) this was long overdue ... why 
(sic) have five different forums each with the same content, splitting 
users and vendors, and a mish mash of poor security and sometimes poor 
administration?"

He dispatched an upbeat e-mail to new members heralding CardersMarket's 
superior security safeguards. The linchpin: a recent move of the forum's 
host computer server to Iran, putting it far beyond the reach of U.S. 
authorities. He described Iran as "possibly the most politically distant 
country to the united states (sic) in the world today."

At USA TODAY's request, CardCops traced CardersMarket's point of origin 
and confirmed that it is registered to a computer server in Iran.

If Iceman succeeds in establishing CardersMarket as the Wal-Mart of 
forums, its routing through an Iranian server will make an already 
complex law enforcement challenge that much more difficult, security 
experts say.

"Chasing these carding fraudsters is like chasing terrorists in 
Afghanistan," says RSA Security's Einav. "You know they are somewhere 
out there, but finding their caves, their underground bunkers, is almost 
impossible."

The U.S. Secret Service declined to answer questions about Iceman and 
CardersMarket. It would not acknowledge whether they are under 
investigation as part of Operation Rolling Stone, the most intensive 
federal probe of cybercrime since Operation Firewall. This year, 35 
suspects have been arrested. No names were initially released, but a few 
have surfaced after indictments were unsealed.

Suspects include Binyamin Schwartz, 28, of Oak Park, Mich., indicted in 
July in Nashville for allegedly trafficking more than 100,000 Social 
Security numbers, and Paulius Kalpokas, 23, of Lithuania, whose 
extradition to Nashville on charges of trafficking stolen credit card 
data has been requested.

Schwartz "got caught up in something on the Internet but did not profit 
from it," says Sanford Schulman, Schwartz's attorney. "He inquired about 
acquiring information online without criminal intent, nor was he 
involved in a sophisticated enterprise."

Secret Service spokesman Thomas Mazur says Operation Rolling Stone is 
designed to "disrupt and dismantle any of these carding forums," but he 
declined to say which forums or how many are being investigated.

Security experts worry that CardersMarket's emergence as a model for 
setting up hypersafe forums could translate into a spike of activity by 
the best and brightest cybercrooks.

"It's called bulletproofing," says CardCops' Clements. "Guys will now 
migrate to CardersMarket because they really are untouchable there."


Trust a thief?

Iceman's masterstroke rattled his rivals and raised suspicions among his 
peers.

In the tech industry, companies routinely spread what they call FUD -- 
fear, uncertainty and doubt -- about a competitor's business model. Shortly 
after Iceman swept up TalkCash's 2,600 members onto CardersMarket's 
website, TalkCash's leader, nicknamed Unknown Killer, e-mailed a shrill 
warning to TalkCash members: "I've talked to a number of guys and all 
say that they didn't merge a (expletive) with that site ... so please 
beware as they can be feds."

Speculation abounds on the Internet that the FBI helped install Iceman 
as head of a dominant forum set up to lure kingpin cybercrooks into 
capture.

In busting up Shadowcrew, law enforcement had used a high-ranking member 
of Shadowcrew as an inside informant, beginning in August 2003, 
according to court records. Security experts say it's possible, though 
unlikely, Iceman could be an informant. While not commenting directly 
about Iceman, FBI spokesman Paul Bresson says, "The FBI is not in the 
business of exposing Americans to fraud."

Instead of being admired by his peers, Iceman found himself scrambling 
to deal with an intensifying backlash. A forum member, nicknamed Silo, 
posted this public comment on CardersMarket: "How Can we TRUST you and 
this boards admin? You breached our community's security. Stole the 
Databases of other forums ... you've breached what little trust exist's 
(sic) in the community."

Ten days after the forced mergers, the deposed leaders of DarkMarket and 
ScandinavianCarding managed to reconstitute forums under those names. 
And CardersMarket appeared to be under assault, with some of the 
features on its website functioning sporadically, according to RSA 
Security's Einav.

Security experts expect the infighting to run its course. They say 
Iceman's attack prompted forum leaders to beef up database passwords and 
patch other security holes, making both hostile takeovers and law 
enforcement investigations more difficult. Most experts expect the 
activity level of the forums to rise, because many consumers and 
businesses are uninformed or apathetic.


Consumers' lax attitudes

Consumers continue to exhibit lax attitudes, even as Internet intrusions 
and scams rise in frequency and sophistication. John Thompson, CEO of 
anti-virus giant Symantec, contends Internet users must adopt the same 
"sixth sense about security" they use when they get in their cars or 
leave home.

Meanwhile, the commercial sector has been slow to ask consumers to take 
other steps, such as using a smartcard or fingerprint reader along with 
typing a log-on and password to prove they are who they say online.

Thomas Harkins spent two decades as operations director for MasterCard 
International's fraud division, gaining an insider's view of 
cybercrime's breakneck rise. Now COO of security firm Edentify, based in 
Bethlehem, Pa., Harkins says identity theft is poised to increase by a 
factor of 20 over the next two years.

"There's so many stolen identities in criminals' hands that (identity 
theft) could easily rise 20 times," Harkins says. "The criminals are 
still trying to figure out what to do with all the data."

Meanwhile, stories such as Kevin Munro's will continue to pile up. In 
late August, the name, Social Security number and other data of the 
51-year-old Warsaw, N.Y., building inspector turned up for sale on a 
forum monitored by CardCops. Munro recalls changing checking accounts 
after a thief tried to cash several bad checks in 2002. Since then, his 
personal data have persisted in circulation.

Cybercrooks have used it online to order magazines, purchase three Dell 
computers and attempt to take out a real estate loan. Recently, 
MasterCard notified Munro that an account he's had for 20 years and uses 
infrequently was being canceled.

"I work for a living," Munro says. "I do everything on the up-and-up, 
and some lowlife comes by and takes it away."

Acohido reported from Seattle, Swartz from San Francisco.

