http://www.wired.com/news/technology/0,72515-0.html By Kim Zetter Jan, 30, 2007 By the time David Thomas eased his Cadillac into the parking lot of an office complex in Issaquah, Washington, he already suspected the police were on to him. An empty Crown Victoria in one of the parking spaces confirmed it. "That's heat right there," he told his two passengers -- 29-year-old girlfriend Bridget Trevino, and his crime partner Kim Marvin Taylor, a balding, middle-aged master of fake identities he'd met on the internet. It was November 2002, and Thomas, then a 44-year-old Texan, was in Washington to collect more than $30,000 in merchandise that a Ukrainian known as "Big Buyer" ordered from Outpost.com with stolen credit card numbers. His job was to collect the goods from a mail drop, fence them on eBay and wire the money to Russia, pocketing 40 percent of the take before moving to another city to repeat the scam. But things didn't go as planned. Ignoring Thomas' suspicions, Taylor walked into the Meadow Creek Professional Center to collect the Outpost shipment, and found the cops waiting for him. Thomas and his girlfriend tried to escape in the Cadillac but were caught half a mile away. An ID badge that Taylor wore when he was arrested indicated that he worked for Microsoft. But that was no more accurate than the two-dozen other employee badges he possessed for E-Trade and AT&T Broadband, or the 15 driver's licenses from various states that featured his congenial face and a dozen aliases. Nor did Thomas's California driver's license help authorities identify him. Although it had his picture, the name and address on the ID belonged to a producer for the A&E channel. With so many fake IDs in play it was unclear to police exactly who they had in custody. Then as they read Thomas his rights, he told them: "Get me some federal agents and I'll give you a case involving the Russians and millions of dollars." Thus was the beginning of Thomas' turn to the other side. For 18 months beginning in April 2003, Thomas worked as a "paid asset" for the FBI running a website for identity and credit card thieves from a government-supplied apartment in the tony Queen Anne neighborhood of Seattle. From bedrise to bedrest, seven days a week, he rode the boards and forums of his and other carding sites using the online nickname El Mariachi. He recorded private messages and IRC chats for the FBI as "carders" schemed to, among other things, sell stolen credit and debit card numbers, defraud the George Bush and John Kerry campaign sites, drain hundreds of thousands of dollars from bank and investment accounts, sell access to Paris Hilton's T-Mobile account and run phishing scams against U.S. Bank and the FDIC. He did it all while battling denial-of-service attacks against his site and dodging attempts by his old partner Taylor and other carders to track his whereabouts and out him as a fed. Just as his enemies were closing in on him in September 2004, the FBI pulled the plug on his work and cut him loose. But not before Thomas had given authorities a valuable look at the internet's underworld, even though the strain of leading a double life nearly broke him. Now Thomas is telling the story of his work during this period. It's a tale that provides a rare glimpse of the thriving international computer underground of high and low-tech thieves and swindlers whose crimes cost millions each year. It also illuminates the rarely seen world of federal law enforcement's war against these organized criminals, and the moral and ethical tradeoffs sworn agents make in pursuing their mission -- providing crooks with an electronic marketplace where they can congregate and conduct their ignominious business anonymously. Even allowing some crimes to go unpunished. The full scope of the problem is hard to judge, but nonetheless staggering. U.S. banks lost $546 million to debit card fraud in 2004, according to banking research firm Dove Consulting, and credit card fraud losses were estimated to be about $3.8 billion globally in 2003 according to The Nilson Report. The Federal Trade Commission estimates that 10 million Americans are victims of identity theft each year. The financial impact of identity theft remains untold. Thomas says he is telling his story now because he's tired of the life he's lived on the boards over the last five years and resentful of the control the FBI maintained over him for so long. He also wants to warn the public about the risks they face from the carding community and deter kids from being seduced into a life of crime. The FBI's Seattle office wouldn't discuss Thomas, and neither confirmed nor denied that he worked for them. But over the last year Wired News verified other key aspects of Thomas' account in dozens of interviews with members of the underground, victims of online crimes he observed, as well as attorneys and other people connected with Thomas -- his former apartment manager, for example, confirmed that the FBI paid Thomas' rent. Additionally, Thomas provided hundreds of chat logs and forum posts from his former website, The Grifters [1] -- a criminal marketplace that played a key role in a parade of diverse frauds, ranging from bank theft to telephone records hacking, all unfolding in a sprawling international tableau spanning from the former Soviet empire to the tropics of Colombia. It was July 2004 and Brian Campbell had been on Isla Mujeres off the coast of Cancun for three days for a relative's wedding when he discovered he'd been scammed. An American MBA student studying in Australia at the time, Campbell (not his real name [2]) was accustomed to checking his investment portfolio daily over the internet. But the wedding distracted him a couple of days, and when he finally got online, he found he was locked out of his Schwab trading account. He called Schwab and discovered that his user name and password had been changed. What's more, $106,000 had recently been wired from his account to a Fortis bank account in Belgium. Campbell hadn't requested the transfer. Unknown to Campbell, a cyber thief who went by the nick "desertmack" had gained access to his e-mail account and had been watching him for weeks. The Mexico wedding was the break desertmack needed. He'd been hoping a little tequila and sunshine would distract Campbell from obsessively checking his brokerage account long enough to steal the money and send it to Brussels, where an accomplice would withdraw it. But while desertmack was watching Campbell, the FBI was watching him. Or at least David Thomas was. Sitting in a 500-square-foot Seattle apartment, window shades drawn and cramped with three computers that emitted an oppressive heat, Thomas recorded every conversation that desertmack and his accomplice, who used the nick jonjacob, exchanged in a private area of TheGrifters.net. TheGrifters was a members-only "carding" site that Thomas launched in December 2003, eight months after beginning his work for the FBI. The goal of the site was to attract identity and bank thieves. It was the kind of site authorities called a "build it and they will come" site. And they did. By mid-2004 the site was crawling with thieves trafficking in fake IDs, stolen credit card numbers, card-embossing equipment and ATM skimmers that capture data on a debit card's magnetic stripe so criminals can encode it on blank cards and drain an account. TheGrifters was a successful crime hub in a crowded field, competing with other sites like Shadowcrew, CarderPlanet and DarkProfits to attract the biggest criminals. None of the carders knew that Thomas was working for law enforcement, although there were many who accused him of it. Indeed, if a carder was arrested and returned to the boards, as Thomas had done, often he was working for "LE," in carder lingo. But the boards were always thick with a fog of police paranoia, and no one took the accusations seriously enough to stay away from Thomas. Thomas began following desertmack closely after he saw the crook purchase a credit report for Campbell from a Florida woman who used the nick Decepgal. Decep ran a carding site called Muzzfuzz and, according to bankruptcy filings in her real name, worked as a transcriber of psychiatrists' notes. She also ran a side business selling credit reports to identity thieves -- $40 for a standard report or $75 for full-info reports that included a victim's property holdings, bankruptcy filings and lists of possible relatives [3] The report, coupled with e-mail account statements, gave desertmack all he needed to access Campbell's Schwab account and initiate the money transfer. Jonjacob and another associate in Brussels then opened a Fortis business account -- chosen because of the bank's $40,000-a-day withdrawal limit on such accounts. As the day for the transfer neared, the thieves could hardly contain their excitement: "Hehe, fingers firmly crossed, along with my legs, testicles and anything else I can think of," one associate wrote desertmack. Then, on the day of the theft: "well ... I expect our friends are off enjoying their holiday. And with a bit of luck, you're busy raping that juicy account of theirs." The night before the attack, desertmack changed the contact number on Campbell's account so Schwab would call him for verification instead of Campbell if it suspected the wire request was fraudulent. The ruse worked. Within 24 hours the money was on its way to Brussels. But that was the last desertmack heard of it. Once the funds were overseas, his accomplice jonjacob disappeared. If desertmack suspected a double-cross, he was wrong. Campbell, who confirmed the details of the theft for Wired News, learned from Schwab that a suspect was arrested in Brussels while trying to withdraw money from Fortis. [4]) Shortly after that, it appears that desertmack was arrested too, though not for the Schwab crime. Oregon sheriffs arrested a 47-year-old man on unrelated identity theft charges in September 2004, after his wife was involved in a car accident and deputies discovered outstanding warrants on both of them for an old eBay fraud caper. Police searching the couple's apartment found equipment for making credit cards and fake IDs, as well as 432 stolen credit card numbers, 176 bank account and routing numbers and boxes of credit reports in other people's names. E-mail found in the suspect's computer inbox was addressed to desertmack@private "He was very organized," Oregon deputy sheriff David Thompson told Wired News. He had 510 dossiers on victims that consisted of "each person's credit cards and IDs that he had created, bundled up with a rubber band so that he could just grab a bundle and have that identity for a day to go out and go shopping." The suspect claimed it was all research for a book he was writing about fraud prevention. Oregon FBI spokeswoman Beth Ann Steele said the man was suspected of initiating the Schwab wire transfer, but said the bureau didn't pursue charges because local authorities had a stronger identity theft case against him. The Schwab case illustrates a running theme in Thomas' dealings with the FBI. Although Thomas says he provided his handlers at the Seattle FBI with logs depicting desertmack's scheme, the bureau apparently never acted on that information -- the Oregon FBI only learned of the theft because Campbell, the victim, reported it himself after it occurred. "If we had left it up to Schwab, they might never have gotten the FBI involved at all," Campbell says [5], Schwab, too, was less than responsive. Campbell got his money back from the company only after several calls to the firm pointing out the obvious security flaws in a system that failed to flag a wire request made on an account a day after contact information on the account was changed. "Schwab was pretty bad with customer service," Campbell says. "For a long time they wouldn't tell me they were going to take responsibility for it and return (the money)." (Schwab had no comment). As for Thomas, he was unaware of desertmack's fate until Wired News tracked down the suspect. As with all of the information Thomas provided the FBI, he was kept in the dark and never knew what, if anything, the agency did with the intelligence he gave his handler. Thomas began his work for the FBI five months after his Issaquah arrest and after serving three months in jail. His partner, Kim Marvin Taylor, known by the nick "Macgyver," left Washington before he could be charged, and landed quickly back on Shadowcrew, where he was a top administrator of the site. After Thomas' arrest, federal agents came to see him in jail, as he'd requested. He told Secret Service agent Michael Levin what he'd done for the Russians, but Levin wasn't impressed. According to Thomas, the agent replied that he had multi-million-dollar cases on his desk and wasn't going to waste time on a lousy $50,000 internet scam. Seattle FBI Agent Steve Butler also came to see him and seemed just as unresponsive at first. The jailhouse chat through a glass partition lasted less than 10 minutes with no mention of a job. But when Thomas was transferred to Nebraska to face an outstanding warrant for check fraud, Butler showed up for a repeat visit, an assistant U.S. attorney in tow. The agent laid out his plan: Thomas would work for the Northwest Cyber Crimes Task Force in Seattle to gather intelligence and teach Butler how the carding sites operated; in return, the FBI would pay his rent and all of his expenses. It would be an intelligence gathering mission, not aimed at making arrests, but rather at learning how the international carding scene operated. "They made a big show down there," Thomas says. "They told me that they'd take care of me, and I'd have a legit job with them." [6]. He didn't have to think twice. No one had ever sought him out for work before, and in an age of background checks they likely wouldn't. But that wasn't the only reason he took the offer. He wanted to write a book about the carding world, and figured this was the perfect chance to gather material. "(The FBI) wanted to see just what they could get out of it, and I wanted to see what was really going on and to write about it," Thomas says. "It was a win-win situation." [7]. His lawyer got the Nebraska charges reduced to a misdemeanor and fine, and by April 2003 Thomas was back in Seattle, where girlfriend Trevino joined him, and on the boards, using computers the FBI supplied him. But almost immediately the words he'd spoken in Issaquah came back to bite him. On CarderPlanet, someone posted a copy of his police report containing the statement he made to police about the Russians and federal agents. Taylor, still a fugitive, took to the boards and accused Thomas of selling him out to the feds. A war of words broke out between Thomas' supporters on CarderPlanet and Taylor's supporters at Shadowcrew. "All of a sudden, whatever I was hired to do (for the FBI) looked like I wasn't going to be able to do it," Thomas says. "In my mind I was toast. Because that report was too damning." Thomas denied the claims to little avail. Then, two months later Taylor was jailed in Colorado on new charges unrelated to the Issaquah bust. He served eleven months before being released in May 2004. But his absence did little to foster calm. Over the next year, the board war would escalate from verbal scuffling to all-out Joe Jobs and DDoS attacks. And every 45 days or so when things would quiet down, someone would repost Thomas' police report to stir them up again. Between battling other carders and gathering information for the feds, Thomas's workdays were long and full of non-stop activity. He became obsessed with knowing everything that was happening on the boards. He'd often sleep during the day, then work all night when the boards were most active. Each day when he awoke, he'd hop on the boards to see what had happened while he'd slept. Were any carding sites down? Had anyone been arrested? Then he'd run through a checklist of scams unfolding that day. He spent 18 to 20 hours a day online with 15 to 20 chat windows open on his screen at a time. When he wasn't chatting online, he was talking on the phone. "People would talk to me -- I've got this deal, I've got that deal. What do you think of this, what do you think of that?" he says. "El had a huge following." His job was to log every message he received and sent as well as every note that members posted to the boards. At the end of each day he sent Butler a report. Sometimes there were more than 300 messages in a single discussion thread. Every morning Butler debriefed him by phone, and once a week they met in person. Everything he recorded for the FBI, he recorded for himself as well. His task for the FBI was to track who was doing what, which wasn't always easy since members changed their nicks often and used anonymous e-mail, proxy servers and pre-paid cell phones to mask their identities and whereabouts. Occasionally, however, they'd let their guard down. Thomas never pressed for details. But like a good psychiatrist, he did the cyber equivalent of nodding with interest, and people were happy to talk. Ironically, even though the carders constantly accused each other of working for the feds, they often acted as if a cloak of invisibility shielded them. Larry Johnson, special agent for the Secret Service's investigative division who headed an undercover operation for his agency on the boards, says agents were often dumbfounded by the carders' lack of discretion. "If I were going undercover they would accuse me, accuse me and accuse me (of being a fed) and then buy something from me (anyway)," he says. "Figure that out." Thomas says the carders believed they operated in a protected world. "It was all some fantasy criminal paradise," he says. "Nobody believed law enforcement was out there in force." In truth, law enforcement agents were (and still are) some of the fraud sites' most determined users, and it wasn't just undercover U.S. feds scouring the boards. There were also agents from Russia, the U.K., Australia, Israel and Brazil. Fraud investigators from Visa, Bank of America, eBay and others also lurked on the sites, determined to gather intelligence about threats to their customers. The presence of so many watchers meant that authorities sometimes targeted the wrong person for investigation. Although U.S. agencies held deconfliction meetings to apprise each other of who was doing what, word didn't always get around. When Thomas once asked Butler who was the biggest target the feds were tracking, Butler laughed and replied, "You're the biggest target. Everyone is after you." Although the Seattle neighborhood where Thomas lived was upscale, his apartment was strictly low-rent. Except for a small couch and TV, the only living room furniture was an Ikea table that groaned from the weight of two desktop computers -- one for watching the boards and chatting with carders, the other later used for hosting TheGrifters -- and a laptop for compiling reports to Butler. Trevino occasionally helped out with research but for the most part avoided Thomas's work and spent her time chatting with friends online and playing digital games. "I didn't want to be there doing what he was doing," Trevino says. "I didn't want to be a part of it. Because I had done my time (in the carding community) and I didn't want to do any more." To conduct his work, Thomas was allowed to facilitate and commit crimes, but only after clearing them with Butler. Butler said undercover agents from other agencies who didn't know what Thomas was up to would try to set him up, and Butler would need to run interference when he saw it happening. He was also told that if he committed any crimes without clearing them first, Butler would make sure that he went to prison, and that other inmates would know he'd worked for the FBI. [8]. The boards had a strict hierarchy that Thomas had little trouble infiltrating. At the top were administrators, like Taylor, who handled day-to-day operations and served as gatekeepers to private areas of the board where the best deals were made. Admins also meted out punishment to carders they didn't like or to "rippers" who cheated fellow carders. An admin could ban someone from the board or, worse, post his photo online and expose his identity. The pictures came from fake-ID vendors who often held on to the photos of customers just to use them when someone got out of line. Beneath the admins were moderators who oversaw forums dedicated to various topics, such as bank fraud and identity theft. Then came vendors and reviewers. Before a vendor could sell his merchandise on the boards, a reviewer evaluated the quality of his offerings based on such criteria as the quality of a hologram on a fake ID, or whether the stolen credit card numbers a vendor was hawking were still live and valid. Most reviews consisted of a couple of lines: "Cards good. Premium numbers with high balances." The organized chain of command allowed a rich economy to flourish -- and the range of products and services at offer was staggering. While credit card fraud was a staple of the cyber underground, a wide variety of other crimes also unfolded -- and still unfold -- on the boards. Some underground denizens offered spamming and "bullet-proof" hosting services from servers placed in locations unreachable by law enforcement. Extortionists used botnets to deliver DDoS attacks against websites that didn't pay protection money. And hackers designed and sold rootkits, spyware and spam mailers, alongside peddlers of stolen source code from companies like Microsoft. Pretty much anything went in the underground if it could produce a profit. Of course, the quickest way to make money was to, literally, make money. And when a Colombian counterfeiter named Dexer showed up on the boards peddling top-quality fake dollars and euros, Thomas was interested. After consulting with Butler, Thomas asked Dexer to send him some sample bills to review their quality. Two weeks later they arrived at an FBI mail drop in Seattle, secreted in a hollowed-out book cover. Although Thomas never saw the bills, Butler told him the counterfeiters had bleached $1 and $5 bills then printed $50 and $100 denominations onto the paper to produce near-perfect fakes. Thomas gave Dexer a glowing review on CarderPlanet, and orders began pouring in -- that is, until members started complaining that bills they ordered never arrived. Dexer said U.S. customs was holding them up. He discussed plans to get around the blockade, but shortly thereafter his nick disappeared from the boards, leading others to wonder whether he'd been arrested or simply skipped out to avoid the anger of dissatisfied customers who never received their bills. Did the FBI move in on Dexer? As usual, Butler kept Thomas in the dark. The uneven power relationship between Thomas and his handler, and the increasing claustrophobic nature of Thomas's life, took their toll over time. The strain wasn't helped by the differences in Thomas' and Butler's personalities. As Trevino describes him, Butler was the polar opposite of Thomas -- tall and confident with tightly cropped blond hair and the physique and jaw of a college jock. According to Thomas, Butler's background was in drug investigations not cyber crime, and the two of them frequently butted heads over how to run the operation, often resulting in shouting matches in Butler's car as they drove around the neighborhood for their debriefing sessions. "He was very intelligent," Thomas says. "But ... we just never hit it off." The conflict came to a head one day after Butler rebuffed Thomas's requests for some time off to get some rest. When Butler next phoned for their routine debriefing session, Thomas, exhausted, refused. "I'm on vacation." Another shouting match ensued, culminating in Butler coming to the apartment and carting off the computer Thomas used to host TheGrifters website. As Butler left with the PC, he told Thomas he was fired and gave him a week to leave the apartment. Dumbfounded, Thomas sat there for days struggling to figure out where he'd go with no money when Butler, his point finally made, called back. "Okay. Are you ready to get back to work now?" When TheGrifters went back online Thomas had to cover for his downtime by telling board members he'd been taken out by a DDoS attack. The troubles with Butler were only compounded by the continuing attacks that Thomas faced from enemy carders trying to expose him and take out his site. To deal with the stress of maintaining his double identity and battling Butler, he'd often retreat to the bathroom where he'd turn on the shower and lie on the floor, letting the water run for hours to clear the chatter from his head. The shower ran so long one month that the FBI got a bill for 18,000 gallons of water. Thomas says federal investigators appeared at his door to see if he was growing marijuana or making homebrew. "They opened a federal investigation to find out where the water went," Thomas says laughing. "And the water went down the drain. Because it was my only way to relax." Tomorrow: Enter the Russians. -==- [1] ... posts from his former website, The Grifters. The logs appear to be legitimate but Wired News was unable to verify that they were recorded on behalf of the FBI or that they were unaltered by Thomas. [2] Campbell asked Wired News not to publish his real name for fear that other thieves would target him. [3] ... and lists of possible relatives. According to Thomas, Decep had previously worked for a Florida prosecutor and had access to a Lexis-Nexis database used by law enforcement agents and businesses. [4] ... trying to withdraw money from Fortis. I was unable to confirm the arrest in Brussels with either Schwab or the FBI. [5] "If we had left it up to Schwab, they might never have gotten the FBI involved at all." Even then, it was the Oregon sheriff's department that nailed the suspect on unrelated charges. And the Oregon prosecutor handling the identity theft cast against the suspect says no one told him about the Schwab crime and investigation. The victim, Campbell, said he was told that authorities were able to connect the suspect to the theft of his Schwab money because the suspect had changed the contact phone number on his account to the suspect's real cell phone number. I was unable to confirm this. [6] "They told me that they'd take care of me, and I'd have a legit job with them." One of Thomas's former public defenders in Seattle, Thomas Hillier, was reluctant to speak with me but confirmed the jailhouse visit with Butler. He said his memory of the four-year-old case was foggy and that he didn't recall a federal job offer for Thomas, although his file notes do contain a cryptic reference to a job offer next to the name of former assistant U.S. Attorney Hugh Berry. According to Thomas, Berry was the U.S. attorney who visited him in Nebraska with FBI agent Steve Butler. The Nebraska prosecutor, Andrea Belgau, who Thomas says was present at the Nebraska meeting with Butler and Berry, was also very reluctant to discuss the meeting. "I can't speak very completely about it other than he did offer assistance to the federal authorities," she said. She wouldn't discuss the details, but said she wouldn't dispute what Thomas told me either. "I don't think it's appropriate for me to delve into it," she said. "The defendant may be free to speak about it, but those of us employed by government agencies have more restrictions." [7] "It was a win-win situation." Thomas says the FBI paid him no salary, but covered his rent and expenses. The former apartment manager at the complex where Thomas lived confirmed that the FBI paid rent on the apartment and that FBI Agent Steve Butler and another agent whom the manager identified as an FBI district supervisor accompanied Thomas the day he and Trevino moved in. The manager, who asked not be identified by name because he spoke without permission from his former employer, said Butler gave him his cell phone number and told him to call if Thomas caused any problems while living there. Candace Hamel, who worked in the property management head office at the time, said she couldn't confirm that the FBI paid for the apartment, but then added after a pause and without prompting, "I'm not denying it either." When asked if the management company had an ongoing deal with the FBI to supply the agency with apartments, as Thomas contends, Hamel again said she couldn't confirm or deny then added, "That's confidential information." FBI Agent Steve Butler was polite and friendly but declined to comment on whether Thomas worked for the FBI. "We would never confirm or deny something like this," he said, saying that such comments would make other people reluctant to work in such capacity with the FBI. I should note here that there is a David A. Thomas who works for the FBI as chief of the agency's Cyber Division Criminal Computer Intrusion Unit. He's often quoted in articles about cyber crime and should not be confused with David R. Thomas, who is the source for this story. [8] Butler would make sure that he went to prison, and that other inmates would know he'd worked for the FBI Thomas says he was cowed by Butler's threat and never considered committing crimes behind his back because he assumed the feds were watching his every move. But recent court records involving another carder in South Carolina show how easily a criminal working for the feds can commit crimes under the nose of agents who are supposed to be watching him. According to an affidavit in the case, while working a few hours each day out of a government-supplied apartment, this other carder allegedly continued to card secretly on the side. _____________________________ Subscribe to InfoSec News http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Tue Jan 30 2007 - 23:24:41 PST