Read Fatal System Error Online

Authors: Joseph Menn


Fatal System Error (page 29)

BOOK: Fatal System Error
11.82Mb size Format: txt, pdf, ePub
Andy was still angry that SOCA had dropped the ball, as he saw it. The case he’d led in Russia was supposed to open a new era of cooperation that would make the Internet much safer for everyone. That was certainly how Andy justified the enormous amount of time and money his government had devoted to a single set of criminals. Perhaps Brain still would be brought to justice, but it didn’t seem likely. King Arthur and Stran were nonstarters. And then, in all likelihood, the crusade was over. SOCA’s retreat meant that Andy was never able to pave the way for dozens of similar joint investigations, as he had hoped. In the end, Andy wasn’t a pathfinder: he was an outlier. The Russian mob went on as before.
Andy caught up with what had transpired in his absence. During the three years he had been locked in on the Maksakov ring and its allies, identity theft and related crimes had gotten much worse. Broad phishing attacks rose and then declined. In their place came wider distribution, often through legitimate websites that had been hacked, of the worst kind of spyware: the type that recorded users' keystrokes as they entered passwords for brokerage or bank accounts. Some variants built on the success of the extortion racket, encrypting or locking consumers' files and demanding a ransom to release them.
The sheer volume of new viruses and other “malware” grew so vast—being reported at clips as rapid as two a minute—that security firms could no longer analyze each one by hand. Instead, they relied on machines to identify the most pernicious. The number that could evade antivirus software and firewalls soared as well. Hackers even trained viruses to mutate on their own, making them harder to block systematically: one called Storm spawned 5,000 variants within days of its release. Facebook, Twitter, and other social networks soon made it easy to take one stolen identity and then induce the victims’ friends to click on poisoned links.
A Gartner survey found that 30 percent of Americans had been victimized by identity fraud by 2009. They got back an average of 86 percent of the money drained from credit cards and 77 percent of the money stolen from ATM and debit cards. Victims of bogus account transfers, though, recovered only 54 percent of their losses. Small businesses were increasingly targeted in account transfers, and the banks often refused to make up the losses. As for the banking industry’s red ink, that was anyone’s guess. Convictions remained an extreme rarity, striking far less than half of 1 percent of the perpetrators.
While the U.S. got better at domestic arrests, taking down the likes of Max Butler and Albert Gonzalez, it still struggled to get anywhere near as much assistance from the former Eastern Bloc as Andy had managed. The most notable success was in Romania, which arrested dozens in mostly small-time identity theft cases. According to many, that was money talking. “The European Union brought down the hammer on Romania. They said there’s no funding for technology assistance unless they cracked down, and they did,” said VeriSign security analyst Kimberly Zenz. FBI Assistant Director Shawn Henry said it helped that Romania was looking to join NATO. Still, in mid-2009 Andy’s initial interview with Ivan Maksakov remained the most fruitful interrogation to date of any hacker in the top country for hacking.
While Andy had advanced against cybercrime on one front, the situation on every other front had deteriorated. It was now a full-blown geopolitical struggle, and neither the U.K. nor the U.S. wanted to fight it.
THOSE WHO ESCAPED ANDY’S GRASP were just a sampling of the dangerous men protected by superior political force. The most likely authors of two of the worst viruses of all time, SoBig and Bagle, were identified to no avail. Top Ukrainian carder Script, aka Dmitry Golubov, walked out of prison on no less authority than the good word of two members of that country’s parliament.
For every entry-level crook picked up overseas in cooperation with U.S. or U.K. investigators, a known modern-day mob boss thumbed his nose, certain of safety. In 2005, the FBI and Secret Service worked with other U.S. officials to try to bust one notorious Russian gang, the HangUp Team. Their officials met with Russian authorities multiple times, identified the members behind the crew, and even provided their locations. The Russians did nothing. “Same goes for King Arthur,” said one agent involved. “American authorities couldn’t even get a picture of the guy.”
Worst of all was the Russian Business Network, Andy learned. By following the trail from the denial-of-service hackers, he realized, he had come as near to the infamous RBN as anyone in the West, perhaps within a steel door’s thickness of a close affiliate. Now Andy began to doubt that anyone would ever get that close again.
Brain’s St. Petersburg crew had been tipped off, it had been tied to child porn, and it ran a slick operation that could make evidence disappear down a dumbwaiter at short notice. That sounded a lot like the way the RBN did business. Researchers who spent much of their time tracking the RBN said the group enjoyed some kind of special protection. A key figure in the group called himself Flyman and might have been the world’s largest supplier of child pornography. But he was off-limits to police, according to reports from several investigators, including Zenz, who spent many months in Russia. Zenz reported that a senior MVD investigator told her in Moscow in 2006 that his efforts to arrest Flyman “met forceful, official resistance. Flyman’s father is an influential St. Petersburg politician who used his leverage and money to persuade law enforcement authorities to prevent do-gooders from pursuing the case.” She elaborated: “Flyman is a very rare type, in that he has both mafia protection and political protection at a very strong level.”
Without some cover from above, no organization could have been so deeply involved in everything from DDoS attacks to spyware—and so public that it advertised “bulletproof hosting” and other services and gave out staffers’ names—while escaping prosecution. The RBN gave off an astonishing combination of mystery and openness that made it all the more menacing: it hid in plain sight. The group dated back as far as 1998, according to Zenz and another of the most influential experts on the gang, a security professional using the pseudonym Jart Armin. Armin believes that the RBN started out as a conventional, if proficient, circle of hackers. Then it had a merger with one of the most powerful traditional organized crime groups in Russia, the Tambov gang of St. Petersburg.
If this reading is accurate, the combination became a model for other cybercrime groups throughout the country. Although most hackers started on their own, as they got bigger they developed a need for protection by old-school mobsters, who were better connected politically. Even if they didn’t see such a need, the mobsters might point it out to them in a very persuasive manner. It’s not so much that the hackers feared getting arrested: it’s more that they feared that any police who identified them would demand a bribe. The typical way to avoid paying an exorbitant bribe in Russia is to have one’s own mob ally, or “roof,” negotiate for you, according to Joe Serio, an American who worked in the Soviet government’s anti-organized crime bureau.
It remains a challenge to figure out who does what at the Russian Business Network, and not everyone agrees even what functions the group carries out as a whole. But tremendous work has gone into the effort by such researchers as Zenz; Armin; David Bizeul, a security expert for French banks; Paul Ferguson, of the big security firm Trend Micro; Don Jackson of SecureWorks; and the people at Team Cymru. Independently and teamed up, such researchers have written a number of analyses, posting some of them on the Web for criticism and refinement.
It is worth noting why experts are willing to work with people like Armin, who masks his real identity. It’s because they understand the personal risk he is taking in trying to expose the RBN. The threats Andy faced in Russia are not unheard of. The name of the author of “Who Wrote SoBig” is known to a very few individuals, mainly in government. Ferguson and security firm F-Secure’s Mikko Hypponen take steps to obscure where they live. Team Cymru, which helped Barrett track botnets, names its top executives but never takes credit for any of its activities. Zenz said she knows Flyman’s real name but wouldn’t be the first to make it public. “If he’s not going to get picked up, I’m not going to pick a fight with him personally,” she said. “He’s a nasty piece of work.”
A former colleague of Armin’s once went to St. Petersburg to investigate some thefts of material worth millions of dollars. As Armin put it later, his colleague made the mistake of trusting the police there, working with them, and using his real identity. Shortly afterward, the man’s teenage daughter permanently disappeared from their home in a Western country. He was told that if he forgot about the matter in St. Petersburg, his other children would be left alone.
What’s already known is that the Russian Business Network offers hosting and connections to the Internet, and probably much more. This gives it a layer of deniability: it can always say that someone else bought technology services and used them to criminal ends without the company’s knowledge. That is an obvious smoke screen, because with the exception of a small number of porn sites, no one has ever found legitimate content hosted by RBN. French expert Bizeul probed thousands of servers bearing Internet addresses under the control of RBN and its close affiliates. He found 555 addresses that tried to infect visitors’ Web browsers, 47 containing child porn, 15 with conventional porn, 8 providing command-and-control functions that managed botnets, 5 selling scareware (the fake anti-spyware programs that trick users into thinking a download will scan and secure their computers), 4 used in financial fraud, 3 offering to pay outsiders to install malicious programs on PCs, 2 holding masses of pirated software, and 1 recruiting mules to move money around the planet. Until 2007, when the RBN got too much attention and dropped its public website, it had an official responsible for handling abuse complaints. The official generally demanded a Russian court order before cutting anyone off. But that’s not to say the company didn’t take note of such complaints—according to Zenz, it warned customers that if there was too much heat from what they were doing, it would have to charge them more.
Describing everything bad that happened on RBN computers would fill a separate book. In its early days the outfit hosted CoolWebSearch, a piece of nefarious, ad-spewing spyware that was so hard to disentangle from infected PCs that many consumers threw their machines away. More recently, RBN provided the home for the first major marketplace for automated hacking as a service. On those computers, an outfit called 76service, successor to the HangUp Team, sold subscriptions for access to machines infected by a Trojan called Gozi. Would-be criminals could purchase access to a freshly infected machine, the kind most likely to yield new and valuable financial data, for $1,000 a month. “Used” computers were cheaper, according to one researcher who was able to log onto the home site.
A leading figure at the group that ran Gozi was in all likelihood one of the two critical allies of Albert Gonzalez, the biggest American identity thief ever accused. A source close to the 2009 prosecution of Gonzalez in the 130 million-card Heartland Payment Systems breach said that Gonzalez’s indicted but unnamed Russian co-conspirators, “Hacker 1” and “Hacker 2,” used the online nicknames Anex and Grig, and the source said Grig had used that alias in posting to Shadowcrew. Don Jackson, the SecureWorks analyst who logged into Gozi’s customer interface and chatted with Russians involved there, said that only one major Shadowcrew poster went by Grig. That was the hacker who refashioned himself as a major figure in the HangUp Team and as “76,” co-leader of 76service. As Gonzalez pleaded guilty in August 2009, the FBI asked the FSB to go after Grig and Anex. But Jackson said that Grig’s longtime prominence made it plain that the FSB already knew who he was and had decided not to arrest him. “If they wanted to do it, they would have,” Jackson said. “They have had many opportunities.”
RBN was also involved in the 2007 attack that took control of the Bank of India’s main website. A hidden frame measuring just one pixel by one pixel, and therefore essentially invisible to the naked eye, was placed on BankofIndia.com. When people visited the site, the frame silently loaded an RBN page that tried to install twenty-two different pieces of malicious code, including identity-theft tools. And RBN was the largest host for pages taking advantage of MPack, an innovative crime kit that sold for $1,500 in the Russian underground. MPack used the same technique as that in the Bank of India attack, known as an iframe exploit, to corrupt thousands of legitimate Web pages, including many related to Italian tourism, and then breach the systems of as many as half of those sites’ visitors. The attacks succeeded so often because they probed for holes in many different pieces of software a visitor’s computer might be running, including Windows, Internet Explorer, and Apple’s QuickTime.