December 08, 2006
UK Net Boffins Targeted
Sky News: Net Crime Gangs Using 'KGB Tactics'
Updated: 08:56, Friday December 08, 2006
Internet crime gangs are using "KGB-style" recruitment tactics to snare talented computer students from British universities.
Security technology company McAfee also said children as young as 14 are being drawn into cybercrime by the promise of "celebrity status" among their peers.
The company's second annual report on internet organised crime included input from the FBI and European hi-tech crime units.
It suggested gangs were approaching top students and graduates from leading academic institutions to provide vital IT skills.
These tactics echo those of Russia's KGB and other countries' intelligence agencies during the Cold War.
"Cybercriminals are actively approaching students and graduates of IT technology courses to recruit a fresh wealth of cyber skill to their ranks," said the report.
It indicated cybercrime had won a "cult" following among hackers, with some online offenders reaching almost celebrity status.
McAfee security analyst Greg Day said: "Cybercrime is no longer in its infancy, it is big business."
December 8, 2006 at 10:45 PM in Online crime
September 10, 2006
Suspicions and Spies in Silicon Valley
Scandal at HP: The Boss Who Spied on Her Board - Newsweek Business - MSNBC.com
In a business saga, how Pattie Dunn's obsession with trying to root out the source of press reports ended with the covert tracking of directors' phone records.
By David A. Kaplan
Newsweek
Sept. 18, 2006 issue - It was supposed to be an easygoing celebration of a coronation. In early 2005, after Mark Hurd had been chosen to be Hewlett-Packard's new chief executive officer, he and his wife joined chairman of the board Patricia Dunn and her husband at the Marin County home of director Tom Perkins. Sitting on a lush hilltop overlooking the Golden Gate, they dined and wined in honor of what they hoped would be a new era for HP, an icon of Silicon Valley that had been through much recent turmoil, including the ouster of high-profile CEO Carly Fiorina. After dinner, they moved to the huge living room. Before a blazing hearth, looking out at the stunning view of San Francisco Bay, Dunn wanted to talk shop with Hurd. As Perkins tells the story—Dunn declined to comment—the spouses were bored silly. So was Perkins. He went off to his study to get his prized radio-controlled helicopter, and proceeded to buzz Dunn's head. The spouses were in stitches. Perkins circled the toy helicopter for another mischievous pass. Dunn just kept on talking about regulatory issues and other arcana of management. "Pattie!" Perkins asked: "Didn't you just hear something zooming over your head?" Her answer: "I just thought it was the dishwasher running."
The funny little vignette suggested to Perkins that he and the chairman had entirely different MOs. Little did he realize that about a year later their styles and priorities would collide to create a boardroom scandal that would shake the company that was once lionized in the Valley. At the same time, it would mesmerize corporate America, as other business leaders wondered how HP could have been involved in activity the California attorney general calls "colossally stupid," no matter how well intentioned, and may well result in criminal charges.
HP has now admitted to spying on its own directors' personal phone records in order to root out a leaker. It did so by using private investigators who engaged in "pretexting"—calling up phone companies and impersonating directors seeking their own records. HP late last week additionally admitted to spying on the phone records of nine journalists, including at The New York Times and Wall Street Journal, some of which date to 2005. HP's Dunn stands accused of orchestrating the investigation. Perkins quit in a rage over the surveillance and wants Dunn out as chairman; HP is painting him as an angry traitor with a vendetta against Dunn. Lying, spying, name-calling, finger-pointing—all of it is a tragicomedy that Shakespeare might've penned had he gotten an M.B.A.
Perkins and Dunn surely are contrasting archetypes in the rich backstory of Silicon Valley. At 74, he's the nonpareil behind-the-scenes venture capitalist with a larger-than-life array of extracurriculars. His Kleiner Perkins Caufield & Byers firm is the Medici of the Valley, bankrolling such home runs as Genentech, Google, Netscape and Amazon. He performs the financial alchemy of converting millions to billions when start-ups go public, in the process making VCs like himself centimillionaires. Out and about, he was the fifth husband of romance novelist Danielle Steel. He's just launched the 287-foot Maltese Falcon, the largest and most expensive private sailboat ever built; last year he wrote his own bawdy novel, "Sex and the Single Zillionaire"; in 1996 he was convicted of involuntary manslaughter for his involvement in a sailing collision off the coast of France that resulted in the death of another regatta participant (he paid a $10,000 fine and individuals on the other boats were convicted as well).
Dunn, 53, is less prominent in the Valley's Zeitgeist, yet is a success story in her own right, as well as a profile in courage for her fight against cancer. She was raised in Las Vegas, where her father did bookings for casinos. Her mother was a showgirl at the Copacabana. While Dunn met the rich and famous, her family didn't have a lot of money. Her father died when she was 12, her mother had emotional problems, and Dunn and her sister basically raised their younger brother after they moved to the Bay Area. Dunn majored in economics and journalism at Berkeley, and—your punch line here—hoped to become an investigative reporter, her sister Debbie Lammers says. Dunn eventually wound up as a temp typist at an investing firm that was later acquired by Barclays, at which Dunn began her career climb.
In recent years, as vice chairman of a division of Barclays, she has become wealthy enough to own property in the East Bay and Hawaii, as well as a Shiraz vineyard in Australia. But in the midst of her Barclays and HP duties, she has faced repeated health crises. She was diagnosed with breast cancer in 2000 and melanoma two years later. Those struggles have been widely reported, but Dunn confirms that she was diagnosed with Stage IV ovarian cancer in 2004. Last month, after doctors discovered a malignant tumor in her liver, she underwent extensive surgery. Dunn says she has kept the HP board apprised of her health, and her sister says she marvels at Pattie's "willpower" and ability to "survive beyond doctors' expectations." Six weeks after her 2004 surgery, Dunn kept a promise to her family to hike across the Sydney Harbor Bridge in Australia. Before her most recent surgery, she stopped at her vacation home in Kona and played 27 holes of golf.
Dunn is demonstrably tough. Whether she was wise is a different question. "If I did anything stupid, it's not because I have cancer or was receiving chemotherapy," she tells NEWSWEEK. Perkins himself calls her "nobody's fool"—deft at running annual meetings and a tough questioner. Early in their time together on the HP board, Perkins and Dunn got along and were actually allies: they were part of the team that lured Hurd to HP from NCR. But their different outlooks as directors could not help but emerge. Perkins, the venture capitalist, thought in broad strategic strokes, preferring to leave the details to others. Dunn thought the core of her job was to dot the I's and cross the T's—to keep her board process-driven rather than personality-driven. It drove Perkins nuts. It kept making him think of that helicopter. He recalls a meeting in his office with her in which he wanted to discuss how to compete better with Dell, IBM and others. According to Perkins, she was fixated instead on her discovery that there were inconsistencies between HP's bylaws and the Corporate Directors Handbook. Those inconsistencies then occupied hours of discussion at subsequent board meetings. "Intel might be kicking the crap out of us," Perkins says, "but that didn't seem to matter."
That's an overstatement. In the new world of corporate governance after Enron and other business implosions, good corporate governance isn't just a swell idea, but a legal requirement. And corporate watchdogs give the HP board high marks for independence. The chairman deserves credit for the high marks. Meanwhile, the company's profits have risen, and its stock price has soared. The supreme irony now, of course, is that being a stickler for proper procedures doesn't seem to have worked out so well for Pattie Dunn. An obsession with leaks to reporters could have happened at any company, especially at one with all the intrigue HP had faced during Carly Fiorina's tenure. It's not a function of Silicon Valley and it's got nothing to do with the details of corporate minutiae. The Dunn-Perkins mess is about what drives most conflict: human emotions.
The HP board of directors has long been a leaky ship. During the embattled reign of Fiorina—HP's flashy CEO who was forced out nearly two years ago—a blow-by-blow account of a board retreat, held off-site to discuss the company's most sensitive problems, appeared in The Wall Street Journal. Furious, Fiorina laid down the law to board members: the leaks had to stop. For a time it appeared that the leakers, whoever they were, had gotten the message.
But then, in January 2006, the online technology site CNET published an article about HP's long-term strategy. While the piece was upbeat and innocuous, it quoted an anonymous HP source and contained information that could've come only from a director. It was the last straw for Dunn, who by then had been elected non-executive chairman of the board. Dunn was incensed that the drip-drip-drip of information out of the boardroom continued. She wanted to know the leaker's identity, but she would not supervise an investigation herself.
Dunn referred the matter to HP's general counsel. In turn, that office contracted out the investigation to security experts who recruited private investigators who then took the extraordinary step of spying on the phone records of all the directors (including Dunn), as well as journalists (including the CNET reporter). These were not the records of calls from HP offices, but the records of calls made from personal accounts—like Perkins's home in Marin County. It was classic data mining: HP's consultants weren't actually listening in on calls—all they had to do was look for a pattern of contacts.
It is not uncommon for companies to monitor the phones and computers of their employees. Indeed, in the wired age, most employees don't realize how much privacy they sacrifice. But pretexting goes a step beyond. The investigators use your ID—typically, the last four digits of your Social Security number—to obtain your phone records from unwitting phone companies. Last week California Attorney General Bill Lockyer said he has decided a crime was committed, though he hasn't concluded by whom.
In an interview with NEWSWEEK, Dunn says she was aware HP was obtaining the phone records of suspected leakers as long ago as 2005. But she says she didn't know about the pretexting until late June, when she saw an e-mail to Perkins from HP's outside counsel, Larry Sonsini. "I was told it was all legal," she says. She now acknowledges that HP's tactics were "appalling" and "embarrassing," but says the current "brouhaha" grew out of a personal dispute between her and Perkins.
Dunn insists Perkins was just as eager to learn the identity of the leaker as she was. "Tom was the most hawkish member of the board for plugging the leaks, which he thought were coming from management. He advocated the use of lie-detector tests." Perkins disagrees. He tells NEWSWEEK that Dunn brought up the idea of lie-detector tests and that he volunteered to take one. "I thought it would be a kick—great for my next novel," he says. But he pointed out that if word leaked out an HP director had to take a lie-detector test, it would be a "catastrophe."
It remains unclear exactly what Dunn knew and when she knew it. The California attorney general will want to know if Dunn intentionally avoided knowing about the details, like a head of state who wants "plausible deniability" while ordering an assassination plot. (An ancient model, cited by old CIA hands, is Henry II. When he wanted to get rid of the Archbishop of Canterbury, he simply muttered in front of his knights, "Will no one rid me of this troublesome priest?")
In any case, Dunn sprang the identity of the leaker at a meeting of her fellow directors on May 18, at HP headquarters in Palo Alto, Calif. Meeting in the nondescript first-floor boardroom, Dunn laid out the surveillance and pointed out the offending director, who acknowledged being the CNET leaker. He was 66-year-old George (Jay) Keyworth, a science adviser to President Reagan and the longest-serving HP director. Thunderstruck, Keyworth apologized but said to the board, "I would have told you all about this. Why didn't you just ask?" Keyworth was asked to leave the room and did so. Close to 90 minutes of discussion followed. Hurd, the CEO, reportedly was asked by one director how he would handle a leak by an employee. "I would have no choice but to fire him," Hurd replied.
Other directors were noncommittal, according to Perkins. They included Larry Babbio, the president of Verizon—the phone company that has aggressively sought to protect the privacy of its customers' records. (Babbio, through a spokesman, declined to comment.) Perkins says he was the only director who rose to take Dunn on directly. Perkins told the directors he was enraged at the surveillance, which he called illegal, unethical and a misplaced corporate priority. "Pattie, you betrayed me," he says he railed at Dunn. "You and I had an agreement that if we found out who did this, we would handle it offline without disclosing the name of the leaker."
Dunn now charges that Perkins was just trying to protect his friend Keyworth. "He's angry that I stood in his way to cover up the results of our investigation and the identity of the leaker." Perkins dismisses the charge as a red herring—corporate spin to obscure larger issues. There may indeed be deeper issues at work. Dunn tells NEWSWEEK that Perkins has been agitating to vote her out as chairman for a while. At times, he had been. Inevitably their styles just clashed. Perkins is used to being king of the hill, even though he's never been a CEO. Venture capitalists routinely call the shots from behind the scenes in Silicon Valley, and Perkins is the most powerful VC of them all.
Whatever Perkins's motivations, he acted as if he were onstage in a melodrama. After a divided board, by secret written vote, passed a motion demanding that Keyworth resign, Perkins picked up his papers, grabbed his briefcase, walked out and zoomed off in his Porsche Carrera GT. "I quit!" he said as he stalked out. "I'll not be party to this. I'm resigning." Keyworth re-entered the room and learned he was being told to leave. He refused, saying it was up to shareholders to make such a decision. "We can ask him, but we can't make him," Ann Baskins, HP's general counsel, told the board. (Keyworth remains on the board even now, though HP announced last week it would not recommend him for re-election by shareholders come March; he declined to comment for this article.) After Perkins left the room, the rest of the board's agenda was scrapped and the meeting was thrown into chaos.
When Perkins returned to his office, he soon got a call from Sonsini, the best-known, most powerful lawyer in Silicon Valley. Baskins had called Sonsini at his nearby office and asked him to rush over. As Perkins tells it, Sonsini asked him, "How can I characterize this, Tom? May I say you're resigning for personal reasons?"
"No, Larry, you cannot."
"May I say it's a disagreement with Pattie?"
"Sure, but don't you dare say I resigned to spend more time with my children."
In media mentions a few days after the May 18 meeting, Perkins's resignation was noted, but without explanation or any indication that his exit was a form of protest. This began nearly four months of warfare between HP and Perkins about whether the surveillance would ever come to public light. Any time a director resigns from a public corporation, federal law requires the company to disclose it in an SEC filing. If the director quits because of a major "disagreement" with the company, the reason has to be disclosed as well. HP reported Perkins's resignation but not the reason for it. It was the Perkins-Sonsini phone call, according to HP, that allowed the company to give the SEC no explanation. "I gave them the opening not to disclose," Perkins now says. "I'm no SEC lawyer." Sonsini did not return calls from NEWSWEEK.
A few days later, Perkins was off to south Florida to promote his bawdy novel. His publisher had set up a contest with Romantic Times magazine, with the lucky winners getting a chance to have dinner with bachelor Tom. From Daytona Beach he was off to Istanbul, where he was preparing his superyacht for its sail trials in the Mediterranean. He fumed that the reason for his resignation had not yet come out, and he felt constrained from going public himself. Over time, in e-mails with Sonsini and communications with the board, he escalated his attempts to force SEC disclosure, as well as to get federal and state officials to investigate HP's spying on personal phone records; the FTC, FCC and federal prosecutors have now begun investigations. Perkins hired his own lawyer, Viet Dinh, a former Bush administration lawyer who had helped draft the Patriot Act.
Perkins had concluded that Dunn had to go. He even e-mailed her so. According to Perkins, she told him no. (Dunn recalls only that "Tom wrote to disinvite me from the launch party of his boat" on the Italian Riviera in mid-July.) But Perkins was hardly all-consumed with the battle. The day before his $100 million sailboat departed for its maiden voyage, the government of Turkey threw him a reception at the Imperial Palace. Perkins decked out the Falcon with signal flags adorning the deck from bow to stern, across the tops of the three 190-foot masts. The playful message spelled out in nautical-speak: "Rarely does one have the privilege to witness vulgar ostentation displayed on such a scale."
Perkins came to learn more about HP's use of pretexting. He discovered that he himself was hacked. In an Aug. 11 letter to Perkins that he demanded, an AT&T attorney explained that Perkins was a victim of pretexting in January 2006, just at the time Dunn decided to find the leaker. The AT&T letter explains that the unnamed pretexter who got details about Perkins's home-telephone usage was able to provide the last four digits of Perkins's Social Security number, and that was sufficient identification for AT&T. The impersonator then persuaded a customer-service rep to send the records electronically to an e-mail account, mike@yahoo.com, that on its face had nothing to do with Perkins. Records for Perkins's long-distance AT&T account were similarly obtained, but it was by redsox9855@yahoo.com. Both e-mail accounts are registered to the same Internet Protocol address, but AT&T says it doesn't know the identity of the user.
In mid-June, according to a letter Perkins sent to the full HP board, Perkins contacted Sonsini and asked him to look into the Dunn investigation. In an e-mail to Perkins obtained by NEWSWEEK, Sonsini acknowledged that Dunn's security consultants "did obtain information regarding phone calls made and received by the cell or home numbers of directors" and that it was "done through a third party that made pretext calls to phone-service providers." That was the first time Perkins had heard the word "pretexting."
Sonsini's e-mail emphasized that the consultants engaged in "no electronic surveillance," "no phone recording or eavesdropping" and "no recording, review or monitoring of director e-mail." His initial legal defense of pretexting was that it is "apparently a common investigatory method" and that "there was no 'secret spying,' i.e., no electronic gear, listening devices, etc." In its SEC filing last week, HP stated that the outside counsel had concluded that the use of pretexting "was not generally unlawful," but that counsel "could not confirm that the techniques" used by pretexters in the HP investigation "complied in all respects with applicable law."
Sonsini's legal tiptoeing intrigued Perkins for two reasons: it seemed to raise so many non-issues in Perkins's mind, and Perkins had also never heard of the pretexting that Sonsini admitted to. But it was only after he says HP then refused his repeated requests to take action that he eventually decided to approach a host of government agencies, as well as prosecutors in California and New York. By early September, HP scrambled to go on the offensive, and made a filing last week to the SEC, laying out the pretexting story for public consumption. The story exploded in the press (first in a piece on NEWSWEEK.com). Dunn called an emergency board meeting, which—by the time this story appears—may have called for her resignation. Dunn, interviewed by NEWSWEEK on Saturday, was philosophical. "My goal in this job was to help the board overcome its conflicts. I was unsuccessful. I wanted to show that two people at opposite ends of the spectrum could work together. That was naive."
Next week Dunn is scheduled to be inducted into the Bay Area Business Hall of Fame. Perkins is already a member. Maybe the two adversaries can reconnect at the induction ceremony—and exchange phone numbers.
With Karen Breslau, Brad Stone, Nadine Joseph, Daniel McGinn and Dana Gordon
Update: A source close to Hewlett-Packard tells Newsweek that HP's emergency board meeting was adjourned late in the afternoon on Sunday (ET) without any decision being reached on the possible resignation of Patricia Dunn as chairman. The source, who requested anonymity because of the confidentiality of internal board proceedings, said the HP board would reconvene late Monday afternoon.
Editor's Note: David A. Kaplan is writing a book for HarperCollins about Perkins's superyacht.
URL: http://msnbc.msn.com/id/14736379/site/newsweek/
September 10, 2006 at 10:56 PM in Online crime
August 06, 2005
Internet Scammers Keep Working in Nigeria
Internet Scammers Keep Working in Nigeria - Yahoo! News
By DULUE MBACHU, Associated Press Writer
LAGOS, Nigeria - Day in, day out, a strapping, amiable 24-year-old who calls himself Kele B. heads to an Internet cafe, hunkers down at a computer and casts his net upon the cyber-waters.
Blithely oblivious to signs on the walls and desks warning of the penalties for Internet fraud, he has sent out tens of thousands of e-mails telling recipients they have won about $6.4 million in a bogus British government "Internet lottery."
"Congratulation! You Are Our Lucky Winner!" it says.
So far, Kele says, he has had only one response. But he claims it paid off handsomely. An American took the bait, he says, and coughed up "fees" and "taxes" of more than $5,000, never to hear from Kele again.
Festac Town, a district of Lagos where the scammers ply their schemes, has become notorious for "419 scams," named for the section of the Nigerian penal code that outlaws them.
In Festac Town, an entire community of scammers overnights on the Internet. By day they flaunt their smart clothes and cars and hang around the Internet cafes, trading stories about successful cons and near misses, and hatching new plots.
Festac Town is where communication specialists operating underground sell foreign telephone lines over which a scammer can purport to be calling from any city in the world. Here lurk master forgers and purveyors of such software as "e-mail extractors," which can harvest e-mail addresses by the million.
Now, however, a 3-year-old crackdown is yielding results, Nigerian authorities say.
Nuhu Ribadu, head of the Economic and Financial Crimes Commission, says cash and assets worth more than $700 million were recovered from suspects between May 2003 and June 2004. More than 500 suspects have been arrested, more than 100 cases are before the courts and 500 others are under investigation, he said.
The agency won its first big court victory in May when Mike Amadi was sentenced to 16 years in prison for setting up a Web site that offered juicy but phoney procurement contracts. Amadi cheekily posed as Ribadu himself and used the agency's name. He was caught by an undercover agent posing as an Italian businessman.
This month the biggest international scam of all — though not one involving the Internet — ended in court convictions. Amaka Anajemba was sentenced to 2 1/2 years in prison and ordered to return $25.5 million of the $242 million she helped to steal from a Brazilian bank.
The trial of four co-defendants is to start in September.
Why Nigeria? There are many theories. The nation of 130 million, Africa's most populous, is well educated, and English, the lingua franca of the scam industry, is the official language. Nigeria bursts with talent, from former NBA star Hakeem Olajuwon to Nobel literature laureate Wole Soyinka.
But with World Bank studies showing a quarter of urban college graduates are unemployed, crime offers tempting career opportunities — in drug dealing, immigrant-trafficking, oil-smuggling, and Internet fraud.
The scammers thrived during oil-rich Nigeria's 15 years of brutal and corrupt military rule, and democracy was restored only six years ago.
"We reached a point when law enforcement and regulatory agencies seemed nonexistent. But the stance of the present administration has started changing that," said Ribadu, the scam-busting chief.
President Olusegun Obasanjo is winning U.S. praise for his crackdown. Interpol, the FBI and other Western law enforcement agencies have stepped in to help, says police spokesman Emmanuel Ighodalo, and Nigerian police have received equipment and Western training in combating Internet crime and money-laundering.
Experts say Nigerian scams continue to flood e-mail systems, though many are being blocked by spam filters that get smarter and more aggressive. America Online Inc.'s Nicholas Graham says Nigerian messages lack the telltale signs of other spam — such as embedded Web links — but its filters can still watch for suspect mail coming from a specific range of Internet addresses.
Also, the scams have a limited shelf life.
In the con that Internet users are probably most familiar with, the e-mailer poses as a corrupt official looking for help in smuggling a fortune to a foreign bank account. E-mail or fax recipients are told that if they provide their banking and personal details and deposit certain sums of money, they'll get a cut of the loot.
But there are other scams, like the fake lotteries.
Kele B., who won't give his surname, says he couldn't find work after finishing high school in 2000 in the southeastern city of Owerri, so he drifted with friends to Lagos, where he tried his hand at boxing.
Then he discovered the Web.
Now he spends his mornings in Internet cafes on secondhand computers with aged screens, waiting "to see if my trap caught something," he says.
Elekwa, a chubby-faced 28-year-old who also keeps his surname to himself, shows up in Festac Town driving a Lexus and telling how he was jobless for two years despite having a diploma in computer science.
His break came four years ago when the chief of a fraud gang saw him solve what seemed like "a complex computer problem" at a business center in the southeastern city of Umuahia and lured him to Lagos.
He won't talk about his scams, only about their fruits: "Now I have three cars, I have two houses and I'm not looking for a job anymore."
August 6, 2005 at 01:57 PM in Online crime
July 30, 2005
Elderly Americans lose millions to Internet scams
Elderly Americans lose millions to Internet scams - Yahoo! News
Thu Jul 28, 10:09 AM ET
WASHINGTON (Reuters) - Scams involving Internet auctions, as well as identity theft, lotteries, prizes and sweepstakes, top the list of fraud complaints by older Americans, who lost $152 million to con artists last year, U.S. officials told a Senate panel on Wednesday.
Internet-based scams are growing and now account for about 41 percent of fraud complaints the Federal Trade Commission receives from people over 50, Lois Greisman of the FTC's consumer protection division told the Senate Committee on Aging.
"This figure is all the more dramatic when one considers that Internet-related fraud represented only 33 percent of all fraud complaints from this age group in 2002," she said.
Older consumers reported being defrauded of more than $43 million last year through Internet scams, with on-line auctions topping the complaint list, she said.
But more old-fashioned scams continue to take their toll. Lottery and sweepstakes frauds, in which victims are asked to pay "taxes" or other fees to claim prizes, cost older Americans $35 million last year, Greisman said. People over 70 are particular targets of that kind of scam, she added.
Another popular scam involves fake credit card protection or discount drug services, she said. Others involve scam artists saying they need bank account information for Social Security or Medicare benefits.
"What is most disturbing is that these scams routinely top the FTC's annual list of consumer frauds in the nation," said Sen. Gordon Smith, an Oregon Republican who chairs the Senate Aging Committee. "It seems that even though we are aware of their use, scam artists remain successful in pitching old scams to new victims, perpetuating a cycle of victimization."
Anthony Pratkanis, a psychology professor at the University of California who has been on a team of researchers examining elderly fraud, said con artists steal using the weapon of "social influence" to create a sense of trust rather than a gun or knife.
Research shows that not just the "frail and lonely" fall victim to scams, he said. Active people who are leaders in their communities can also fall prey.
"We find that con criminals profile their victims' psychological and other characteristics to find their Achilles' heel ... to construct the exact pitch that is likely to be most effective," he said.
In one example, con artists told a potential victim that to ask questions or hang up the phone while they were trying to verify account information was against the law.
Pratkanis said his research group was developing tools to help the elderly defend themselves against fraudulent pitches.
U.S. Postal Service inspector Zane Hill said scam artists know that many elderly people feel isolated and a telephone call from anyone is welcomed.
"Experienced con artists understand elderly citizens' vulnerabilities and know what buttons to push when they have them on the telephone," he said.
July 30, 2005 at 08:36 PM in Online crime
July 21, 2005
The bombers' money trail
BBC NEWS | Business | The bombers' money trail
By Jeremy Scott-Joynt
BBC News business reporter
[Image: credit card. Caption: Changes in spending could help track the bombers' supporters]
The identities of the four London bombers are now known.
But now comes the even harder part: trying to identify those who were responsible for sending them on their murderous mission.
According to Metropolitan Police anti-terrorist branch chief Peter Clarke, all the exhaustive work to date is just the start of the long task of identifying those responsible for sending the four to London.
"There are a number of things we need to establish," he told reporters. "Who supported them? Who financed them? Who trained them? Who encouraged them?"
Where to start?
Of these questions, the second could well prove to be the key to cracking the network open.
No-one can exist in the UK in the long term without leaving some kind of a financial trace behind.
Because of this, the fact that the bombers were British - however disturbing it may be - could at least make following the money a little easier, experts say.
One such is Dennis Lormel, who retired from the FBI in 2004 after almost three decades at the agency and is now a senior vice-president at Corporate Risk International in the US.
You build as comprehensive a financial profile as possible, and take it back as far as you can
Dennis Lormel, former head of the FBI's Terrorist Finance Operations Section
After years as a money laundering specialist he was the man who, on 12 September 2001, was charged with setting up the FBI's Terrorist Finance Operations Section to conduct the investigation into the finances of the 9/11 attackers.
"The first priority is the concern of whether there are going to be secondary attacks," he says.
That, he argues, is where financial investigations come into their own - particularly when you can start with known individuals.
"You build as comprehensive a financial profile as possible, and take it back as far as you can. Then connect it to communication records and so on, and you can put together a chronology.
"Between phones and finances, you'll see a lot of links to other people."
Among the raw data will be bank account details, credit card transactions - at least one of the bombers is believed to have been involved with credit card fraud, a common feature in recent bombings - corporate registry and charity records, as well as data from electoral rolls and police records.
And from that will emerge a spider's web of connections between the bombers on the one hand and people who have financed, supported or trained them on the other, generating a whole new set of leads for traditional investigations to take forward.
Some of what comes out of such an investigation will be innocent, Mr Lormel acknowledges. "But there should be enough intersects with those people who may be involved that something's going to stand out."
Focus on finance
On several occasions in the UK recently, this kind of probe has been the factor which has moved a suspect from being overlooked as a casual acquaintance to becoming a focus for the security services.
[Image: plastic sheeting around the wreckage of the destroyed bus near Russell Square. Caption: Financial evidence is just as important as physical evidence]
Following the money is now a priority and is the responsibility of the UK's National Terrorist Finance Investigative Unit (NTFIU).
Set up after 9/11 within Special Branch, the arm of the police which works most closely with MI5 on security matters, the NTFIU is now the branch's fastest-growing unit.
It has been feverishly training financial investigators: those with the skills to pore over bank statements, corporate or charity accounts, ATM records and put them side by side with other information to draw up a "financial footprint" of their targets.
Increasingly, it has looked outside the police, bringing in people from the private sector to buttress the traditional investigative skills it already has.
All hands on deck
And elsewhere in law enforcement, it seems likely that the National Criminal Intelligence Service (NCIS), too, has thrown its staff into the hunt for the funding behind the bombers.
The NCIS has a small terrorist finance team, which develops intelligence for the NTFIU to exploit.
Far more numerous are its regular financial intelligence staff. They are responsible for the thousands of reports from banks, building societies, accountants, lawyers and even estate agents and casinos which are filed each week, warning of potentially suspicious transactions.
But on the day of the London bombings, the organisation's website carried a warning that NCIS Financial Intelligence was "redirecting many of its staff to other essential duties".
Some may have been put straight onto the investigation; others are believed to be digging through NCIS' huge backlog of suspicious activity reports (SARs) to check that nothing was missed.
"They'll have been told: we've got this huge stack of stuff," says Nick Kochan, author of several books on money laundering and terrorist finance.
"We can't be caught out if there's the slightest hint of a lead in there."
For Dennis Lormel, NCIS is simply doing what he would do.
"For at least the initial time, you are going to want to put every asset you have to contributing to the analytical product," he says.
Many of the records which need to be examined are on paper, or in incompatible formats. "It all needs to be put into databases - then you can start drawing out the connections."
This is the first feature in a series of three on the money trail which could lead to the London bombers' supporters. The others are to be published later this week.
July 21, 2005 at 08:03 PM in Online crime
July 06, 2005
Cybercrime follows the money, study says
TheStar.com - Cybercrime follows the money, study says
Crooks attracted by online transactions
RACHEL ROSS
TECHNOLOGY REPORTER
Online crime isn't child's play anymore. Experts say it's now the work of sophisticated criminals.
A report on the evolution of cybercrime released yesterday by the anti-virus software company McAfee Inc. found that increasingly, Internet crooks are highly knowledgeable programmers out for money, not fame.
They are lured, experts say, by the increase in online transactions.
"As the money goes, the criminals will follow," said James Lewis, author of the report and director of the technology and public policy program at the Centre for Strategic and International Studies in Washington, D.C.
The report was largely a summary of trends in online crime over the last decade.
Five years ago, corporations feared teenage hackers who would break into and deface websites purely for bragging rights.
"The goal really wasn't financial. It was social," Lewis said.
Many hackers have recently come to realize that they can make money off their skills, often by hiring themselves out.
"They are essentially guns for hire," said Jimmy Kuo, a McAfee fellow who works with the company's Anti-Virus Response Team (AVERT) in Los Angeles, Calif.
They might take a job from a fellow criminal to infect 1,000 machines with software called a bot, Kuo said. Once infected, the bot can be used to launch attacks against other computers.
The computers controlled by the hacker are often referred to as zombie machines, because they do the hacker's bidding automatically.
The owner of the computer often doesn't even know his machine is being used for criminal purposes.
Kuo said the amount of malicious software (a.k.a. malware) released has increased substantially as well.
Two years ago, AVERT received 300 new malicious programs per month. Today, the team sees 2,000 a month.
"Somewhere between 80 and 90 per cent of malware today is written for profit," he said. "Most are bots."
According to the report, some hackers rent out their network of infected computers for as much as $300 an hour.
Lewis said hackers differ from traditional members of organized crime groups because they typically come together only as needed in informal, amorphous communities that lack a geographic centre. In some ways, these hacker groups have more of an impact than traditional organized criminals, Lewis said, because they have such a negative effect on consumer confidence in online shopping.
Mobile devices such as cell phones will become a bigger target for hackers as consumers start using their phones as tools for shopping and banking.
People who make phone calls online using Voice over Internet Protocol should also be wary, as those conversations are not encrypted and consequently would be relatively easy to tap, Lewis said.
Jack Sebbag, vice president and general manager of McAfee Inc. in Canada, reiterated his message at yesterday's press conference that consumers need more than just antivirus software to stay safe.
Consumers should consider buying software to thwart spyware: malicious programs that secretly infiltrate computers and send information about the user — including passwords they use online — to a hacker.
Consumers also need to stay alert to possible phishing scams, which are on the rise and becoming increasingly crafty, where crooks pose as financial institutions and ask for account information.
"Banking passwords should never be shared," Sebbag said.
July 6, 2005 at 07:16 AM in Online crime
March 17, 2005
Report of the UKERNA Computer Security – Protecting Computers conference held at the Royal Geographical Society, London on 22 November 2000
An audience derived from many academic institutions in the United Kingdom and Ireland attended the conference. In spite of the travel difficulties both on land and in the air (Heathrow being fogbound) over 100 attendees were present. This delayed the start, which meant the introductory welcomes were cut short, without affecting the timing of the actual talks.
What is the Threat by Darren Watts, DERA – an interesting talk, which at times more resembled a salesman at the Quayside Market on a Sunday than an exposition on security threats. His main thrust was to make sure that in looking at security issues we look at the whole picture, taking a holistic view of the threat. He advocated (being from DERA – Defence Evaluation and Research Agency) the need for an in-depth study of the issues whilst co-operating with other bodies in a common defence against attack. A network attack requires the handling of three distinct phases –
o Reconnaissance
o The actual attack
o Comprehending the effects of the attack
Ideally any attack should be detected as soon as possible. Co-operation allows the spotting of a given attack on a site as being part of a more global attack on an agency. The examples of the Solar Sunrise and Moonlight Maze attacks on the US defence network were cited. These had been preceded by attacks on various institutions to provide camouflaged launch pads for the main attack. He felt that the UK academic community was a primary source for such launch pads, with its open networks running a large number of systems, a number of which were not tightly screwed down with the latest security updates.
Security for Unix Systems by Andrew Cormack, UKERNA – This was an interesting presentation as the speaker showed how an off-the-shelf Linux system could be hardened in a relatively small number of steps to make the system less vulnerable to attack from a hostile source. He advocated the basic principles for configuring any system of:
o Run only what was needed
o Configure those services securely
o Restrict Access and privilege
o Only then should the system be connected to the network
An example of how to configure a Linux web server was shown – disabling unwanted start-up scripts, wrapping and enabling services, verifying that the relevant daemons are the latest version from the relevant supplier etc. This was a well thought out presentation and a similar exercise may well be useful on campus, showing system administrators a series of easily followed steps to make their systems more secure. This would be a move towards a preventative approach for campus security rather than the current largely curative measures.
Securing NT4 – by Alan Hood, DERA – The speaker tried to follow a similar approach to Andrew Cormack, using NT4 as a platform. Maybe he was trying to cover a wider set of problems, but the use of a poor visual display diluted the impact of his talk. There is clearly a need for a similar set of hardening steps for NT4 (along with other Microsoft Operating Systems). The talk covered the following dangers-
o Using bootable floppy drives to modify files on the hard disk
o SMB password vulnerabilities
o Registry weaknesses
o Port 139 information gleaning
o Dangerous utilities, including the NT resource kit tools
o Trojans and Backdoors
IP Filtering – George Ross, Edinburgh University – The speaker presented the benefits and disadvantages of the use of the TCP wrapper and the use of IP Filters/Chains in protecting networked systems. He outlined how filtering was used to improve system protection, with minimal (claimed) impact on system performance. The system was now in production use, having overcome initial sceptical user reaction. The speaker felt that wrappers and filters were largely exclusive tools, and that their combined use would increase a site’s security protection. Neither tool though gives any protection when access is gained to a vulnerable daemon on a given system.
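The "wrapping" of services mentioned in the Unix hardening talk and the TCP wrapper discussed here both rest on the same access-control decision: hosts.allow is consulted first, then hosts.deny, and a connection that matches neither is let through. The following is an added illustration (not code from the conference, the speakers or the tcp_wrappers project) that re-implements that decision in Python over two constructed sample files, so the semantics can be checked offline. The daemon names, addresses and the use of `EXCEPT` are constructed for the example; the default-allow fallback at the end is the caveat a practitioner usually trips over when hosts.deny lacks a catch-all line.

```python
import ipaddress

# Constructed sample files; not a real host's configuration.
HOSTS_ALLOW = """
# hosts.allow is consulted first; the first matching line wins.
sshd: 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.250
httpd: ALL
"""

HOSTS_DENY = """
# hosts.deny is consulted only when nothing in hosts.allow matched.
ALL: ALL
"""


def parse_rules(text):
    """Return [(daemon_patterns, client_list_string), ...] for one access file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()       # strip comments and blanks
        if not line:
            continue
        daemons, clients = line.split(':', 1)
        rules.append((daemons.replace(',', ' ').split(), clients.strip()))
    return rules


def pattern_matches(pattern, client_ip):
    """One client pattern: ALL, a dotted prefix ("192.168.1."), net/mask, or an exact address."""
    if pattern == 'ALL':
        return True
    if pattern.endswith('.'):                     # "192.168.1." covers the whole /24
        return client_ip.startswith(pattern)
    if '/' in pattern:                            # "net/mask" form, e.g. 192.168.1.0/255.255.255.0
        net, mask = pattern.split('/', 1)
        network = ipaddress.IPv4Network((net, mask), strict=False)
        return ipaddress.IPv4Address(client_ip) in network
    return pattern == client_ip


def list_matches(client_list, client_ip):
    """Client list with the EXCEPT operator: 'a EXCEPT b EXCEPT c' parses as a EXCEPT (b EXCEPT c)."""
    parts = client_list.split(' EXCEPT ')
    patterns = parts[0].replace(',', ' ').split()
    if not any(pattern_matches(p, client_ip) for p in patterns):
        return False
    if len(parts) == 1:
        return True
    return not list_matches(' EXCEPT '.join(parts[1:]), client_ip)


def daemon_matches(daemon_patterns, daemon):
    return any(p == 'ALL' or p == daemon for p in daemon_patterns)


def access_decision(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Mirror tcpd's order of evaluation and return 'allow' or 'deny'."""
    for daemons, clients in parse_rules(allow_text):
        if daemon_matches(daemons, daemon) and list_matches(clients, client_ip):
            return 'allow'
    for daemons, clients in parse_rules(deny_text):
        if daemon_matches(daemons, daemon) and list_matches(clients, client_ip):
            return 'deny'
    return 'allow'   # nothing matched in either file: the wrapper lets the connection through


if __name__ == '__main__':
    # Constructed connection attempts to exercise each branch of the decision.
    for daemon, ip in [('sshd', '192.168.1.10'), ('sshd', '192.168.1.250'),
                       ('sshd', '10.0.0.5'), ('httpd', '10.0.0.5'), ('ftpd', '192.168.1.10')]:
        print(f"{daemon:6} from {ip:15} -> {access_decision(daemon, ip)}")
    # With an empty hosts.deny the same unwrapped daemon is reachable from anywhere.
    print("ftpd with empty hosts.deny ->", access_decision('ftpd', '1.2.3.4', deny_text=''))
```

As the speaker noted, this check only decides whether a wrapped daemon sees the connection at all; once the daemon itself is reachable and vulnerable, neither the wrapper nor a packet filter protects it.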
Detecting intrusions – Andrew Blyth, Glamorgan – The final talk was perhaps surprisingly the most informative of the day. The speaker outlined how he was using the "snort" Intrusion Detection System to monitor network activity on both Unix and Microsoft OS platforms. The package is available for a number of operating systems and has an active user community, which is coming up with new signature files to detect newer types of probes as the hackers start using such probes. The package (which is freeware) can also handle logging to a number of different logging systems.
The speaker showed a log of the system running on his office PC, which highlighted the varied nature of campus-wide probes. His system is an office PC, which provides no services as such either on or off campus. He quoted a probe that snort had detected as originating from Estonia. He had contacted the Estonian CERT and received a response the next day indicating that the offending system had been taken off the network and that the operator was now in police custody!
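The signature files the talk refers to are text rules that pair a packet header (protocol, addresses, ports, direction) with payload conditions such as `content` and TCP `flags`. To make that concrete, here is an added example (not the speaker's configuration and not Snort's own code) that parses three constructed rules written in a simplified Snort syntax and runs them over a handful of constructed packet records. The rule messages, the `$HOME_NET` value and the packets are all invented for the illustration; `flags:S` is treated the way Snort does without modifiers, as "exactly these flags set".

```python
import ipaddress
import re

# Constructed rules in simplified Snort syntax; not a real signature file.
RULES = """
alert tcp any any -> $HOME_NET 139 (msg:"NETBIOS SMB probe"; flags:S;)
alert tcp any any -> $HOME_NET 80 (msg:"WEB-CGI phf access"; content:"/cgi-bin/phf";)
alert udp any any -> $HOME_NET 161 (msg:"SNMP public community"; content:"public";)
"""
HOME_NET = "10.1.0.0/16"   # constructed value for the $HOME_NET variable

HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$')


def parse_rules(text):
    """Parse 'action proto src sport -> dst dport (opt:val; ...)' lines into dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        action, proto, src, sport, dst, dport, opts = m.groups()
        options = {}
        for opt in opts.split(';'):
            opt = opt.strip()
            if opt:
                key, _, value = opt.partition(':')
                options[key.strip()] = value.strip().strip('"')
        rules.append({'action': action, 'proto': proto, 'src': src, 'sport': sport,
                      'dst': dst, 'dport': dport, 'options': options})
    return rules


def addr_matches(pattern, address):
    if pattern == 'any':
        return True
    if pattern == '$HOME_NET':
        pattern = HOME_NET
    return ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)


def port_matches(pattern, port):
    return pattern == 'any' or int(pattern) == port


def rule_matches(rule, pkt):
    """Header first, then each payload/flag option; all must hold for an alert."""
    if rule['proto'] != pkt['proto']:
        return False
    if not (addr_matches(rule['src'], pkt['src']) and port_matches(rule['sport'], pkt['sport'])
            and addr_matches(rule['dst'], pkt['dst']) and port_matches(rule['dport'], pkt['dport'])):
        return False
    opts = rule['options']
    if 'flags' in opts and set(opts['flags']) != set(pkt.get('flags', '')):
        return False
    if 'content' in opts and opts['content'].encode() not in pkt.get('payload', b''):
        return False
    return True


def run_rules(packets, rules):
    """Return (msg, src, dst) for every rule that fires on every packet."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule_matches(rule, pkt):
                alerts.append((rule['options']['msg'], pkt['src'], pkt['dst']))
    return alerts


# Constructed packet records standing in for decoded traffic.
SAMPLE_PACKETS = [
    {'proto': 'tcp', 'src': '192.0.2.10', 'sport': 4321, 'dst': '10.1.2.3', 'dport': 139, 'flags': 'S', 'payload': b''},
    {'proto': 'tcp', 'src': '10.1.2.3', 'sport': 139, 'dst': '192.0.2.10', 'dport': 4321, 'flags': 'SA', 'payload': b''},
    {'proto': 'tcp', 'src': '198.51.100.7', 'sport': 5555, 'dst': '10.1.2.4', 'dport': 80, 'flags': 'PA',
     'payload': b'GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n'},
    {'proto': 'tcp', 'src': '198.51.100.7', 'sport': 5556, 'dst': '10.1.2.4', 'dport': 80, 'flags': 'PA',
     'payload': b'GET /index.html HTTP/1.0\r\n'},
    {'proto': 'udp', 'src': '203.0.113.9', 'sport': 1024, 'dst': '10.1.2.5', 'dport': 161,
     'payload': b'\x30\x26\x02\x01\x00\x04\x06public\xa0\x19'},
    {'proto': 'tcp', 'src': '192.0.2.10', 'sport': 4322, 'dst': '10.1.2.3', 'dport': 139, 'flags': 'SA', 'payload': b''},
]


def demo():
    return run_rules(SAMPLE_PACKETS, parse_rules(RULES))


if __name__ == '__main__':
    for msg, src, dst in demo():
        print(f"[**] {msg} [**] {src} -> {dst}")
```

Only the inbound SYN to port 139, the phf request and the SNMP packet produce alerts; the SYN/ACK reply and the second probe with the wrong flags do not, which is the point of pairing header and option checks rather than alerting on a port alone.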
Michael Ellison
28th November 2000
March 17, 2005 at 08:07 AM in Online crime
Moonlight Maze
The Moonlight Maze of secret cyberwar gossip.
As we approach the end of 1999, dear reader, you cannot help but notice that secret cyberwars aimed at the Pentagon seem to be occurring every day. Although the average citizen sees no trace or serious bad effect from them, they are there, claim our national security mandarins.
Russian hackers, Chinese hackers, French hackers -- all are or could be in merciless combat against the electronic forces of the Pentagon, looting ill-defined precious national secrets from under the noses of our guardians.
And the loud trumpet of terror this month is Moonlight Maze.
But first, we'll go back a bit in time, to the first quarter of 1999, to see how it started.
In the first half of March, Deputy Secretary of Defense John Hamre claimed the United States was in a cyberwar -- under attack by hackers.
In a story in the March 1 issue of Defense Week, reporters John Donnelly and Vince Crawley wrote that John Hamre had revealed to Congressman Curt Weldon the "details" of an on-going cyberattack.
"We are at war right now. We are in a cyberwar," John Hamre was said to have claimed. The secret cyberwar was dubbed Moonlight Maze.
Although information was vague then, as it is now, the activity which caused the Pentagon reaction was a slow, extended series of probes seemingly aimed at an Air Force Information Warfare Center (AFIWC) server in San Antonio, Texas. AFIWC -- like most military sites -- is a high profile target for hackers, mostly because of the continuing publicity surrounding the agency's efforts in information warfare.
In addition, the alarms appeared very similar in nature to warning announcements made by SHADOW, a somewhat publicity hungry Navy computer security operation with a fancy acronym in Dahlgren, Virginia, in September of 1998. SHADOW's leader at the time, computer security administrator Stephen Northcutt, has since been associated with the private sector and appears from time to time to announce the approach of various Net menaces. (Most recently Northcutt has appeared as a pitchman for a computer security company's services in detecting boobytrapped software allegedly installed by programmers and the enemies of democracy under the cover of Y2K remediation. The cynics among the readership may notice four similar characteristics between Moonlight Maze and the dread menace of Y2K programmers sapping and impurifying our bodily fluids with software boobytraps: (1) unknown foreigners -- usually ex- or unreconstructed commies -- are involved; (2) more anonymous sources than you can shake a stick at; (3) Congressional hearings which say nothing; (4) shills for computer security vendors employing both as advertisements.)
All of this information on Moonlight Maze was in the public domain by the end of the first quarter of 1999.
Seeing potential enemies everywhere in cyberspace, Hamre also turned the glare of the professional paranoid on his own: "We are increasingly concerned about those who have legitimate access to our networks -- the trusted insider," he said for Defense Week.
And in a gesture that resembled the rumblings of the "Un-American Activities" hysteria of the Fifties, when citizens were asked to staunchly proclaim that they were loyal to America, Hamre said he was now instituting "an oral attestation" in which DoD people who have access to Top Secret material or compartments affirm "they will conform to the conditions and responsibilities imposed by that access."
David Kennedy of the International Computer Security Association reflected in a memo to Crypt News, "[Some] details seem to be ignored in all the [current] 'Pentagon Hacks' reporting:"
"[Detection of an attack] is a function of one's ability to observe. [The Pentagon] has dramatically improved its ID capabilities and [it is] now able to observe what was in all likelihood, already there."
"Finally, for two years running Deputy Secretary Hamre has made dramatic announcements of the Pentagon being under attack just as budget submissions are going in," wrote Kennedy. "Last year it was Feb 25, 1998 -- three teenagers and 'the most organized and systematic' attack DoD had seen."
"So far, none of the [mainstream] reports I've seen have considered the possibility DoD is social engineering the Congress, media and public to bolster their Fiscal Year 2000 budget request."
(Note: Coincidentally, on October 8 the Pentagon ran a dog-and-pony show in Norfolk, Virginia, in which a number of DoD bigwigs including the chairman of the Joint Chiefs of Staff and Secretary of Defense William Cohen ballyhooed the opening of a new US military center for "cyberwar" to be headquartered at Colorado Springs. "To combat the expanding threat of cyberwarfare, the Pentagon established a new center on Thursday to defend the United States from hackers and to plot ways to attack an enemy's computer network," read one account of it which ran in the New York Times. "In future wars, U.S. cyberwarriors will try to disable air defense systems, upset logistics and infect software [with computer viruses] . . . according to [an anonymous] Pentagon official.")
After a spate of news stories piggybacking on the Defense News revelations in March of this year, Moonlight Maze died away for awhile.
Then, in a London Sunday Times piece published on July 25, Hamre's "we're in a cyberwar" quote was resurrected once again to ring the bell for "electronic Pearl Harbor" in a story that implied Russian hackers were stealing US information treasure via the Internet.
Entitled "Russian Hackers Steal US Weapons Secrets," the article breathlessly proclaimed: "The intelligence heist, that could cause damage to America in excess of that caused by Chinese espionage in nuclear laboratories, involved computer hacking over the past six months."
However, it was apparent even then that a significant part of the US military devoted to computer security operations was either ignorant of the Moonlight Maze secret "cyberwar" or not particularly interested in it.
In an article that ran in Defense Daily, a trade publication, two days after the London Sunday Times piece, Navy Captain Bob West, deputy commander of the Pentagon's Joint Task Force on Computer Network Defense, said: "The odds of the U.S. being attacked on line by a foreign nation state in some kind of cyberwar in the near future are probably pretty low."
The Sunday Times story was pumped up by a great deal of anonymous government and military sources uttering baleful warnings. It maintained: "Besides military computer systems, private research and development institutes have been plundered in the same operation. Such institutes are reluctant to discuss losses, which experts claim may amount to hundreds of millions of dollars."
The London Sunday Times wrote that secret documents had been stolen but that the US military could not determine what was in them or which ones, precisely, had been stolen -- which would seem to constitute a somewhat ludicrous contradiction in terms.
Further, this information -- claimed the Times -- had been revealed at a private computer security conference by an employee of the Space and Naval Warfare Systems Command (SPAWAR).
The Times article speculated that either Russia or China could be behind the "cyberwar" that only the Pentagon can see because: ". . . Russia's relations with America have reached their lowest ebb since the cold war because of NATO's intervention in Yugoslavia. Relations with China have also suffered. An offensive in cyberspace may be their one way of retaliating without getting into a shooting war."
The London paper also speculated that Russian organized crime might be behind Moonlight Maze, and that: "China, Libya and Iraq are developing information warfare capabilities and, according to one White House official, 'we see well-funded terrorist groups that also have such capabilities'."
The London Sunday Times piece set a hallmark by which subsequent stories in the US media on Moonlight Maze could be judged:
That is -- Moonlight Maze stories are recognizable by their almost complete reliance upon gossip and speculation; their complete lack of definition in the who, what and where categories; and a stupefying preponderance of anonymous sources from the Pentagon, intelligence agencies, and/or the private computer security industry speculating or expostulating for journalists.
Throughout the latter part of the summer, reporters from the mainstream media contacted Crypt Newsletter about Moonlight Maze. The story had taken on a life of its own even though there was a complete lack of substantive evidence to go by. It was clear that Moonlight Maze was going to enjoy a second lifetime in the news and, indeed, a media cascade resulted in the second week of October, mostly built upon a wave of copycat reporting and inconclusive statements about the affair made in a Congressional hearing that week.
All of the reporters contacting Crypt Newsletter for comment had one thing in common.
They were all working from the exact same script. In addition to being inspired by the London Sunday Times piece, they all said or wrote that one "anonymous" source in "the Pentagon" was telling them that "Russian hackers" working off of the "Russian Academy of Sciences'" Internet domain were "involved."
This being the case, one could not totally rule out the possibility that someone within, connected to or formerly connected with the Pentagon or Department of Defense was attempting to pump this story into the mainstream U.S. media for the usual "cyber-scare" purposes.
On September 13, Newsweek's Gregory Vistica, in "We're In The Middle Of A Cyberwar," rolled out the old quote attributed to Hamre from the first quarter of the year.
Vistica's article reported nothing new beyond the London Sunday Times piece, but did republish, unattributed, much of its quotes, tone and phraseology.
"Russian hackers may have pulled off what could be the most damaging breach ever of U.S. computer security . . ." writes Vistica.
"This was, Pentagon officials [anonymous, of course] say flatly, 'a state-sponsored Russian intelligence effort to get U.S. technology' -- as far as is known, the first such attempt ever by Russia," wrote Newsweek.
In response to the growing media hubbub created by Vistica's article, Michael Vatis, the head of the National Infrastructure Protection Center, was questioned about it in a Congressional subcommittee meeting on technology and terrorism on Wednesday, October 8.
Articles immediately resulted from the New York Times, the Los Angeles Times and Reuters. None reported anything that hadn't been written about from earlier in the year. All repeated the same nebulous quote. All, to varying degrees, attempted to make the case that Moonlight Maze had resulted in the loss of unspecified national security treasure to unspecified parties.
On October 6, "Cyber Blitz Traced To Russia, FBI Says," was a story issued by Reuters.
"A major effort to pierce U.S. government and private-sector computer networks seems to have originated in Russia, a top U.S. law-enforcement officer told Congress Wednesday," wrote Reuters.
In Moonlight Maze, Vatis said intruders had stolen "unclassified but still-sensitive information about essentially defense technical research matters."
This was a quote, the substance of which would be repeated in every subsequent story on Moonlight Maze.
"About the furthest I can go is to say the intrusions appear to originate in Russia," Vatis said.
A Pentagon public relations officer "said the Defense Department knew of no classified information that had been jeopardized in the Moonlight Maze intrusions."
On October 7, the New York Times checked in with a story entitled "Computer Intruders Apparently From Russia, Senate Panel Is Told."
"Intruders who stole sensitive information on Defense Department weapons during a widespread series of attacks on government and private computer networks are apparently based in Russia, an FBI official told a Congressional panel . . ." wrote the Times, referring to NIPC's Michael Vatis.
Lost in much of the overheated coverage on Moonlight Maze was Vatis's testimony before Congress that most computer security breakdowns can be traced to insiders.
"Senator Robert F. Bennett, a Utah Republican who is chairman of a special Senate committee that is overseeing Year 2000 efforts . . . [said] 'The challenge of information warfare will be the No. 1 security issue for the next administration,'" wrote the Times.
Bennett, wrote the Times, proposed an "electronic FEMA" to combat cyberterror.
This was completely unremarkable. Over the years, stories about secret cyberwars and hackers plundering our national treasure tend to be chock full of suggestions for creating new law enforcement or military agencies designed to protect us from them.
Also on October 7, the Los Angeles Times filed a front page story entitled "Yearlong Hacker Attack Nets Sensitive US Data."
The LA Times' story, while lengthy, was par for the course in that it produced no new information on Moonlight Maze.
It did state, however, that Wednesday marked "the first public confirmation of Moonlight Maze." This was, as we have read, flat-out wrong.
The Los Angeles Times article was, however, quite notable for its excessive reliance on anonymous sources passing on innuendo, speculation, hypotheses and half-baked theories on the matter.
Some excerpts:
" . . . circumstantial evidence points heavily toward a Russia-based intelligence gathering operation, officials said."
"'There are strong indications and it's our belief, that it's coming from Russia and that it may be a sponsored activity,' a senior Energy Department official said."
"Another computer security expert called Moonlight Maze 'the longest-running and most widespread attack we've seen. It's not been stopped . . . It's not even clear why. But the consequences are potentially huge."
"One US intelligence veteran, now a Senate staff member, said that the Internet has created huge new opportunities, as well as frightening vulnerabilities, for spy agencies around the world. 'Think of it . . . You can sit anywhere in the world now and run a spy operation.'"
"A senior White House official said that the evidence so clearly points to Russia that it almost seems like a deliberate diversion."
"Other intelligence experts argued that skilled hackers hired by Russian organized crime elements may be probing for commercially valuable information."
"Some experts suggested that France, a longtime proponent of economic espionage, may be the ultimate customer. That theory also remains unproved, however . . . "
Which would seem indisputable.
Crypt Newsletter asks the reader to pose these questions: Why are all the "sources" on Moonlight Maze anonymous? Why does the mainstream media persist in giving them a free ride? Why cannot anyone say what, precisely, has been stolen? Since when does a theory or hypothesis about unknown "hackers" constitute evidence of what is happening? Why can it not be said precisely what national security interests have been damaged, if this is so serious? And why has this news story been repeated from March in the year with no substantial addition of information?
There has been one doubting Thomas in the media with regard to Moonlight Maze.
On September 27, 1999, Federal Computer Week published a story on "Moonlight Maze" by reporter Dan Verton. Entitled "Russia hacking stories refuted," the piece stated flatly, "DOD sources say U.S. military secrets were not compromised."
Bias disclosure: Crypt Newsletter was a quoted source in this article.
". . . Pentagon officials and security experts refute claims that the Russian government officially took part in a computer break-in that reportedly resulted in the theft of sensitive naval codes and missile-guidance data," wrote FCW.
". . . a DOD spokesperson called recent media coverage of [Moonlight Maze] 'a combination of outright fabrications, distortions and incorrect quotations,' adding that military secrets were not compromised."
One of the anonymous sources peddling the story of Moonlight Maze through the summer, "who works for a major Internet domain registration firm, said he found copies of DOD duty rosters, network maps and photographs of DOD facilities residing on servers belonging to [the alleged attackers]," wrote FCW.
"As far as the pictures of DOD facilities and other materials that sources claim to have found on Russian systems, [Crypt Newsletter] said that type of material can be found in many places on the Internet."
" 'Portions of DOD are prone to yell cyberwar at just about any potential misuse of cyberspace,'" CN added.
A sampling of the incongruity in reporting on Moonlight Maze:
From Newsweek reporter Greg Vistica: "This was, Pentagon officials say flatly, 'a state-sponsored Russian intelligence effort to get U.S. technology' -- as far as is known, the first such attempt ever by Russia."
From Federal Computer Week: ". . . Pentagon officials and security experts refute claims that the Russian government officially took part in a computer break-in that reportedly resulted in the theft of sensitive naval codes and missile-guidance data."
From Federal Computer Week: ". . . a DOD spokesperson called recent media coverage of [Moonlight Maze] 'a combination of outright fabrications, distortions and incorrect quotations,' adding that military secrets were not compromised."
From the London Sunday Times:
"The intelligence heist . . . that could cause damage to America in excess of that caused by Chinese espionage in nuclear laboratories, involved computer hacking over the past six months."
From Reuters: ". . . the Defense Department knew of no classified information that had been jeopardized in the Moonlight Maze intrusions."
From The LA Times: "'There are strong indications and it's our belief, that it's coming from Russia and that it may be a sponsored activity,' a senior Energy Department official said."
Also from The LA Times: "Some experts suggested that France, a longtime proponent of economic espionage, may be the ultimate customer."
From the London Sunday Times: "The computer assaults have given fresh impetus to measures ordered by [President] Clinton more than a year ago to protect the country's electronic infrastructure. Alerted to the threat of Moonlight Maze, the president has called for an extra $600 [million] to help fund a variety of initiatives, including [boosted investment in the National Infrastructure Protection Center] . . ."
Other relevant links. No -- you are not seeing double when you read them. The previous analysis was excerpted from Crypt Newsletter reports over the last nine months. Caution: May be annoying to national security mandarins, Congressional fear-mongers and computer security industry marketing types.
The genesis of Moonlight Maze: Read about how Pentagon info-warriors claimed we were in the secret cyberwar earlier this year.
The big Kahuna of "electronic Pearl Harbor" reportage: Crypt Newsletter's archive of media excerpts on the topic.
NIPC analyst sees foreign programmers polluting our precious bodily fluids in assorted Y2K plots aimed at subverting computer software.
The men who started Moonlight Maze in the press: The Pentagon's John Hamre and politician Curt Weldon.
Solar Sunrise: Read about how Pentagon info-warriors claimed we were in yet another secret cyberwar last year, too.
Read about how the Army wishes to disconnect from the Internet because of the danger of secret cyberwar.
Or read about Eligible Receiver.
copyright 1999 Crypt Newsletter. All rights reserved.
March 17, 2005 at 08:06 AM in Online crime
London police foil huge bank raid
BBC NEWS | UK | London police foil huge bank raid
Police in London say they have foiled one of the biggest attempted bank thefts in Britain.
The plan was to steal £220m ($423m) from the London offices of the Japanese bank Sumitomo Mitsui.
Computer experts are believed to have tried to transfer the money electronically after hacking into the bank's systems.
A man has been arrested by police in Israel after the plot was uncovered by the National Hi-Tech Crime Unit.
Unit members worked closely with Israeli police.
The investigation was started last October after it was discovered that computer hackers had gained access to Sumitomo Mitsui bank's computer system in London.
They managed to infiltrate the system with keylogging software that would have enabled them to track every button pressed on computer keyboards.
Cyber warning
From that they could learn account numbers, passwords and other sensitive information.
Yeron Bolondi, 32, was seized in Israel after an attempt to transfer £13.9m into an account there.
He has been charged with money laundering and deception, but police say their investigation is continuing. His relationship with the gang who tried to break into the network is unknown.
They have issued a warning for banks and businesses to watch out for cyber criminals.
The National Hi-Tech Crime Unit was launched in April 2001 with responsibility for tracking down the growing range of criminals who operate in cyberspace.
Takashi Morita, head of communications at Sumitomo Mitsui in Tokyo, said the company had not suffered any financial loss as a consequence of the robbery attempt.
He said: "The case is still in the middle of investigation so we cannot comment further.
"We have undertaken various measures in terms of security and we have not suffered any financial damage."
March 17, 2005 at 07:53 AM in Online crime
March 15, 2005
Dusting for digital fingerprints
Mar 10th 2005
From The Economist print edition
Forensic computing: As criminals and crime-fighters go digital, analysing clues from computers is a growing field
EVERY new technology leads to new forms of crime. As a Chicago policeman once put it: “No other section of the population avail themselves more readily and speedily of the latest triumphs of science than the criminal class.” He was speaking in 1888, about the electric telegraph. But he could just as easily have been speaking about computers and networks today. As criminals adopt new technologies, crime-fighters must follow suit, devising new ways to gather and analyse evidence. In the case of modern digital technology, the result is the growing field of “forensic computing”.
The scope for using technology in criminal ways, and the complexities of catching people who do so, are illustrated by the case of a 42-year-old Maryland man who pleaded guilty last October to attempted extortion after sending threats and demands by e-mail, and was sentenced to 63 months in prison. For more than two years the man had sent sexually explicit e-mails to the clients of a patent firm using a forged e-mail address which made it appear as though the messages came from the company's own executives. Analysis of the company's computers ruled out the possibility of a malicious insider. Instead, further analysis of the e-mails revealed that they actually originated from multiple homes in a suburban area just outside of Washington, DC. The real culprit successfully created this confusion by driving around with a laptop and an antenna that could detect unsecured Wi-Fi wireless networks. Having found a network, he could then use it to send untraceable e-mails from his car.
The investigators used clinical psychologists to create a profile of the person behind the extortion attempts, and found that the home owners from whose networks the messages had originated did not match the profile. The man was also sending messages from several local university computer laboratories, using false or stolen accounts. The investigators responded to one of his messages, embedding tiny invisible graphics called “web bugs” in their replies in an attempt to determine the network address of the recipient's machine. But he spotted their ruse.
Finally, he issued a $17m extortion demand in an e-mail that contained personal details consistent with a primary suspect who had, by this time, been identified by the psychologists. The suspect was followed as he drove to one of the university computer laboratories from which incriminating e-mails had been sent. He was then arrested, and a search of his house produced evidence of his campaign against the patent firm, along with hand-grenade components and ingredients for the deadly toxin ricin.
This kind of computer-based investigative work, which involves tracing the digital footprints left by criminals on machines and networks, is becoming ever more important. In 1999, America's Federal Bureau of Investigation helped to launch the first Regional Computer Forensics Laboratory (RCFL) to support federal, state and local law-enforcement agencies. There are now six such labs across the country, and seven more will open by the end of this year. Last year the labs processed 107.9 terabytes of data, roughly equivalent to more than 4.5m boxes of paper filled with text. Douglas Schmidtknecht of the RCFL National Programme Office says the amount of data being analysed is growing exponentially.
While the public perception of computer crime is that it is carried out by malicious hackers and “script kiddies”, the greatest threat is often from within. “There's a huge rise in the number of cases of intellectual-property theft,” says Gordon Stevenson, managing director of Vogon International, a forensic-computing and data-recovery firm based in Bicester in England. Most of Vogon's forensic work involves conducting investigations for corporations that suspect employees of wrongdoing—and half of these cases concern intellectual-property theft. Mr Stevenson points out that employees can easily make copies of crucial data, from corporate databases to product blueprints. “They can e-mail it to themselves at home,” he says.
Tools of the trade
Forensic computing, like traditional forensic science, relies on a range of tools and techniques. Special software is used to gather evidence from storage devices and to apply cryptographic tags to verify that it has not been tampered with during the investigation. There are specialist search tools, e-mail scanning tools and disk-analysis tools; tools to gather information over a corporate network when investigating internal incidents; tools that monitor network traffic for suspicious behaviour; administrative tools to keep track of evidence from multiple cases, to plot events on timelines for analysis, and to generate reports. The leading vendor of forensic-computing tools is Guidance Software of Pasadena, California. Its EnCase software, which bundles together these sorts of features in various combinations, has 14,000 government and corporate users worldwide and is used by over 90% of America's law-enforcement agencies.
The first step in most investigations is to make a copy of the original evidence, typically by removing the hard disk from a computer and making a perfect copy of its contents without altering the original. To do this, the source disk is copied to a target disk using a tool known as a “write blocker” which only permits a one-way flow of information. The resulting stream of data can then be reconstructed into its original files (which are usually sprinkled in chunks across the disk) by consulting the disk's directory, a table that lists the locations of the constituent chunks of each file. Further analysis can reveal leftover chunks from deleted files, or previous versions of documents.
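The acquisition-and-reconstruction procedure just described, and the “cryptographic tags” mentioned under “Tools of the trade”, can be shown end to end on a toy disk image. The following Python is an added example, not code from The Economist or from any of the vendors it names: it builds a constructed eight-sector image in which one live file is scattered across non-adjacent sectors and a second file has been “deleted” by dropping its directory entry, then hashes the copy, reassembles the live file from the directory’s sector list, and carves the leftover content of the deleted file out of unallocated sectors. The 16-byte sector size, the file names and contents, and the dictionary-shaped “directory” are all assumptions standing in for a real allocation table.

```python
import hashlib
from typing import Dict, List, Tuple

SECTOR = 16  # constructed toy sector size; real disks use 512 or 4096 bytes

# A directory entry records the sectors a file occupies and its true length.
Directory = Dict[str, Dict[str, object]]


def sha256_hex(data: bytes) -> str:
    """Cryptographic tag for an evidence image (SHA-256 here; MD5/SHA-1 were common in 2005)."""
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes) -> Tuple[bytes, str]:
    """Copy the source bit for bit and hash the copy. The source is only ever read,
    which is the role a hardware write blocker plays on a real drive."""
    image = bytes(source)
    return image, sha256_hex(image)


def verify_image(image: bytes, expected_digest: str) -> bool:
    """Re-hash before each analysis step; a mismatch means the image was altered."""
    return sha256_hex(image) == expected_digest


def read_sector(image: bytes, index: int) -> bytes:
    return image[index * SECTOR:(index + 1) * SECTOR]


def reconstruct_file(image: bytes, sectors: List[int], size: int) -> bytes:
    """Reassemble a file from the sector list its directory entry keeps, then trim
    the zero padding in the final sector using the recorded file size."""
    return b"".join(read_sector(image, s) for s in sectors)[:size]


def unallocated_sectors(image: bytes, directory: Directory) -> List[int]:
    """Sectors no live directory entry points to: where deleted-file remnants survive."""
    used = {s for entry in directory.values() for s in entry["sectors"]}
    return [s for s in range(len(image) // SECTOR) if s not in used]


def carve_remnants(image: bytes, directory: Directory) -> bytes:
    """Concatenate unallocated sectors so leftover content from deleted files can be searched."""
    return b"".join(read_sector(image, s) for s in unallocated_sectors(image, directory))


def _write(disk: List[bytes], data: bytes, sectors: List[int]) -> None:
    """Builder helper for the constructed sample: scatter data across the given sectors."""
    chunks = [data[i:i + SECTOR] for i in range(0, len(data), SECTOR)]
    assert len(chunks) <= len(sectors), "not enough sectors allocated"
    for chunk, s in zip(chunks, sectors):
        disk[s] = chunk.ljust(SECTOR, b"\x00")


def build_sample_disk() -> Tuple[bytes, Directory]:
    """Constructed 8-sector image: one live file in non-adjacent sectors, and one file
    'deleted' by removing its directory entry while its data stays on the disk."""
    disk = [b"\x00" * SECTOR] * 8
    memo = b"Q3 blueprint: widget v2 design notes"     # constructed live file
    ledger = b"DELETED ledger: pay 5000 to acct 9"     # constructed deleted file
    _write(disk, memo, [1, 4, 6])
    _write(disk, ledger, [2, 3, 7])
    directory: Directory = {"memo.txt": {"sectors": [1, 4, 6], "size": len(memo)}}
    return b"".join(disk), directory


SAMPLE_DISK, DIRECTORY = build_sample_disk()

if __name__ == "__main__":
    image, digest = acquire_image(SAMPLE_DISK)
    print("image hash:", digest, "verified:", verify_image(image, digest))
    entry = DIRECTORY["memo.txt"]
    print("memo.txt:", reconstruct_file(image, entry["sectors"], entry["size"]))
    print("unallocated sectors:", unallocated_sectors(image, DIRECTORY))
    print("remnants:", carve_remnants(image, DIRECTORY).strip(b"\x00"))
```

The hash taken at acquisition is the value an examiner would record and re-check before testifying; flipping a single byte of the image makes `verify_image` fail. Carving works only because deleting a file removes its directory entry, not its sectors, which is exactly the gap the article’s “leftover chunks from deleted files” refers to.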
Similar tools are available to consumers to recover data from corrupted disks or “undelete” lost files. But forensic investigators can go one step further, using “spin stand testers”—devices normally used by disk-drive manufacturers to test their products. These rely on the fact that modern disks generally store information in narrow, concentric circles on each disk, along a track about 400 nanometres (billionths of a metre) wide. Since the track is so narrow, new data do not always get written directly on top of old, slivers of which remain at the track's edges. By picking up this information, it is sometimes possible to reconstruct files that have been deleted or deliberately overwritten.
Network traffic can also be used as the basis of an investigation. Recording all the data flowing across a network is impractical, but it is possible to monitor patterns of traffic, types of traffic, attempts to access particular machines or parts of a network, and so on. So-called “intrusion-detection systems” do just that, sounding an alarm when something suspicious happens. The logs generated by such systems can therefore reveal telling details about network activity. Other network tools examine the contents of data packets zipping across the network, and record selected streams of data for subsequent playback and analysis. Such systems can capture e-mails to or from specified people, reconstruct instant-messaging conversations and even record and replay voice-over-internet phone calls.
As well as gathering evidence from hard disks and network traffic, investigators must also stay abreast of the rapid evolution of portable devices. Data can be copied on to a music player or keychain flash drive, or hidden on the memory card of a digital camera. These devices provide new sources of evidence, but also create new challenges for investigators, says Eoghan Casey of Stroz Friedberg LLC, a computer-security and forensic consultancy that took part in the investigation that followed the collapse of Enron, an energy company, in 2001. “The fact that many handhelds are connected to networks increases the amount of data they generate,” says Mr Casey, who also edits Digital Investigation, a quarterly journal.
Making the case
When presenting digital evidence in court, investigators must be able to demonstrate its integrity and provenance. “You don't just walk into the court and say ‘Here's a hard drive',” says Mark Pollitt, the former head of the FBI's RCFL network who is now an independent security consultant. As with physical evidence, which must be stored and handled appropriately, this can involve procedures (such as timestamping) to ensure that digital evidence has not been tampered with or mixed up. The need to take these extra steps has not discouraged people from introducing digital evidence. Mr Pollitt notes that five years ago, a motion for electronic discovery in a civil lawsuit was the exception rather than the rule. Now, he says, virtually every lawsuit involves this type of request.
A decade ago, companies offering forensic-computing and data-recovery services dealt mostly with government requests. But these days they are often called on directly by businesses and lawyers investigating intellectual-property theft or inappropriate use of corporate systems by insiders. A common complaint from specialist investigators in such cases, however, is that investigations by incompetent staff can contaminate the evidence. “What they don't realise is that they've muddied the water,” laments Nouman Mir, a forensic-computing specialist at Data Recovery UK, a British firm.
That companies are unaware how to handle digital evidence is not surprising, since such cases are generally hushed up. That, in turn, causes the scale of the problem to be underestimated. But there are ways around this. Britain's National High-Tech Crime Unit (NHTCU) lets companies provide details about security breaches in confidence. This contributed to a five-fold increase in the number of firms participating in the NHTCU survey last year, compared with 2003. Better data, ever more elaborate tools and greater awareness will be needed if the crime-fighters are to keep up with the criminals.
March 15, 2005 at 09:31 PM in Online crime
February 06, 2005
FBI Unable to Launch New Computer Program -Audit
Yahoo! News - FBI Unable to Launch New Computer Program -Audit
By Deborah Charles
WASHINGTON (Reuters) - The FBI has squandered $170 million on a failed computer system meant to let agents instantly share information, and seems to know neither how long it will take nor how much it will cost to build one, a Justice Department audit showed on Thursday.
In a harsh criticism of the FBI's efforts to fix a shortfall identified after the Sept. 11, 2001, attacks, Inspector General Glenn Fine said the bureau still relies on an antiquated case-filing system that hampers agents' ability to properly do their jobs.
"After more than three years, multiple missed deadlines, and a price tag of $170 million, the FBI still does not have an investigative case management system to replace the antiquated ... system," Fine said in a statement to the Senate Appropriations Committee submitted along with his report.
"Further, we are not confident that the FBI has a firm sense of how much longer and how much more it will cost to develop and deploy a usable system," he said.
Parts of the audit were reported last month and the FBI acknowledged then that it might not be able to salvage the computer program.
In a hearing before the committee to discuss the problems with the program, FBI Director Robert Mueller said he was frustrated and disappointed with the delays. He took responsibility for some of the setbacks and for the bureau's failure to properly control the project.
Senators in the committee appeared exasperated with news that the program would likely be scrapped.
"I'm ready to tear out what little bit of hair I have left," said Sen. Patrick Leahy, a Democrat from Vermont, who called the FBI's efforts to revamp its computer system a "train wreck in slow motion."
Failure of the Virtual Case File software is the latest glitch in the bureau's effort to overhaul its computer system -- one of Mueller's priorities in the agency's reorganization after the Sept. 11 hijackings.
FBI'S WORK AFFECTED
Fine said if the new software system -- which allows agents to directly input reports and share information instantly -- is not implemented, the FBI cannot do its job.
"In sum, we believe the FBI's ability to perform its important functions effectively, including counterterrorism, counterintelligence and criminal law enforcement, will be significantly affected by its ability to implement a modern case management system," Fine wrote in the report.
He said the FBI disagreed with his conclusion that there were national security implications if the FBI continued to rely on its old system.
Mueller said that, although the Virtual Case File appears likely to be scrapped, the FBI had made other substantial information technology improvements to help support its counterterrorism mission.
He said the pace of technological innovation had overtaken the FBI's original vision for the Virtual Case File software. The bureau will likely end up using commercially available programs to create a new automated case file system.
Mueller said the FBI hoped to recoup about $65.5 million in reusable services and equipment from the $170 million spent on the Virtual Case File, commissioned from Science Applications International Corp. of San Diego in 2001 but delayed repeatedly before being delivered in December 2004.
Mueller said Science Applications International was partially responsible for failing to deliver the system as promised. He said the Justice Department was looking into whether it could recover some of the funds paid to them.
February 6, 2005 at 01:34 AM in Online crime
November 14, 2004
Greek, British Police Break Illegal Software Ring
Yahoo! News - Greek, British Police Break Illegal Software Ring
Fri Nov 12,10:43 AM ET
ATHENS (Reuters) - Greek and British police in a joint operation cracked a multi-million illegal software sales ring, arresting two people and seizing thousands of pirate high-tech software programs, Greek police said on Friday.
They said they had arrested a Greek citizen and a Briton who pirated and sold an expensive computer software program for the car and aeronautic industry, charging only about 700 euros.
"The copyrights to the program belong to a multinational software development company that lost $360 million because of the illegal distribution," police officials said in a statement.
They did not name the company involved but said the man and his British accomplice in London were selling the program to buyers through the Internet.
Police in Athens also found dozens of copies of the software as well as 7,000 CDs containing "every kind of program on the world market."
Officers also confiscated documents of bank accounts, orders, a computer and three hard drives.
November 14, 2004 at 10:50 AM in Online crime
November 10, 2004
Cyber Crime Tools Could Serve Terrorists -FBI
Yahoo! News - Cyber Crime Tools Could Serve Terrorists -FBI
By Michael Christie
MIAMI (Reuters) - The hacking and identity theft tools now earning big money for mainly eastern European organized crime could be used by terrorists to attack the United States, an FBI official said on Wednesday.
FBI Deputy Assistant Director Steve Martinez said cyber crime was no longer the domain of teenage geeks but had been taken over by sophisticated gangs.
"Tools and methods used by these increasingly skilled hackers could be employed to cripple our economy and attack our critical infrastructure as part of a terrorist plot," Martinez told a conference in Miami on Internet security.
People had to assume, he said, that terrorists would seek to hire hackers to "raise money, aid command and control, spread terrorist propaganda and recruit more into their ranks and, lastly and most ominously, attack at little risk."
The seminar in Miami, hosted by Florida International University, focused on the growing incidence of "phishing," in which hackers send computer users e-mails to convince them to enter financial data or passwords in fake Web sites.
Victims can compromise their credit cards, bank accounts and even their identities.
Martinez, acting head of the FBI's Cyber Division, said the agency had not seen traditional organized crime in the United States migrate to the Internet but that eastern European gangs had embraced cyber crime with enthusiasm.
"They're targeting your money, access to your personal information, identity. They're doing it on a massive scale. The price of a credit card number is dropping into the pennies now," he said.
The FBI was trying to convince foreign law enforcement agencies to crack down on the culprits, he said.
In many former Soviet republics, laws covering cyber crimes were inadequate and the U.S. Justice Department was working with foreign governments to fill the legal gaps, he said.
In the meantime, he said the risk of cyber terrorism post-Sept. 11, 2001, should not be ignored.
The Internet could allow attackers to remain anonymous, to strike at multiple targets from a distance, and escape detection. Critical infrastructure such as water, power and transportation systems remained vulnerable, Martinez said.
"In the future cyber terrorism may become a viable option to traditional physical acts of violence," he said. "Terrorists have figured out that we have a technological soft underbelly."
November 10, 2004 at 10:57 PM in Online crime
November 06, 2004
US Secret Service busts 28 ID fraudsters
SecurityFocus HOME News: US Secret Service busts 28 ID fraudsters
By John Leyden, The Register Oct 29 2004 7:59AM
A US-led operation targeting ID fraud crooks has led to the arrest of 28 people across seven countries this week.
The arrests follow an undercover operation headed by US Secret Service agents that successfully infiltrated gangs that traded sensitive personal information and tips on ID fraud and forgery through online groups called Shadowcrew, Carderplanet and Darkprofits. The organisations were described by the US Justice Department as running a "one-stop marketplace for identity theft".
Operation Firewall identified a group of suspects investigators reckon collectively stole over 1.7 million credit card numbers as well as forging driving licenses, birth certificates and passports. Losses to banks through credit card fraud because of the gang's activities are estimated at $4.3m. The suspects face identity theft, computer fraud, credit card fraud and conspiracy charges.
"These suspects targeted the sensitive and private information of ordinary citizens as well as the confidential and proprietary information of companies," said Secret Service director W Ralph Basham. He added that the early arrest of the suspects prevented losses that could have run into hundreds of millions of dollars.
Operation Firewall began in July 2003 as an investigation into access device fraud before expanding into an investigation of global credit card fraud and identity theft fraud. The US Secret Service singled out the UK's National Hi-Tech Crime Unit, the Royal Canadian Mounted Police and Europol for praise in supporting the investigation.
In a statement the US Secret Service said Operation Firewall had led to the arrest of suspects in "eight states and six foreign countries" this week. Which foreign countries isn't specified. But since US authorities worked with their counterparts in the UK, Canada, Bulgaria, Belarus, Poland, Sweden, Ukraine and the Netherlands we can deduce that the suspects came from one or other of those countries or the US. ®
© 2000 - 2004 Situation Publishing Ltd. All rights reserved.
November 6, 2004 at 10:15 AM in Online crime
Online fraud tutorials... from the Secret Service?
SecurityFocus HOME News: Online fraud tutorials... from the Secret Service?
By Kevin Poulsen, SecurityFocus Nov 5 2004 10:54AM
Until Wednesday one of the best public sources of information on how to use a stolen credit card number, forge a drivers license, defeat a burglar alarm or silence a firearm was a website under the control of the U.S. Secret Service.
As a jaunty flourish in its high-profile roundup of fraudsters and forgers last Thursday, the agency took over Shadowcrew.com, a New Jersey-based online crime bazaar that sits at the center of the government's "Operation Firewall" investigation. Officials locked out the user accounts and swapped in a new front page featuring a Secret Service banner, an image of a prison cell, and a list of federal charges against some site members.
The new page struck the Shadowcrew tag line, "For Those Who Like to Play in the Shadows," and posted a new motto: "You Are No Longer Anonymous!!"
But even as media attention surrounding the busts drove a new and wider audience to Shadowcrew.com, the accumulated knowledge of Shadowcrew's denizens remained on public display on the site's message board, which was linked prominently from the substituted home page.
Among the content that was available on the now-government operated site: a tutorial on credit card fraud; a wiki that tracks which state I.D. cards are forgeable; a how-to on defeating passive infrared alarm sensors; and exchanges on such disparate matters as handgun silencers and polyester laminating films.
The U.S. government's unlikely embrace of the Information Wants to Be Free meme wasn't lost on Shadowcrew's former user base, busily regrouping on another underground site called Stealth Division. "Someone backup the sc database," one member urged. "There is a wealth of information there."
The message board remained accessible until Wednesday, when officials finally shut it down without comment. An archive of older material was still accessible Friday.
Secret Service deputy assistant director Bruce Townsend said Thursday he couldn't discuss the government's stewardship of Shadowcrew.com because it could expose investigative sources and methods.
Hardware, Drugs and Microsoft Certs
Gartner analyst John Pescatore, a former Secret Service agent, says the agency may have made the message board public to make a point.
"My informed speculation would be that they let this stay up, because in general, law enforcement doesn't think that this problem is being taken seriously enough," says Pescatore. "From their point of view it would be good to get the word out: look at this, this is really nasty stuff, and we better increase our enforcement budget to do something about it."
The exposed message board revealed Shadowcrew.com as a bustling marketplace of ideas and credit card numbers.
The 4,000 Shadowcrew members were participants in an underground economy capable of providing a dizzying array of illicit products and services. The most active commodities were "dumps" of credit card account data, fake physical cards to go with the dumps ($50 blank, $70 embossed, in bulk), and expertly forged identification to help pass the plastic at the local consumer electronics store. Credit reports, hacked online bank accounts, and names, birthdates and social security numbers of potential identity theft targets were also for sale in bulk.
Each product had its own specialists, and every vendor had to be reviewed by a trusted site member before they were allowed to sell. Disputes were handled judiciously, with "rippers" selling bunk products quickly exposed and banned from the site. In one case a vendor who owed another member money was allowed to continue selling only on the condition that his future illicit earnings would be garnished until his debt was repaid.
Members of the community even traded in tangible items like ATM skimmers, prescription drugs, and cocaine, and services like DDoS for hire and malware customization. One well-reviewed vendor offered a test-taking service that promised to get customers technical certifications within days. He was permitted to vend after earning the reviewer a Microsoft MCP certification under an alias.
All that commerce came to an end last Thursday, when the Secret Service and the Justice Department announced 28 arrests around the world, and the indictment of nineteen Shadowcrew founders, moderators and members for trafficking in stolen identity information and documents, and stolen credit and debit card numbers. Shadowcrew allegedly moved at least 1.7 million stolen credit card numbers and caused total losses in excess of four million dollars.
November 6, 2004 at 10:14 AM in Online crime
October 30, 2004
Secret Service Busts Internet Organized Crime Ring
Yahoo! News - Secret Service Busts Internet Organized Crime Ring
Fri Oct 29, 4:00 PM
Dan Verton, Computerworld
In what it called an "Information Age undercover investigation," the U.S. Secret Service announced the arrest of 28 people from eight states and six countries allegedly involved in a global organized cybercrime ring.
Charges filed against the suspects include identity theft, computer fraud, credit card fraud, and conspiracy.
The investigation, code-named Operation Firewall and announced Thursday, resulted in what the Secret Service described as a significant disruption of organized criminal activity online that was targeting the financial infrastructure of the United States. The suspects are alleged to have collectively trafficked in at least 1.7 million stolen credit card numbers.
Financial institutions have estimated their losses associated with the suspects targeted by the investigation to be more than $4.3 million.
"Led by the Secret Service Newark Field Office, investigators from nearly 30 domestic and foreign Secret Service offices and their global law enforcement counterparts have prevented potentially hundreds of millions of dollars in loss to the financial and hi-tech communities," said Secret Service Director W. Ralph Basham in a statement. "These suspects targeted the personal and financial information of ordinary citizens, as well as the confidential and proprietary information of companies engaged in e-commerce."
Multinational Cooperation
Operation Firewall began in July 2003 and quickly evolved into a transnational investigation of global credit card fraud and online identity theft. The underground criminal groups have been identified as Shadowcrew, Carderplanet, and Darkprofits. The organizations operated Web sites used to traffic counterfeit credit cards and false identification information and documents. The groups allegedly used the sites to share information on how to commit fraud and sold the stolen information and the tools needed to commit such crimes.
International law enforcement organizations that took part in the investigation and arrests included the United Kingdom's National Hi-Tech Crimes Unit, the Vancouver Police Department's Financial Crimes Section, the Royal Canadian Mounted Police, and Europol.
Officials in Bulgaria, Belarus, Poland, Sweden, the Netherlands, and Ukraine also were involved.
October 30, 2004 at 01:41 AM in Online crime
October 09, 2004
FBI busts alleged DDoS Mafia
SecurityNewsPortal.com - Latest Breaking Security, Hacking and Virus News
Feds calling it the first criminal case to arise from a DDoS-for-hire scheme
08-27-2004 09:57:31 AM CST -- By Kevin Poulsen, SecurityFocus
A Massachusetts businessman allegedly paid members of the computer underground to launch organized, crippling distributed denial of service (DDoS) attacks against three of his competitors, in what federal officials are calling the first criminal case to arise from a DDoS-for-hire scheme. Jay Echouafni, 37, is a fugitive from a five-count federal indictment in Los Angeles charging him with aiding and abetting computer intrusion and with conspiracy. As CEO of the online satellite TV retailer Orbit Communication Corp., Echouafni allegedly paid a business associate to recruit members of the computer underground to cripple three online stores, resulting in long periods of downtime and an estimated $2 million in losses to the businesses and their service providers. Paul Ashley, 30, of Powell, Ohio, is named in a separate criminal complaint as Echouafni's go-between in arranging two of the attacks. Ashley was the network administrator of the Web and IRC hosting company CIT/FooNet, run from his home, which was shuttered sometime after being raided by the FBI last February. Three other Americans and one U.K. citizen are charged with actually carrying out the attacks.
"This is an example of a growing trend: that is, denial of service attacks being used for either extortionate reasons, or to disable or impair the competition," says FBI supervisory special agent Frank Harrill. "It's a growing problem and one that we take very seriously, and one that we think has a very destructive impact and potential."
According to an FBI affidavit filed in the case, Echouafni was a client of CIT/FooNet's hosting services when he made a deal with Ashley, then the owner, in October of last year. Echouafni allegedly paid Ashley $1,000 to snuff out two competing websites that he claimed had stolen some of his content and were staging DDoS attacks against his company.
Ashley in turn used his connections in the underground, and in at least one case the promise of a free CIT/FooNet server, to recruit three associates to do the dirty work: Joshua Schichtel, Jonathan Hall, and Lee Walker, known online as "Emp," "Rain," and "sorCe" respectively. Each of the three apparently had sizable "botnets" at their disposal, meaning they could each command thousands of compromised PCs to simultaneously attack a single host -- Walker alone had control of between 5,000 and 10,000 computers through a customized version of the Agobot worm, according to the FBI affidavit. Schichtel's network of 3,000 zombies was more modest, and he quietly subcontracted the job to Richard "Krashed" Roby, who allegedly took the assignment in exchange for a free shell account.
The attacks began on October 6th, with SYN floods slamming into the Los Angeles-based e-commerce site WeaKnees.com, crippling the site, which sells digital video recorders, for 12 hours straight, according to the FBI. The company's hosting provider, Lexiconn, responded by dropping WeaKnees.com as a client, sending the company to more expensive hosting at RackSpace.com.
RackSpace fought back, but the attackers proved determined and adaptive. In mid-October the simple SYN flood attacks were replaced with an HTTP flood, pulling large image files from WeaKnees.com in overwhelming numbers. At its peak the onslaught allegedly kept the company offline for a full two weeks. (The company declined to comment on the case).
RapidSatellite.com, which sells satellite TV receivers, was hit at the same time and with similar results. The company responded by quickly moving their electronic storefront to the distributed content delivery services of Speedera, only to be crippled three days later by an attack on that provider's DNS servers, which for an hour also blocked access to other Speedera-hosted sites, including Amazon.com and the Department of Homeland Security, according to the FBI affidavit. RapidSatellite then moved to Akamai, but were out again within a week when the attackers switched to an HTTP flood attack, running massive numbers of queries through RapidSatellite.com's search engine.
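The two application-layer floods described above (bulk pulls of large image files, and mass queries against a site search) are visible in ordinary web-server access logs as a per-client spike in request rate or in bytes served. The following detector is an added example written for this page, not code from the article or from any of the companies named in it. It assumes Apache-style combined log lines, uses per-client sliding windows, and flags a client that exceeds either an illustrative request-rate threshold or a byte-volume threshold inside the window. The sample log it builds is constructed (addresses are from the RFC 5737 documentation ranges), and the thresholds are assumptions to be tuned to real traffic.

```python
"""Per-client request-rate and byte-volume detector for HTTP floods.

Added example: parses combined-format access log lines, keeps a sliding
window per client IP, and flags clients that either send more requests than
max_requests within window_s seconds or pull more than max_bytes in that
window. Both patterns match the floods described in the article: repeated
pulls of a large image (byte volume) and bursts of search queries (rate).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [ts] "METHOD path PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, ts, path, bytes for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ip": d["ip"],
        "ts": datetime.strptime(d["ts"], TS_FMT),
        "path": d["path"],
        "bytes": 0 if d["bytes"] == "-" else int(d["bytes"]),
    }


def detect_floods(lines, window_s=60, max_requests=50, max_bytes=50_000_000):
    """Return {ip: set(reasons)} for clients exceeding a threshold in any window.

    Thresholds are illustrative assumptions. Lines are assumed to be in time
    order for each client, which is how a server writes its own log.
    """
    windows = defaultdict(deque)   # ip -> deque of (timestamp, bytes)
    totals = defaultdict(int)      # ip -> bytes currently inside the window
    flagged = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:            # skip unparseable lines rather than crash
            continue
        ip, q = rec["ip"], windows[rec["ip"]]
        q.append((rec["ts"], rec["bytes"]))
        totals[ip] += rec["bytes"]
        # Slide the window: evict entries older than window_s seconds.
        while (rec["ts"] - q[0][0]).total_seconds() > window_s:
            _, old_bytes = q.popleft()
            totals[ip] -= old_bytes
        if len(q) > max_requests:
            flagged[ip].add("request_rate")
        if totals[ip] > max_bytes:
            flagged[ip].add("byte_volume")
    return dict(flagged)


def build_sample_log():
    """Constructed sample traffic (not real data): one benign client and two floods."""
    base = datetime(2003, 10, 6, 14, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, t, path, size):
        return (f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 {size} '
                f'"-" "Mozilla/4.0 (constructed)"')

    lines = []
    # Benign browsing: five page views spread over 40 seconds.
    for i in range(5):
        lines.append(fmt("192.0.2.10", base + timedelta(seconds=10 * i), "/index.html", 4096))
    # Image-pull flood: 120 requests for a 2 MB image inside 30 seconds.
    for i in range(120):
        lines.append(fmt("198.51.100.7", base + timedelta(milliseconds=250 * i),
                         "/images/front.jpg", 2_000_000))
    # Search-query flood: 80 small requests inside 40 seconds.
    for i in range(80):
        lines.append(fmt("203.0.113.9", base + timedelta(milliseconds=500 * i),
                         f"/search?q=term{i}", 512))
    return lines


if __name__ == "__main__":
    for ip, reasons in detect_floods(build_sample_log()).items():
        print(ip, sorted(reasons))
```

Run against the constructed log, the detector flags the image puller for both rate and volume and the search client for rate only, while the benign client is not reported. In practice the two thresholds should be set from a baseline of normal traffic, and the per-client key can be widened (a /24, an ASN) when a botnet spreads requests thinly across many addresses.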
Behind the scenes Ashley was allegedly micromanaging the assault. A chat log recovered from Schichtel's hard drive shows Ashley admonishing his subordinate to stay on top of his portion of the attack: "u gotta keep ane [sic] eye on it...cuz they could null route the ip and change the dns...and it would be back up." When Schichtel asks, "what did they do to you?," Ashley replies with an answer fit for Tony Soprano. "[F]---ing with us...well, a customer."
"Operation Cyberslam"
In December, the alleged DDoS conspirators' informal relationship became more corporate, when Echouafni purchased CIT/FooNet from Ashley, and kept Ashley on as network administrator at a $120,000-a-year salary. Ashley, in turn, formally hired Hall to perform "security" for the company -- which the FBI suggests was a euphemism for launching more DDoS attacks against Echouafni's enemies.
In February, Echouafni -- now the boss -- phoned Hall directly to order an attack on a new target, according to the government: another satellite TV retailer called Expert Satellite. Hall dutifully launched a SYN flood against the new victim, but the results didn't please his CEO; Echouafni contacted Hall repeatedly to inform him that the site had resurfaced, and to express his disappointment. "Echouafni also implied that [Hall] would be fired if he did not launch the attacks," reads the affidavit.
By then, law enforcement was making progress on the investigation they code named "Operation Cyberslam."
FBI cyber crime agents had spotted what appeared to be reconnaissance for the HTTP flood attacks in WeaKnees.com's October log files, originating from a shell hosting company called Unixcon