MAY 29, 2006
Meet The Hackers
Cybercrooks are stealing billions. An inside look at law enforcement's biggest targets
By Spencer E. Ante and Brian Grow, with Roman Olearchyk in Ukraine
But when the Ukrainian police arrested him last July for his involvement in credit-card fraud, U.S. law enforcement officials hailed it as a big break in their fight against cybercrime. Subsequently, in January, 2006, the U.S. Attorney's office for the Central District of California charged Golubov with a number of cybercrimes, including credit-card fraud. An affidavit by a special agent with the Federal Bureau of Investigation states that Golubov held the title of "Godfather" for "an international ring of computer hackers and Internet fraudsters that has...trafficked in millions of stolen credit card numbers and financial information." U.S. Postal Inspection Service senior investigator Gregory S. Crabb, who worked with Ukrainian authorities on their case, says Golubov and others controlled the numbers, names, and security codes attached to credit cards. Low-level criminals would use that to load up fake cards and withdraw cash from automated teller machines or buy merchandise. "Golubov was known as the go-to guy," says Crabb.
But last December, Golubov's story took a bizarre twist. Two Ukrainian politicians, including Vladimir Demekhin, deputy chairman of the Energy Committee of the Ukrainian Parliament, vouched for Golubov's character in court. The judge hearing the case released Golubov on a personal recognizance bond from the two officials. (Demekhin did not respond to e-mails and phone calls.) U.S. officials say they are worried that Golubov may leave the country, and a date for his trial hasn't been set. "Chat from the carding community" indicates Golubov may be back in business, says Crabb. Golubov's lawyer, Petro Boiko, claims he isn't hiding and the charges are groundless: "There has been a legend made of Golubov, of a big hacker. There is no evidence linking him to this case. He knows how to use a computer, but he is not a hacker by any means."
At least authorities had their hands on Golubov, however briefly. Usually, the people they suspect of conducting computer crime leave behind only traces of their existence: a quirky online nickname, a few postings on illicit Web sites, and a trail of financial mayhem. But BusinessWeek, working with information and photos supplied by officials at the U.S. Postal Inspection Service, as well as state law enforcement agencies and private Internet security experts, compiled descriptions of some of the most sought-after targets in cybercrime investigations. Shown the list, the United States Secret Service said it is investigating some of those on it as well, but declined to comment further. The FBI also declined to comment.
The picture that emerges is of organized gangs of young, mostly Eastern European hackers who are growing ever more brazen about doing business on the Web. They meet in underground forums with names like DarkMarket.org and theftservices.com to trade tips and data and coordinate scams that span the globe. (Those and other Web sites and organizations named by investigators did not respond to e-mails, instant messages, or phone calls seeking comment.) "Financial payment fraud has evolved tremendously," says John Corbelletta, a former police officer who is director of fraud control for Visa U.S.A. Inc. "Most of the cases I investigated when I was a cop involved people who had their cards stolen out of their purse. We didn't even think of counterfeiting cards."
Today, cyberscams are the fastest-growing criminal niche. Scores of banks and e-commerce giants, from JPMorgan Chase & Co. (JPM ) to walmart.com (WMT ), have been hit, sometimes repeatedly, by hackers and online fraud schemes. The 2005 FBI Computer Crime Survey estimated annual losses to all types of computer crime -- including attacks of viruses and other "malware," financial fraud, and network intrusions -- at $67 billion a year. Of the 2,066 companies responding to the survey, 87% reported a security incident. The U.S. Federal Trade Commission, which says identity theft is its top complaint, on May 10 created an Identity Theft Task Force following an executive order signed by President George W. Bush.
To track cybercrime, law enforcement officers work with companies such as eBay Inc. (EBAY ) or Microsoft Corp. (MSFT ) as well as with authorities around the globe. EBay has 60 people combating fraud, while Microsoft's Internet Safety Enforcement team has 65 operatives, including former law enforcement agents and federal prosecutors. To document the extent of the activity, BusinessWeek reporters also scoured underground Web sites where stolen data is swapped like so many baseball cards on eBay. Consider this e-mail promoting the launch of an online trading bazaar, vendorsname.ws, last year:
"During the battle with US Secret Service, we !@#&! all those [law enforcement] bastards and now are running a brand new, improved and the biggest carder' forum you ever seen." The message brags about its array of stolen goods: U.S. and European credit-card data, "active and wealthy" PayPal (EBAY ) accounts, and Social Security numbers. Those who "register today" get a "bonus" choice of "one Citybank account with online access with 3K on board" or "25 credit cards with PINs for online carding."
What follows is a look at four individuals, besides Golubov, who are identified by multiple law enforcement authorities as high-priority targets in their investigations. It's no coincidence that all are Russian. Strong technical universities, comparatively low incomes, and an unstable legal system make the former Soviet Union an ideal breeding ground for cyberscams. Also, tense political relations sometimes complicate efforts to obtain cooperation with local law enforcement. "The low standard of living and high savviness is a bad combination," says Robert C. Chesnut, a former U.S. federal prosecutor who is a senior vice-president directing antifraud efforts at eBay.
SHIPPING AND RECEIVING
Among the most pernicious scams to emerge over the past few years are so-called re-shipping rings. And U.S. officials believe the king of these is a Russian-born hacker who goes by the name Shtirlitz -- a sly reference to a fictional Soviet secret agent who spied on the Nazis. In real life, Shtirlitz is being investigated by the U.S. Postal Inspection Service in connection with tens of millions of dollars worth of fraud in which Americans are signed up to serve as unwitting collaborators in converting stolen credit-card data into tangible goods that can be sold for cash. "We think he is involved in the recruitment of hundreds of people," says William A. Schambura, an analyst with the U.S. Postal Inspection Service. Shtirlitz did not respond to e-mail requests for comment.
Investigators believe that people like Shtirlitz use stolen credit cards to purchase goods they send to Americans whose homes serve as dropoff points. The Americans send the goods overseas, before either the credit card owner or the online merchant catches on. Then the goods are fenced on the black market. BusinessWeek found that re-shipping groups take out advertisements in newspapers and spoof ads from online job sites. "We have a promotional job offer for you!!" beckons one e-mail for a "shipping-receiving position" from UHM Cargo that appeared to come from Monster.com (MNST ). It states that "starting salary is $70-$80 per processed shipment. Health and Life benefits after 90 days."
In truth, these scams come and go so fast that the "shippers-receivers" don't know what hit them. One retired business executive from Florida was furious after learning that he had become entangled in a company that U.S. officials believe was run by Shtirlitz. The man sent about 40 packages, mostly computers and expensive cameras, to Finland before a department store notified him of the scheme. "At that point I wanted to do everything I could to destroy them," says the former exec, who is helping with the Postal Inspection Service investigations.
Officials do not know Shtirlitz' real name but believe he is 25 to 27 years old and lived in the San Francisco area at one time after his parents emigrated. They do not know where he is now but believe he is active. In one forum of CardingWorld.cc, a person with the alias iNFERNis posted this request on Dec. 23, 2005:
"Hi, I need eBay logins with mail access, please icq 271-365-234."
A few hours later, Shtirlitz replied:
"I know good vendor. ICQ me: 80-911."
Once equipped, someone could log into those eBay accounts and use them to buy goods with the owner's money, while emptying the money out of their PayPal account. "The Web sites are more like a dating service," says Yohai Einav, an analyst at RSA Security Inc. (RSAS ). "Then you can conduct transactions in private chat rooms. I can click on someone's name and start doing business with them."
The technical tools to steal credit-card numbers and online bank account log-in data are often just as valuable as the stolen goods themselves. Smash is being investigated by the Postal Inspection Service on suspicion that he helps hackers hack. The picture, or avatar, that accompanies Smash's posts in online chat rooms shows a fallen angel. From 25 to 30 years old and based in Moscow, he is believed to be an expert in building spyware programs, malicious code which can track Web surfers' keystrokes and are often hidden in corrupted Web sites and spam e-mail. U.S. enforcement officials say Smash's Russia-based company, RAT Systems, openly hawks spyware on the Web at www.ratsystems.org. E-mails requesting comment were not returned.
On its home page, RAT Systems denies any malicious intent: "In general, we're against destructive payloads and the spreading of viruses. Coding spyware is not a crime." But the "terms of service" guarantee that its spyware products will be undetectable by the antivirus software made by security companies such as McAfee Inc. (MFE ) and Symantec Corp. (SYMC ). One product, called the TAN Systems Security Leak, created for attacking German companies, sells for $834. "It's like [saying]: 'Yes, I sell guns to someone who sells crack, but I'm not responsible for them,"' says the Postal Service's Crabb.
Postal Inspection Service officials are also investigating Smash's activity as a senior member of the International Association for the Advancement of Criminal Activity, which they describe as a loose-knit network of hackers, identity thieves, and financial fraudsters. Smash and another sought-after hacker named Zo0mer jointly operate IAACA's Web site, www.theftservices.com, one of the most popular and virulent data trading sites, according to U.S. officials. Hosted by a Web service in Malaysia, the theftservices.com home page boasts cartoon ads of fraudsters using credit cards at banks and stores as police cars give chase. Smash, listed as a moderator on the site, did not return e-mails seeking comment.
KING OF SPAM
On May 11, 2005, Massachusetts Attorney General Tom Reilly filed a lawsuit against Leo Kuvayev and six accomplices, accusing them of sending millions of spam e-mails to peddle counterfeit drugs, pirated software, fake watches, and pornography. Kuvayev, a 34-year-old native of Russia who uses the nickname BadCow, is one of the world's top three spammers, according to anti-spam group Spamhaus. State officials allege that Kuvayev and his associates used a number of Web-hosting services from the U.S. and around the world to launch attacks. Kuvayev was charged with violating the federal CAN-SPAM Act of 2003, which requires that unsolicited commercial e-mail be accurate and honest.
Massachusetts was able to go after Kuvayev because he listed a Massachusetts address on his driver's license and conducted business using a Boston Post Office box. On Oct. 11, 2005, after none of the defendants appeared to answer the charges, a Superior Court judge issued a default judgment against them. The judge found the spammers in violation of state and federal consumer protection laws and ordered a permanent shutdown of dozens of illegal Web sites. Kuvayev and his co-defendants were ordered to pay $37 million in civil penalties for sending nearly 150,000 illegal e-mails.
Federal law enforcement officials believe Kuvayev's operation was pulling in more than $30 million a year. State officials suspect Kuvayev fled to Russia before he was sued. "The problem is, Russia does not have any antispamming laws at the moment," says Crabb. "It's hard to catch someone who isn't breaking the law." Kuvayev did not respond to requests for comment e-mailed to Web sites affiliated with him, and phone numbers listed under his address were not working.
GOT YOUR NUMBER
Bank robbers rob banks because that's where the money is. For hackers, the best loot is often found inside the networks of credit-card processors, the middlemen that handle card transactions for merchants and banks.
Postal Inspection Service officials say they are investigating Roman Khoda, aka My0, on suspicion he could be connected to the theft of a million credit card numbers in recent years.
A 26-year-old Russian with a university degree in physics, Khoda once worked with the leading members of carderplanet, according to Schambura. U.S. officials describe carderplanet as one of the largest online marketplaces used to buy and sell pilfered bank-account and card data, until it was broken up by U.S. and foreign officials in August, 2004. But Khoda is unlike some cocky hackers who often write their own digital signatures into malicious code, says Crabb; he operates with stealth. At carderplanet and successor Web sites, he has not left a detailed trail connecting him directly to stolen data. Crabb says Khoda and two accomplices conducted extensive due diligence on the computer networks of targets, even setting up fake companies with accounts at credit-card processors to test for holes in the system. Then they lugged PCs to a rented apartment on the Mediterranean island of Malta, according to Crabb. Using proxy servers in the U.S., China, and Ukraine to hide their Internet connection, Khoda & Co. unleashed their attacks.
Investigators say Khoda even keeps a low profile in the often-gabby cybercommunity. A search of popular underground trading sites turns up little evidence of My0. A woman who answered a Russian phone number for Khoda provided by U.S. law enforcement said it is no longer registered to him. E-mails and instant messages sent to Khoda's ICQ instant messaging number were not returned.
But in instant messages viewed by officials at the National Cyber-Forensics and Training Alliance, a cybercrime intelligence unit jointly operated by the FBI and Postal Inspection Service, in partnership with universities, Khoda complains how his life would be upended if his real identity were exposed. The reason? U.S. officials say he worries that information about his online activities could hurt his offline businesses in Russia.
The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.