Cybercrime flourishes in online hacker forums By Byron Acohido and Jon Swartz, USA TODAY
SEATTLE -- Criminals covet your identity data like never before. What's more, they've perfected more ways to access your bank accounts, grab your Social Security number and manipulate your identity than you can imagine.
Want proof? Just visit any of a dozen or so thriving cybercrime forums, websites that mirror the services of Amazon.com and the efficiencies of eBay. Criminal buyers and sellers convene at these virtual emporiums to wheel and deal in all things related to cyberattacks -- and in the fruit of cyberintrusions: pilfered credit and debit card numbers, hijacked bank accounts and stolen personal data.
The cybercrime forums gird a criminal economy that robs U.S. businesses of $67.2 billion a year, according to an FBI projection. Over the past two years, U.S. consumers lost more than $8 billion to viruses, spyware and online fraud schemes, Consumer Reports says.
In 2004, a crackdown by the FBI and U.S. Secret Service briefly disrupted growth of the forums. But they soon regrouped, more robust than ever. Today, they are maturing -- and consolidating -- just like any other fast-rising business sector, security experts and law enforcement officials say. In fact, this summer a prominent forum leader who calls himself Iceman staged a hostile takeover of four top-tier rivals, creating a megaforum.
Security firms CardCops, of Malibu, Calif., and RSA Security, a division of Hopkinton, Mass.-based EMC, and volunteer watchdog group Shadowserver observed the forced mergers, as well, and compiled dozens of takeover-related screen shots. "It's like he created the Wal-Mart of the underground," says Dan Clements, CEO of CardCops, an identity-theft-prevention company. "Anything you need to commit your crimes, you can get in his forum."
The Secret Service and FBI declined to comment on Iceman or the takeovers. Even so, the activities of this mystery figure illustrate the rising threat that cybercrime's relentless expansion -- enabled in large part by the existence of forums -- poses for us all.
In the spy vs. spy world of cybercrime, where trust is ephemeral and credibility hard won, CardersMarket's expansion represents the latest advance of a criminal business segment that began to take shape with the formation of the pioneering Shadowcrew forum.
Shadowcrew, which peaked at about 4,000 members in 2004, arose in
2002. It established the standard for cybercrime forums -- set up on well-designed, interactive Web pages and run much like a well-organized co-op. Communication took place methodically, via the exchange of messages posted in topic areas. Members could also exchange private messages.Shadowcrew gave hackers and online scammers a place to congregate, collaborate and build their reputations, says Scott Christie, a former assistant U.S. Attorney in New Jersey who helped prosecute some of its members.
In the October 2004 dragnet, called Operation Firewall, federal agents arrested 22 forum members in several states, including co-founder Andrew Mantovani, 24, aka ThnkYouPleaseDie. At the time, Mantovani was a community college student in Scottsdale, Ariz. In August, he began serving a 32-month federal sentence for credit card fraud and identification theft.
Shadowcrew as catalyst
Shadowcrew's takedown became the catalyst for the emergence of forums as they operate today. With billions to be made, new forums have reformed like amoebas, splintering into 15 to 20 smaller-scale co-ops. "They learned that it's best to disperse," says Yohai Einav, director of RSA Security's Tel Aviv-based fraud intelligence team.
Forum leaders have become increasingly selective about accepting new members. "Vouching" for new members is now the norm, requiring a member in good standing to extend an invitation to new recruits. Some forums charge an initiation fee; others limit the power to invite new members to the forum leaders.
Veteran vendors and buyers typically do business in multiple forums simultaneously, in case any particular forum shuts down.
"If criminals get caught one way, they modify their behavior," says Kevin O'Dowd, an assistant U.S. Attorney in New Jersey who prosecuted the Shadowcrew case.
Some forums have become known for their specialties, such as offering free research tools to do things such as confirming the validity of a stolen credit card number or learning about security weaknesses at specific banks. A few offer escrow services, handling the details of complex deals for a fee.
The better-run forums invest in tech-security measures that have become the norm in the corporate world, such as use of encrypted Web pages. All forums run aggressive campaigns to identify and sweep out rippers -- the con artists who gain membership and instigate deals, only to renege on their part of the bargain.
From this post-Shadowcrew milieu, Iceman has emerged as a forum leader to watch.
RSA Security has tracked Iceman's postings on CardersMarket since October 2005; CardCops has compiled an archive of hundreds of postings on several forums by someone using the nickname Iceman since January
2006.In the boastful world of cybercrime, nicknames, or nics, are sacrosanct. It's not unusual for a hacker or cyberthief to go by two or three different nics, but unthinkable for two or three people to knowingly share the same nic, says RSA Security's Einav. "I believe we're talking about one guy and not a group hiding behind his name," he says.
Hostile takeover
Clearly enterprising and given to posting rambling messages explaining his strategic thinking, Iceman grew CardersMarket's membership to
1,500. On Aug. 16, he hacked into four rival forums' databases, electronically extracted their combined 4,500 members, and in one stroke quadrupled CardersMarket's membership to 6,000, according to security experts who monitored the takeovers.The four hijacked forums -- DarkMarket, TalkCash, ScandinavianCarding and TheVouched -- became inaccessible to their respective members. Shortly thereafter, all of the historical postings from each of those forums turned up integrated into the CardersMarket website.
To make that happen, Iceman had to gain access to each forum's underlying database, tech-security experts say. Iceman boasted in online postings that he took advantage of security flaws lazily left unpatched. CardCops' Clements says he probably cracked weak database passwords. "Somehow he got through to those servers to grab the historical postings and move them to CardersMarket," he says.
Iceman lost no time touting his business rationale and hyping the benefits. In a posting on CardersMarket shortly after completing the takeovers he wrote: "basically, (sic) this was long overdue ... why (sic) have five different forums each with the same content, splitting users and vendors, and a mish mash of poor security and sometimes poor administration?"
He dispatched an upbeat e-mail to new members heralding CardersMarket's superior security safeguards. The linchpin: a recent move of the forum's host computer server to Iran, putting it far beyond the reach of U.S. authorities. He described Iran as "possibly the most politically distant country to the united states (sic) in the world today."
At USA TODAY's request, CardCops traced CardersMarket's point of origin and confirmed that it is registered to a computer server in Iran.
If Iceman succeeds in establishing CardersMarket as the Wal-Mart of forums, its routing through an Iranian server will make an already complex law enforcement challenge that much more difficult, security experts say.
"Chasing these carding fraudsters is like chasing terrorists in Afghanistan," says RSA Security's Einav. "You know they are somewhere out there, but finding their caves, their underground bunkers, is almost impossible."
The U.S. Secret Service declined to answer questions about Iceman and CardersMarket. It would not acknowledge whether they are under investigation as part of Operation Rolling Stone, the most intensive federal probe of cybercrime since Operation Firewall. This year, 35 suspects have been arrested. No names were initially released, but a few have surfaced after indictments were unsealed.
Suspects include Binyamin Schwartz, 28, of Oak Park, Mich., indicted in July in Nashville for allegedly trafficking more than 100,000 Social Security numbers, and Paulius Kalpokas, 23, of Lithuania, whose extradition to Nashville on charges of trafficking stolen credit card data has been requested.
Schwartz "got caught up in something on the Internet but did not profit from it," says Sanford Schulman, Schwartz's attorney. "He inquired about acquiring information online without criminal intent, nor was he involved in a sophisticated enterprise."
Secret Service spokesman Thomas Mazur says Operation Rolling Stone is designed to "disrupt and dismantle any of these carding forums," but he declined to say which forums or how many are being investigated.
Security experts worry that CardersMarket's emergence as a model for setting up hypersafe forums could translate into a spike of activity by the best and brightest cybercrooks.
"It's called bulletproofing," says CardCops' Clements. "Guys will now migrate to CardersMarket because they really are untouchable there."
Trust a thief?
Iceman's masterstroke rattled his rivals and raised suspicions among his peers.
In the tech industry, companies routinely spread what they call FUD -- fear, uncertainty and doubt -- about a competitor's business model. Shortly after Iceman swept up TalkCash's 2,600 members onto CardersMarket's website, TalkCash's leader, nicknamed Unknown Killer, e-mailed a shrill warning to TalkCash members: "I've talked to a number of guys and all say that they didn't merge a (expletive) with that site ... so please beware as they can be feds."
Speculation abounds on the Internet that the FBI helped install Iceman as head of a dominant forum set up to lure kingpin cybercrooks into capture.
In busting up Shadowcrew, law enforcement had used a high-ranking member of Shadowcrew as an inside informant, beginning in August 2003, according to court records. Security experts say it's possible, though unlikely, Iceman could be an informant. While not commenting directly about Iceman, FBI spokesman Paul Bresson says, "The FBI is not in the business of exposing Americans to fraud."
Instead of being admired by his peers, Iceman found himself scrambling to deal with an intensifying backlash. A forum member, nicknamed Silo, posted this public comment on CardersMarket: "How Can we TRUST you and this boards admin? You breached our community's security. Stole the Databases of other forums ... you've breached what little trust exist's (sic) in the community."
Ten days after the forced mergers, the deposed leaders of DarkMarket and ScandinavianCarding managed to reconstitute forums under those names. And CardersMarket appeared to be under assault, with some of the features on its website functioning sporadically, according to RSA Security's Einav.
Security experts expect the infighting to run its course. They say Iceman's attack prompted forum leaders to beef up database passwords and patch other security holes, making both hostile takeovers and law enforcement investigations more difficult. Most experts expect the activity level of the forums to rise, because many consumers and businesses are uninformed or apathetic.
Consumers' lax attitudes
Consumers continue to exhibit lax attitudes, even as Internet intrusions and scams rise in frequency and sophistication. John Thompson, CEO of anti-virus giant Symantec, contends Internet users must adopt the same "sixth sense about security" they use when they get in their cars or leave home.
Meanwhile, the commercial sector has been slow to ask consumers to take other steps, such as using a smartcard or fingerprint reader ? along with typing a log-on and password ? to prove they are who they say online.
Thomas Harkins spent two decades as operations director for MasterCard International's fraud division, gaining an insider's view of cybercrime's breakneck rise. Now COO of security firm Edentify, based in Bethlehem, Pa., Harkins says identity theft is poised to increase by a factor of 20 over the next two years.
"There's so many stolen identities in criminals' hands that (identity theft) could easily rise 20 times," Harkins says. "The criminals are still trying to figure out what to do with all the data."
Meanwhile, stories such as Kevin Munro's will continue to pile up. In late August, the name, Social Security number and other data of the
51-year-old Warsaw, N.Y., building inspector turned up for sale on a forum monitored by CardCops. Munro recalls changing checking accounts after a thief tried to cash several bad checks in 2002. Since then, his personal data have persisted in circulation.Cybercrooks have used it online to order magazines, purchase three Dell computers and attempt to take out a real estate loan. Recently, MasterCard notified Munro that an account he's had for 20 years and uses infrequently was being canceled.
"I work for a living," Munro says. "I do everything on the up-and-up, and some lowlife comes by and takes it away."
Acohido reported from Seattle, Swartz from San Francisco.
Find this article at:
Copyright 2007 USA TODAY, a division of Gannett Co. Inc.
NOTE: For more telecom/internet/networking/computer news from the daily media, check out our feature 'Telecom Digest Extra' each day at