Information Security News mailing list archives

Internet Dreams Turn To Crime


From: InfoSec News <isn () c4i org>
Date: Mon, 19 May 2003 01:35:39 -0500 (CDT)

Forwarded from: William Knowles <wk () c4i org>

http://www.washingtonpost.com/wp-dyn/articles/A2619-2003May17.html

By Ariana Eunjung Cha
Washington Post Staff Writer
Sunday, May 18, 2003

First of three articles 

CHELYABINSK, Russia -- Vasiliy Gorshkov did not set out to be a thief. 

Relatives and friends say he had wanted to build a dot-com like those 
he had read about on the other side of the world -- the Amazon.coms, 
eBays and Yahoos that were becoming household names even in this 
industrial expanse of dilapidated tenements and factories. 

But in the spring of 2000, just three months after he sank his 
inheritance into a quixotic start-up to build Web sites for 
corporations, Gorshkov was getting squeezed. Few merchants here wanted 
to hear about the Internet, much less invest in it. What's worse, 
Gorshkov told several associates, local crime bosses had started to 
demand that he hand over a percentage of his earnings to avoid smashed 
windows, theft of merchandise and broken bones. 

Gorshkov, then 24, didn't have the cash. Business associates recalled 
that he didn't even have enough money to keep paying his four 
programmers. 

But one of those programmers, 19-year-old Alexey Ivanov, said he knew 
how to raise the protection money, according to lawyers familiar with 
the conversation. Gorshkov could offer a protection service of his own. 
To online businesses. Six thousand miles away in the United States. 

Soon, U.S. prosecutors said, Gorshkov and Ivanov were scouring the 
Internet looking for security vulnerabilities in the computer networks 
of American corporations. When they found a way in, they would steal 
credit card numbers or other valuable information. They would then 
contact the site's operator and offer to "fix" the breach and return 
the stolen data -- for a price. 

Within a few months, banking, e-commerce and Internet service 
providers across the country, including Central National Bank of Waco, 
Tex.; Nara Bank NA of Los Angeles; and Internet service provider 
Speakeasy Inc. of Seattle, became victims. The hackers also used 
online payment service PayPal Inc. to turn pilfered credit card 
numbers into cash by setting up phony accounts. The men would 
eventually expose American businesses to perhaps tens of millions of 
dollars in losses, the prosecutors said. 

Gorshkov and Ivanov are two of the hundreds, perhaps thousands, of 
virtually untraceable hackers who are overwhelming cyberspace. Hackers 
have stolen customer databases, company blueprints and credit card 
numbers. They have unleashed viruses, crashed computer systems, placed 
phony orders for merchandise, rerouted e-mail communications and 
committed various other mischief. 

Over the past few years, the U.S. Justice Department, the FBI, the 
Secret Service and other government agencies have accelerated efforts 
to counter cybercrime. Last week, Attorney General John D. Ashcroft 
said one joint operation resulted in the arrest of more than 130 
people suspected of using the Internet to defraud 89,000 consumers and 
businesses of $176 million since the beginning of the year. 

Businesses are expected to spend $25 billion this year to fend off 
online intruders, according to market researcher IDC Corp. About 65 
percent of all online attacks originate overseas. 

"The Internet makes moving money across continents faster, less of a 
hassle -- and easier to hide," said Louise I. Shelley, director of the 
Transnational Crime and Corruption Center at American University. 

International law is often ill-suited to deal with the problem, with 
conflicting views on what constitutes cybercrime, how -- or if -- 
perpetrators should be punished and how national borders should be 
applied to a medium that is essentially borderless. 

"We don't think about the FBI at all," Gorshkov told a potential 
business partner. "Because they can't get us in Russia." 

Gorshkov was wrong. The events that led to his and Ivanov's arrest 
open a window on the elusive and lucrative world of computer hacking 
-- where many perpetrators no longer fool with computers just because 
they are bored or want to make political statements. They're in it for 
the money. 

The events were reconstructed from interviews with relatives, friends, 
co-workers, classmates and acquaintances of the hackers. Key details 
were corroborated by court records, prosecutors, defense lawyers and 
government intelligence officials. Gorshkov answered several questions 
in a letter; Ivanov declined to be interviewed. 

Their case is unusual only because they were caught. Most online 
thieves, computer security investigators and prosecutors said, get 
away with it. 

Chelyabinsk might be the most polluted place on earth, because of an 
explosion in a nuclear-bomb-making factory in the 1950s that dumped 
radiation through its Ural Mountain river valley but was kept secret 
for decades. Monuments to Stalin's industrial push dominate the city 
of 1.2 million. During the Cold War, many residents lived well, 
working in state-of-the-art military installations that were so secret 
they were known only by their numbers. But since the collapse of the 
Soviet Union, the region has struggled and many residents have had 
trouble finding work comparable to what once was available. 

Gorshkov and Ivanov grew up here, though they didn't know each other 
until they were adults. Gorshkov is described as outgoing, with a gift 
for talking people into anything. He graduated from the area's top 
school, Southern Ural State University, with a mechanical engineering 
degree. Unlike most of his urbanite peers, who favored clothes in 
black and gray, Gorshkov -- a thin, muscular guy with a chiseled face 
-- would occasionally shock friends by showing up at gatherings 
wearing orange and purple shirts. 

Ivanov's life was more troubled. He left home at 16 and lived in a 
small fourth-floor apartment attached to the local prison. He is 
described as a computer whiz, having had the opportunity when he was 
very young to play with machines in the office of his mother, who is a 
history teacher. Ivanov briefly studied computers at Southern Ural 
State University, but he was kicked out after twice failing freshman 
exams, according to school officials. 

Gorshkov's company and its Web site, known as tech.net.ru, were born 
in February 2000 when he quit his auto-parts job and struck out on his 
own, plunking down $40 for the first month's rent for Room No. 502 at 
the Chelyabinsk Textile Factory. It was a shoestring operation. Desks 
were built from scrap materials. The chairs were hand-me-downs from a 
Coca-Cola marketing campaign. But his programmers were first-class. 

The first few months he was in business, Gorshkov negotiated contracts 
to build Web sites for two companies. But he did the work at a 
severely discounted price and it wasn't long before Gorshkov's money 
began to run out and Ivanov introduced him to a group called the 
Expert Group of Protection Against Hackers. 

The group was made up of several dozen loosely affiliated hackers at 
any given time, 12 to 15 in Chelyabinsk and others in Russian cities 
including Moscow and St. Petersburg, though it is unclear how many 
people in all were involved. There were lots of good programmers 
scattered throughout the country, but very few good jobs for them. In 
Chelyabinsk, a programmer might earn $200 to $300 a month, but the 
jobs available were anything but the cutting-edge perches for 
programmers in the biotech, telecom and Internet companies in other 
countries. So some of them looked for other ways to put their skills 
to work. 

The hackers typically worked in groups of twos and threes, according 
to U.S. law enforcement officials. Sometimes members knew each other 
only by their online aliases. Some did not know each other at all. 

Each group or cell operated somewhat independently -- using its own 
methods and determining its own targets for online hacking -- but paid 
30 percent of what it collected to a krisha, or "protector" whom no 
one was willing to identify. "I don't know and I don't want to know," 
said one person involved with the group. 

Gorshkov suddenly found himself in a profitable business. 

He, Ivanov and another programmer, Michael -- a 19-year-old Siberian 
and college classmate of Ivanov's -- were one cell. Each had a 
distinct role, Michael said. Gorshkov was the coordinator, Ivanov the 
hacker. Michael poked around the exposed computer systems, hunting for 
data that might be useful. 

The tech.net.ru computers were meticulously organized to make the 
crimes as efficient as possible, investigators said. Each victim's 
information was kept in its own file; the hacking programs were placed 
in a folder labeled "badstuff." 

At first, the target companies were chosen pretty much at random, said 
Michael, who is known online as Hermit and spoke on the condition that 
his real name not be used. They could be any e-commerce or banking 
companies that sounded like they had money. 

Ivanov created a program that would search on Google for keywords such 
as "bank" or "casino" or "electronics" to find targets. They would 
then run potential victims through a program that scanned the 
companies' networks for known vulnerabilities. 

The group had only one rule about choosing victims: Stay away from 
Russian businesses. 

"You may go to jail and that's the best case," Michael said. "More 
likely, you'll be killed." 

The main way they broke into corporate Web sites was through a 
well-known vulnerability in the widely used Microsoft NT server 
software. Often, they only had to type in the default username and 
default password created by the manufacturer and then, just like that, 
they were inside the network, said security consultant Kevin Mandia, a 
cybercrime consultant who helped U.S. law enforcement agencies 
investigate Gorshkov and Ivanov. 

Their attacks were brazen. The hackers rarely bothered to cover their 
tracks. Mandia described their technique as akin to "storming a bank 
with a machine gun." 

"You could take five months to plan a super-secret operation, but if 
your chances of getting caught were minimal why bother?" Mandia said. 

The first contact between the hackers and their victims would 
typically be an e-mail sent to the company's chief executive or 
systems administrator. It was a form letter that Ivanov had shown to a 
lawyer to make sure it was legal under Russian law. 

It was in rough but polite English. "Hello Mr.," it began. "We are a 
security consulting group specialized in banking and credit card 
services, big online shops, insurance companies. Due to our job we 
have to work on the territory that can't be controlled by U.S. 
authorities. Our government and laws are loyal to that kind of 
computer activities." It then listed the number and a description of 
insecure computers on the company network and offered their security 
services. The group typically signed off with an ominous warning: 
"YOUR SITE IS TOTALLY INSECURE!!!. It's not just bluff. Any user on 
the net can get ALL the personal information concerning any account." 

As later detailed in court documents, Ivanov would follow up with 
another e-mail, an online chat request or a phone call, and say he 
used stolen calling card numbers or had commandeered satellite voice 
systems, talking leisurely with the cell's victims. 

Ivanov was so bold he sometimes sent his résumé -- and even photos -- 
to prove that he was a serious security consultant. The documents 
listed his home phone number and detailed his previous experience, 
noting that he was an expert in a half-dozen computer languages and 
that he had a passport but needed "visa support." 

The hackers asked for as little as a few hundred dollars from some 
start-ups and several hundred thousand dollars from corporations that 
sounded rich. 

In an interview, Michael claimed that his group made as much as 
$500,000 during one nine-month period, much of it wired to accounts in 
the Russian Federation, Romania and Cyprus. U.S. authorities have only 
been able to account for about $10,000 of the extortion fees paid to 
the hackers. 

It's unclear how many of the tens of thousands of stolen credit card 
numbers Gorshkov and Ivanov used. The "Expert Group" traded files of 
credit card numbers with each other and with other associates and sold 
the information, prosecutors say, making it a difficult if not 
impossible task to assess who used them. A U.S. spot-check found that 
nearly 1,300 of the credit card numbers on tech.net.ru were used for 
fraudulent purchases in Canada, France, Guatemala, Israel and many 
other countries. 

Reaction to the hackers varied widely among their victims. Some cursed 
them and others befriended them. 

Speakeasy, a company that started as an Internet cafe and then 
expanded to offer network services to homes and businesses, was among 
the most troublesome. The company refused to pay up even after Ivanov 
threatened, deleted files and posted customer information on a Web 
site. In online chat, Max Chandler, a systems administrator for 
Speakeasy, was tough, telling Ivanov that hacking is illegal, 
according to court documents. 

Ivanov was unmoved and typed in this response: "If you want put me to 
jail you never can do it because laws in my country is not work and my 
country don't have strong computer crime laws." 

Later on in the conversation, however, Ivanov sounded almost 
child-like as he asked Chandler for career advice. 

Ivanov: I need job only because I need money. Okay? . . . 

Ivanov: What name of companies where you have friends? 

Chandler: Well, Microsoft of course . . . Amazon. . . . 

Ivanov: Hey hey. Cool company. I'm steal a lot of CD/DVD/books from 
Amazon. . . . Max, is it possible to get job in Microsoft or Amazon? 

Chandler: Sure. They're hiring all the time. 

Ivanov: I mean for me? 

Chandler: Well, you need to send them a résumé but I can put a word 
for you in certain departments. 

Ivanov: Okay. Please do it. 

Some companies treated the extortion demands as regular business 
transactions. When Brian Miller, chief executive of Cambridge, 
Mass.-based Internet service provider Channel 1 Communications, heard 
from Ivanov about a breach in its computer systems, he concluded that 
it would be better to have Ivanov on his team than to fight with him. 
He wired $250 to an account that Ivanov provided and thanked him for 
his help. 

"I had a lot of sympathy for him," Miller said. "He seemed like a 
bright kid who just wanted to make some money and get out of his 
country. I thought maybe he would move on to better things." 

Gorshkov, meanwhile, still believed he could get his legitimate 
business off the ground. He paid his programmers $150 a month to 
pursue projects that he hoped would change the way Russians use the 
Internet in the same way the Silicon Valley dot-coms were transforming 
American culture. One employee was working on a more robust e-mail 
filtering system. Another person was trying to set up an Internet 
dating service. Yet another person was programming an online auction 
site. 

Two of Gorshkov's programmers, Maxim Semenov and Denis Bukarov, who 
U.S. authorities say were not involved in the extortion scheme, said 
they loved working for the company because of its ambition. Their boss 
encouraged them to spend part of their time tinkering with new 
technologies. 

"It's a problem to find an interesting job like the one I had" at 
tech.net.ru, Bukarov said. 

Michael said the hackers felt invincible, and in some ways they were. 
He described nights when none of the other programmers were around and 
the three of them would sit drinking vodka and singing songs. Ivanov 
loved tunes from old Russian movies and would begin to belt them out, 
off key. Gorshkov and Michael would join in. 

The more happy and playful their mood, he said, the more generous they 
would be to their would-be victims. 

Take the U.S.-based network administrator for a Singapore Internet 
service provider. Michael said he threatened to crash her system 
unless she paid up but she sounded so nice online that they felt bad 
about the whole thing. He told her that if she called up on the phone 
and sang "Happy Birthday" they would leave her alone. She did and he 
kept his promise to drop the extortion demand. 

No one would say what the group did with all its money. To friends and 
relatives, the changes in the men's lifestyles were subtle. They 
apparently didn't splurge on lavish dinners or buy expensive clothes. 
Ivanov wore secondhand jeans and old scruffy boots, said his 
grandmother, Raisa Gorshkova, 73. "He even smoked very cheap brand of 
cigarettes. Nobody smokes these anymore." 

Ivanov, though, bought a used car and a $1,000 cell phone. Gorshkov 
got an apartment for himself and his fiancee, Masha Milegova, whom he 
met on a trolley on the way home one night and who was pregnant with 
their first child. 

The hackers also used the credit card numbers they had purloined from 
companies that refused to pay their fee. Once, they ordered 15 DVD 
players and had them delivered to a mailbox across the border in 
Kazakhstan, less than an hour from their homes. They also ordered 
music CDs, movies, laptops, cell and satellite phones and other 
electronics. They also abused the PayPal system to turn the stolen 
credit card numbers into cash by setting themselves up as seller and 
buyer in online auctions. (PayPal officials said they have since taken 
steps to reduce the chances that perpetrators of that type of scam 
will succeed.) 

Later, in November 2000, Gorshkov threw a housewarming party for 
himself. One of the half-dozen or so close friends in attendance, a 
medical student named Yvgenia Peleskova, recalled that they drank beer 
and watched "Gone in 60 Seconds," a movie about ingenious car thieves 
who could break any lock, get past any alarm and never get caught. 

Peleskova remembered that it was a "big hit" with the people in the 
room. 

But while Gorshkov and Ivanov were laughing about their good fortune, 
they had become the target of a manhunt originating in America. Some 
of the companies the hackers thought were cooperating with them were 
actually working for the FBI. 


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.