0x00 Preface

As children we watched Hackers, Swordfish and other Hollywood creations. Despite our young age, inspired by them, we hunted for any information about hacking and phreaking we could find. I still remember CDs being passed around with collections of material from various echo conferences. We learned to program, worked out how IP networks, operating systems and all kinds of hardware are put together. Games of industrial espionage and other joys of childhood. The dream of stealing a million, preferably in dollars, with the help of a computer sat firmly in our heads. But... childhood passes, school ends, then come attempts at a business of one's own and jobs at various telecom companies, and the urge to steal turns into the urge to build an honest high-tech business, which turned out to be harder, and therefore more interesting. Still, it is not for nothing that they say opportunity makes the thief.
0x01 Who lives well in IT, or how it all began.
"In our business, the best reputation is having none." (c)

In 2008 there was a payment system, not big but not small either, and like everyone it had an admin who was familiar with information security and programmers who could write code that was not perfect, but fast. The management of the payment system came up with the idea of introducing automated workstations from which top-ups could be performed. No sooner said than done. The workstation software was written and delivered. True, the management, either in a hurry or out of sincere naivety, forgot to change the passwords on the test accounts. And so, quietly and peacefully, the admin gave birth to a new "business": topping up the balance of anything at half price. It so happened that a shake-up in the IT department led to layoffs, and the admin fell under them. He did not worry too much when he left; he kept topping up the mobile and internet balances of his friends. It was possible not to work and to live relatively freely. Off-the-books SIM cards and a mobile modem let him stay anonymous. But such a free ride naturally could not last forever, and one fine spring day in 2009 the interface was shut down, or the password was changed, or the IP was cut off. And the admin had already gotten used to getting money out of thin air at minimal risk. And he thought.
0x02 Knowledge is power.

"If you're worried, sit quietly. If the number isn't familiar, don't pick up the phone." (c)

Since the entire infrastructure of the payment system had been built by the admin, he naturally knew both its weak points and the internal layout of the network. Getting inside took about two weeks. After breaking into the gateway, nc was quickly set up with forwarding to the duty manager's RemoteAdmin. And so one dark evening, at half past twelve at night, sitting three blocks from the payment system's office in a small cramped room, three people were hunched over a monitor. PgAdmin is running on the screen, so as not to fall under the watchful eye of the insert log. SQL queries are written by hand, the table fields responsible for posting payments recalled from memory. Nerves shot to hell, the trio manages to push through a few lines. After that the mouse pointer on the screen started twitching: apparently someone on the other side noticed that something not quite right was happening on the monitor =). And instead of calling Department K, the duty administrator thought of nothing better than to close RemoteAdmin, although in essence it was possible to look where the "hackers" were sitting and trace them. Connection broken. You cannot step into the same river twice. Those behind the monitor smoke nervously. Calls from the payment system to the mobile add to the nerves. Apparently the payment system had decided that only former employees could have done this. In general, they were not far from the truth.
0x03 Freebie.

"Here it's like at the market: you grab it, and it's good if the way back is near." (c)

One and a half months passed after that unsuccessful night. Still, the idea of grabbing a piece sat firmly in the head of the payment system's former administrator, and all of it was discussed with certain individuals who might come up with something. By long tradition, all this was discussed in kitchens over a certain amount of alcohol. And on one of those evenings luck let itself be caught by its blue tail. There were two people in the kitchen. The third, a technician who set up the payment system's terminals, was invited over "for a beer", and he showed up after work with beer. And with his work laptop. Whether his laptop had been out of his hands for long, or whether mobile modems were being tested on it for some reason, history keeps dead silence. It is only known that at one fine moment, when he and the owner of the apartment (the former administrator) stepped out of the cramped kitchen for a smoke, another shady character quickly found the folder with the terminal software and copied it onto a USB flash drive. The beer was drunk, the technician left. The admin spent the whole of the following week getting hold of a CashCode bill acceptor, a thermal printer and an old computer to plug it all into. Once found, it was assembled, switched on and connected. A pair of VDS servers in Belgium with logs completely disabled for anonymity, paid for in WebMoney from the original accounts, plus a VPN. Orders from acquaintances, then a night-time transfer of money while emulating terminals from different parts of the city. In the morning, PIN codes handed over for activation. Then some friends who were "in the know" began collecting orders and buying in bulk. It came to about 30-40 thousand a month, but that started to seem small, and then one acquaintance offered to introduce him to the owner of an electronic money exchanger. The first order amounted to 150 thousand.

And onward from there. These were probably the most unfortunate days for the payment system, since everything was done from off-the-books mobile modems with off-the-books SIM cards and numbers that were used once and then thrown away. Along the way, the business of trading in off-the-books SIM cards was mastered. Sales staff of almost all the mobile operators happily entered fake passport data for small fees.
0x04 Cash.

"I stole a lot when I was little. But I never stole just one candy, I stole the whole box. And I also liked to break into people's houses and walk around in them. I found it quite comfortable being in someone's empty house." (c)

It would seem the business was up and running; what else was needed? But the admin's mind wanted to play for the biggest stakes. The preparation was appropriate. Fake notarised copies of passports to send to WebMoney and Yandex Money. The time window in which the maximum amount could be transferred was found out. Having connected all the necessary devices to the computer and plugged a line from a well-known provider into it, armed with a 5000-ruble note, he began the process. First, breaking into the payment system's database again, he turned off the restriction on manual payments, for which only one boolean field in the payment settings table had to be changed; then, holding the bill acceptor's shutter, he began feeding money into several accounts. Having pushed through more than 1 million rubles, he switched it off and went to bed.

The dream had come true: the accounts, even if virtual, held more than a million in money, and this could be done more than once.
0x05 Instead of an epilogue.

"If they give, take; but don't steal." (c)

In truth, the dream of repeating this process was not destined to come true. At around 6 in the morning, officers of Department K entered the apartment. It turned out that the payment system's employees had been reading the logs like a bedtime novel for 3 months in a row. Until then they could not determine who was making these bold raids, or from where. This time something went wrong. Either the SIM card refused to work, or the modem did. And our hero went through his Belgian VPN tunnels directly from his home provider's line. Stupid? Probably yes. Having exposed his real IP for about 2 nights, an hour later Department K knew the address to go to. Then arrest. Pre-trial detention. 9 long months waiting for the court's decision. Then 4.5 years suspended. One vague question remains: what if the "conditionally anonymous" communication channel had been used again? Would they have caught him on the cash-out? Or would the laundering through some RBC-Money have done its job? :)
P.S. Answers to questions that are likely to come up after reading, or during it:
All the events described are real and took place in 2009.
Well, I'll say at once: I am the author of the post, not the hero of this story; I just had the opportunity to see all this with my own eyes, and I know some of the details well enough. So I thought the Habr community might find it interesting.