Underground carders market. Translation of the book "KingPIN". Chapter 15. "UBuyWeRush"

Kevin Poulsen, editor of the magazine WIRED, and in his childhood blackhat, the hacker Dark Dante, wrote a book about " one of his acquaintances ."

The book shows the path from a teenager-geek (but at the same time pitching), to a seasoned cyber-pahan, as well as some methods of the work of the special services to catch hackers and carders.

The beginning and the translation plan are here: “ Shkvoren: schoolchildren translate a book about hackers ”.
')
I have the following logic for choosing a book for working with schoolchildren:

• there are few books about hackers in Russian (one and a half)
• There are no books about carding in Russian at all (there was one UPD )
• Kevin Poulsen - WIRED Editor, No Stupid Comrade, Authoritative
• to introduce young people to the translation and creativity on Habré and get feedback from elders
• schoolchildren-students-specialists work in spike very effectively for training and shows the significance of the work
• The text is not very hardcore and is accessible to a wide range, but touches upon issues of information security, vulnerabilities of payment systems, the structure of the carding underground, basic concepts of the Internet infrastructure
• the book illustrates that "feeding" in underground forums - ends badly

The book has been completely translated , now we are translating the articles of Paul Graham . Who wants to help - write in a personal magisterludi .

Chapter 15. "UBuyWeRush"

(thanks for the translation thanks to habster ungswar )

A shabby shopping center was located in the vast plain interior of Los Angeles, which would hardly have been printed on a postcard. Far from the ocean and so far from the hills that squat plastered structures could become the Hollywood scene, where the inexpressive blue sky behind them would play the role of a chromakey, which would be filled with mountains or trees during post-production.

Chris parked the car in the parking lot littered with garbage. On the Marquise in front of the entrance, the top sign advertised the saloon of “The Country of the Cowboys”, below was a typical set for the south of Los Angeles: a wine shop, a pawnshop, a nail salon. Another was not quite normal: UBuyWeRush (You Buy We We Break) is the only store sign in Los Angeles, which was also a nickname on CarderPlanet (Planet of Carders) and Shadowcrew (Shadow Team).

He went inside the office, where an empty reception desk offered to rent the premises of the former medical clinic at 60 cents per square meter. On the wall was a map of the world in the Mercator projection, bristled with office pins. Chris warmly met UBuy personally - Caesar Carrens.

Caesar came to the underground in a roundabout way. In 2001, he graduated from the DeVry Institute with a degree in programming and hoped to find work on the Internet. When he couldn’t find one, he decided to try himself as an independent entrepreneur on the net.

From an ad in the Daily Commerce newspaper, he learned about the upcoming auction, where owners of a public warehouse in Long Beach sell the contents of containers abandoned by tenants. Having arrived at this auction, he found that a very specific ritual was being observed there. The manager, armed with an impressive bolt cutter, cut the unscrupulous owner’s lock in front of the auction participants and opened the door. Participants - there were about twenty - tried to assess the contents of standing at a distance of several meters. The winner could close the container with his padlock and had to clear it from its contents within 24 hours.



Experienced bidders were easily identified by locks and lanterns hanging from their belts to peer into dark containers. Caesar was not so prepared, but was full of enthusiasm. He was the only one who made a bid for the first auction lot, having obtained a container full of old clothes for $ 1.

He sold clothes at a garage sale and on eBay for about $ 60. Realizing that he had found a good niche, Caesar began to attend more auctions in warehouses and business liquidations by breaking up large lots and selling them on eBay with fairly good profits. He put the money back into the business and opened his own showcase in the Long Beach shopping center to take goods from neighbors: office furniture, lounge chairs, jeans of unknown manufacturers, and sell them online.

It was a good, honest job — not his last business. For most of the years in the 90s, Caesar dealt with credit card fraud. He was much happier now when he was selling through eBay, but memories of the past made him think: what if there was a specialized equipment shop that he used as a fraud. He ordered several MSR206 (magnetic stripe encoder cards, out of production - editor's note ) from the manufacturer and placed them in his UBuyWeRush store on eBay. He was impressed with how quickly they were snapped up.

One of his new customers told him about sites where he could really sell. He introduced Caesar to Script, who approved UBuyWeRush as a seller on CarderPlanet. Caesar posted his opening remarks on August 8, 2003: “I decided to provide you with all the things you guys need to do a lot of bucks,” he wrote. “So if you need me, I sell card printers, embossers, tippers, encoders, small readers, and so on. I know it sounds like an advertisement, but this is for you, a SAFE place to shop. ”

The business took off that night. Caesar created his own website, started trading on Shadowcrew, received a phone number 800 and began to accept e-gold, the favorite anonymous online currency of carders. He has earned a reputation for excellent customer service. With clients in any time zone, he was very scrupulous and answered phone calls whenever they happened - day or night. There was always money on the other end.

Being a responsible businessman, he guaranteed shipping on the day of the order and lined up relations with his competitors, so that if he suddenly had a shortage of one of the goods, he could replenish the stocks of a competitor to fulfill orders and leave his buyer satisfied. Such strategic moves soon made UBuyWeRush a top supplier of equipment for hackers and hijackers of personal data around the world.

“A really good person who is pleasant to deal with,” wrote Karder, who calls himself Fear, advising the newcomer site Shadowcrew. - “Do not throw UBuyWeRush, because he is a cool guy and will keep information about you in secret.”

Soon Caesar expanded the assortment to hundreds of units: skimmers, special cameras for photo on documents, presses for foil stamping, clean plastic, barcode printers, embossers, receipt paper, magnetic ink cartridges, even cable TV decoders. The equipment trade itself was legal until it was used for criminal purposes. He even had law-abiding customers who bought his equipment for the manufacture of company certificates and school lunch tickets.

Heaped up with orders, Caesar advertised to find helpers in the appropriate section and began hiring workers for keeping records, packing and sending goods. When the next room opened, he joined them as an additional warehouse, doubling and then tripling its area. Enchanted by the global reach of his modest little shop, he bought a wall map and, each time sending an order to a new city, stuck a button to the place of departure. Six months later, the map was studded with buttons, like a porcupine, across the United States, Canada, Europe, Africa and Asia. An impassable forest of metal on the map grew south-west of Russia on the Black Sea. In Ukraine.

Chris and Caesar became friends. He even invited him to dinner with Mrs. UBuyWeRush - Klara, as well as his two sons Chris - well-mannered children, who remained at the table until the dessert itself. Chris especially liked to hang out at Caesar's office. You never know who will come to UBuyWeRush. Carders are too paranoid to order the delivery of illegal equipment even to a front person, so in most cases they were ready to make a trip to Los Angeles and take their belongings personally, opening the door with a shirt sleeve, so as not to leave fingerprints, and paid in cash. Foreign carders vacationers in California drove in just to see the legendary warehouse with their own eyes and shake hands with Caesar.

That day, the man who came in to pick up the MSR206 was the last one Chris had expected to see in Caesar's shop — a two-meter-long hacker with long hair gathered in a ponytail.

Chris was shocked. Max rarely left San Francisco lately, and he didn’t say anything about going to the city. Max was just as surprised to see Chris. They awkwardly exchanged courtesies.

There was only one reason that would have made Max secretly get to Los Angeles to buy a personal magnetic stripe encoder - Chris knew that. Max decided to stop sharing the most valuable data.

- Max had a hand in one of the biggest security mistakes in banking history, one that most consumers would never have heard of, while it was enriching carders with millions of dollars.

Commerce Bank - a medium-sized bank in Kansas City, Missouri - may have been the first to understand what is happening. In 2003, the bank security manager was warned about the need to check client accounts, from which sums of 10 to 20 thousand dollars were withdrawn from ATMs in Italy during the day - he would come on Monday and find that his bank had lost 70 thousand dollars over the weekend. When he conducted the investigation, he realized that the affected clients were victims of phishing attacks aimed specifically at stealing the numbers and PIN codes of their debit cards.

But something in this story did not make sense: the CVV codes should have prevented this kind of fraud. Without a CVV security code stored on a magnetic stripe card, the information stolen using phishing should not work on any ATM in the world.

He dug deeper and found out the truth: his bank simply did not check the CVV codes either at ATMs or when making purchases on debit cards, where the buyer enters a PIN for authorization. In fact, the bank could not conduct such a check, even if it wanted to - the third-party processing network used by the bank did not even transmit the secret code. Italian phishers could make any nonsense in the CVV field and the map would be accepted as valid.

The manager changed the processing network and reprogrammed the server for CVV verification. The mysterious withdrawals of money from Italy ceased that night.

But Commerce Bank was just the beginning. In 2004, about half of US banks, credit and savings organizations and credit unions still didn’t care about verifying CVV at ATMs and debit transactions, so inboxes were filled with phishing emails aimed at banks ’PIN codes that carders called" cashable. "

Citibank - the largest national bank in terms of deposits - was the most famous victim. "This message was sent by the Citibank server to clarify your email address" - you could read in a message from Russia during the September 2003 campaign - "You must complete this process by clicking on the link below and entering your card number in the appeared small window Citibank and the PIN you use at an ATM. ”

More creative messages in 2004 made use of client-based cyber-crime fears. “Not so long ago there was a large number of attempts to steal personal data sent to Citibank customers,” read the message, decorated with the logo of Citibank. - “In order to secure your account, we ask you to update the PIN of your Citibank card.” Clicking on the link, the bank client got on a perfectly prepared similarity of the original site, hosted on a hosting in China, where the victim was asked to enter data.

Perfect for direct cash withdrawal, PINs were the holy grail of carding. And there was King Arthur from the CarderPlanet site, which was most successful in his search. The king, as his friends called, led an international network that specialized in attacks on Citibank customers. He was a legend in the world of carding. One of the deputies of King Arthur, an American expat in England, once mentioned to a colleague that the King makes $ 1 million a week in international operations. And he was just one of many East European immigrants who had been cashing in America.

Max got involved in the story of Citibank in his own way: he infected an American cashman under the nickname Tux (Tux) with a Trojan and began intercepting PIN codes and account numbers that he received from his supplier. After a while, he contacted the source of supplies - an anonymous East European, who, as Max suspected, King Arthur himself was hiding - and frankly confessed to him that he had done: he said that Taks was guilty of a careless security attitude . To be sure, Max added the unsuccessful accusation of the cashier in robbing his supplier.

The supplier immediately ended the relationship with the Taxi and began to send PIN-codes directly to him, recognizing the hacker as his new cashier.
When the PIN codes began to arrive, Max handed them over to Chris, who had burst into them with all his might. Chris shot $ 2,000 in cash — the daily limit of ATMs — then sent the girls shopping in stores until the bill was completely empty. He gutted the cards. Max didn't like it. The whole point of cashing was to get cash, and not to resell items only for a fraction of their value. By adding a bit of finesse to the scheme, it was possible to make the cards more liquid.

Then it occurred to him that he did not need his partner for these specific operations at all.

Returning from UBuyWeRush with his own MSR206, Max started doing business on his own. He coded a pack of Visa gift cards with billing information and wrote her PIN on each piece of paper attached to each card. Then he got on his bicycle or walked along a winding path through the whole city, visiting small private ATMs located in places inaccessible to surveillance cameras.
He entered the PIN, the withdrawal amount and the clack, clack, clack, clack - ATM dispensed cash as a slot machine in a casino. Max cleared the money, wrote down a new balance on the card’s account, looked around to make sure he didn’t get too much attention, and took out the next card from the set. In order not to leave fingerprints, he pressed the buttons through a piece of paper or nails, or covered the tips of his fingers with hydroxyquinoline, a transparent, sticky antiseptic that was sold in pharmacies as a liquid adhesive.

Max regularly sent a percentage of his revenue to Russia through Western Union's MoneyGram system, according to their contract with the supplier. Now he was in fact a criminal and was engaged in a uniquely underground business. Even after he got his own coder, Max continued to give away some PIN codes to Chris, who continued to force his team to aggressively squeeze the bills to the end.

Obviously, Max’s fishing wasn’t particularly similar to Robin Hood’s activities, but Max felt moral comfort from the fact that cash withdrawal always ended with card blocking. This meant that fraudulent cash withdrawals were discovered and Citibank would be forced to compensate for the loss of its customers from thieves.

A few months later, Max got a good job at the losses of Citibank: he and Charity moved to a house worth $ 6,000 / month. in Cole Valley, San Francisco, and set up a cash deposit box of $ 250,000.

His profit was only a small part of all losses from a CVV-code error. In May 2005, analysts from Gartner (Gartner) surveyed 5,000 online consumers and, after extrapolating the results, summed up: this error cost US financial institutions $ 2.5 billion. In just 1 year.

To be continued...