
Kevin Poulsen, an editor at WIRED magazine and, in his youth, the blackhat hacker Dark Dante, wrote a book about "one of his acquaintances."
The book traces the path from a teenage geek (albeit a muscular one) to a seasoned cybercrime boss, and shows some of the methods the security services use to catch hackers and carders.
The book translation quest began in the summer at an IT camp for high school students (“Kingpin: students translate a book about hackers”); then Habr users and even, to a small extent, the editors joined the translation.
The book translation quest got a second wind thanks to Edison: when I gave them a draft to read, they shared their experience in creating a VPN network for anonymous customers.
Someone contacted them through an anonymous ICQ account and wrote in a distorted way, as if through a translator. He gave the technical specification in English and paid in WebMoney. He said that even if they were tracking him, he had taken care of everything. Two programmers worked on the task for a month and delivered on time; there were no complaints. (There are a few details that could be described in a separate article, if anyone is interested.)
Chapter 16. Operation Firewall
(Thanks to Habr user Find_The_Truth for the translation.)
Something strange was happening with ShadowCrew.
Max tried to keep a low profile on one of the most criminal sites on the entire Internet. For him, ShadowCrew was just a place where he could hack a couple of carders. However, in May 2004, the site administrator made an announcement that caught Max's attention. The admin, CumbaJohnny (Cumbajohnny), introduced a new VPN service for site members only.
A VPN is a virtual private network, used to provide remote access to one network over another: for example, an employee's access from home to the company's office network. But the main appeal of a VPN service was the ability to encrypt the data transmitted through it. For the underground, it was an ideal way to shield transactions from curious providers or law enforcement agencies, since any attempt to trace criminal activity would end where it began.
CumbaJohnny was the latest addition to the site's leadership: the former moderator had quickly risen through the site's hierarchy and begun to influence the mood of the forum. Other admins even noted an increase in user activity on the forum. Banners ran across the top of the site: “Stop talking, make money. Place an ad here. Contact CumbaJohnny.” ShadowCrew looked like a sign in Las Vegas: flashing banners promising an everlasting party, women and lots of money.

Gollumfun, a well-known founder, publicly announced his retirement from ShadowCrew just as another founder, BlackOps, also set out to leave. He wrote: “Being an excellent platform, ShadowCrew humiliatingly fell among children who do not value knowledge, skills and communication with other members of the site in a positive way. Those thoughtful tutorials have disappeared, dear users have disappeared, civilization has disappeared. We will no longer help newcomers look for their vocation, henceforth we will dishonor them until they leave the site, until they realize that there are no new users and there will not be. BlackOps, you will be missed. Thank you for your contribution.” CumbaJohnny responded very briefly: “ShadowCrew is changing. It's for the best.”
Max was not particularly interested in the changes in the site's political arena, but the appearance of a VPN puzzled him. It turned out that CumbaJohnny had been selling his personal VPN service to ShadowCrew's top members for three months. Now Cumba wrote that any ShadowCrew member with no penalties on record could buy a piece of peace of mind for 30-50 dollars a month.
However, VPNs are well known to have one weak point: everything transmitted over the network passes through a central point in unencrypted, vulnerable form. As one forum participant noted: “If the FBI or someone who really needs to get data gets into the data center and changes some settings of the VPN server, then the users of this server will be in for hard times.” “But this is just paranoia,” he admitted.
CumbaJohnny hurried to reassure him: “No one can poke around in the VPN without my knowledge.”
Max did not find these messages convincing. Back when he was a white hat, he had written a program for the Honeynet Project called Privmsg. It was a Perl script that took data from a packet sniffer and reconstructed IRC chats from it. When an attacker broke into one of the honeypots, he would try to keep in touch with other hackers. With Max's Privmsg program, specialists could see all of that correspondence. It was a major breakthrough in the fight against hackers, turning passive honeypots into powerful traps and shedding light on the motives and culture of the underground.
Now Max saw the same potential for data interception in Cumba's offer. There were other reasons to suspect Cumba. While hacking a random carder, Max had seen a message sent to the ShadowCrew administrator that looked like an instruction to an informant from a federal agency. Something told Max that the changes at ShadowCrew had turned the site into a new honeypot. After discussing his conjectures with Chris, Max posted several messages on the forum expressing his suspicions. The messages disappeared immediately. Max's suspicions were confirmed.

New York police had caught Albert “CumbaJohnny” Gonzalez nine months earlier, when he was withdrawing money from an ATM on the Upper West Side. Originally from Miami, Gonzalez was the 21-year-old son of two Cuban immigrants. He had been involved in hacking for a long time, and had once decided to visit Def Con in Vegas, in 2001. Talking with Gonzalez in custody, the Secret Service quickly realized how useful Cumba could be. Albert lived in a garden house in Kearny for $700 a month, had a debt of $12,000 and was officially unemployed. But as CumbaJohnny he was a confidant and colleague of carders around the world and, most importantly, a moderator at ShadowCrew. He was in the lair of the beast and, properly prepared, could deal a crushing blow to the forum.
On its own responsibility, the Secret Service had Gonzalez released and began using him as an informant. The VPN was the agency's masterful trick. The equipment was bought and paid for by the feds, who also obtained warrants to intercept the data of all users of the site. CumbaJohnny simply invited the carders to this freak show.
ShadowCrew's big players immediately came under Secret Service surveillance. The tapped VPN exposed the entire carding process, which until then had remained in the shadows: the tough negotiations conducted via e-mail and instant messengers.
Deals were made every day and every night, with a surge of trading on Sunday evenings. They ranged from small to giant. On May 19, agents watched Scarface transfer 115,695 credit cards to another member of the site; in July, APK handed over a fake British passport; in August, Mintfloss sold a fake New York driver's license, a health insurance card and a City University of New York student card to a person who had requested a full set of documents. A few days later another Scarface deal went through, this time for only two credit cards; then MALPADRE bought nine at once. In September, Deck sold a database of 18 million hacked e-mail addresses that contained usernames, passwords, and users' birth dates.
Fifty Secret Service agents tracked every transaction on the site, building the evidence base for the charges. Worst of all, most of ShadowCrew's inhabitants were paying to be monitored by Secret Service agents.
Soon the agents learned that there were gaps in their seemingly well-planned operation against the hackers. On July 28, 2004, Gonzalez told his handlers that a carder with the nickname Myth, one of King Arthur's cashers, had somehow obtained one of the agency's secret documents describing Operation Firewall. Myth immediately boasted about it in an IRC room.
The feds ordered Gonzalez to find the source of the leak as quickly as possible. Gonzalez contacted Myth under his nickname and found out that the documents in question were only a drop in the sea of Secret Service data. Myth also said that a criminal case was being pursued against ShadowCrew; he even said that the agency had an ICQ account.
Fortunately for Gonzalez, the documents did not mention the informant. Myth refused to give Gonzalez his source, but agreed to arrange a meeting. The next day, Gonzalez, Myth and the mysterious hacker, who used the temporary nickname “Anonyman”, met in IRC. Gonzalez did his best to earn Anonyman's trust until the hacker revealed his identity.
It was Ethics, a supplier whom Cumba already knew from his work at ShadowCrew. The leak was beginning to take shape. In March, the Secret Service had noticed that Ethics was selling access to a database of the major mobile phone operator T-Mobile. He wrote on the forum: “I offer access to customer information by the T-Mobile operator number. At a minimum, you will receive a name, social security number, and client’s birth date. As a maximum, you will receive a username and password to access the Internet, a voicemail password and a secret question / answer.”
T-Mobile had failed to fix a critical security hole in a server application it had purchased from BEA Systems in San Jose. The hole, which was discovered by third-party researchers, was embarrassingly simple to use: an undocumented function allowed files on the system to be deleted or changed by submitting a special web request. BEA issued a patch for this bug in March 2003 and assigned it a high severity rating. In July of the same year, the researchers who had discovered the hole gave a talk about it at the Black Hat Briefings in Vegas. That gathering, which precedes Def Con, drew 1,700 information security professionals and corporate executives, and gave the security hole a fresh round of publicity.
Ethics found out about the BEA hole, wrote 21 exploits in Visual Basic and started scanning the Internet for potential victims who had been unable to patch their applications or had forgotten to. By October 2003, he had compromised T-Mobile. Ethics wrote an application that let him access the customer database at any time.
To begin with, he used his access to get data on Hollywood stars. He managed to obtain candid photos of Paris Hilton, Demi Moore, Ashton Kutcher and Nicole Richie, stolen from their communicators. Now it was obvious that soon he would become an assistant to the Secret Service.
A simple Google search on Ethics's ICQ number turned up his real name, which appeared on a 2001 résumé from when he was looking for a job in computer security. He was Nicolas Jacobsen, a 21-year-old Oregonian who had moved to Irvine, California, to work as a sysadmin. All that the Secret Service needed in order to charge Jacobsen was important information on his communicator.
Here Gonzalez again showed himself in all his glory. Now on friendly terms with CumbaJohnny, Ethics became interested in the ShadowCrew leader's VPN service, explaining that he could use the T-Mobile database more safely over a virtual network. Gonzalez happily agreed to help, and his Secret Service masters watched, rubbing their hands, as Ethics wandered through the T-Mobile database using the login and password of Agent Peter Cavicchia III, a cybercrime veteran who had become famous for arresting an AOL employee for stealing 92 million customer e-mail addresses to sell to spammers.
The leak had been found. Cavicchia quietly resigned three months later, and Ethics was added to the list of Operation Firewall targets. There was another threat to the investigation and, oddly enough, it came from one of the FBI's assets.

David Thomas, a lifelong scammer, had discovered the crime forums at Counterfeit Library and soon became one of the crooks in the criminal community. Now 44 years old, El Mariachi, as he called himself, was one of the most respected members of the carder community, taking on the role of mentor to young fraudsters and giving advice on everything from identity theft to the life lessons he had learned on the fringes.
However, his experience did not help him avoid the dangers of his profession. In October 2002, Thomas showed up at an office park in Issaquah, Washington, where he and his partner had rented a drop for one of the founders of CarderPlanet. They hoped to pick up $30,000 in merchandise from Outpost.com, ordered by the Ukrainian. Instead, the local police were waiting for them.
Having arrested Thomas, the detective read him his rights and gave him a paper to sign confirming that he understood them. At the very thought that a local cop was trying to interrogate him, Thomas laughed. “You don't know who you got.” Thomas asked the detective to call the feds. The Secret Service ought to know who El Mariachi was: he could give them a case against the Russians and “millions of dollars.”
The Secret Service visited him in the county jail, but was not impressed by his $30,000 case. Then an agent from the local FBI office in Seattle appeared. At the second meeting, the agent brought an assistant US attorney and a proposal: the feds could not help Thomas with his local arrest, but once Thomas was released from prison, he could work for the Northwest Cyber Crime Investigation Task Force.
It would be an intelligence-gathering mission, the official name for an FBI operation with no predetermined targets. The bureau would give Thomas a new computer, put him up in a luxurious apartment, pay all his expenses and give him $1,000 a month in pocket money. In return, Thomas was to collect information about the underground and report all the news to the task force.
Thomas hated informers, but he liked the idea of getting paid to observe and comment on the underground he was obsessed with. Gathering information, he believed, was not the same as informing. He could use the material he collected to write a book about carding, something he had been thinking about a lot lately.
He also definitely knew how to collect information about the task force itself.
Thomas was released from prison five months after his arrest. And in April, the FBI received a new asset in the war against cybercrime: El Mariachi and his brand-new, government-funded forum, called the Grifters. (WIRED article)
Living in Seattle at the bureau's expense, Thomas very soon gathered plenty of information about his fellow carders, especially those from Eastern Europe. Although Thomas worked for the FBI, he felt no kinship with other government agencies, and the news about the VPN service led him to the correct conclusion: CumbaJohnny was an informant for the feds.
Thomas became fixated on exposing his rival. Ignoring the instructions of his FBI handler, he kept calling out Gonzalez on the forums. Gonzalez gave as good as he got: he found a copy of the police report on Thomas's arrest and sent it to the carders of Eastern Europe, drawing attention to the lines where Thomas offered to help catch the Russians. The war between the two informants set off a large-scale war between the FBI and the Secret Service.
It was a bad time for Western Europeans to be troubled by the American carders' drama. In May 2004, one of the Ukrainian founders of CarderPlanet was extradited to the United States after being arrested while on holiday in Thailand. The following month, British national police moved in on the site's English-speaking administrator in Leeds.
Script, under heat from the FBI in Orange County and the US Postal Inspection Service, had left the site, leaving King Arthur in charge. On July 28, 2004, the King made a statement.
He wrote: “It's time to let you know the bad news - the forum should be closed.” “Yes, it really means closing, and there are many reasons for that.”
He explained in broken English that CarderPlanet had become a magnet for law enforcement agencies from around the world. When carders got caught, the police pressed them for facts about the forum and its leaders. Under constant pressure, he might make a mistake. “We are all just people and each of us can make mistakes.”
By closing the CarderPlanet site, he would deprive his enemies of their fattest prize.
“Our forum prepared them well, constantly keeping in shape and reporting about all the news in the world of the underground. Now everything will be the same. They will not know where the wind is blowing from and what to do with it,” said Arthur.
With this farewell speech, King Arthur, a millionaire ten times over, became a legend among carders. He would be remembered as the man who carefully closed the great CarderPlanet before anyone else could enjoy destroying it.
ShadowCrew's leaders were less fortunate. In September, the FBI gave up on its operation with Thomas and gave him a month to leave the apartment and end his war with CumbaJohnny. The following month, on October 26, sixteen Secret Service agents gathered at the command center in Washington, ready to launch Operation Firewall. Their targets were marked on a map of the United States that filled the computer screens. The agents knew that each of their targets would be at home: on the Secret Service's orders, Gonzalez had called an online meeting for that evening, and no one said no to Cumba.
At nine o'clock in the evening, agents armed with semi-automatic MP5s broke into the homes of ShadowCrew members, seizing the three founders, the hacker Ethics and sixteen other buyers and sellers. It was the biggest raid on thieves in American history. Two days later, a federal jury issued sixty-two convictions, and the Department of Justice made information about Operation Firewall public.
“This sentence struck the very heart of the organization, which positioned itself as a universal market for thieves of personal data,” said Attorney General John Ashcroft. “The Department of Justice seeks to catch those involved in theft or data fraud, regardless of whether they are online or not.”
With Gonzalez's help, the Secret Service locked out the site's remaining 4,000 users and replaced the home page with a Secret Service banner in the form of prison bars. The new page carried a new slogan: “You are no longer anonymous!!”
In a panic, carders around the world began reading the news and watching television in search of information, worried about their own future and that of their compatriots. They gathered on a small forum called the Stealth Division to assess the damage and take stock of who was left. “I’m scared to death for my family, for my children,” wrote one of the cyber criminals.
“I just realized that every step I took was tracked.”
Gradually, the remaining members of the site realized that CumbaJohnny was not on the list of the accused. It was then that he appeared online to make his final statement.
“I want everyone to know that I am on the run and I have no idea where the US Secret Service came from to do what they did. From the news I found out that they had access to the VPN and to ShadowCrew. This is my last post, good luck.”
Nick Jacobsen, Ethics, was kept out of the press release and was held in Los Angeles. After the agency had collected all the awards for Operation Firewall, Ethics was charged with hacking the Secret Service email. Still, it was a clear victory for the government. CarderPlanet was closed, ShadowCrew was closed forever, and their leaders, except Gonzalez, were in prison.
Carders were dumbfounded, exhausted and, for the moment, deprived of shelter. “It will take dozens of years for something like ShadowCrew to appear on the Internet. And even if it does, the power of justice will defeat it again. And knowing what payment will follow this crime, I doubt that someone will risk starting a new business.”
Notes
Chapter 16: Operation Firewall
1 Banner ads appeared at the top of the site: This and other reporting on
Shadowcrew's contents comes from a mirror of the public portion of the site captured
in October 2004, immediately before it was shuttered.
2 The posts disappeared at once: Interviews with Max. Aragon independently stated
that he and Max tried to warn Shadowcrew members in advance of the Operation
Firewall raids.
3 The transactions ranged from the petty to the gargantuan: Transaction details come
from the Operation Firewall indictment, US v. Mantovani et al., 2:04-cr-00786, US
District Court for the District of New Jersey.
4 the Secret Service had noticed Ethics was selling: Ethics's hacking of the Secret
Service agent was first reported by the author: “Hacker penetrates T-Mobile
systems,” Securityfocus.com, January 11, 2005. His use of the BEA Systems exploit
came from sources close to the case and was first reported by the author: “Known
Hole Aided T-Mobile Breach,” Wired.com, February 28, 2005
(http://www.wired.com/politics/security/news/2005/02/66735). Also see US v. Nicolas
Lee Jacobsen, 2:04-mj-02550, US District Court for the Central District of California.
5 David Thomas was a lifelong scammer who'd discovered the crime forums: For
Thomas's history with the forums and the details of his work for the FBI, see Kim
Zetter, “I Was a Cybercrook for the FBI,” Wired.com, January 20, 2007. A US
government source confirmed to the author that Thomas had worked for the bureau
while running his forum, the Grifters.
6 “You don't know who you have here”: From the police report of Thomas's arrest.
“The problem with the Bureau and the Secret Service is they look at the largest
biggest deals they can get in on,” Thomas said in a 2005 interview with the author.
“They want the big enchilada.”
7 Their targets were marked on a map of the United States: Brian Grow, “Hacker
Hunters,” Businessweek, May 30, 2005
(http://www.businessweek.com/magazine/content/05_22/b3935001_mz001.htm). The identification of the Secret Service
agents' guns also comes from this story.
8 Attorney General John Ashcroft boasted in a press release: “Nineteen Individuals
Indicted in Internet 'Carding' Conspiracy,” October 28, 2004
(http://www.justice.gov/usao/nj/press/files/pdffiles/fire1028rel.pdf).
To be continued