
Underground carders' market. Translation of the book "Kingpin". Chapter 25. Hostile Takeover

Kevin Poulsen, an editor at WIRED magazine and in his youth the black-hat hacker Dark Dante, wrote a book about "one of his acquaintances."

The book traces the path from a teenage geek (who also lifted weights) to a seasoned cyber crime boss, and shows some of the methods the special services use to catch hackers and carders.

The quest to translate the book started in the summer at an IT camp for high-school students ("Kingpin: schoolchildren translate a book about hackers"); then Habr users and even a little of the editorial staff joined in.

The "book translation quest" got its second wind thanks to the company Edison.

MagisterLudi: "I apologize; towards the end of the year confusion set in again with the finished chapters, so we are publishing what we have, out of order."

Chapter 25. "Capture the territory"

(thanks to fantom for the translation)

"In war, the most important thing is speed: seize what he has not yet managed to reach; take the path he does not think of; attack where he is not careful."

Sun Tzu's "The Art of War" was Max's reference book. Sitting in his secret refuge, he sketched a plan of attack. There were five underground English-language carding sites, and four of them were redundant. He spent weeks studying the enemy: ScandinavianCarding, Vouched, TalkCash and, his main enemy, DarkMarket. That English site had appeared a month before CardersMarket and had made great efforts to build a reputation for being hack-proof.

In a sense, Max's plans to penetrate the other platforms rested on his positive qualities. It helped that he was not greedy and that he was doing his business at CardersMarket. The shadow carding scene was broken, and when Max came across something broken, he could not resist fixing it, just as he had done years earlier for the Pentagon.

Pride also played a role. It seemed the whole carding world thought Iceman was just an administrator who could only install software. Max saw a great opportunity to show the carders how wrong they were.

DarkMarket had a weak spot. The British carder JiLsi used the site, and he used the same password, "MSR206", everywhere, including on CardersMarket, where Max had access to all the passwords. Now Max could get into DarkMarket.

But Vouched was a fortress: you could not even reach the site without a trusted digital certificate installed in your browser. Fortunately, JiLsi was registered there too, and even had moderator rights. Max found a copy of the trusted certificate in one of JiLsi's e-mail accounts, which was protected by the usual password "MSR206". Now he only had to log on to Vouched as JiLsi, and the whole database was his.

Max found that the site search on TalkCash and ScandinavianCarding was vulnerable to SQL injection. Max was no pioneer here; vulnerability to this attack is commonplace among websites. SQL injection exploits the architecture of complex sites. When you visit a site with dynamic content (news items, blog entries, stock quotes, online shops), the site's software serves information retrieved from a database. That database usually lives on a different computer from the host your browser is connected to. The website is the facade; the server holding the data is walled off, ideally not reachable from the Internet at all. The site software talks to the data server in SQL (Structured Query Language). For example, the SELECT command asks the server for all the information matching certain criteria; INSERT adds information to the database; the rarely used DROP instruction deletes large amounts of data. This is a dangerous tool, because the software often has to send a site visitor's input to the server as part of an SQL command. If a visitor types into the search box:
Sinatra
the site software asks the server for the information like this:

SELECT titles FROM music_catalog
WHERE artist = 'Sinatra';

SQL injection happens when the software fails to process the user's input properly before passing it on as part of the command to the server. Punctuation can be confusing. If, in the example above, you type into the site's search box:

Sinatra'; DROP music_catalog;

note the apostrophe and the semicolons: because of them the server receives a command of the form:

SELECT titles FROM music_catalog
WHERE artist = 'Sinatra'; DROP music_catalog; ';

For the database these are two consecutive commands separated by semicolons. The first finds the Sinatra albums; the second deletes the music catalog.

SQL injection is a common weapon in the hacker's arsenal. Even today it is used to break into sites of every kind, including e-commerce and bank sites. So it was that in 2005 the TalkCash and ScandinavianCarding software came under fire.

To exploit the TalkCash vulnerability, Max registered and posted an innocent-looking message. Hidden in its body was an SQL command written in a font whose color matched the background, invisible to the eye. He then entered a search query, and the site software passed the hidden command to the database, where it was executed. The command was an INSERT, and it added another administrator to the site: Max. He did the same on ScandinavianCarding.
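An added worked example, not from the book or the Habr translation, that runs the two attacks described above against an in-memory SQLite database. The search function pastes the visitor's text straight into the query, as the forum software did, so the payload from the Sinatra example drops the catalog, and an INSERT payload of the kind Max used adds a new administrator; the parameterized version at the end shows the fix. The table and user names, the data and the payloads are constructed for the demonstration. Two details differ from the book's shorthand: real SQL spells the command `DROP TABLE music_catalog`, and the payload ends in `--` so that the closing quote the application appends is commented out rather than left as a syntax error.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the book).
CATALOG = [
    ("Sinatra", "In the Wee Small Hours"),
    ("Sinatra", "Come Fly with Me"),
    ("Coltrane", "A Love Supreme"),
]
USERS = [("jilsi", "moderator"), ("matrix001", "admin")]


def fresh_db():
    """In-memory database standing in for the forum's back-end SQL server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE music_catalog (artist TEXT, title TEXT)")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO music_catalog VALUES (?, ?)", CATALOG)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def _statements(sql):
    """Split the query text into the statements a server would run one after another."""
    for stmt in sql.split(";"):
        stmt = stmt.strip()
        if stmt and not stmt.startswith("--"):  # skip empty text and comment-only tails
            yield stmt


def search_vulnerable(conn, artist):
    """Search as the old forum software did: the visitor's text is pasted into the SQL."""
    sql = "SELECT title FROM music_catalog WHERE artist = '" + artist + "';"
    rows = []
    for stmt in _statements(sql):
        # sqlite3.Cursor.execute() refuses stacked statements, so each one is run
        # in turn, which is exactly what the database server at the far end does.
        rows.extend(r[0] for r in conn.execute(stmt))
    conn.commit()
    return rows


def search_safe(conn, artist):
    """Same search with a bound parameter: the visitor's text can never become SQL."""
    cur = conn.execute("SELECT title FROM music_catalog WHERE artist = ?", (artist,))
    return [r[0] for r in cur]


def table_exists(conn, name):
    cur = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    )
    return cur.fetchone() is not None


def admins(conn):
    return sorted(r[0] for r in conn.execute("SELECT name FROM users WHERE role = 'admin'"))


# Payloads (constructed). The trailing "--" comments out the quote the
# application appends, so the server sees only well-formed statements.
DROP_PAYLOAD = "Sinatra'; DROP TABLE music_catalog; --"
ADMIN_PAYLOAD = "x'; INSERT INTO users VALUES ('iceman', 'admin'); --"


def demo():
    db = fresh_db()
    benign = search_vulnerable(db, "Sinatra")   # an ordinary search still works
    search_vulnerable(db, ADMIN_PAYLOAD)         # second statement adds an administrator
    search_vulnerable(db, DROP_PAYLOAD)          # second statement deletes the catalog
    dropped = not table_exists(db, "music_catalog")

    db2 = fresh_db()
    safe_rows = search_safe(db2, DROP_PAYLOAD)   # looks for an artist literally named that
    intact = table_exists(db2, "music_catalog")
    return benign, admins(db), dropped, safe_rows, intact


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the two Sinatra titles for the honest search, the admin list with the injected account added, `True` for the dropped table, an empty result for the parameterized search (the whole payload is treated as an artist name) and `True` for the table it left intact.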

By August 14 Max was ready to show the carding world what he could do. He entered the sites through the holes he had quietly made and, using his bogus administrator accounts, copied their databases. The plan was worthy of Sun Tzu: none of the competing platforms expected an attack and takeover. Most carders shunned publicity and kept a low profile. A hostile takeover was unprecedented.

Having finished with the English-language sites, Max turned to Eastern Europe. He had wanted to unite the Eastern European carders with the Western ones, but Tea's efforts had been fruitless: the Russians liked the American Tea, but they did not trust him. Diplomacy had failed; it was time to act. He found that sites such as Cardingworld.cc and Mazafaka.cc were no better protected than the Western ones, and soon he was downloading private correspondence and forum posts from them. Megabytes of Cyrillic flowed to his computer. Secrets of fraud operations and accounts of hacker attacks against the West that had gone on for months now took up permanent residence on Max's hard drive in the Tenderloin, San Francisco.

Having finished downloading each database, he ran the DROP command on the site, erasing the original. ScandinavianCarding, TalkCash, Vouched, DarkMarket, Cardingworld: all these busy, round-the-clock trading platforms, used by about 10,000 people serving a shadow economy that turned over billions of dollars, ceased to exist. Six-figure sums belonging to criminal groups; spending money for children, wives or mistresses; police bribes; mortgage payments, debit accounts, bills: all of it vanished in the blink of an eye. Irretrievably. The money was lost. They would all have to learn the name Iceman.

Max kept working on the stolen information, leaving the Eastern European data aside. After removing duplicate and unwanted entries from the four English-language sites, 4,500 new members remained for CardersMarket. He added all of them to his site's database, so they could log in with their old logins and passwords. CardersMarket now had six thousand users, more than Shadowcrew ever had.

He announced the forced merger in a mass mailing to his new members. When morning came in San Francisco, he saw them all together, confused and furious, on his combined forum. Matrix001, the German administrator of DarkMarket, demanded an explanation from Iceman.

Master Splyntr, the usually taciturn spam king, began criticizing how Iceman had organized the stolen material. All the contents of the rival sites had been placed in a new section of CardersMarket called "History of posts from absorbed forums." The records were unsorted and it was hard to find anything; Max believed the information was worth preserving, but not sorting. At first Max watched from the sidelines, then joined the conversation and made it clear who was behind it all.

@Master Splyntr: "If you have nothing constructive or new to say, your comment is unwelcome. If you don't like how the dump is organized, go away and come back later, because it isn't sorted yet."


@matrix001: "The old forums were careless about security: shared hosting, no data encryption, logging of IP addresses, using 1234 as the administrative password (yes, really!) and permissive administrators. Some, such as Vouched, gave a false sense of security, which, as you know, is even worse.

You ask what all this means? If you mean merging five carding forums into one, the short answer is: because I have neither the time nor the desire to add four more of the nine that remain. Basically this step was overdue. Why have five forums with the same content, splitting sellers from buyers, with weak security, weak administration, weak moderation? It isn't just that; it's good for everyone. With proper moderation we will return to the original "hard" leadership with zero tolerance for ripping and anarchy in the discussion of topics and promotions. Right now there is a lot of garbage from the old forums, but we will clean it up.
What for? Security. Convenience. Better quality and less noise. Bringing order to the mess..."

A Canadian hacker, Silo, said that Iceman had destroyed the social ties that held the carding community together. He had destroyed trust.

Silo: "You have ruined the security of our community. You stole data from other forums. Could your merger have happened with the consent of the administrators of all the forums? What's the difference between me hacking your mail and reading it, or publishing it on the forum? Whichever way you look at it, you have shown how little anyone should trust in our community. My suggestion: you must delete the data you stole. The right thing would be to ASK the site administrators whether a single platform is in the interests of our community, and wait for their answer. That's my opinion."


There are many people with Iceman's skills. How they use them depends on society.

Vouched came back online, but not for long. It was supposed to be a private, secure forum open only to the elite. After Max's stunt, trust in it was shaken and nobody wanted to return. ScandinavianCarding and TalkCash were doomed: they had no database backups. Most of their customers stayed at CardersMarket.

Apart from the Russian forums, which Max could not use because he did not know the language, only one thing overshadowed Max's triumph: DarkMarket. His main rival had backups and began restoring at once, promising to be back in business within a few days. reach for yourself and for the community. The war had begun.

Meanwhile, in Orange County, Chris was also consolidating his business. He decided it would be convenient for all his full-time employees to live in one place. The Archstone apartment complex, rented out over the Internet, fitted his plans perfectly. Applicants could fill out an application on the company's website and pay a $99 deposit and the first month's rent by card. Chris could do everything online, and his employees did not have to show up until move-in day, when they would appear at the landlord's office, present ID and collect the keys to the apartments. He set up two of his employees and Marcos, his go-between, at Archstone Mission Viejo: furnished rooms in the style of mansions, painted in sunset colors and adjacent to a hill dotted with palm trees and high-voltage lines, a five-minute walk from his house. He also wanted to enlarge his team. One employee had left for Toledo after the second bankruptcy of her shop, and two others quit in disgust when Chris's teenage girlfriend got pregnant by him. Now he paid for the apartment of the young mother and their son, whose existence was hidden even from his own mother.

At the NCFTA office in Pittsburgh, Keith Mularski, who wrote under the name Master Splyntr, received a private message from Iceman two days after the takeover. The hacker apologized for some rash words on the forum. Anticipating the next stage of the confrontation between DarkMarket and CardersMarket, Iceman boasted that he could easily repel any DDoS attack on his site. Evidently, after searching the Internet for information about Master Splyntr, he had learned that this was a world-famous spammer with an army of bots. It seemed Iceman had unwittingly turned a mere critic into an implacable enemy.

"Don't be offended by my comments. It's true that if someone tries to attack my site I'll track them down and flood them or overwhelm them. But I didn't mean it as a challenge. Nobody wants to waste time on such things; honestly, DDoS brings no joy, so please don't draw the wrong conclusions :-)"


Mularski began to realize that new opportunities were opening up for him. Nobody trusted anybody. Everybody was angry with everybody. If he played both sides, he could raid the territory of both administrators while they fought over users. He had three separate accounts. He used one to answer.

"No problem, bro, we're a team. I can blurt something out in a temper myself. Why would I attack? Hell, my bots aren't even set up to attack yet. Mailings bring me much more. I don't do anything that doesn't bring income, unless I declare a vendetta, which I haven't. And if you get attacked, I'm also good at tracking and attacking; ping me on ICQ 340572667 if you need help. :-) MS"


Mularski sat in front of the monitor waiting for a reply. A few minutes later a message appeared on the screen:

"Thanks a lot :-). By the way, do you have any business ideas besides the trivial advice on organizational issues? I'm going to make changes, and now you can offer services and choose any nickname you like. I don't know whether you provide e-mail services, but I think it's cool to have your own network. I'm sure we could hire you. Also, if you suffered business losses, I apologize. I saved some vendors, but some were lost. Just letting you know. Thanks, bro :-) Also added you to the VIP group."


This was a promising reply. Mularski discussed everything with his supervisor, then turned to headquarters for Group II authorization: two steps below the FBI's "undercover participation", but one step above his role as a "passive observer". His status would not let him take part in anything illegal, but he could at last actively engage the underground. He named CardersMarket, and everything to do with the site's operation, as the subject of the investigation.

Permission came quickly. But despite the encouraging words, Iceman treated his dubious partner with caution; he kept Mularski at arm's length, shared no secrets, and chatted only through the site. The FBI agent had more luck on the other side. He had been one of the first members of DarkMarket, and after brief negotiations JiLsi, the site's founder, readily accepted Master Splyntr as a moderator. By early September, Splyntr was moderating the site.

The war flared up. Despite the lessons of the August invasion, JiLsi could not fully secure DarkMarket. Iceman began getting into the database regularly and deleting random accounts, just to annoy JiLsi. When DarkMarket responded with a violent DDoS attack on CardersMarket's Iranian host, Iceman responded in kind. Both sites buckled under the pressure of junk packets. Iceman quietly rented space from an American hosting company with a wide pipe, passed his traffic through it, filtered it, and forwarded it to his real server over an encrypted channel. JiLsi was tearing his hair out, sharing his troubles with Master Splyntr. Mularski shifted his attention from Iceman to the British cyber crime boss, who had begun treating him as a friend. He guessed that JiLsi was wondering whom to entrust DarkMarket to for invulnerable hosting: someone used to keeping up a site that everyone hated. A spammer.

"Well, you know what I'm capable of," he wrote in the chat. "I'm good at building servers, and I guard them around the clock. I can do this for you."


Mularski conceived an unprecedented plan. In the past both the Secret Service and the FBI had had informants as administrators: Albert Gonzalez at ShadowCrew and Dave Thomas at the Grifters. But actually running the site would give access to everything, from the carders' IP addresses to any sensitive information. If Master Splyntr hosted the site, he would gain a level of trust no agent could even dream of. JiLsi became interested in Master Splyntr's offer, and Mularski prepared for the next trip to Washington, DC.

To be continued

Published translations and publication plan (December 18)
PROLOGUE (GoTo camp students)
1. The Key (Grisha, Sasha, Katya, Alena, Sonya)
2. Deadly Weapons (Young programmers of the Federal Security Service of the Russian Federation, August 23)
3. The Hungry Programmers (Young programmers of the Federal Security Service of the Russian Federation)
4. The White Hat (Sasha K, ShiawasenaHoshi )
5. Cyberwar! ( ShiawasenaHoshi )
6. I Miss Crime (Valentin)
7. Max Vision (Valentine, August 14)
8. Welcome to America (Alexander Ivanov, Aug 16)
9. Opportunities (jellyprol)
10. Chris Aragon (Timur Usmanov)
11. Script's Twenty-Dollar Dumps (Georges)
12. Free Amex! ( Greenhouse social technology )
13. Villa Siena (Lorian_Grace)
14. The Raid (Georges)
15. UBuyWeRush (Ungswar)
16. Operation Firewall (Georges)
17. Pizza and Plastic (done)
18. The Briefing (Georges)
19. Carders Market (Ungswar)
20. The Starlight Room (???)
21. Master Splyntr (Ungswar)
22. Enemies (Alexander Ivanov)
23. Anglerphish (Georges)
24. Exposure (+)
25. Hostile Takeover (fantom)
26. What's in Your Wallet? (done)
27. Web War One (Lorian_Grace?)
28. Carder Court (drak0sha)
29. One Plat and Six Classics (+)
30. Maksik (+)
31. The Trial (+)
32. The Mall (Shuflin +)
33. Exit Strategy (done)
34. DarkMarket (Valera aka Dima)
35. Sentencing (comodohacker +)
36. Aftermath (ex-er-sis?)
EPILOGUE

Source: https://habr.com/ru/post/273357/
