
Underground carders market. Translation of the book "KingPIN". Chapter 24. "Exposure"

Kevin Poulsen, an editor at WIRED magazine and, in his youth, the black-hat hacker Dark Dante, wrote a book about "one of his acquaintances."

The book traces the path from a teenage geek (who also lifted weights) to a seasoned cybercrime boss, and shows some of the methods the authorities use to catch hackers and carders.

The translation of the book began in the summer at an IT camp for high-school students ("Kingpin: schoolchildren translate a book about hackers"); Habr users and, to a small extent, the editorial staff then joined in.

Chapter 24. "Exposure"

(Thanks to satandyh for the translation.)

Conviction

“Tea, these girls are white trash. You'd better not be friends with them,” said Chris. “They have different brains.”

They were sitting in Naan and Curry, a 24-hour Indian-Pakistani restaurant in San Francisco's theater district. It was three months after Tea had met Chris, and she was with him on one of his trips to the Bay Area, where he met his mysterious hacker friend Sam just before dawn. They were only four blocks from Chris's safe house, but Tea had not been introduced to the hacker, not now and not before. Nobody met Sam in person.

She was fascinated by how it all worked: the cashless nature of the crimes and the way Chris organized his team. He told her everything once he decided she was ready, but he never asked her to go shopping in stores like the others. She was special. He did not even like having her and his cash-out crew around at the same time, for fear they might somehow harm her.

Tea was also the only unpaid worker. After she refused the 40 bucks Chris left on the nightstand, he decided that Tea would take no money from him, despite the long hours she spent on CardersMarket and the Russian crime boards. Chris covered the rent on Tea's apartment, bought her clothes and paid for her travel, but she still found the existence a bit strange: living online, traveling on confirmation numbers rather than plane tickets. She became a ghost, her body in Orange County and her mind most often projected into Ukraine and Russia, courting the leaders of organized cybercrime as the emissary of Iceman, that is, of the carders of the Western world.

She found Iceman pleasantly cool toward her. He was always respectful and friendly. Whenever Chris and his partner got into one of their fights, each of them would whine and gossip about Tea to the other, just like children. At one point Iceman talked a lot of trash to her and suggested she go into business on her own, a move that really pissed Chris off.

One day, while Chris and Tea were sitting in the Indian eatery, a tall man with a ponytail came in from the street and walked to the back of the room to the counter; his eyes slid over them for just a moment before he picked up a takeout bag and disappeared.

Chris smiled. “It was Sam.”

Back in Orange County, Chris's counterfeiting operations brought in enough to send his children to private schools, cover Tea's apartment and, in July, start looking for a bigger and better home for himself and his family. He went house-hunting with Jennon and found a spacious two-story rental in the coastal town of Capistrano Beach, perched on a cliff above a sandy beach at the end of a quiet cul-de-sac. There were friendly neighbors, basketball hoops over the garages, and a boat moored at a nearby pier. The move was scheduled for July 15.

Jennon flew back for the Fourth of July holiday, Chris's last in the old apartment, but had to stay at Tea's place while Chris spent time with his family. It happened all the time: Jennon would fly into John Wayne Airport hoping to go clubbing with Chris, but instead he was forced either to hide out with one of the crews or to babysit Chris's boys at his house. Tea was tolerable company, unlike the cheap girls who cashed out Chris's cards, but the time in the Dana Point apartment dragged on.

He called Chris and complained that he was bored. “Come home,” said Chris; they were at the pool. “My wife is here with the children.”

Jennon brought Tea along; she had never seen Chris's apartment complex, just four miles from hers. When they arrived, Chris, Clara and the two boys were splashing in the pool, enjoying the sun. Jennon and Tea said hello and settled onto the lounge chairs by the house.

Chris was dumbfounded. “I see you brought your girlfriend,” he said irritably to Jennon.

Clara knew Jennon, the nanny, but had never seen Tea. She looked at the stranger, then at Jennon, then back at the Mongolian woman, and then realization and anger twisted her face.

It dawned on Jennon that he had done something stupid. The two women looked strangely alike. Tea was a younger version of Chris's wife, and from the first glance Clara knew that her husband was sleeping with this woman.

Chris pulled himself out of the pool and, with a neutral expression, walked over to where they sat. He squatted in front of Jennon, water from his hair dripping onto the concrete. “What are you doing?” he said in a low voice. “Get out of here.”

They left. For the first time since she had joined Chris Aragon and his gang, Tea felt dirty.

Chris was not angry; guilty, yes, but he had enjoyed the alpha-male thrill of seeing Tea and Clara in one place. Nevertheless, his fascination with Tea was becoming a problem. He had grown genuinely attached to her and her unusual habits, but she had become an unwelcome complication.

He found the perfect way out. He simply bought her a plane ticket for a long vacation in her homeland: he literally sent his fiery mistress to Outer Mongolia.

While Chris was distracted by his tangled love life, CardersMarket was consuming more and more of Max's time, yet he was still running his business as Digits. He had now moved into the restaurant industry, and it was more than paying for itself.

It began in June 2006, when a serious security hole turned up in RealVNC, a “virtual network computing” program used to administer Windows machines remotely over the Internet.

The bug was in the short handshake that preceded the establishment of every new session between a VNC client and the RealVNC server. The critical part of the handshake came when the server and client agreed on the type of security to apply to the session. It is a two-step exchange. First, the RealVNC server sent the client a short list of the security protocols it was configured to support. The list is just an array of numbers: for example, [2, 5] means the VNC server supports security type 2, a relatively simple password-authentication scheme, and type 5, a fully encrypted connection.

In the second step, the client told the server which of the advertised security protocols it wanted to use by sending back the corresponding number, like ordering Chinese food by the number on the menu.

The problem was that the RealVNC server never checked the client's answer against the menu it had offered. The client could send back any security type, even one the server had not advertised, and the server accepted it unconditionally. That included type 1, which was almost never advertised because type 1 meant no security at all: it allowed anyone to log in to RealVNC without a password.

Modifying a VNC client to always send type 1, turning it into a master key, was a trivial matter. An attacker like Max could point his patched software at any box running the vulnerable RealVNC and instantly enjoy unhindered access to the machine.
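The two-step negotiation described above, modelled as an added example (not RealVNC's code and not from the book): the server's offer and the client's one-byte answer are encoded as in the RFB 3.8 wire format, and the flawed server logic that trusts the answer is shown beside the check the fix needs. The type numbers follow the text; the function and field names are assumptions.

```python
"""RFB 3.8 security-type negotiation: vulnerable vs. hardened server side.

Added example; it is not RealVNC's code and not from the book. It models the
two-step exchange described above: the server offers a list of security types,
the client answers with one byte naming the type it wants.
"""

SEC_INVALID, SEC_NONE, SEC_VNCAUTH, SEC_RA2 = 0, 1, 2, 5
SEC_NAMES = {SEC_NONE: "None", SEC_VNCAUTH: "VNC Authentication", SEC_RA2: "RA2 (encrypted)"}


def encode_server_offer(types):
    """Server -> client: U8 count followed by one U8 per offered type."""
    return bytes([len(types)]) + bytes(types)


def decode_server_offer(msg):
    """Parse the server's offer back into a list of type numbers."""
    count = msg[0]
    return list(msg[1:1 + count])


def vulnerable_select(offer_msg, client_msg):
    """Flawed server logic: trust the client's byte without checking that it
    appears in the list the server itself just sent."""
    return client_msg[0]


def hardened_select(offer_msg, client_msg):
    """Fixed server logic: the client may only pick an offered type. Anything
    else is rejected (SEC_INVALID); a real server would then send a failure
    reason and close the connection."""
    chosen = client_msg[0]
    if chosen not in decode_server_offer(offer_msg):
        return SEC_INVALID
    return chosen


def run_handshake(select, offered, client_choice):
    """Drive one negotiation and report whether a session opens and whether it
    still requires authentication. Landing on SEC_NONE means no password."""
    offer_msg = encode_server_offer(offered)
    accepted = select(offer_msg, bytes([client_choice]))
    return {
        "accepted": accepted,
        "name": SEC_NAMES.get(accepted, "rejected"),
        "session": accepted != SEC_INVALID,
        "auth_required": accepted not in (SEC_INVALID, SEC_NONE),
    }


if __name__ == "__main__":
    # Server configured as in the text: it offers [2, 5] and never offers 1.
    for label, select in (("vulnerable", vulnerable_select), ("hardened", hardened_select)):
        honest = run_handshake(select, [SEC_VNCAUTH, SEC_RA2], SEC_VNCAUTH)
        rogue = run_handshake(select, [SEC_VNCAUTH, SEC_RA2], SEC_NONE)
        print(f"{label:10s} client picks 2 -> {honest}")
        print(f"{label:10s} client picks 1 -> {rogue}")
```

The hardened variant is the whole of the fix: membership in the offered list is the only thing the server has to verify before honouring the client's choice.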

Max started scanning for vulnerable RealVNC installations as soon as he learned of the gaping hole. He watched in amazement as the results scrolled down his screen; there were thousands of them: computers in homes and college dormitories, machines in Western Union offices, banks and hotel lobbies. He logged into one at random and found himself looking down the corridors through the security cameras in the lobby of a closed office building. Another computer belonged to a Midwestern police department, where he could listen to 911 calls. A third dropped him into a homeowner's climate-control system; he turned the temperature up ten degrees and moved on.

A small fraction of the systems was more interesting, and familiar from his ongoing intrusion into Pizza Schmizza: these were restaurant point-of-sale systems. This was money.

Unlike the simple, dumb terminals sitting on the counters of liquor stores and groceries, restaurant systems had become complex all-in-one solutions that handled everything from taking orders to managing seating, and they all ran Microsoft Windows. To support the machines remotely, the service providers shipped them with commercial backdoors, including VNC. With his VNC master key, Max could open many of them at will.

So Max, who had once scanned the entire US military network for vulnerable servers, now had his computers trawling the Internet day and night, finding and hacking pizzerias, Italian restaurants, French bistros and American grills, and harvesting credit card magnetic-stripe data wherever they found it.

Under Visa's security standards, this should not have been possible. Since 2004, merchants had been barred from using any point-of-sale system that retained credit card magnetic-stripe data after a transaction was completed. To meet the standard, all the major vendors had issued patches that protected their systems from carders. But restaurants were in no hurry to install them.

Max's scanning technique had several interlocking parts. The first was aimed at finding installed VNC servers with a fast “port sweep,” a standard reconnaissance method that relies on the openness and standardization of the Internet.

From the outset, the Internet's networking protocols were designed to let computers juggle different kinds of connections at the same time; today these include email, web traffic, file transfer and hundreds of more exotic services. To keep them all separate, computers open new connections using two pieces of information: the destination machine's IP address and a virtual “port” on it, a number from 0 to 65535, that identifies the type of service wanted. The IP address is like a telephone number, and the port is like the extension you key in at a company switchboard so it can route your call to the right department.

Port numbers are standardized and published online. Email software knows that the port for sending a message is 25; web browsers connect to port 80 to reach a website. If a connection to a particular port is refused, it is like a call that goes unanswered: the service you are looking for is not available at that IP address.

Max was interested in port 5900, the standard port for a VNC server. He pointed his machines at wide swaths of Internet address space, sending a single sixty-four-byte synchronization packet to each address to check whether port 5900 was open for business.

The addresses that responded to his trawling were passed to a Perl script Max had written, which connected to each machine and tried to log in using the RealVNC bug. If the exploit did not work, the script tried common passwords: 1234, vnc, or an empty string.

If it got in, the program pulled some preliminary information about the computer: the machine's name, and the resolution and color depth of its display. Max skipped computers with low-quality displays, figuring they were home machines rather than business ones. The operation was very fast: Max ran it on five or six servers at once, each of which could sweep a class B network, about sixty-five thousand addresses, in a couple of seconds. His list of vulnerable VNC installations grew by about ten thousand entries a day.
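From the defender's side, the sweep described above leaves a recognizable footprint: one source sending a lone SYN to port 5900 on host after host. This added example (not from the book) flags that pattern over constructed iptables-style log lines; the log format, the addresses and the three-host threshold are all assumptions.

```python
"""Flag a VNC port sweep in firewall logs: one source sending lone SYNs to
many distinct hosts on port 5900. Added example; the log lines below are
constructed in iptables LOG style and are not from the book or any real
incident."""
import re
from collections import defaultdict

# Constructed sample: 198.51.100.7 probes five hosts on 5900 within two
# seconds; 203.0.113.9 is an ordinary VNC client talking to a single host.
SAMPLE_LOG = """\
Jun 12 02:10:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=5900 SYN
Jun 12 02:10:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=40002 DPT=5900 SYN
Jun 12 02:10:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=40003 DPT=5900 SYN
Jun 12 02:10:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.13 PROTO=TCP SPT=40004 DPT=5900 SYN
Jun 12 02:10:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.14 PROTO=TCP SPT=40005 DPT=5900 SYN
Jun 12 02:10:02 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=5900 SYN
Jun 12 02:10:03 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=5900 ACK
Jun 12 02:10:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=40006 DPT=80 SYN
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)(?P<flags>.*)$"
)


def parse_line(line):
    """Pull source, destination, destination port and the SYN flag from a line;
    return None for lines that are not TCP firewall records."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dpt": int(m.group("dpt")),
        "syn": "SYN" in m.group("flags"),
    }


def find_port_sweeps(log_text, port=5900, min_targets=3):
    """Group SYNs to `port` by source and return the sources that touched at
    least `min_targets` distinct hosts, with their sorted target lists.
    A legitimate VNC user talks to one or two hosts; a sweep fans out."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["syn"] and rec["dpt"] == port:
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_port_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept {len(dsts)} hosts on 5900: {', '.join(dsts)}")
```

At the scale the text describes, a class B in seconds, the distinct-target count climbs far past any threshold almost immediately, so the same logic works as a streaming alert rather than a batch report.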

Point-of-sale systems were needles in a huge haystack. A few he could identify just from the name: “Aloha” most likely meant the Aloha POS terminal made by Atlanta-based Radiant Systems, his favorite target; Maitre'D was a rival product from Seattle-based Posera Software. For the rest, he had to guess. Any machine named “Server,” “Admin” or “Manager” deserved a second look.

Looking through his VNC client, Max could see the computer's screen as if he were sitting in front of it. Since he worked at night, the display of an idle PC was usually dark, so he would give the mouse a small nudge to dismiss the screensaver. For anyone in the room, it might have looked a bit creepy: remember the time your computer's monitor lit up for no reason and the cursor twitched? It could have been Max Vision, taking a quick look at your screen.

This part of the check was slow. Max enlisted Tea to help: he gave her a VNC client and started feeding her lists of vulnerable machines, along with instructions on what to look for. Soon Max was plugged into eateries across America. A Burger King in Texas. A sports bar in Montana. A trendy nightclub in Florida. A California grill. He moved on to Canada and found even more.

Max had started out selling dumps stolen from a single restaurant. Now he had as many as a hundred, feeding him credit card data almost in real time. Digits would have a lot more work to do.

With so much on his plate, Dave “El Mariachi” Thomas picked a bad time to become a real pain in Iceman's ass. In June, Thomas did something almost unheard of in the insular world of the computer underground: he took the forum fight public, into ordinary cyberspace, attacking Carders Market in the comments of a widely read computer security blog, where he accused Iceman of being “OP,” law enforcement.

“This is a site located in Fort Lauderdale, Florida,” Thomas wrote. “In fact, it's located in someone's house. Yet the OP refuses to shut it down. Even though this site sells PIN codes and PayPal and eBay account numbers and so on, the OP has been looking at other players all this time.”

“The OP claims they can do nothing about a site located in the United States. But, to tell the truth, the OP launched this site themselves, just as they did with the Dark Artel.”

By drawing attention to Carders Market's hosting arrangements, Thomas was aiming at Iceman's Achilles' heel. So far the site had kept purring along only because Affinity had not noticed the illicit server among its ten thousand legitimate sites. El set out to change that, complaining to the company again and again. The tactic had its own logic: if Carders Market really was under government control, the complaints would fall on deaf ears; only if it was a genuinely criminal site would Affinity take it down. If Iceman drowned, he was no witch.

A week after Thomas's post, Affinity abruptly cut off Carders Market. The shutdown upset Max; he had had a good thing going at ValueWeb (the hosting provider). Now he had to look for new, legitimate hosting abroad that could stand up to El Mariachi, at companies in China, Russia, India and Singapore. It always went the same way: they would ask for money up front as the price of entry, and then roll out red tape at the front door, demanding a passport and a business license or corporate documents.

“This isn't working because you have some stupid idiot saying 'CARDERS are here' or 'this is the CARDERS MARKET.' So, maybe?” Thomas wrote, taunting Iceman. “Maybe if you didn't shout 'CARDERS WORK HERE,' then you could have a small working site with the chance to grow it into the beast you so desperately need.”

Now it was personal: Thomas hated Iceman, fed or not, and the feeling had become mutual.

Max finally landed at Staminus, a California firm specializing in high-bandwidth hosting built to withstand DDoS attacks. By then Thomas was ranting and raving in the comments of a random blog called “Life on the Road.” The blogger had quoted Thomas's comments about Carders Market in a brief note on the forums, unwittingly turning his blog into a new battlefield in El Mariachi's war against Iceman.

Iceman picked up the gauntlet and posted a long public rebuttal of Thomas's accusations, charging his enemy with “hypocrisy and slander.”

Carders Market is not a “crime bulletin board” or an “empire” or any other such nonsense it is accused of being. We are just a forum that has chosen to allow discussion of financial crimes. We also reserve the right to judge which participants are real and which are fake, but that is only our opinion, and we make no money from it. We are only a MEDIUM for information, a FORUM through which this communication can pass without harassment. Carders Market is not involved in any crime whatsoever. Running a forum and allowing discussion is not illegal.

On craigslist.com there are individuals posting ads for prostitution, narcotics and other obvious crimes, but nobody yet calls craigslist a “one-stop shop for whores and drug dealers” or a criminal empire. It is regarded as the MEDIUM, which is not responsible for the content of the posts on it. That is Carders Market's position.


The bold defense completely ignored the detailed crime tutorials and reviews hosted on Carders Market, not to mention the site's hidden purpose: giving Max a platform to sell stolen data.

Knowing that his California hosting would not satisfy the underground, Max kept searching abroad. The next month he hacked his way into a new server, this time in a country as far from the United States as any on the Web, one unlikely to respond to complaints from Dave Thomas or even the American government.

“Carders Market is now in IRAN,” he announced on August 11. “Registration is open again.”

To be continued

Published translations and publication plan (status as of December 23)
PROLOGUE (GoTo camp students)
1. The Key (Grisha, Sasha, Katya, Alena, Sonya)
2. Deadly Weapons (Young programmers of the Federal Security Service of the Russian Federation, August 23)
3. The Hungry Programmers (Young programmers of the Federal Security Service of the Russian Federation)
4. The White Hat (Sasha K, ShiawasenaHoshi)
5. Cyberwar! (ShiawasenaHoshi)
6. I Miss Crime (Valentin)
7. Max Vision (Valentin, August 14)
8. Welcome to America (Alexander Ivanov, August 16)
9. Opportunities (jellyprol)
10. Chris Aragon (Timur Usmanov)
11. Script's Twenty-Dollar Dumps (Georges)
12. Free Amex! (Greenhouse social technology)
13. Villa Siena (Lorian_Grace)
14. The Raid (Georges)
15. UBuyWeRush (Ungswar)
16. Operation Firewall (Georges)
17. Pizza and Plastic (done)
18. The Briefing (Georges)
19. Carders Market (Ungswar)
20. The Starlight Room (???)
21. Master Splyntr (Ungswar)
22. Enemies (Alexander Ivanov)
23. Anglerphish (Georges)
24. Exposure (+)
25. Hostile Takeover (fantom)
26. What's in Your Wallet? (done)
27. Web War One (Lorian_Grace?)
28. Carder Court (drak0sha)
29. One Plat and Six Classics (+)
30. Maksik (+)
31. The Trial (+)
32. The Mall (Shuflin +)
33. Exit Strategy (done)
34. DarkMarket (Valera aka Dima)
35. Sentencing (comodohacker +)
36. Aftermath (ex-er-sis?)
EPILOGUE

Source: https://habr.com/ru/post/273725/
