Posted by david b. on April 4, 2012
Read previous: The machinery of cybercrime 2: terror funding via the Internet
Jeff Bardin entirely dedicates the final part of “The Machinery of Cybercrime” talk to the card and ID markets as a substantial component of the large-scale worldwide criminal effort. Some of the specifics touched upon are peculiarities of carder sites, notorious kingpins of this fraud, and the ways this malign industry overlaps with terrorist activities.
Carderplanet forum screenshot
Well, let’s move into card and ID markets and where this tie to terrorism comes into play. The card and ID markets are where you actually go out and buy your information. This one here, ‘Carderplanet’, is no longer up, but if you look closely at the screenshot you can see some of the information here: there are articles out there from experts on how to go about stealing information; hacking tools; how to go and create IDs, buy IDs out there, where they are sold and manufactured; information on how to write malware is out here.
And as you dig deeper into this you get a lot more information. You have to enroll on the site, you have to create an ID, and you have to start to be trusted. Sometimes you come in and you’re kind of a junior partner on this site. You have to build up a reputation on this site as someone that’s being trusted, which means you start buying this information and using it out there because you start to buy.
Along with English-speaking carder sites, there are Spanish, there are Russian ones – there are a lot of different sites as they put it in multiple languages since it’s a worldwide underground cybercrime effort.
So ‘Carderplanet’ was one of the first ones out there. And you can get all the information on anonymity and security: how to make sure you are anonymous when you come on these sites and maintain that when you’re acquiring this information and then using it.
So why would they offer this type of information? Because they want repeat buyers, they want them to come back, they don’t want these folks to get caught, so they offer them instruction on how not to, so that they can continue to feed the cycle of fraud.
Shadowcrew forum screenshot
Now, this site was ‘Shadowcrew’ (see screenshot). ‘Shadowcrew’ was definitely known to be used by terrorists. So, terrorists come into these sites as well and they participate in them. They will use a little bit of money to go out and buy a series of credit cards, and that money then builds – they steal the money using the credit cards, they get a lot more money, and it just continues to build just up to that 3.5 million dollar market, which these folks have done over and over again.
So, they participate in these sites. Now, a lot of these sites though were owned and managed and delivered by people here in the U.S., so unbeknownst to them or known to them, they were actually aiding terrorist activities by allowing anyone to come in with the money to acquire these credit cards and to go ahead and be part of the forum.
So this one here – ‘Shadowcrew’ – was definitely known to be used by Younis Tsouli and Tariq al-Daour. And so, they were on this site, they tracked it on their PCs and laptops when they were arrested back in 2003, and found that they had used it heavily, that they had participated here, and that they had stolen credit cards here. They’d learned how to do this stuff through these sites. Some of the hacking instructions came from Iran, IDs and passports were acquired through these which they then in turn used within the terrorist environment.
What eventually happened is a gentleman came around. This gentleman was known as Max Ray Vision, and he’s cited, you know: “There is no honor among thieves.” He had his own site called ‘CardersMarket’, and these other sites were up there. So what he decided to do is, you know: “I want to take them over” – basically a hostile takeover.
He hacked each one of these sites, he stole the credit card information, he siphoned it to his own database, he deleted their databases, knocked down these sites and created just one credit card forum.
So, that was basically a hacker’s overthrow of this and a hostile takeover. That upset a lot of people in the community out there, but it made him the kingpin.
Forum post on DarkMarket
And one of the sites that was actually knocked down here was ‘DarkMarket’. If you look at this site (see screenshot), one of the things that ‘DarkMarket’ offered was a minimum of 1,500 dollars for a Western Union or MoneyGram order, so: “I’ll give you a dump and this dump gives you credit card information”. And if this information is from the U.S. and Canada, and this is Visa, MasterCard Classic – it’s 20 dollars a piece. Gold, Platinum, Business, Corporation, Signature cards are 30 dollars, American Express for all of them is 15 dollars, Discover cards are 20-30 dollars. And nowadays, it can be down from 50 cents to a couple of bucks per card. Why? Because the market’s been flooded with credit cards, because we are still exposed. So, it’s supply and demand: if the supply is huge the price will come down, if it’s not – it goes up. So in the 2003-2006 time frame, the price was pretty high, but now it’s actually dropped down.
And if you want, you can look at Europe and Asia, get different information out there. And then you’ve got ICQ in the red down on the bottom, that’s an Internet relay chat ID, and when you start communicating, they will give you some other information as we build some trust and before we start the transaction.
Again, Gold, Platinum cards here – 80 dollars. Why? Because they are unlimited, unlimited spend on it in a lot of cases: American Express, Gold – unlimited. You have to pay every month the full balance, but if it is unlimited spend you can really make a lot of money quickly off those types of cards.
So, we go back here, one thing here is Max Vision – ‘DarkMarket’ was actually dropped and knocked offline, but it was brought back online by the FBI, and my colleague Keith Mularski was one of the main people on this site. He actually had developed a persona, where he was accepted on this site.
Eventually, Max Ray Vision, better known as Max Butler, who is now serving jail time – he believed that Keith and company under his persona was a federal agent, but he couldn’t get anybody to believe him, largely because he’d cried wolf before. So Mr. Mularski was able to maneuver around this. And eventually, there was no one who knew who Max Ray Vision was, except one person. And they were able to arrest that person, that person gave up information on Max Ray Vision known as Max Butler, and eventually he was arrested. And most of that occurred right here in San Francisco. He had set up shop in hotels, in the financial district, stealing information off of wireless networks amongst other things that are setting up these markets.
So ‘DarkMarket’ came back up and eventually was used to help take down Max Butler and company.
But in the meantime, it was too late for a lot of information that had been siphoned off to terrorists and used by them to fund their activities.
Credit card numbers check tool
So, another tool they used here is this list of credit card numbers (see screenshot). And if you go back to that “How do I know what credit cards I am using?”, you can use that to determine a card. So, 55 is a MasterCard; 40, I think it is probably a Visa. And you can go back and determine where these are with that information. And you can see some of the transactions occurring here: authorization codes, what type it is, debit or credit, and the banks it’s used on – Citibank South Dakota, Chase Bank National Association, Metro Credit Union, Northern Bank & Trust Company. For different banks around the U.S. this was being used. Even the location of this: Atlanta, New York, Wilmington, Newark (Delaware) – all the big banking areas where Chase and others have locations, Massachusetts and so on… So, this is one of the tools that you can see how they used it, and they have check numbers, they are pretty sophisticated.
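The two checks the speaker points at in that tool, the issuer prefix (“55 is a MasterCard”) and the check number, are exactly what a defender runs the other way round: scanning logs or a dumped forum post for exposed card numbers. The following is an added example, not the talk’s tool or code; the regex, the constructed log lines, the bank names and the public test card numbers are assumptions for illustration.

```python
import re
from typing import Optional

# Constructed log excerpt standing in for data to be scanned; the PANs are public test numbers.
SAMPLE_TEXT = """\
auth ok code=A1B2C3 pan=4111111111111111 type=credit bank=Chase Bank NA city=Wilmington
auth ok code=D4E5F6 pan=5555 5555 5555 4444 type=debit bank=Citibank SD
auth ok code=G7H8I9 pan=3782-822463-10005 type=credit bank=Metro Credit Union
auth fail code=J0K1L2 pan=4111111111111112 reason=bad-check-digit
order id=1234567890123456 ts=2012-04-04T10:00:00Z
"""

# Candidate: 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer number.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Return True if the trailing check digit satisfies the Luhn mod-10 rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0

def network(digits: str) -> Optional[str]:
    """Classify by issuer identifier prefix and length (the '55 = MasterCard' lookup, generalised)."""
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and len(digits) in (13, 16, 19):
        return "Visa"
    if (51 <= two <= 55 or 2221 <= four <= 2720) and len(digits) == 16:
        return "MasterCard"
    if two in (34, 37) and len(digits) == 15:
        return "American Express"
    if (four == 6011 or two == 65) and len(digits) == 16:
        return "Discover"
    return None

def find_pans(text: str) -> list[tuple[str, str]]:
    """Return (network, masked PAN) for each candidate that has a known prefix and a valid check digit."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        net = network(digits)
        if net and luhn_valid(digits):     # the 16-digit order id and the bad-check-digit PAN drop out here
            hits.append((net, "*" * (len(digits) - 4) + digits[-4:]))
    return hits
```

Only the last four digits survive into the alert, so the scanner’s own output does not become another source of card data.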
So let’s go back to the ties to terrorism. And we talked here about some of the malware and botnets where they siphon this information off. And of course it’s the path of least resistance, and lots of the days it’s been consumers, because banks have hardened their perimeter, but they are getting in through consumers who don’t necessarily take care of their desktops the same way as the corporate accounts do.
So, path of least resistance – we install the software there, we keystroke log, follow the information back. The cybercrime ties to terror are definitely significant, and they are allowed to do this because it’s for a cause, and it is Halal, it is permitted, and therefore they can buy drugs and credit cards to use to fund their activities.
And the funding from drugs that comes from out of Afghanistan through opium and heroin is still huge, and that goes back into the pockets of Taliban and al-Qaeda and different extremist groups. And they use the Internet to communicate securely back and forth to set up these transactions and drops, or to launder money.
The airline fraud was huge, it’s not quite as bad today as far as I know, but it was at that time and it still can happen: you steal a credit card and you go and buy yourself a bunch of different tickets out there.
And then there are the online cybercrime markets. And they still pop up from day to day, they have gone into buying and selling software that actually goes out and does this, so it takes the cybercriminals and removes them from the direct activities in a lot of cases by getting others to buy into it. And if they go down, this is just a skin off of their back, and they are still generating their revenue.
So, this is continuing to occur but there is a significant effort to defend against it, the FBI has had some successes. And of course there are other activities, I am sure, that are going on but that they cannot discuss.