Developers Club geek daily blog

2 years, 10 months ago
The underground carder market. Translation of the book "KingPIN". Chapter 26, "What's in Your Wallet?"

Kevin Poulsen, an editor at WIRED magazine and, in his blackhat youth, the hacker Dark Dante, wrote a book about "an acquaintance of his".

The book shows the path from teenage geek (though an active one) to seasoned cyber-kingpin, and also some of the methods the security services use to catch hackers and carders.

The project of translating the book began in the summer at an IT camp for high-school students ("The Kingpin: school students translate a book about hackers"); later Habr users and even, to some extent, the editorial staff joined the translation.

Chapter 26. What's in Your Wallet?

(thanks to al_undefined for the translation)

Selling 100% verified fresh dumps (USA), discounts:

$11 MasterCard
$8 Visa Classic
$13 Visa Gold/Premium
$19 Visa Platinum
$24 Visa Signature
$24 Visa Business
$19 Visa Corporate
$24 Visa Purchasing
$19 American Express = price reduced (was 24)
$24 Discover = price reduced (was 29)
Minimum order: 10 pieces.

Sold by card type, not by BIN (translator's note: the bank identification number, which identifies the issuing bank).


Max's hostile takeover had been carried out to unite the community, not for personal enrichment. Nevertheless, after the forums were consolidated his business of selling data stolen from the magnetic stripes of payment cards flourished as never before: he was making about a thousand dollars a day selling dumps to carders around the world, on top of the five to ten thousand he earned from his partnership with Chris.

In public, at FTC (Federal Trade Commission) hearings and elsewhere, the credit card industry tried hard to hide the consequences of the increasingly frequent thefts of magnetic-stripe data worldwide. Visa, the leader in the credit card field, backed an industry-funded report from Javelin Strategy and Research (translator's note: an agency that assesses risks and opportunities in mobile devices, payments, multichannel financial services, fraud and security) which blamed consumers (customers) rather than the companies for the leaks of card data and the identity thefts: 63% of cases were said to be caused by the loss or theft of a wallet, followed by data theft by trusted associates, theft of mail and digging through trash containers (dumpster diving).

The report was highly misleading: it only counted cases in which the victim knew how the information had been stolen. Visa's private data told the real story. Stolen wallets had not been the main source of fraud since mid-2001; theft of card data from e-commerce sites had broken all growth records among the other kinds of card fraud, surfacing as fraudulent transactions made by phone or over the Internet, i.e. "card-not-present" fraud (the most widespread type of fraud at the time).

In 2004, when information stolen from magnetic tracks became a mass commodity in the underground community, losses from counterfeit cards grew just as steeply. In the first quarter of 2006 counterfeit cards in the style of Chris Aragon knocked card-not-present fraud out of first place, exceeding $125 million in quarterly losses for Visa's partner banks (not counting other types of fraud).

Almost all of those losses were tied to the appearance of price lists like Max's. On the Carders Market forum the number of pages of positive feedback about the seller Digits grew, and with it, of course, his reputation as an honest dealer. That was a point of pride for Max and a sign of a moral code, unlike most people's, that had been part of him since childhood. Max would happily hack a carder and copy everything stored on his hard drive, but if a client had paid him for information, he would not even consider interfering with him.

Max's generosity was also held in high regard. If Max had dumps whose expiration dates were approaching, he preferred to give them away for free rather than let them go unused. Exemplary business practice and the quality of the product put Max among the five best dumps vendors in the world, even though the market was usually dominated by sellers from Eastern Europe.

Max was careful with automated sales procedures (vending). By refusing to sell dumps by BIN (bank identification number, the identifier of the issuing bank) he made the feds' job harder: the government could not simply buy twenty dumps from the same financial institution and ask the bank to look for a common point of purchase in the transactions. Instead, all the interested parties would have to cooperate closely with each other to identify the source.

Besides, only a few of his most trusted colleagues knew that Digits and Iceman were the same person; mostly these were administrators, such as Chris, the Canadian carder with the alias NightFox, and a new team member with the nickname Th3C0rrupted0ne.

Of all the people on the scene, only Chris had met Max in person. Th3C0rrupted0ne had a roughly similar hacking past. As a teenager C0rrupted discovered the warez scene on dial-up bulletin board systems and then took up hacking for fun, learning under the tutelage of Acid Angel, -null- and other hackers. He defaced websites for fun and later joined the hacker group Ethical Hackers Against Pedophiles, gray-hat vigilantes (translator's note: gray hats were once worn by the lawmen who fought organized crime (the mafia)) who fought child pornography on the Internet.

Like Max, he had once considered himself one of the good guys, before he became Th3C0rrupted0ne.

In other respects they had nothing in common. A product of a difficult childhood in a big-city housing project, C0rrupted became a drug dealer at an early age and got his first conviction, for carrying a weapon, in 1996, when he was 19. In college he began making fake identity documents (IDs) for friends, and at some point his Internet research (into ways of forging documents) led him to fakeid.net, an electronic bulletin board where such experts as ncXVI got their start. He graduated to small check and credit card scams around the time Shadowcrew went down and then found his way to the successor sites.

C0rrupted's diplomacy and calm were appreciated by everyone on the scene, and he enjoyed the moderator or administrator privileges he was given on most forums. Max made him an administrator of Carders Market in the summer of 2005 and his unofficial spokesman after the hostile takeover. About a week after C0rrupted assumed administrator powers, Max let him in on the secret that both aliases, Iceman and Digits, belonged to Max.

"Obviously Digits is me too. I could have told you right after I got burned on ICQ (talking about our "forum" and other things).
In general it's a real pain in the ass to keep it hidden from people I know and trust, like you. That's just how it is …

Anyway, the difference is that Iceman is entirely within the law. Digits, on the other hand, breaks it. I assumed if I could keep it separate there would be no legal leg to stand on for coming after "me" as the forum admin."

Chris remained the greatest threat to Max's safety. Every time they butted heads, Max was reminded that he was vulnerable and was dealing with the only carder who knew him by sight and was involved in his real private life. "I can't believe how much you know about me," he forced out, angry at himself.

Meanwhile Chris tried to sell Max on the idea that they needed to do something serious, to hit a jackpot that would let them leave the criminal business and do something legal, for instance fund a new legitimate startup for Chris in Orange County. He drew up a chart and a step-by-step plan for both of them and called it the "Whiz List".

Max was supposed to break into a banking network and gain the ability to transfer millions of dollars to accounts Chris would provide. It would finish what he had been doing since the very start of their partnership, back when he worked from Chris's garage breaking into small banks, accounts and loans. He had access to hundreds of such accounts and loans and could move money out of customer accounts; all that was needed was the will. But the final part of the scheme was stuck in development because of Chris. He had to find a safe haven for the money Max would steal, some offshore storage to which they could transfer the money without the risk that the affected bank would reverse the transfer.

So far he had not managed it.

So in September, when Max found a critical zero-day vulnerability in the new Internet Explorer, he shared the news not with Chris but with another partner who had greater knowledge of international finance: the Carders Market administrator with the nickname NightFox.

The security hole was catastrophic: another buffer overflow, this time in the client-side code for drawing vector graphics (on the page visitor's machine). Unfortunately for Max, hackers from Eastern Europe had found the vulnerability before him and were already using it everywhere. A computer security company had already discovered the Russian hackers' exploit, which infected computers that visited porn sites, and sent it to Microsoft. The Department of Homeland Security issued rather foolish guidance for IE users: "Do not open unsolicited links".

The vulnerability was known, but there was no patch yet. All IE users were vulnerable. Max obtained the Russian hackers' exploit early in the morning of September 26 and with undisguised enthusiasm hurried to share it with NightFox.

"Let's say we get a free ticket to the ride: have any company today," Max wrote in the Carders Market messaging system. "Ok, please. No restrictions. visa.com. mastercard.com. egold.com. Any employee's mailbox for any purpose. Google. Microsoft. Doesn't matter. Anything can be had, right now."


Microsoft released a patch later the same day, but Max knew that even companies that took security seriously would need days or weeks to install the update on all their employees' computers. The Russian exploit was already being detected by antivirus software, so he modified it to change its signature and ran it through an antivirus lab to make sure it could no longer be detected.

All that remained was social engineering: Max needed to trick his targets into visiting the website hosting the exploit. Max settled on the domain name financialedgenews.com and hosted it with the provider ValueWeb.

NightFox came back with a list of targets: CitiMortgage, GMAC, Experian's Lowermybills.com, Bank of America, Western Union MoneyGram, Lending Tree and Capital One Financial, one of the largest credit card issuers in the country. NightFox had extensive databases of internal employee addresses of these companies, acquired from a "competitive intelligence" firm, and he sent Max thousands of addresses for each company they were targeting.

On September 29 Max loaded the addresses into his spamming software and began firing off personalized letters to the victims. The sender was listed as "Gordon Reily", with the return address g.reily@lendingnewsgroup.com.

I am a reporter for Lending News and I am doing a follow-up story on the recent story about the leak of Capital One customer data. I noticed the name Mary Rheingold mentioned in an article in Financial Edge and would like to arrange an interview to cover the details in a new article.
financialedgenews.com/news/09/29/Disclosure_Capital0ne

I would be very grateful if you could find time to discuss the details of the above article further.


Each copy of the letter was personalized, so each employee would think his or her name was mentioned in the Financial Edge article. At Capital One, 500 employees, from executives to PR representatives and IT specialists, received the message. About 125 of them followed the link and were taken to a site with an ordinary financial-industry news report. While they puzzled over the page, the hidden payload slipped through the corporate firewall onto their machines.

The exploit opened a back door that let Max slip onto the victims' hard drives at his leisure and rummage through them for competitive information, analyze internal bank traffic and steal passwords. It was not much different from what he had done with thousands of Department of Defense computers many years ago, back when it was simple mischief out of curiosity.

To be continued

Published translations and the publication plan (status as of December 24)
PROLOGUE (GoTo camp school students)
1. The Key (Grisha, Sasha, Katya, Alyona, Sonya)
2. Deadly Weapons (Young programmers of the FSB of the Russian Federation, 23 Aug)
3. The Hungry Programmers (Young programmers of the FSB of the Russian Federation)
4. The White Hat (Sasha To, ShiawasenaHoshi)
5. Cyberwar! (ShiawasenaHoshi)
6. I Miss Crime (Valentin)
7. Max Vision (Valentin, 14 Aug)
8. Welcome to America (Alexander Ivanov, 16 Aug)
9. Opportunities (jellyprol)
10. Chris Aragon (Timur Usmanov)
11. Script's Twenty-Dollar Dumps (Georges)
12. Free Amex! (Greenhouse of social technologies)
13. Villa Siena (Lorian_Grace)
14. The Raid (Georges)
15. UBuyWeRush (Ungswar)
16. Operation Firewall (Georges)
17. Pizza and Plastic (done)
18. The Briefing (Georges)
19. Carders Market (Ungswar)
20. The Starlight Room (???)
21. Master Splyntr (Ungswar)
22. Enemies (Alexander Ivanov)
23. Anglerphish (Georges)
24. Exposure (+)
25. Hostile Takeover (fantom)
26. What's in Your Wallet? (done)
27. Web War One (Lorian_Grace?)
28. Carder Court (drak0sha)
29. One Plat and Six Classics (+)
30. Maksik (+)
31. The Trial (+)
32. The Mall (Shuflin+)
33. Exit Strategy (done)
34. DarkMarket (Valera aka Dima)
35. Sentencing (comodohacker+)
36. Aftermath (ex-er-sis?)
EPILOGUE

This article is a translation of the original post at habrahabr.ru/post/273943/