[ISN] Hacker Hunters

InfoSec News isn at c4i.org
Wed May 25 03:38:09 EDT 2005

Forwarded from: "eric wolbrom, CISSP" <eric at shtech.net>


Hacker Hunters
By Brian Grow, with Jason Bush in Moscow
May 30, 2005

In an unmarked building in downtown Washington, Brian K. Nagel and 15
other Secret Service agents manned a high-tech command center, poised
for the largest-ever roundup of a cybercrime gang. A huge map of the
U.S., spread across 12 digital screens, gave them a view of their
prey, from Arizona to New Jersey. It was Tuesday, Oct. 26, 2004, and
Operation Firewall was about to be unleashed. The target: the
ShadowCrew, a gang whose members were schooled in identity theft, bank
account pillage, and the fencing of ill-gotten wares on the Web,
police say. For months, agents had been watching their every move
through a clandestine gateway into their Web site, shadowcrew.com. To
ensure the suspects were at home, a gang member-turned-informant had
pressed his pals to go online for a group meeting.

At 9 p.m., Nagel, the Secret Service's assistant director for
investigations, issued the "go" order. Agents armed with Sig-Sauer 229
pistols and MP5 semi-automatic machine guns swooped in, aided by local
cops and international police. The adrenaline was pumping, in part,
because several ShadowCrew members were known to own weapons.  
Twenty-eight members were arrested, most still at their computers. The
alleged ringleaders went quietly, but one suspect jumped out a
second-story window. Agents nabbed him on the ground. Later, they
found a loaded assault rifle in his apartment. The operation was swift
and bloodless. "[Cybergangs] always thought they operated with
anonymity," says Nagel, a tall, chiseled G-man. "We rattled them."

There's a new breed of crime-fighter prowling cyberspace: the hacker
hunters. Spurred by big profits, professional cyber-criminals have
replaced amateur thrill-seeking hackers as the biggest threat on the
Web. Software defenses are improving rapidly, but law enforcement and
security companies understand they can no longer rely on technology
alone to deal with the plague of virus attacks, computer break-ins,
and online scams. Instead, they're marshaling their forces and using
gumshoe tactics to fight back -- infiltrating hacker groups,
monitoring their chatter on underground networks, and when they can,
busting the baddies before they do any more damage. "The wave of the
future is getting inside these groups, developing intelligence, and
taking them down," says Christopher M.E. Painter, deputy chief of the
Computer Crime section of the Justice Dept., who will help prosecute
ShadowCrew members at a trial scheduled for October.

Step by step, the cops are figuring out how to play the cybercrime
game. They're employing some of the same tactics used to crush
organized crime in the 1980s -- informants and the cyberworld
equivalent of wiretaps. They're also busy coming up with brand new
moves. FBI agent Daniel J. Larkin, a 20-year vet who heads up the
bureau's Internet Crime Complaint Center, taps online service
providers to help pierce the Web's veil of anonymity and track down
criminal hackers. In late April, leads supplied by the FBI and eBay
Inc. (EBAY ) helped Romanian police round up 11 members of a gang that
set up fake eBay accounts and auctioned off cell phones, laptops, and
cameras they never intended to deliver. "We're getting smarter every
day," says Larkin.

Smarter and more collaborative. While the FBI and other investigators
have been criticized for fighting each other almost as fiercely as the
criminals on traditional cases, they cooperate more than ever when it
comes to cybercrime. Local, state, and federal agencies regularly
share tips and team up for busts. The FBI and Secret Service, which
received jurisdiction over financial crimes when it was part of the
Treasury Dept., have even formed a joint cybercrime task force in Los
Angeles. Public agencies also are linking with tech companies and
private security experts who often are the first to discover crimes
and clues.

This makes the hacker hunters an eclectic bunch. Larkin ends up
working in tandem with people like Mikko H. Hypponen, director of
antivirus research at Finnish security outfit F-Secure Corp. Larkin is
a straitlaced, 45-year-old native of Indiana, Pa., who honed his
skills during Operation Illwind, the 1980s investigation into
kickbacks paid to Pentagon officials by defense contractors. Hypponen
is a 35-year-old computer whiz who lives on an island southwest of
Helsinki populated by fewer than 100 people and a herd of moose.

On a Rampage

There's a clear reason for this newfound collaboration: The bad guys
are winning. They're stealing more money, swiping more identities,
wrecking more corporate computers, and breaking into more secure
networks than ever before. Total damage last year was at least $17.5
billion, a record -- and 30% higher than 2003, according to research
firm Computer Economics Inc. Among the computers compromised were
those at NASA, a break-in in which one of the prime suspects is a
16-year-old from the Swedish university town of Uppsala.

Part of the problem is that cops don't have all the weapons they need
to fight back. They clearly lack the financial resources to match
their adversaries' technical skills and global reach. The FBI will
spend just $150 million of a $5 billion fiscal 2005 budget on
cybercrime -- not including personnel -- in spite of its being given
the third-highest priority. (Terrorism and counterintelligence come

The Secret Service won't discuss the funding breakdown for cybercrime.  
Both agencies are aggressively lobbying Congress for more money.  
Cybercrime laws haven't been much of a help. Hacking into computer
networks was long seen as little more than a prank, and punishment was
typically a slap on the wrist. That's beginning to change, however.  
Prosecutors are starting to make aggressive use of the Computer Fraud
& Abuse Act, which carries penalties of up to 20 years in prison. The
lengthiest sentence so far has been nine years, issued last December.  
Now prosecutors plan to send a message with the ShadowCrew case.  
Several members face prison sentences of 5 to 10 years if convicted.  
"There have to be consequences," says Painter.

The wiliest of the hackers still run rings around the cops. A Russian
gang called the HangUp Team has been pummeling e-commerce Web sites
and taunting its pursuers for two years, police say. The gang plants
software bugs in computers that allow it to steal passwords, and it
rents out huge networks of computers to others for sending out viruses
and spam. HangUp Team hides in plain sight. Its Web site --
rat.net.ru/index.php -- is decorated with a red-and-black swastika
firing off lightning bolts. Its blog discusses hacker tactics and
rails against Americans. Its motto: In Fraud We Trust. "We think we
know what they've done, where they are, and who they are," says Nagel.  
But authorities haven't been able to nab them so far. The Secret
Service won't say why.

Trojan Horse

Devilish trickery keeps the criminals one step ahead. In January,
2004, a new virus called MyDoom attacked the Web site of the SCO Group
Inc. (SCOX ), a software company that claimed the open-source Linux
program violated its copyrights. Most security experts suspected the
virus writer was a Linux fan seeking revenge. They were wrong. While
the SCO angle created confusion, MyDoom acted like a Trojan horse,
infecting millions of computers and then opening a secret backdoor for
its author. Eight days after the outbreak, the author used that
backdoor to download personal data from computer owners. F-Secure's
Hypponen figured this out in time to warn his clients. It was too
late, however, for many others. MyDoom caused $4.8 billion in damage,
the second-most-expensive software attack ever. "The enemy we have
been fighting is changing," says Hypponen.

Indeed, today's cybercrooks are becoming ever more tightly organized.  
Like the Mafia, hacker groups have virtual godfathers to map strategy,
capos to issue orders, and soldiers to do the dirty work. Their
omertà, or vow of silence, is made easier by the anonymity of the Web.  
And like legit businesses, they're going global. The ShadowCrew
allegedly had 4,000 members operating worldwide -- including
Americans, Brazilians, Britons, Russians, and Spaniards. "Organized
crime has realized what it can do on the street, it can do in
cyberspace," says Peter G. Allor, a former Green Beret who heads the
intelligence team at Internet Security Systems Inc. (ISSX ) in

Yet there may be hope for a shift in the fortunes of battle. Among
cybercops, the ShadowCrew case is seen as a model for taking the
battle to the Black Hats. Law enforcement officials are often loath to
reveal details of their operations, but the Secret Service and Justice
Dept. wanted to publicize a still-rare victory. So they agreed to
reveal the inner dynamics of their cat-and-mouse chase to
BusinessWeek. The case provides a window into the arcane culture of
cybercriminals and the methods of their pursuers.

The story starts with an unlikely partnership. Andrew Mantovani was a
part-time student at Scottsdale Community College in Arizona. David
Appleyard was a onetime mortgage broker who lived in Linwood, N.J.,
just outside of Atlantic City. This is the duo who led the ShadowCrew
from 2002 until they were arrested last fall, according to an
indictment filed in U.S. District Court in New Jersey -- the state in
which their servers were located. The two are believed to have met
online, although the details of their first encounters are unknown.  
From their home computers, Mantovani, now 23, and Appleyard, 45,
allegedly ran shadowcrew.com as an international clearinghouse for
stolen credit cards and identity documents. "It was a criminal
bazaar," says Nagel, a 22-year veteran who served on the protection
teams for Presidents George H.W. Bush and Bill Clinton.

ShadowCrew, it appears, was largely Mantovani's creation. A business
student at Scottsdale, he became a true entrepreneur in front of his
computer screen. He was previously a member of a different cybergang
that mainly stored stolen data, Justice Dept. officials say. He then
allegedly came up with the idea of bringing together buyers and
sellers in an online community so they could auction off stolen goods
and share hacking tricks. Once the ShadowCrew site was established, he
often reminded members in online chats that he could help them rise or
fall in the gang depending on their loyalty to him, says Scott S.  
Christie, a former assistant U.S. attorney who helped build the legal
case. "It was important [to Mantovani] to be recognized as the
spiritual leader of ShadowCrew," says Christie.

If Mantovani was the brains, Appleyard was the brawn, according to the
indictment. The older man adopted the online persona of a former
soldier. He went by the nickname "BlackOps" and stood ready to mete
out punishment to anyone who stepped out of line. One time, a gang
member known as "ccsupplier" failed to deliver merchandise he had sold
-- and then failed to refund the money that had been paid. Appleyard
allegedly posted the guy's real name, address, and phone numbers on
the ShadowCrew Web site, immediately putting him out of business. On
another occasion, police say he threatened somebody with physical
harm, in an online message. All the while, the former mortgage broker
was living with his wife, two kids, and mother, who suffers from

The ShadowCrew gang got hold of credit-card numbers and other valuable
information through all sorts of clever tricks. One of the favorites
was sending millions of phishing e-mails -- messages that appeared to
be from legit companies such as Yahoo! Inc. (YHOO ) and Juno Online
Services Inc. but in fact were fakes designed to steal passwords and
credit-card numbers. The gang also excelled at hacking into databases
to steal account data. According to sources familiar with the
investigation, the ShadowCrew cracked the networks of 12 unnamed
companies that weren't even aware their systems had been breached.

Because most of the gang members held day jobs, the crew came alive on
Sunday nights. From 10 p.m. to 2 a.m. hundreds would meet online,
trading credit-card information, passports, and even equipment to make
fake identity documents. Platinum credit cards cost more than gold
ones. Discounts were offered for package deals. How big was the
business? One day in May, 2004, a crew member known as "Scarface" sold
115,695 stolen credit-card numbers in one trade. Overall, the gang
made more than $4.3 million in credit-card purchases during its
two-year run. The actual tally could be more than twice as large, the
feds say. It was like an eBay for the underworld.

Too Big to Hide

The operation was quite sophisticated. Mantovani, who used the handle
"ThnkYouPleaseDie," and Appleyard, who went by "BlackBagTricks" as
well as "Black Ops," were the "administrators," according to the
government's indictment. They were in charge of strategic planning,
determined which ShadowCrew aspirants got access to the Web site, and
collected payments from participants to keep it running. "Moderators"  
hosted online forums where gang members could share tips for making
fake IDs or ask questions about creating credible phishing e-mail.  
Below them were "reviewers," who vetted stolen information such as
credit-card numbers for quality and value. The largest group, the
"vendors," sold the goods to other gang members, often in online
auctions. Speed was essential, since credit-card numbers had to be
used quickly before they were canceled.

But their operation was too big to escape notice by the cops. In
mid-2003, the Secret Service launched Operation Firewall to nab
purveyors of fake credit and debit cards. They quickly focused on
ShadowCrew, says Nagel, because it was among the largest gangs
operating openly on the Web. Within months, agents turned one of
ShadowCrew's members into a snitch. While they decline to name the
person or detail how he was flipped, an affidavit says he was a
high-ranking member of the gang, and one of its moderators. Last
August the man helped the Secret Service set up a new electronic
doorway for ShadowCrew members to enter their Web site and then spread
the word that the new gateway was a more secure way in. It was the
first-ever tap of a private computer network under a 1968 crime act
that set legal guidelines for wiretaps. "We became shadowcrew.com,"  
says Nagel.

This was a big break, since the cops could use the doorway to monitor
all the members' communications. Among the communiqués: Omar Dhanani,
aka Voleur (French for "thief"), bragged he could set up a special
payment system for cybercrime transactions, police say. For a 10%
commission, he would exchange cash for "eGold," an electronic currency
backed by gold bullion. The Secret Service watched as he laundered
money from at least a dozen deals for ShadowCrew members.

The online taps helped the cops set up real-world stakeouts, too. They
started by subpoenaing records from Internet service providers such as
Time Warner Inc.'s (TWX ) Road Runner. They then traced the computing
addresses to actual houses and apartments so they could observe their
prey in person. One target: Rogerio Rodrigues. Investigators say they
saw him load a bulging bank-deposit bag into his Ford Explorer and
drop it off at a Citibank (C ) branch. Later, he stopped into a
Kinko's (FDX ), where agents believe he picked up counterfeit

Cutting-edge digital monitoring combined with old-fashioned shoe
leather resulted in reams of incriminating evidence. At the peak of
the investigation, a dozen Secret Service agents worked 18-hour days
to sift through the gang's communiqués. E-mail, instant messages, and
computer addresses led them to the suspected ringleaders. Mantovani,
it turned out, lived with another alleged ShadowCrew member, Brandon
Monchamp. Dhanani operated from a quaint stucco house in Fountain
Valley, Calif. Addresses in hand, the Secret Service was ready to
conduct last fall's bust.

The ShadowCrew case is far from over, though. Charged with credit-card
fraud and identity theft, most of the suspects arrested that day have
been released on bail pending trial. Mantovani returned home to live
with his parents on Long Island and works as a construction laborer.  
His lawyer, Pasquale F. Giannetta, insists Mantovani is no criminal.  
"He is like a normal 23-year-old boy," Giannetta says. Appleyard has
not issued a plea in the case, pending additional evidence from the
government. His lawyer, William J. Hughes Jr., says Appleyard was just
a techie running the ShadowCrew Web site, not a criminal profiting
from it. Brandon Monchamp's lawyer, Elizabeth S. Smith, declined to
comment. Dhanani's and Rodrigues' attorneys did not return calls
seeking comment.

Global Reach

The bust yielded a treasure trove of evidence. So far the Secret
Service has uncovered 1.7 million credit-card numbers, access data to
more than 18 million e-mail accounts, and identity data for thousands
of people including counterfeit British passports and Michigan
driver's licenses. They say the ShadowCrew pillaged more than a dozen
companies, from MasterCard Inc. to Bank of America Corp. (BAC ) The
bust has yielded evidence against more than 4,000 suspects and links
to people in Bulgaria, Canada, Poland, and Sweden. "We will be
arresting people for months and months and months," says Nagel.

Now, with the ShadowCrew bust as their inspiration, cops and security
experts are becoming more aggressive. They're tapping shady Web sites
and chat rooms, stepping up cooperation with investigators in other
countries, and flipping informants to build cases. In the past six
months, the FBI persuaded members of several spam and phishing rings
to rat on their accomplices. Larkin says some of these cases will
become public in the coming months.

Despite these successes, cops face major hurdles as they try to get
cybercrime under control. The biggest? Their global scope. Gang
members hide out in countries with weak hacking laws and lax
enforcement. They can even shelter servers in a separate country,
snarling the trail for investigators. Their favorite hideouts: Russia,
Eastern Europe, and China.

And little wonder. In Russia, the authorities can appear at times to
be more interested in protecting cybercrooks than in prosecuting them.  
In 2000, the FBI lured two Russian hackers to Seattle with job offers,
then arrested them. Agents involved in the case later downloaded data
from the duo's computers, located in Chelyabinsk, Russia, over the
Web. Two years after that, Russia filed charges against the FBI
sleuths for hacking -- alleging the downloads were illegal. "When you
have a case that involves servers in Russia, you can almost hear the
law-enforcement officials sigh," says Hypponen.

The HangUp Team has been operating in Russia with impunity for years.  
Some members are allegedly based in Archangelsk, an Arctic Circle city
of rusting Soviet nuclear submarines and nearly perpetual winter. In
2000 the alleged original members of the team, Alexei Galaiko, Ivan
Petrichenko, and Sergei Popov, were arrested for infecting two local
computer networks with malicious code. But Russian authorities let
them off with suspended sentences.

Little was heard from the HangUp Team for the next two years. But in
2003 the gang released the viruses Berbew and Webber. Then last year
the group infected online stores with a fiendish piece of software
called the Scob worm. Scob waited for Web surfers to connect, then
planted software in their hard disks that spied on their typing and
relayed thousands of passwords and credit-card numbers to a server in
Russia, police say. "These guys have set a new standard for
sophistication among criminal hackers," says A. James Melnick, 51,
director of threat intelligence at iDEFENSE, a Reston (Va.)  
cybersecurity firm.

The HangUp crew isn't even covering its tracks. Each of the three bugs
contained a telltale signature: "Coded by HangUp Team." With HangUp
operating so publicly, it's not clear why its members have been so
hard to catch. Russian authorities say they have been hampered by the
red tape of securing warrants, coordinating with U.S. and British
police, and translating documents.

It's one more sign that the battle for cyberspace has changed forever.  
Criminals are swarming the Web, and their attacks come from the most
remote corners of the globe. There are no easy answers. But one thing
is clear: The old practice of erecting defenses out of software isn't
enough. "That's a Band-Aid," says Larkin. "If you don't try to take
these guys down, they'll come back. You have to find a way to get to
the live bodies and take them out at their roots. If you don't, you
aren't solving the problem." Investigators scored an impressive
success in taking down the hackers behind the ShadowCrew. But the hunt
is just beginning.
