Alert: E. Europe ID Hacks

Investigation

Warnings about Eastern European cybercrime that counterfeits cards and drains bank accounts have increased in the past six months. Groups from the region have targeted large retailers, banks and card-processing agencies.

October 2, 2009

Last month, a leading financial services advisory group warned that Eastern European hackers were moving further down the chain and targeting small and medium-sized businesses. Nor are hackers in the region working alone. In April, Verizon Business warned that nearly one-quarter of all external breaches it recorded last year originated in Eastern Europe. “We do have a great deal of evidence that malicious activity from Eastern Europe is the work of organized crime,” the Verizon report said.

“Eastern Europe” in this case doesn’t mean the grim coal-dust cities of the old Warsaw Pact. Today it means the former Soviet Union, some neighboring countries and the southeastern European country of Romania. Regional hackers steal millions of dollars from people and companies every year, and sometimes they exploit people’s greed or other vices to do it. Fortunately, law enforcement experts say, countries are waking up to the threat, and companies and individuals are increasingly likely to come forward rather than hide losses as they did in the past.

Why does the region play such a large role in these thefts? Excellent technical schools, meager salaries and weak legal systems have created what Internet infrastructure company VeriSign called a “perfect storm” for cybercrime.

For example, an IT professional working legitimately in Moscow makes about $2,000 a month. “My rent is $2,000 a month,” said Kimberly Zenz, a senior threat analyst at VeriSign’s iDefense unit. “You can do it – live out of the center of the city in some horrible apartment – but it’s not a particularly attractive lifestyle. They’ll be offered $10,000 a month working in the criminal world.”

Good Pay, Low Risk

The lucrative salaries combine with a low possibility of being arrested. Even dedicated cops, prosecutors and judges in the region are not usually experts on computers or forensic analysis. And big cybercrime groups are protected from the law anyway, Zenz said. “They are affiliated with Russian organized crime and they have serious protection. It’s not like they say, ‘Let’s form a cyber-criminal group,’” she said. “It’s individuals and smaller networks, but as they get more successful, they need money laundering services and protection, and they come to the attention of criminal groups and they become incorporated.”

Today the region leads the pack in almost every type of cybercrime. Hackers turn compromised computers and networks into bots that spew spam or steal information. They install malicious software that harvests online banking passwords or credit card numbers. They print counterfeit credit and debit cards to withdraw cash at ATMs, or to buy goods that are shipped overseas and fenced on the black market.

Interpol estimates that Russian hackers have stolen more than $65 million from foreign banks since 2005. Some of the recent thefts were obviously well planned. In 2006, 12 Russians stole more than €1 million from bank customers in France after installing dormant malware on the victims’ computers.

Last November, thieves in 49 cities around the world took just 30 minutes to withdraw a total of $9 million from 130 different ATMs. The gang was thought to be based in Russia; it used data stolen from the US-based payment processor RBS WorldPay – a division of the Royal Bank of Scotland – to make the counterfeit debit cards used in the crime.
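The RBS WorldPay cash-out shows the pattern an issuer or processor can look for: many withdrawals against one compromised card range, spread across many cities, inside a very short window. The following added example (not from the article, and not code from RBS WorldPay, Interpol or any investigator) runs two detection rules over constructed withdrawal records: an impossible-travel rule on each card, and a coordinated cash-out rule that counts distinct cities hit within one issuer BIN in a sliding window. The sample data, the field names, the 30-minute window and the five-city threshold are all assumptions chosen for illustration.

```python
"""Detect coordinated ATM cash-out in a batch of withdrawal records.

Added example for illustration; all records below are constructed, and the
thresholds are assumptions rather than values from any real investigation.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample withdrawals: (card PAN, UTC timestamp, ATM id, city, amount USD).
# PANs starting with 411111 stand for one compromised issuer BIN; the 550000 card
# is an ordinary customer included for contrast.
WITHDRAWALS = [
    ("4111110000000001", "2008-11-08T03:00:00", "ATM-ATL-01", "Atlanta", 500.0),
    ("4111110000000001", "2008-11-08T03:06:00", "ATM-ATL-02", "Atlanta", 500.0),
    ("4111110000000002", "2008-11-08T03:01:00", "ATM-CHI-01", "Chicago", 500.0),
    ("4111110000000003", "2008-11-08T03:02:00", "ATM-MOW-07", "Moscow", 500.0),
    ("4111110000000004", "2008-11-08T03:03:00", "ATM-HKG-03", "Hong Kong", 500.0),
    ("4111110000000005", "2008-11-08T03:04:00", "ATM-MIL-02", "Milan", 500.0),
    ("4111110000000006", "2008-11-08T03:10:00", "ATM-TOR-04", "Toronto", 500.0),
    # One cloned card used in two distant cities nine minutes apart.
    ("4111110000000007", "2008-11-08T03:12:00", "ATM-NYC-11", "New York", 500.0),
    ("4111110000000007", "2008-11-08T03:21:00", "ATM-LON-02", "London", 500.0),
    # Ordinary customer: one city, hours apart, small amounts.
    ("5500000000000009", "2008-11-08T09:15:00", "ATM-BOS-01", "Boston", 60.0),
    ("5500000000000009", "2008-11-08T18:40:00", "ATM-BOS-05", "Boston", 40.0),
]


def parse(records):
    """Turn the raw tuples into dicts sorted by time; BIN is the first six PAN digits."""
    rows = [
        {"pan": pan, "bin": pan[:6], "ts": datetime.fromisoformat(ts),
         "atm": atm, "city": city, "amount": amount}
        for pan, ts, atm, city, amount in records
    ]
    rows.sort(key=lambda r: r["ts"])
    return rows


def impossible_travel(rows, max_gap=timedelta(minutes=60)):
    """Per-card rule: the same PAN withdrawing in two different cities within
    max_gap of each other. Catches a cloned card even when the amounts look normal."""
    by_card = defaultdict(list)
    for r in rows:
        by_card[r["pan"]].append(r)
    hits = []
    for pan, txns in by_card.items():
        for a, b in zip(txns, txns[1:]):          # txns are already time-ordered
            if a["city"] != b["city"] and b["ts"] - a["ts"] <= max_gap:
                hits.append((pan, a["city"], b["city"], b["ts"] - a["ts"]))
    return hits


def coordinated_cashout(rows, window=timedelta(minutes=30), min_cities=5):
    """Campaign rule: within one issuer BIN, count distinct cities, ATMs and cards
    hit inside a sliding time window. A single cloned card can never reach
    min_cities on its own, so this flags the whole fleet at once and returns,
    per BIN, the widest window seen."""
    by_bin = defaultdict(list)
    for r in rows:
        by_bin[r["bin"]].append(r)
    alerts = {}
    for bin_, txns in by_bin.items():
        start = 0
        for end in range(len(txns)):
            while txns[end]["ts"] - txns[start]["ts"] > window:
                start += 1                         # slide the window forward
            win = txns[start:end + 1]
            cities = {t["city"] for t in win}
            prev = alerts.get(bin_)
            if len(cities) >= min_cities and (prev is None or len(cities) > prev["cities"]):
                alerts[bin_] = {
                    "cities": len(cities),
                    "atms": len({t["atm"] for t in win}),
                    "cards": len({t["pan"] for t in win}),
                    "total": sum(t["amount"] for t in win),
                    "window_start": txns[start]["ts"],
                    "window_end": txns[end]["ts"],
                }
    return alerts


if __name__ == "__main__":
    rows = parse(WITHDRAWALS)
    for pan, src, dst, gap in impossible_travel(rows):
        print(f"impossible travel: {pan} {src} -> {dst} in {gap}")
    for bin_, a in coordinated_cashout(rows).items():
        print(f"cash-out on BIN {bin_}: {a['cities']} cities, {a['atms']} ATMs, "
              f"{a['cards']} cards, ${a['total']:.0f} between {a['window_start']:%H:%M} "
              f"and {a['window_end']:%H:%M}")
```

On the constructed data the per-card rule flags only the New York/London card, while the BIN-level rule fires on the full set of 411111 cards (eight cities, nine ATMs, seven cards in 21 minutes) and stays silent on the Boston customer. In practice the BIN-level rule is the one that matters for a processor breach, because each counterfeit card individually stays within its limits.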

And in the largest-ever data breach in US history, an American last month pleaded guilty to 19 charges related to masterminding a scheme that stole card data from large American retailers. Albert Gonzalez was charged last year with 10 other people from five countries for allegedly stealing 41 million credit card and debit card numbers from several major retailers, including Barnes & Noble and Boston Market. In another case, he was indicted with two unnamed Russian co-conspirators last month for stealing 130 million more numbers from credit card processor Heartland Payment Systems and retailers including 7-Eleven. Lawyers are now arguing over whether evidence the US Secret Service got from a server in Latvia and from a laptop computer used by a Ukrainian arrested in Turkey can be used in court.

The Gonzalez case highlights how complicated it can be to investigate these cases. “Our biggest challenge is breaking through in terms of who exactly is doing it,” said Jeffrey Troy, the head of the criminal section in the FBI’s Cyber Division. “More importantly, are they doing it for their own benefit, or for an organization, or for a customer who’s requested them to do what they’re doing.”

Groups Maturing, Organizing

“I don’t think that all hackers have acted as lone wolves in the past,” Troy said. “But what we’re seeing right now is that there are groups that are maturing into well-organized groups…that understand the industries they’re trying to affect. And that’s a talent that you see in other organized crime groups.”

It’s no help to law enforcement that people are less likely to come forward after cybercriminals have preyed on their vices – for example, a sick interest in child pornography or simple greed. Ninety percent of commercial child pornography originates in Russia, according to a prominent anti-child pornography group. The Association of Sites Advocating Child Protection (ASACP) said earlier this year that the lure of pornography provided an easy way for sites to steal credit card numbers and IDs through the sites’ false billing pages.

“The victims…are less likely to complain to the authorities or their bank,” said Tim Henning, ASACP’s technology and research director. “When they see their statement and put two and two together, they’re more likely to cancel the credit card or report it lost, rather than saying to their bank, ‘I was trying to buy illegal images of child pornography.’ ”

Other crimes, like cyber-robbery, use Westerners’ greed to pull off the heists. Criminals need to move the money and goods they’ve stolen. To do that, they openly post job offers on boards like Monster that greedy or naïve Westerners are sometimes only too happy to apply for. These so-called “money mules” send money or merchandise to Russia, Ukraine or other countries in two different scams. In a shipping-receiving scam, the mules’ homes serve as drop-off points for goods – usually electronics – that the criminals bought with stolen credit cards. The mules then ship the goods overseas before either the cardholder or the card company catches on, and the criminals fence the goods on the black market. In a payments-processing scam, the mule accepts stolen money into his or her own bank account and wires it on to Russia, Ukraine or other countries. In both cases the mule may get a cut of what’s being transferred; in some cases, the criminals disappear before paying the mule at all.

In one example of a shady job posting, a “Vasily Kazakov” sent emails to job-seekers on careerbuilder.com, offering them jobs to help Kazakov’s company do “processing payments online by merchant account.” It was a classic payments-processing lure. One job-seeker, though, used the web to protect herself, posting Kazakov’s offer on scam-watch site 419legal.org, and asking about the offer’s legitimacy. Responders denounced the offer as a scam. One wrote, “Google Vasily Kazakov and you will see a very interesting article.” The article was a New York Times obituary of a Soviet aircraft minister from 1981.

Vigilance Promoted

Vigilance from users is what job boards like Monster are trying to promote. Monster, one of the largest online job boards in the world, monitors the postings on its site, and its website also has a security section warning users about the different types of scams. The company further warns that by taking these “jobs,” people are helping criminals steal and could therefore be prosecuted themselves.

Vigilance of another kind, and openness about breaches, is what the FBI has been trying to encourage in the US. Rather than investigating breaches only after they happen, the FBI has been trying to get information out to industries and companies it thinks might be at risk before they are breached. And in the past six months, small businesses have shown more willingness to report their hacks to the FBI than in the past. Troy, the FBI Cyber Division criminal section head, also said that international cooperation on this front is as high as he has seen it in more than two decades with the agency.

“Everyone is understanding that, when it comes to cybercrime, you don’t want to look at just what has occurred in terms of losses – you need to look at the threat that’s out there because systems can be penetrated. That concern has led to a tremendous amount of intelligence sharing across the globe as we try to find these organizations and neutralize them as soon as possible,” he said. Romania, he said, is an excellent example. Four years ago the country didn’t even have a cybercrime investigation squad. Today hundreds of suspects have been arrested in Romania and the US, and an FBI agent works there alongside the national police, rather than as a liaison contact in the US embassy. But Troy said the problem is not confined to any one country.

“The Internet has created a melting pot for cybercriminals, and there are some very talented cybercriminals in all eastern European countries,” he said. “When we penetrate organizations and arrest them, we find someone in Russia, but we find someone in another eastern European country and they were just as much part of it as someone else. Money comes into one country and is then shared throughout the organization. It’s an accurate portrayal that these organizations aren’t specific to one particular country, they’re multinational groups looking for whoever can contribute to the goals of the criminal project.”

-- Beth Kampschror