An attractive brunette in a business suit is making her online pitch. “Are you tired of searching for legit CVV shops?” her animated form asks from the corner of the Web site. “Search no more,” she promises. This site has “handpicked cards” with “high balances.” “What are you waiting for? Register now.”
It looks like a legitimate business Web site, one for small business financing perhaps. However, I’m being shown this site — and asked not to identify it — by FBI special agent Keith Mularski in the offices of the National Cyber-Forensics & Training Alliance (NCFTA), a Pittsburgh-based alliance between international law enforcement agencies, businesses and academics that has been charged with tackling the growing menace of cybercrime. This is a site at the cutting edge of crime.
CVV stands for card verification value. This site, and its equally professional rivals, are selling stolen credit card information to criminals who snap them up like songs on iTunes. A dollar buys enough information to use someone else’s card online, US$30 buys a “dump,” all the information you need to copy a card and set off on your own real-world shopping spree with somebody else’s plastic.
There are millions of stolen accounts available, hacked from banks and online sellers, or swiped at cash machines. The FBI recently reclaimed 1.5 million numbers from one seller alone. You can sort by type, MasterCard, Visa, or American Express, by geography, or just stick to business cards for their higher balances. There is no need to fear getting ripped off. Criminals peer-review each other’s sites. It’s eBay for crooks.
Mularski knows a thing or two about cybercrime. For two years he ran one of the biggest underworld crime sites in the world. Using the pseudonym Master Splynter (a nod to the cartoon Teenage Mutant Ninja Turtles) Mularski masqueraded as a spammer, winning the confidence of online crooks and eventually taking over as host of Dark Market, at the time the largest online forum for cybercriminals.
The sting was a big victory for the US authorities, which, along with other governments, have struggled to keep up with the rapidly spreading threat.
Police officers from the UK, Germany, Netherlands, Australia and other countries work alongside the FBI at the NCFTA. The organization has about 500 business partners, from the big banks to technology companies and links with academics at local universities Carnegie Mellon and Pittsburgh.
The scale of the problem they are tackling is dizzying. According to a recent study by the British government, cybercrime is endemic and costs UK businesses alone an estimated ￡27 billion (US$44 billion) a year.
The criminals that buy this information operate a vast, international enterprise that employs teams of “mules” to buy goods either in person or online and yet more mules to launder their cash. They pay each other via digital currencies.
“Would you take a credit card if you were one of these guys?” Mularski asks.
These are multimillion-dollar businesses with serious costs.
“This is serious money,” he said.
And it is serious criminals that are doing it. Mularski says he hates the term “hacker.”
“It’s so generic,” he said. “Traditionally we have thought of this cybercriminal as a geek. When I first started in cybercrime, the impression I got was [of] the movie War Games, Matthew Broderick sitting in his parents’ basement. That’s not the case anymore. These are serious businessmen with serious skills.”