I was invited to give a talk on the psychology of hackers to Fidelity National Information Services (FIS) at its annual get-together in Milwaukee, Wisconsin in April this year. FIS is one of the biggest providers of technology and card services to the banking industry worldwide. Unsurprisingly, cyber security is among its top priorities.
The talk went well and when answering the audience’s questions, I referred to a recent cybercrime case in Calgary, in Alberta, Canada, in which a cybergang had hacked into the computer system of a company that provides pre-paid debit cards. These are aimed at young people and those who can’t get credit through the normal channels.
The scam was impressive in its simplicity and effectiveness. The gang bought a number of pre-paid debit cards in different locations and placed US$15 on each card. Once they had broken into the computer system of the company that issued them, they found the network area that dealt with the limits placed on each card. They sought out the cards they had purchased and, using the control they had established over the company’s networked system, they electronically raised the spending limit on the cards from US$15 to tens of thousands of US dollars. Over one weekend, they extracted around US$1 million using the affected cards in ATM machines around the world.
My remarks seemed to strike a nerve, although I couldn’t put my finger on why. Three months later, the reason suddenly became clear to me when arguably the finest investigative reporter who researches cybercrime, Brian Krebs, posted a note on his Web site about a major security breach at a payment technology company: my old friends at FIS.
Not only that — it turned out that FIS was a victim of exactly the same pre-paid credit card scam as the company in Calgary. Except that FIS had lost US$13 million and the scammers, according to krebsonsecurity.com, had used just 22 rigged pre-paid credit cards to siphon off this vast amount of money.
Traditional bank robbers must be absolutely gobsmacked when they hear sums like this being hoovered up by cybercriminals week in, week out. Krebs went on to point out that the FBI had made no arrests in the FIS case. Nobody expected anyone to be nabbed anytime soon. So I thought I would make some inquiries in the cyberunderworld. One of my contacts was acquainted with the mastermind of the pre-paid scam at FIS. Over a three-year period, my contact told me, his organization had earned US$34 million. Who knows? They might well have been responsible for the Calgary heist.
The Mr Big who orchestrated the whole operation, I was told, kept 70 percent of those profits for himself — only 30 percent went to the hackers and the so-called “cash-out” team — that is, the people who have to go, somewhat laboriously, from ATM to ATM and extract up to US$500 each time (before, of course, transferring 70 percent back to Mr Big).
To my knowledge, the gang has not visited any companies in the UK. However, Britain, along with the US, Canada, western Europe, Australia and New Zealand, is a top target for cybercriminals.
The British are dangerously vulnerable to cyber attack of all shapes and sizes, according to the latest report on cyber security from the UK think tank Chatham House. It is high time, the report argues, that we got our act together. It is no longer the case that banks are the prime targets; any business, be it manufacturing, military, legal or financial, is now computer-based and therefore vulnerable to attack. A few hours after the publication of the Chatham House document last week, the government unexpectedly announced it would be postponing the presentation of its new cyber security strategy to parliament. A sign of nerves, perhaps? Certainly, getting this strategy wrong might prove very expensive.
What exactly are we protecting ourselves against? We have heard some dire warnings in recent months about the extent of the threat posed by illegal activity on the Internet. In 2009, the White House suggested that cybercrime and industrial espionage inflicted damage of around US$1 trillion a year — almost 1.75 percent of global GDP. Can it be true? The answer is that, whatever anyone may say, nobody has the faintest idea. The US$1 trillion could be a wildly exaggerated figure put out there by the cyber security industry in order to generate sales. Or it could be the result of some hyperactive algorithms. Or it could be true. However, nobody can assert with any confidence which it is.
The activities of the pre-paid gang, according to my underworld source, were only discovered because they committed an uncharacteristic error, allowing FIS’ defenses to pick up on the presence of a foreign body in its networked system. If that had not happened, the gang might still be ripping off FIS and everyone else, unbeknown to the rest of the world.
Although there is no precision about figures out there, there is no doubt that threats do exist. Crime on the Web is changing very rapidly. Until recently, most of it took place on so-called “carder” sites with names such as CarderPlanet, Shadowcrew and DarkMarket (a “carder” is a hacker who deals in credit cards or card details). These were in effect department stores for criminals.
The first and the most celebrated among thieves was CarderPlanet. Members would come to this Web site, run out of Odessa in Ukraine, to buy and sell stolen credit card details, to purchase viruses, trojans and worms with which they could compromise victims’ computers, to take tutorials in how to deploy the latest cyberweapons, or to hire a botnet — a network comprising thousands of zombie computers — to use in an attack against their enemies.
CarderPlanet’s significance in the history of cybercrime lies in its founders’ introduction of an escrow system. This worked almost like a criminal version of PayPal, using legitimate channels such as Western Union, and enabled them to overcome the central problem facing all cybercriminals — how to trade with somebody on the Web when you know that, as a criminal, he or she, like you, is inherently untrustworthy. Escrow, whereby a neutral officer from the Web site would hold both the credit card details being sold and the money from the purchaser until they were satisfied that both sides were genuine, solved that problem at a stroke. It also led to the industrialization of crime on the Web.
One of the co-founders of CarderPlanet, the Ukrainian hacker known as Script, described the pioneers of digital thieving as “lone wolves.” In an interview with Hacker (Xakep.ru), the great chronicler of Russia’s cyber-underworld, he explained: “They don’t huddle together in groups or form their own distinctive networks; everyone works by himself, for himself.” However, in the past few years, the lone wolves have begun to form packs, usually under the leadership of charismatic individuals such as Mr Big, from the pre-paid scam. “Carder” sites such as DarkMarket have slipped out of fashion because they were too easily infiltrated by law enforcement agencies such as the FBI and the Serious Organised Crime Agency in Britain. Instead, the lone wolves have started to form packs with trusted friends and these look more like traditional organized crime groups with a clear hierarchy and division of labor.
One of the most lucrative scams revolves around so-called “scareware,” malicious software that plays on the fear of virus infection, which was perfected by a Ukrainian-based company called Innovative Marketing (IM). IM employed dozens of young people in the Ukrainian capital Kiev, most of whom believed they were involved in a startup company that was selling legitimate security products. Except that they weren’t. Computer users who had clicked on a certain link placed by a hacker on a legitimate Web site had become infected. Hackers, in turn, triggered a pop-up on the browser warning the users that their machine had been compromised by a virus. The only way, the advert explained, they could rid their computers of the electronic critters now crawling all over their hard disk and memory was to click on a link and purchase Malware Destroyer 2009, to name but one of their countless products. Once you had downloaded Malware Destroyer (for 40 euros, or US$54), IM would instruct you to remove your existing anti-virus system and install its product. Once installed, however, it did precisely nothing — it was an empty piece of software, although now, of course, you were open to infection by any passing virus and you had paid for that dubious privilege.
A researcher for the software company McAfee in Hamburg, Dirk Kolberg, began to monitor this operation. He followed the scareware back to its source in east Asia and found that the administrator of IM’s servers had left some ports wide open, so Kolberg was at liberty to wander into it and peruse at will. What he uncovered was quite breathtaking.
IM was making so much money that it had established three call centers, one in English, one in German and one in French, to assist baffled customers who were trying to install their non-functioning products. This was one of the most theatrical examples of Internet crime yet discovered. Kolberg worked out from trawling through the receipts that he also found on the server that the scareware scam had generated tens of millions of US dollars in revenues for the management. The FBI busted the US end of that operation but its two alleged masterminds, a Swede and an Indian, who are on the agency’s most-wanted list, remain on the run.
Innovative Marketing Kiev was probably the most lucrative operation to date, but by no means the only one. Yet although lucrative, it was, for the perpetrators, labor intensive. Streamlining in cybercrime, though, has led to outsourcing. Sophisticated hackers and criminals are now able to control vast armies of zombie computers — ordinary PCs that you or I might be using this minute, but whose computing power can be redirected to commit criminal acts on the Internet. The only clue that this could be happening in the background would be the computer running more slowly. This army is then rented out for a significant fee to opportunistic criminals who do not want or do not have the ability to amass such a formidable computing weapon.
This network can breach its targets and intended victims (usually banks, financial institutions or, of course, ordinary account holders) by sending e-mail after e-mail to overload the system, creating a diversion that allows hackers to gain access. It can also seek out serial numbers, login IDs and financial information such as credit card numbers. Eventually money is transferred to so-called money mules. These are (largely) unwitting characters, usually Americans or western Europeans, who respond to advertisements offering good returns for work carried out from your home computer. Successful candidates are then required to use their personal bank accounts on behalf of their new employer. The mules would receive, say, US$200 and then forward US$180 to Mr Big, holding back US$20 as their commission. In a recent major FBI case, codenamed Operation Trident Tribunal, the mules had been instructed to send the money to a bank in Latvia, one of the three Baltic republics, along with Lithuania and Estonia, whose role in cybercrime is out of all proportion to their combined population of 7 million people.
The emergence of such outsourcing accentuates one of the greatest problems that police face in dealing with organized crime. The structure acts as a mask that obscures the real moneymakers: The people who assemble the zombie networks and the Mr Bigs who use their services. The mules are easy to catch, but they are very small cogs in a ruthless machine.
The next challenge for law enforcement is not unlike that facing the Untouchables in Al Capone’s Chicago. Capone, of course, was eventually busted for tax evasion. But how can you track down a digital Al Capone when you don’t know who he is or where he is?