Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground Online
Authors: Kevin Poulsen
Tags: #Technology & Engineering, #Computer hackers, #Commercial criminals - United States, #Commercial criminals, #Social Science, #True Crime, #Computers, #General, #United States, #Criminals & Outlaws, #Computer crimes, #Butler; Max, #Case studies, #Computer crimes - United States, #Biography & Autobiography, #Computer hackers - United States, #Security, #Engineering (General), #Criminology
Chris had become friends with Cesar. He’d even had him over for dinner, along with Mrs. UBuyWeRush, Clara, and Chris’s two boys—well-mannered kids who stayed at the dinner table all the way through dessert. Chris particularly liked hanging out at Cesar’s office. You never knew who would show up at UBuyWeRush. Carders too paranoid to have counterfeiting gear shipped even to a drop would make a pilgrimage to Los Angeles to pick up their items in person, opening the front door through their shirtsleeve to leave no prints and paying in cash. Foreign carders vacationing in California would stop by just to see the legendary warehouse with their own eyes and shake Cesar’s hand.
On this day, the man walking in to pick up an MSR206 was the last person Chris expected to see in Cesar’s shop, a six-foot-five hacker with a long ponytail.
Chris was stunned; Max rarely left San Francisco these days, and he hadn’t said anything about coming to town. Max was equally surprised to see Chris. They exchanged pleasantries awkwardly.
There was only one reason Max would sneak into Los Angeles to buy his own magstripe encoder, Chris knew. Max had decided to stop sharing his most valuable data.
Max had become privy to one of the biggest security blunders in banking history, one that most consumers would never hear about, even as it enriched carders to the tune of millions of dollars.
The midsized Commerce Bank in Kansas City, Missouri, may have been the first to figure out what was going on. In 2003, the bank’s security manager was alarmed to find that customer accounts were being sacked for $10,000 to $20,000 a day from cash machines in Italy—he would come in on a Monday and find his bank had lost $70,000 over the weekend.
When he investigated, he learned that the victim customers had all fallen for a phishing attack aimed specifically at their debit card numbers and PINs.
But something didn’t make sense: CVVs were supposed to prevent exactly this kind of scam. Without the CVV security code programmed onto the magnetic stripe of the real cards, the phished information shouldn’t have worked at any ATM in the world.
He dug some more and discovered the truth: His bank simply wasn’t checking the CVV codes on ATM withdrawals, nor on debit card purchases, where the consumer enters the PIN at the register. In fact, the bank couldn’t perform such a check consistently if it wanted to; the third-party processing network used by the bank didn’t even forward the secret code. The Italian phishers could program any random garbage into the CVV field, and the card would be accepted as the real thing.
The manager moved the bank to another processing network and reprogrammed his servers to verify the CVV. The mysterious withdrawals from Italy halted overnight.
But Commerce Bank was just the beginning. In 2004, nearly half America’s banks, S&Ls, and credit unions still weren’t bothering to verify the CVV on ATM and debit transactions, which is why America’s in-boxes were being flooded with phishing e-mails targeting PIN codes for what the carders called “cashable” banks.
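The blunder described above is a missing verification step at the issuer: the PIN was checked, the account number was known, and whatever sat in the CVV field of the stripe was accepted unread. The following is an added illustration, not code from the book or from any bank or processing network. It contrasts an authorizer that ignores the stripe CVV with one that recomputes and verifies it, and fails closed when the processor does not forward the field at all. The CVV derivation is a labelled stand-in (HMAC-SHA256 truncated to three digits); real issuers derive CVV1 with a DES-based scheme under a Card Verification Key held in an HSM, and the track 2 discretionary-data layout (PVKI, PVV, CVV) is assumed for the example. The card file, key and PAN are constructed.

```python
"""
Issuer-side authorization for card-present ATM / PIN-debit requests.
Added illustration, not code from the book or from any bank or processor.
The CVV derivation below is a stand-in (HMAC-SHA256 truncated to 3 digits);
real issuers use a DES-based scheme under a Card Verification Key, but the
decision logic at the authorizer is the same.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical issuer key, constructed for the example only.
CARD_VERIFICATION_KEY = b"example-cvk-not-a-real-key"

# Constructed issuer card file: PAN -> stripe fields the issuer personalised.
ISSUED_CARDS: Dict[str, Dict[str, str]] = {
    "4111111111111111": {"expiry": "2512", "service_code": "101"},
}


def compute_cvv(pan: str, expiry_yymm: str, service_code: str,
                key: bytes = CARD_VERIFICATION_KEY) -> str:
    """Stand-in CVV1 derivation over the fields that are written to the stripe."""
    msg = f"{pan}|{expiry_yymm}|{service_code}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


def make_track2(pan: str, expiry_yymm: str, service_code: str,
                pvki: str = "1", pvv: str = "1234") -> str:
    """Build ISO 7813 track 2 data as the issuer would encode it.
    Discretionary-data layout assumed here: PVKI(1) PVV(4) CVV(3)."""
    cvv = compute_cvv(pan, expiry_yymm, service_code)
    return f";{pan}={expiry_yymm}{service_code}{pvki}{pvv}{cvv}?"


def parse_track2(track2: str) -> Dict[str, str]:
    """Split track 2 into its fields; raises ValueError on malformed input."""
    body = track2.strip().lstrip(";").rstrip("?")
    if "=" not in body:
        raise ValueError("missing field separator")
    pan, rest = body.split("=", 1)
    if not (pan.isdigit() and rest.isdigit() and len(rest) >= 15):
        raise ValueError("malformed track 2 data")
    return {"pan": pan, "expiry": rest[0:4], "service_code": rest[4:7],
            "pvki": rest[7], "pvv": rest[8:12], "cvv": rest[12:15]}


@dataclass
class AuthRequest:
    pan: str
    track2: Optional[str]   # None when the processing network strips stripe data
    pin_ok: bool            # outcome of PIN (PVV) verification done upstream
    amount_cents: int


def authorize_without_cvv(req: AuthRequest) -> str:
    """The weak authorizer: a known PAN plus a correct PIN is enough, so a card
    encoded from phished PAN + PIN with any CVV value at all is approved."""
    if req.pan in ISSUED_CARDS and req.pin_ok:
        return "APPROVED"
    return "DECLINED"


def authorize_with_cvv(req: AuthRequest) -> str:
    """The hardened authorizer: fail closed unless the stripe CVV verifies."""
    if req.track2 is None:
        return "DECLINED_NO_TRACK"          # processor did not forward the field
    try:
        t = parse_track2(req.track2)
    except ValueError:
        return "DECLINED_BAD_TRACK"
    if t["pan"] not in ISSUED_CARDS or t["pan"] != req.pan or not req.pin_ok:
        return "DECLINED"
    expected = compute_cvv(t["pan"], t["expiry"], t["service_code"])
    if not hmac.compare_digest(expected, t["cvv"]):
        return "DECLINED_CVV_MISMATCH"      # stripe was not written by the issuer
    return "APPROVED"
```

The point of the `DECLINED_NO_TRACK` branch is the second half of the manager's discovery: when the processing network does not forward the CVV, the issuer cannot verify it, and the only safe choice is to refuse rather than silently approve.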
Citibank, the nation’s largest consumer bank by holdings, was the most high-profile victim. “This e-mail was sent by the Citibank server to verify your e-mail address,” read a message spammed from Russia in a September 2003 campaign. “You must complete this process by clicking on the link below and entering in the small window your Citibank ATM/Debit Card number and PIN that you use on ATM.”
A more artful message in 2004 capitalized on consumers’ well-founded fears of cybercrime. “Recently there have been a large number of identity theft attempts targeting Citibank customers,” read the spam, emblazoned with Citi’s iconography. “In order to safeguard your account, we require that you update your Citibank ATM/Debit card PIN.” Clicking on the link took customers to a perfect simulacrum of a Citibank site, hosted in China, where the victim would be prompted for the data.
Good for direct cash, PINs were the holy grail of carding. And it was CarderPlanet’s King Arthur who was most successful in the quest. King, as he was known to his friends, ran an international ring that specialized in hitting Citibank customers, and he was a legend in the carding world. One of King Arthur’s lieutenants, an American expat in England, once let it slip to a colleague that King was making $1 million a week from the global operation. And he was just one of many Eastern Europeans running cash-outs in America.
Max plugged himself into the Citibank cash-outs in his own way: He Trojaned an American mule named Tux, and started intercepting the PINs and account numbers the carder was getting from his supplier. After a while, he contacted the source—an anonymous Eastern European whom Max suspected of being King Arthur himself—and told him candidly what he’d done: Tux, he said, had been guilty of the crime of slipshod security. For good measure, Max claimed falsely that the mule had been ripping off the supplier.
The supplier cut off Tux on the spot and began providing Max with his PINs directly, anointing the hacker as his newest cash-out mule.
When the PINs first started rolling in, Max had passed them all to Chris, who tore into them with a vengeance. Chris would pull $2,000 in cash—the daily ATM withdrawal limit—and then send his girls out to make in-store debit purchases with the PINs until the account was drained dry. He was raping the cards. Max didn’t like it. The whole point of a cash-out was to get cash, not merchandise that sold for a fraction of its worth. With a little finesse, the PINs could be producing a lot more liquid.
Then it occurred to him he didn’t need his partner at all for this particular operation.
When he returned from UBuyWeRush with his very own MSR206, Max went into business for himself. He programmed a stack of Visa gift cards with the account data and wrote each card’s PIN on a sticky note affixed to the plastic. Then he’d get on his bicycle or take a long meandering walk through the city, visiting small, customer-owned cash machines at locations free of surveillance cameras.
He’d enter the PIN, then the withdrawal amount, and chump, chump, chump, chump, the ATM spat out cash like a slot machine. Max would pocket the money, write the new, lower account balance on the Post-it, then look around discreetly to make sure he hadn’t drawn any attention before drawing the next card from his deck. To keep his prints off the machines, he’d press the buttons through a piece of paper or with his fingernails, or coat the pads of his fingers with hydroxyquinoline—a clear, tacky antiseptic sold in drugstores as the liquid bandage New-Skin.
Max dutifully sent a fixed percentage of his take to Russia via Western Union MoneyGram, per his agreement with the supplier. He was an honest criminal now, doing straightforward business in the underground. And even after getting his own magstripe writer, Max continued to give some of his PINs to Chris, who continued tapping his crew to burn through the cards aggressively.
On the surface, Max’s ATM visits weren’t much of a Robin Hood operation, but Max took moral solace in the fact that the cash-outs always ended with the cards being canceled. That meant the fraudulent withdrawals were being discovered, and Citibank would be forced to reimburse its customers for the thefts.
After some months, Max built a nice nest egg from Citibank’s losses: He moved with Charity to a $6,000-a-month house rental in San Francisco’s Cole Valley and installed a safe for his profits: $250,000 in cash.
His earnings were just a tiny piece of the losses from the CVV gaffe. In May 2005, a Gartner analyst organized a survey of five thousand online consumers and, extrapolating the results, estimated that it had cost U.S. financial institutions $2.75 billion.
In just one year.
There was something fishy going on with Shadowcrew.
Max kept his presence on the Internet’s top crime site low-key; to him, Shadowcrew was just a hunting ground conveniently stocked with hackable carders. But in May 2004, a Shadowcrew administrator made an offer on the board that got Max’s attention. The admin, Cumbajohnny, was announcing a new VPN service just for Shadowcrew members.
A VPN—virtual private network—is typically used to provide telecommuters with access to their employer’s network from home. But a trustworthy underground VPN appealed to carders for another reason. It meant every byte of traffic from their computers could be encrypted—immune to sniffing by a nosy ISP or a law enforcement agency with a surveillance warrant. And any attempt to trace their activities would get no farther than Cumbajohnny’s own data center.
Cumbajohnny was a recent addition to Shadowcrew’s leadership—a former moderator who was growing in power and influence and changing the mood on the board. Some other admins were complaining about a new mean-spiritedness on the forum.
Banner ads appeared at the top of the site: “Stop talking. Do Business. Advertise here. Contact Cumbajohnny.” Shadowcrew was taking on the feel of the Las Vegas strip, with flashy ads promising a lifestyle of partying, beautiful women, and piles and piles of cash.
Gollumfun, an influential founder, had already publicly retired from the site when another founder named BlackOps announced he was leaving as well. “Shadowcrew has been reduced from its once lustrous form to a degrading environment of children who lack knowledge, the skills or desire to interact with other members in a positive way,” he wrote. “Gone are the well thought out tutorials; gone are the well-respected members; and gone is the civility. No longer do we help the newbies find their way, we simply flame them to death until they leave and then complain that there aren’t any new members.”
“BlackOps, you will be missed, thank you for your services,” Cumbajohnny wrote tactfully. “SC is changing, and for the best.”
Max paid little attention to the politics of the carding scene. But the VPN announcement made him uneasy. It turned out Cumbajohnny had been privately selling his VPN service to Shadowcrew’s leaders for three months. Now, Cumbajohnny wrote, any Shadowcrew member in good standing could buy the same peace of mind for $30 to $50 a month.
But VPNs have one well-known weakness: everything transpiring over the network has to be funneled through a central point, unencrypted and vulnerable to eavesdropping. “If the FBI, or whoever, really wanted to they could get into the datacenter and change some of the configs on the VPN box and start logging, and then you would be kinda screwed,” one member noted. “But that is just straight paranoia,” he conceded.
Cumbajohnny reassured him. “No one can touch the VPN without me knowing about it.”
Max wasn’t convinced. In his white-hat days, he’d written a program for the Honeynet Project called Privmsg—a PERL script that took the data from a packet sniffer and used it to reconstruct IRC chats. When an intruder was lured into cracking one of the project’s honeypots, the attacker would often use the system to hold online conversations with his fellow hackers. With Privmsg, the white hats could see the whole thing. It had been a strong innovation in hacker tracking, turning passive honeypots into digital wiretaps and opening a window into the underground’s culture and motives.
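The technique behind Privmsg is simple once the traffic is captured: group sniffed TCP payloads by flow, reassemble IRC lines that straddle packet boundaries, remember which nickname each connection registered, and keep only the PRIVMSG and NOTICE commands. The block below is an added reimplementation of that idea in Python for illustration; it is not the Honeynet Project’s Perl script and does not reproduce its code. The capture records (timestamps, endpoints and payloads of a honeypot talking to an IRC server) are constructed for the example, and the record format is an assumption standing in for whatever a packet sniffer would hand over.

```python
"""
Reconstruct IRC conversations from sniffed TCP payloads, in the spirit of the
Honeynet Project's Privmsg tool. Added example: the capture below is constructed,
and the (timestamp, src, dst, payload) record shape is an assumed stand-in for
a real sniffer's output.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

HONEYPOT = "10.0.0.7:40112"       # compromised honeypot host (constructed)
IRC_SERVER = "203.0.113.5:6667"   # IRC server the intruder connected to (constructed)

# Constructed capture. Note the PRIVMSG at t=2.0 is split across two packets.
CAPTURE: List[Tuple[float, str, str, bytes]] = [
    (1.0, HONEYPOT, IRC_SERVER, b"NICK r00t3r\r\nUSER x 0 * :x\r\n"),
    (1.2, IRC_SERVER, HONEYPOT, b":irc.example.net 001 r00t3r :Welcome\r\n"),
    (1.5, HONEYPOT, IRC_SERVER, b"JOIN #chan\r\n"),
    (2.0, HONEYPOT, IRC_SERVER, b"PRIVMSG #chan :hey, i'm on "),
    (2.1, HONEYPOT, IRC_SERVER, b"a new box\r\n"),
    (2.5, IRC_SERVER, HONEYPOT, b":dude!d@x.example PRIVMSG #chan :nice, which os?\r\n"),
    (3.0, IRC_SERVER, HONEYPOT, b"PING :irc.example.net\r\n"),
    (3.1, HONEYPOT, IRC_SERVER, b"PONG :irc.example.net\r\n"),
    (3.4, HONEYPOT, IRC_SERVER, b"PRIVMSG dude :linux, old kernel\r\n"),
    (4.0, IRC_SERVER, HONEYPOT, b":dude!d@x.example NOTICE r00t3r :ok\r\n"),
]

# Server-relayed lines carry a ":nick!user@host " or ":servername " prefix.
PREFIX_RE = re.compile(r"^:(?P<nick>[^!\s]+)(?:!\S+)?\s+")


@dataclass
class ChatLine:
    ts: float
    nick: str
    target: str
    text: str


def reassemble(records) -> List[Tuple[float, str, str]]:
    """Group payloads by (src, dst) flow and emit complete CRLF-terminated lines,
    carrying partial lines across packet boundaries. Returns (ts, src, line)."""
    buffers: Dict[Tuple[str, str], bytes] = defaultdict(bytes)
    lines: List[Tuple[float, str, str]] = []
    for ts, src, dst, payload in records:
        key = (src, dst)
        buffers[key] += payload
        while b"\r\n" in buffers[key]:
            line, _, buffers[key] = buffers[key].partition(b"\r\n")
            lines.append((ts, src, line.decode("utf-8", "replace")))
    return lines


def reconstruct_chat(records) -> List[ChatLine]:
    """Turn raw IRC lines into a chat transcript. Lines sent by a client have no
    prefix, so the sender is taken from the NICK that host registered earlier."""
    nick_by_host: Dict[str, str] = {}
    chat: List[ChatLine] = []
    for ts, src, line in reassemble(records):
        nick = None
        m = PREFIX_RE.match(line)
        if m:
            nick = m.group("nick")
            line = line[m.end():]
        parts = line.split(" ", 2)
        cmd = parts[0].upper()
        if cmd == "NICK" and len(parts) >= 2:
            nick_by_host[src] = parts[1].lstrip(":")
            continue
        if cmd in ("PRIVMSG", "NOTICE") and len(parts) == 3:
            text = parts[2][1:] if parts[2].startswith(":") else parts[2]
            chat.append(ChatLine(ts, nick or nick_by_host.get(src, "?"), parts[1], text))
    return chat


def render(chat: List[ChatLine]) -> List[str]:
    """Format the transcript the way an analyst would read it."""
    return [f"[{c.ts:6.1f}] <{c.nick}> -> {c.target}: {c.text}" for c in chat]


if __name__ == "__main__":
    for row in render(reconstruct_chat(CAPTURE)):
        print(row)
```

The reassembly step is what makes this more than a grep for "PRIVMSG": IRC lines are frequently split across segments, and a tool that parses packet by packet would drop or truncate exactly the messages an analyst most wants. Applied to the Shadowcrew VPN, the same logic works unchanged on traffic that has been decrypted at the central endpoint, which is the weakness the members were debating.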
Max could see the same wiretap tactic at play now in Cumbajohnny’s VPN offer. There was other evidence, too; while hacking random carders, he saw a message to a Shadowcrew administrative account that read like a federal agent giving orders to an informant. Max couldn’t shake the feeling that someone was turning Shadowcrew into the ultimate honeypot.
After talking it over with Chris, Max posted several messages to Shadowcrew summarizing his doubts.
The posts disappeared at once.
Max’s suspicions were right on the money.
The NYPD had nabbed Albert “Cumbajohnny” Gonzalez nine months earlier pulling cash out of a Chase ATM on New York’s Upper West Side. Originally from Miami, Gonzalez was twenty-one years old and the son of two Cuban immigrants. He was also a longtime hacker who’d been dedicated enough to trek to Vegas for the 2001 Def Con.
The Secret Service interviewed Gonzalez in custody and quickly ascertained his worth. The hacker was living in a $700-a-month garden apartment in Kearny, New Jersey, had $12,000 in credit card debt, and was officially unemployed. But as “Cumbajohnny,” he was a trusted confidant and colleague of carders around the world and, most importantly, a moderator at Shadowcrew.
He was in the belly of the beast, and properly handled, he might strike a deathblow against the forum.
The Secret Service took over the case and sprang Gonzalez to use him as an informant. The VPN was the agency’s masterstroke. The equipment was bought and paid for by the feds, and they’d obtained wiretap warrants for all the users. Cumbajohnny’s carder-only VPN service was an invitation to an Internet panopticon.
Shadowcrew’s biggest players were drawn inexorably into the Secret Service’s surveillance net. The tapped VPN laid bare all the wheeling and dealing the carders kept off the public website—the hard negotiating that unfolded mostly in e-mail and over IM.
There were deals every day and every night, with a weekly surge in trading Sunday evenings.
The transactions ranged from the petty to the gargantuan. On May 19, agents watched Scarface transfer 115,695 credit card numbers to another member; in July, APK moved a counterfeit UK passport; in August, Mintfloss sold a fake New York driver’s license, an Empire Blue Cross health insurance card, and a City University of New York student ID card to a member in need of a full identification portfolio. A few days later, another sale by Scarface, just two cards this time; then MALpadre bought nine. In September, Deck sold off eighteen million hacked e-mail accounts with user names, passwords, and dates of birth.