Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground (12 page)

When it was introduced by Visa in 1992,
the CVV began driving down fraud costs immediately, from nearly .18 percent of Visa transactions that year to around .15 percent a year later. In the 2000s, the innovation proved a strong bulwark against phishing attacks, in which a spammer spews thousands of falsified e-mails aimed at luring consumers into entering their credit card numbers into a fake bank website. Without the CVV on the magnetic stripe—which consumers didn’t know, and thus couldn’t reveal—those stolen numbers were useless at real-world cash registers. Nobody could walk into a Vegas casino, slap down a card derived from a phishing attack, and get a pile of black chips to carry to the roulette table.

MasterCard followed Visa’s lead with its own Card Security Code, or CSC. Then in 1998, Visa introduced the CVV2, a different secret code printed on the backs of cards for consumers to use exclusively over the phone or the Web. That further reduced crime losses and completed the Chinese wall between fraud on the Internet and in real life: Accounts stolen from e-commerce sites or in phishing attacks could only be used online or over the phone, while magstripe data could be used in-store but not on the Web, because it didn’t include the printed CVV2.

By 2002, the security measure had turned raw magstripe data into one of the underground’s most valuable commodities and pushed the point of compromise closer to the consumer.

Hackers began breaching transaction-processing systems for the data, but the most straightforward way for ordinary crooks to steal the information was to recruit a cash-hungry restaurant employee and equip him with a pocket-sized “skimmer,” a magstripe reader with built-in memory. As small as a cigarette lighter and readily concealed in the apron pocket of a fast-food worker or the suit jacket of an upscale maître d’, a skimmer can hold hundreds of cards in its memory for later retrieval through a USB port. A server needs only a second of privacy to swipe a customer’s card through the device.

In the late 1990s, thieves began fanning out in big cities across the United States, eyeing waiters, waitresses, and drive-through attendants who might be interested in a little extra cash, typically $10 a swipe. Though it was riskier, gas station managers and retail workers could get in on the action as well by installing tiny skimming circuit boards in pay-at-the-pump readers and point-of-sale terminals. Some of the data would be exploited locally, but much of it was sent to Eastern Europe, where the swipes were sold over the Internet ten, twenty, a hundred, or even thousands at a time.

The carders call these “dumps”; each contained just two lines of text, one for each track on a credit card’s three-inch-long magstripe.

A dump was worth about $20 for a standard card, $50 for a gold card, and $80 to $100 for a high-limit corporate card.

Chris decided to try some carding himself. He determined that Script, the godfather of CarderPlanet, was the most reliable source of dumps in the world. He paid the Ukrainian $800 for a set of twenty Visa Classic
numbers and elsewhere parted with around $500 for an MSR206, the underground’s favorite magnetic stripe encoder.

Once the shoebox-sized MSR206 was plugged into his computer and the right software installed, he could take an anonymous Visa gift card, or one of his own credit cards, and encode it in two quick swipes with one of Script’s dumps.

With the reprogrammed card burning a hole in his pocket, Chris browsed his local Blockbuster and some retailers to scope out the opportunities. Simple magstripe fraud might be cheap and easy, but it had severe limitations. Through observation, Chris quickly determined that shopping for consumer electronics or expensive clothes would be tough: To guard against what Chris was contemplating, many high-end stores require the checkout clerk to physically type the last four digits from the face of the credit card; the point-of-sale terminal rejects the card, or worse, if the digits don’t match what’s on the stripe. A reprogrammed card was only good at spots where employees never get to lay their hands on the plastic, like gas stations or drugstores.

Chris made his move at a local supermarket. He loaded his cart indiscriminately and checked out, sliding his plastic through the point-of-sale terminal. After a moment, the word “Approved” flickered across the display, and somewhere in America a random consumer was charged for $400 in groceries.

Chris delivered his ill-gotten groceries to an Orange County couple in worse financial shape than himself and then took the husband—a contractor who’d recently had his tools stolen—to a local Walmart to purchase new construction gear. Word spread that Chris had credit cards, and he began doling out his reprogrammed plastic to a few friends, who were always thoughtful enough to make small purchases for Chris as a thank-you.

He could see the outlines of a business plan in his circulating plastic. Drop everything else, he told Max. The real money is in dumps.

ax broached his plan obliquely with Charity over the rare indulgence of a sushi dinner. “Which institutions would you say deserve to be punished the most?” he asked.

He had the answer ready: the moneylenders. The greedy banks and credit card companies who saddle consumers with $400 billion in debt each year while charging usurious interest and hooking kids on plastic before they’ve graduated college. And because consumers were never held directly liable for fraudulent charges—by law they could only be billed for the first $50, and most banks waived even that—credit card fraud was a victimless crime, costing only these soulless institutions money.

Credit wasn’t real, Max reasoned, just an abstract concept; he would be stealing numbers in a system, not dollars in someone’s pocket. The financial institutions would be left holding the bag, and they deserved it.

Charity had learned to accept the bitterness Max brought back from prison: Living with him meant never again watching a crime drama on TV, because any depiction of the police as good guys set Max fuming. She wasn’t entirely sure what Max had in mind now, and she didn’t want to know. But one thing was clear. Max had decided he was going to be Robin Hood.

•  •  •

Max knew exactly where to get the magstripe data Chris wanted. There were thousands of potential sources sitting in plain sight, right on CarderPlanet and Shadowcrew. The carders themselves would be his prey.

Most of them weren’t hackers, they were just crooks; they knew a bit about fraud but little about computer security. They certainly wouldn’t be much harder to hack than the Pentagon. It was also a morally palatable proposition: He would be stealing credit card numbers that had already been stolen—a criminal was going to use them, so it might as well be Chris Aragon, his criminal.

He started by choosing his weapon, picking out the slick Bifrost Trojan horse program already circulating online and customizing it to evade antivirus detection. To test the results, he used the computer emulation software VMware to run a dozen different virtual Windows boxes on his computer at once, each loaded with a different flavor of security software.

When the malware went undetected on all, he moved to the next step: harvesting a list of carders’ ICQ numbers and e-mail addresses from public forum posts, collecting thousands of them into a database. Then, posing as a well-known dumps vendor named Hummer911, he fired off a message to the entire list. The note announced that Hummer911 had acquired more American Express dumps than he could use or sell, so he was giving some away. Click here, Max wrote, to get your free Amex.

When a carder clicked on the link, he found himself looking at a list of fake Amex dumps Max had generated, while invisible code on the Web page exploited a new Internet Explorer vulnerability.

The exploit took advantage of the fact that
Internet Explorer can process more than just Web pages. In 1999, Microsoft added support for a new type of file called an HTML Application—a file written in the same markup and scripting languages used by websites but permitted to do things on a user’s computer that a website would never be allowed to do, like creating or deleting files at will and executing arbitrary commands. The idea was to let developers already accustomed to programming for the Web use the same skills to craft fully functional desktop applications.

Internet Explorer recognizes that HTML Applications can be deadly and won’t execute them from the Web, only from the user’s hard drive. In theory.

In practice, Microsoft had left a hole in the way the browser screened content embedded on a Web page. Many Web pages contain OBJECT tags, which are simple instructions that tell the browser to grab something from another Web address—typically a movie or music file—and include it as part of the page. But it turned out you could also load an HTML Application through the OBJECT tag and get it to execute. You just had to disguise it a little.

While Max’s victims salivated over the bogus American Express dumps, an unseen OBJECT tag instructed their browsers to pull in a malicious HTML Application that Max had coded for the occasion. Crucially, Max had given the file a name ending in “.txt”—a superficial indication that it was an ordinary text file. Internet Explorer saw that file name and decided it was safe to run.

Once the browser started downloading the file, however, Max’s server transmitted a content type indicator of “application/hta”—identifying it now as an HTML Application. Essentially, Max’s server changed its story, presenting the file as a harmless document for the browser’s security check, then correctly identifying it as an HTML Application when it came time for the browser to decide how to interpret the file.

Having judged the file safe based on the name, Internet Explorer didn’t reevaluate that conclusion once it learned the truth. It just ran Max’s code as an HTML Application instead of a Web page.

Max’s HTML Application was a tight Visual Basic script that wrote out and executed a small grappling-hook program on the user’s machine. Max named the grappling hook “hope.exe.” Hope was Charity’s middle name.

The grappling hook, in turn, downloaded and installed his modified Bifrost Trojan horse. And just like that, Max was in control.

•  •  •

The carders converged like hungry piranhas on his poisoned page: Hundreds of their machines reported back to Max for duty. Excited, he began poking around the criminals’ hard drives at random. He was surprised by how small-time it all looked. Most of his victims were buying small batches of dumps, ten or twenty at a time—even less. But there were lots of carders, and there was nothing to keep him from returning to their machines over and over again. In the end, the Free Amex attack would score him about ten thousand dumps.

He siphoned the dumps to Chris as he found them and vacuumed other useful data from his victims: details on their scams, stolen identity information, passwords, mailing lists used in phishing schemes, some real names, photos, and e-mail and ICQ addresses of their friends—useful for future attacks on the underground.

With a single well-constructed ruse, he was now invisibly embedded in the carders’ ecosystem. This was the start of something big. He’d be a stick-up man among the carders, living off whatever he could skim from their illegal economy. His victims couldn’t call the cops, and with his anonymous Internet connection and other precautions, he’d be immune to reprisal.

It wasn’t long, though, before Max discovered that not all of the carders were what they seemed to be.

The victim was in Santa Ana. When Max strolled into the computer through his back door and began poking around, he saw at once that something was very wrong.

The computer was running a program called Camtasia that keeps a video record of everything crossing the computer’s screen—not the kind of information a criminal normally wants to archive. Max foraged through the hard drive, and his suspicions were confirmed:
The disk was packed with FBI reports.

Chris was shaken by the discovery of an FBI cybercrime agent in his
own backyard, but Max was intrigued—the agent’s hard drive offered potentially useful insight into the bureau’s methods. They talked about what to do next. Some of the files indicated the agent had an informant who was providing information on Script, the CarderPlanet leader who sold Chris his first dumps. Should they warn Script that there was an informant in his circle?

They decided to do nothing; if he were ever busted, Max figured, he might be able to play this as a trump card. If it got out that he’d accidentally hacked an FBI agent, it could embarrass the bureau, maybe even cost them some convictions.

He returned to his work hacking the carders. But he knew now that he wasn’t the only outsider worming into the crime forums.

alm trees rose at the entrance of Villa Siena, a sprawling gated community in Irvine, half a mile from John Wayne Airport. Beyond the front gate, European-inspired fountains bubbled in the manicured courtyards, and four swimming pools sparkled blue beneath the sunny Southern California sky. Residents were enjoying the clubhouse, relaxing in the spas, getting in a workout at one of the three fitness rooms, or perhaps visiting the full-time concierge to make plans for the evening.