Despite Busts, Web Mobs Keep Growing

On Oct. 26, 2004, after a year-long investigation, the U.S. government brought down the Shadowcrew—a Web mob engaged in the booming business of auctioning off stolen and counterfeit credit cards and identification cards. While key members were engaged in simultaneous online chats arranged by an informant who had secretly penetrated the group, the Secret Service, the FBI and local police knocked on their doors and arrested them.

The Shadowcrew ran a worldwide online marketplace for 4,000 members, in which 1.5 million credit card numbers, 18 million e-mail accounts, and scores of identification documents—from passports to driver’s licenses to student IDs—were offered to the highest bidder, according to the Secret Service. Losses to banks and credit-card issuers were $4 million and climbing at the time of the arrests.

The Shadowcrew was just one of a number of organized cybercrime rings the government has pursued and shut down. The others had equally ominous names such as Carderplanet, Stealthdivision and Darkprofits. New alliances continued to pop up in 2005, however. In October, for example, three men were arrested in the Netherlands on suspicion of infecting 1.5 million computers with bots—robotic pieces of code that can be ordered to send spam and commit other mischief. And the practitioners of cybercrime are growing more skillful at avoiding law enforcement, according to Christopher Painter, deputy chief of the Computer Crime and Intellectual Property Section in the criminal division of the U.S. Department of Justice, whose office helped investigate the Shadowcrew.

These emerging cybercrime organizations are using new tools, engaging new partners—and creating new fears among businesses and consumers alike. Painter cites the rise of “botnets,” armies of robotic pieces of code like the ones used in the Netherlands that are for sale online and may be used by cybercriminals to attack companies’ networks as a way to extort money.

“Before, there were tech-savvy hackers in it for glory and less-competent fraudsters in it for money—those two have merged,” Painter told a meeting of the High Technology Crime Investigation Association in Monterey, Calif., in August. “They are sharing information and teaching tools of the trade. There are organized groups online, and it’s always international.”

Furthermore, fewer companies are reporting cybercrimes to law enforcement, mostly because they fear negative publicity, according to the 2005 Computer Security Institute/FBI survey, which cites a multi-year decline in such reports.

But such fear hampers law enforcement’s ability to solve these crimes, according to Painter. In the Shadowcrew case, victimized companies quietly cooperated with investigators, Painter says.

The case is now working its way through U.S. District Court in Newark, N.J. By early December, six of the 19 defendants—Rogerio Rodrigues, Wesley Lanning, Kim Taylor, Jeremy Zielinski, Jeremy Stephens and Omar Dhanani—had pleaded guilty to one count of conspiring to transfer stolen identification documents with intent to commit unlawful activity. A seventh, Andrew Mantovani, whom the Secret Service identified as one of the leaders of the Shadowcrew, pleaded guilty to that count and to an additional count of transferring 18 million e-mail accounts with unlawful intent.

In its indictment, the government describes the group as being organized into “administrators” who controlled the direction of the Shadowcrew, “moderators” who ran discussion forums, “reviewers” who evaluated the products to be auctioned on Shadowcrew’s site, “vendors” who sold products to other members of the group, and “general members” who mostly used the site to gather information on committing fraud.

Painter promises there will be more cases like the Shadowcrew. But he says law enforcement cannot successfully prosecute them without cooperation from private industry.

The twentysomethings who make up the bulk of these groups are technically savvy—and careful.

The Secret Service says the Shadowcrew used a number of methods to evade the law. They hid behind computer nicknames, or nics, such as BlackOps and Kingpin. They bounced their messages through more than one Web server, which made their communications harder to trace. As an added precaution, members also encrypted their electronic messages, scrambling the text so it couldn’t be read by spies, i.e., law-enforcement agencies.

One of the group’s defenses was the use of “proxy” servers to make their online activities hard to trace. A proxy sits between a client and the server it is talking to, and relays the client’s requests on its behalf. When someone accesses a Web site through a proxy server, the site records the Internet protocol (IP) address of the proxy, not the IP address of the computer that initiated the original Web request. This hides the IP address of the computer making the request from the site, although whoever operates the proxy can still see, and log, both ends of the connection.

The use of proxies was often augmented by “anonymizers,” according to court documents. One type is a virtual private network that lets many computers connect to it at the same time. Their traffic all leaves the VPN from one shared IP address, so if a person tries to trace a page request, he finds the IP address of the VPN’s exit point, not that of the computer that initiated the session.

“They had this comfort level,” says Secret Service Special Agent Larry Johnson, “thinking ‘nobody would catch us.'”

But the Secret Service, which tracked the group for a year, had a couple of aces in the hole as it began to dig in 2003. One was its ability to override the VPN defense. Another was an inside source who fed information to the agency. The informant, who was highly placed in the organization and ran one of the group’s servers, helped the agency set up and run its undercover operation.

The Secret Service operated the VPN that many of the Shadowcrew defendants used. The agency filtered traffic through software that could “trap and trace” its contents—basically capturing a message and stripping out and recording the sender’s IP address. Then, using the public Whois databases of the regional Internet registries, which record the organization to which each block of IP addresses has been allocated, investigators could map those addresses back to the Internet service provider that owned and assigned them. The provider would then be served with a subpoena requiring it to disclose customer records and billing addresses.

Another ace was a reported Title III wiretap, which the Secret Service had to get approved by a Federal judge to record electronic messages between Shadowcrew members.

But the biggest break was the informant, whom the Secret Service won’t identify. “They can get to you fairly easily,” says Johnson about the Web mobs.

Prevention and Defense

The electronic infrastructure that could help catch Web mobsters does not yet exist, say technology experts such as David Jevans, chairman of the Anti-Phishing Working Group.

But many of today’s computer security problems aren’t really new—just trickier, nastier and more pervasive. Here are some of the more serious threats, along with countermeasures to protect yourself from participating, unwittingly, in the activities of a Web mob.

PROBLEM: Forged or “spoofed” e-mail is circulating with sender addresses in your Internet domain, even though the messages never came from your servers.

RESOLUTION: Monitor bounce-backs to your e-mail servers—messages returned to you with subject lines such as “Mail delivery failed: returning message to sender” because your domain was used as the forged sender, says Johannes Ullrich of the SANS Internet Storm Center. Inspect them for clues to where the e-mail actually originated, such as the routing data (the Received lines) in the header of the original message that the bounce carries.
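The following script is an added example, not code from the article or from SANS: it takes a delivery-failure report, digs out the original message the remote server attached, and reads its Received lines from the bottom up, since each relay prepends its own line and the lowest one is the hop closest to the real sender. The relay hostnames, the sample bounce and the IP addresses are constructed for illustration.

```python
"""Added example: pull the Received chain out of a backscatter bounce.

When a spammer forges your domain, remote mail servers send their
delivery-failure reports (DSNs) to you. The DSN usually carries the
original message, whose Received headers were written by the remote
site's relays and point back toward the real sender.
"""
import re
from email import message_from_string, policy

# Assumption (hypothetical): hostnames of the mail relays we operate.
OUR_RELAYS = {"mx1.example.com", "smtp.example.com"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"             # name the sender announced in HELO/EHLO
    r"(?:\s+\((?P<comment>[^)]*)\))?"   # optional "(reverse-dns [ip])" comment
    r"\s+by\s+(?P<by>\S+)"              # relay that wrote this header
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def embedded_original(bounce):
    """Return the original message carried inside a DSN, or None."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return message_from_string(part.get_content(), policy=policy.default)
    return None


def received_chain(msg):
    """Parse Received headers into hops ordered earliest -> latest.

    Each relay prepends its own Received line, so the header at the
    bottom of the message is the hop closest to the sender.
    """
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(" ".join(str(hdr).split()))
        if not m:
            continue
        ip = IP_RE.search(m.group("comment") or "")
        hops.append({"helo": m.group("helo"),
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by")})
    return hops


def analyse_bounce(raw_bounce):
    """Report the claimed origin IP and whether the mail ever touched us."""
    bounce = message_from_string(raw_bounce, policy=policy.default)
    original = embedded_original(bounce)
    if original is None:
        return {"origin_ip": None, "forged": None, "hops": []}
    hops = received_chain(original)
    # If none of our relays appears as the 'by' host, the mail never passed
    # through our infrastructure: the sender address was simply forged.
    # If one does, suspect a compromised account or an open relay instead.
    touched_us = any(h["by"] in OUR_RELAYS for h in hops)
    return {
        # Caveat: a sender can forge Received lines below the first one
        # written by a relay the recipient trusts, so treat this as a lead.
        "origin_ip": hops[0]["ip"] if hops else None,
        "forged": not touched_us,
        "hops": hops,
    }


# Constructed sample DSN (not a real message). The HELO name is forged.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@other-bank.example
To: alerts@example.com
Subject: Mail delivery failed: returning message to sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The following address failed: nobody@other-bank.example

--B1
Content-Type: message/rfc822

Received: from mx.other-bank.example (mx.other-bank.example [198.51.100.7])
    by inbox.other-bank.example with ESMTP; Mon, 5 Dec 2005 10:02:11 -0500
Received: from smtp.example.com (dsl-45-22.isp.example [203.0.113.45])
    by mx.other-bank.example with SMTP; Mon, 5 Dec 2005 10:02:09 -0500
From: "Security Dept" <alerts@example.com>
To: nobody@other-bank.example
Subject: Verify your account

Click here to confirm your details.
--B1--
"""

if __name__ == "__main__":
    print(analyse_bounce(SAMPLE_BOUNCE))
```

In the sample the spammer announced our own hostname in HELO, but the remote relay recorded the connecting address as 203.0.113.45, and none of our relays appears in the chain, so the report is backscatter from a forgery rather than evidence of a compromised account.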

PROBLEM: A Web site masquerades as a legitimate one—yours.

RESOLUTION: Identify fake sites and alert your customers. Log the “referrer” header (spelled Referer in HTTP), part of the data a browser sends automatically to your Web server, whenever a user clicks through or is forwarded to your site from an unknown site.

Once you discover a criminal site, you can display a warning to consumers who are referred from that address.
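The script below is an added example, not code from the article: it reads Web server log lines in the common “combined” format, tallies requests arriving from referring hosts that are not on an allowlist, and records which pages they send visitors to; a second function makes the warning-page decision for a referring site once it has been confirmed as criminal. The allowlist, the flagged site and the log lines are constructed for illustration.

```python
"""Added example: spot phishing sites from the Referer header in Web logs.

A phishing page that links or redirects its victims to your real site
leaves its own address in the Referer header of those requests.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption (hypothetical): referrers we expect to see and need not review.
KNOWN_REFERRERS = {"example-bank.com", "www.google.com"}
# Assumption (hypothetical): sites already confirmed as phishing.
FLAGGED_SITES = {"secure-login-examplebank.example"}


def referer_host(referer):
    """Hostname from a Referer value, or None when the browser sent none."""
    if referer in ("", "-"):
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def is_known(host, known=KNOWN_REFERRERS):
    """True for a known domain or any of its subdomains."""
    return any(host == k or host.endswith("." + k) for k in known)


def unknown_referrers(log_lines, known=KNOWN_REFERRERS):
    """Count requests per unknown referring host and record the pages they hit."""
    hits = Counter()
    targets = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        host = referer_host(m.group("referer"))
        if host is None or is_known(host, known):
            continue
        hits[host] += 1
        targets[host].add(m.group("path"))
    # Unknown hosts sending traffic straight to the login page deserve a look first.
    return [{"host": h, "hits": n, "targets": sorted(targets[h])}
            for h, n in hits.most_common()]


def warn_for_request(referer, flagged=FLAGGED_SITES):
    """Once a site is confirmed as criminal, decide whether to show the warning page."""
    host = referer_host(referer)
    return host is not None and host in flagged


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.4 - - [05/Dec/2005:10:01:02 -0500] "GET /login HTTP/1.1" 200 1523 '
    '"http://secure-login-examplebank.example/verify.php" "Mozilla/4.0"',
    '198.51.100.9 - - [05/Dec/2005:10:01:09 -0500] "GET /login HTTP/1.1" 200 1523 '
    '"http://secure-login-examplebank.example/verify.php" "Mozilla/4.0"',
    '203.0.113.7 - - [05/Dec/2005:10:01:15 -0500] "GET /rates HTTP/1.1" 200 8810 '
    '"http://www.google.com/search?q=example+bank" "Mozilla/5.0"',
    '203.0.113.8 - - [05/Dec/2005:10:01:20 -0500] "GET /login HTTP/1.1" 200 1523 '
    '"https://online.example-bank.com/home" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Dec/2005:10:01:30 -0500] "GET /login HTTP/1.1" 200 1523 '
    '"-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in unknown_referrers(SAMPLE_LOG):
        print(entry)
```

The Referer header is supplied by the visitor’s browser: it is absent when a user types the address or follows a bookmark, and a phishing page can suppress it, so this catches the sites that link or redirect to you carelessly and should be treated as one signal, not the only one.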

PROBLEM: User names and reusable passwords are your only defense.

RESOLUTION: Consider alternatives to reusable passwords. The federal government, for example, wants banks to require two forms of identification (two-factor authentication) for online transactions by the end of 2006. Alternatives include one-time passwords, hardware security tokens and digital certificates.
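As an added example of the one-time password approach (this is not code from the article or from any vendor), here is the event-based HOTP algorithm of RFC 4226, which is what a button-press hardware token computes, together with the server-side check that accepts each code only once. The look-ahead window size is an assumption chosen for illustration; the secret is the RFC’s published test-vector key.

```python
"""Added example: event-based one-time passwords (HOTP, RFC 4226).

A hardware token and the server share a secret and a counter; each press
of the token's button produces a code for the next counter value. A code
is only good once, so a phished or keylogged code is useless afterwards.
"""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """HOTP value for one counter: HMAC-SHA1, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return f"{code % (10 ** digits):0{digits}d}"


class HotpVerifier:
    """Server-side state for one token.

    Assumption (hypothetical parameter): a look-ahead window of 5 lets a
    user who pressed the button a few times without logging in stay in
    sync; it is kept small because every extra slot gives a guesser one
    more code that would be accepted.
    """

    def __init__(self, secret, counter=0, window=5, digits=6):
        self.secret = secret
        self.counter = counter      # next counter value we expect
        self.window = window
        self.digits = digits

    def verify(self, code):
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                # Advance past the accepted value so the same code cannot be replayed.
                self.counter = c + 1
                return True
        return False


# Secret from the RFC 4226 test vectors (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    token = HotpVerifier(TEST_SECRET)
    first = hotp(TEST_SECRET, 0)
    print(first, token.verify(first), token.verify(first))  # 755224 True False
```

Two points matter in practice: the comparison is constant-time so a timing difference does not leak which digits matched, and the counter moves forward past any accepted value, so a code that was phished during a legitimate login cannot be submitted a second time.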

PROBLEM: Your servers and computers are turned into bots, controlled remotely to send spam, generate automated page requests that flood sites, or participate in other Internet attacks.

RESOLUTION: Keep your antivirus and intrusion detection systems in top shape. Stay current on patches to your operating systems and applications. Set your firewall to block outbound Internet Relay Chat (IRC) connections, which attackers frequently use to communicate with their bots, and bear in mind that a bot can be told to use a port other than the standard IRC ports, so look for IRC traffic wherever it appears rather than relying on port numbers alone.

Also consider a “defense in depth” strategy that requires each computer on a network to have its own protection as well.
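The script below is an added example, not code from the article: it runs over connection records from internal hosts and flags each host that either connects to a standard IRC port or, whatever the port, sends the commands an IRC client issues when it registers and joins a channel. The log format, the internal address range and the sample records are constructed for illustration; the second host in the sample is the case a port-only firewall rule would miss.

```python
"""Added example: find bot command-and-control traffic in connection logs.

Blocking the standard IRC ports at the firewall stops the easy cases;
this script also looks at a client line each internal host sent on a
connection, so a bot told to use port 8080 is still caught.
"""
import re
from collections import defaultdict

IRC_PORTS = set(range(6660, 6670)) | {7000}
# IRC registration/channel commands a bot sends right after connecting.
IRC_CMD_RE = re.compile(r"^(?:PASS|NICK|USER|JOIN|PRIVMSG)\s", re.IGNORECASE)

# Constructed log format (assumption):
# "<time> <src>:<sport> -> <dst>:<dport> <client line, or - if none was seen>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<payload>.*)$"
)


def is_internal(ip):
    """Assumption (hypothetical): our internal network is 10.0.0.0/8."""
    return ip.startswith("10.")


def reasons_for(record):
    """Why one outbound connection looks like IRC; empty set if it does not."""
    reasons = set()
    if int(record["dport"]) in IRC_PORTS:
        reasons.add("irc-port")
    if record["payload"] != "-" and IRC_CMD_RE.match(record["payload"]):
        reasons.add("irc-protocol")
    return reasons


def find_bot_candidates(lines):
    """Map each internal host to the evidence that it is talking to an IRC server."""
    evidence = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_internal(m.group("src")):
            continue
        evidence[m.group("src")] |= reasons_for(m.groupdict())
    return {host: r for host, r in evidence.items() if r}


def confidence(reasons):
    """Protocol evidence beats a port match: little legitimate business software speaks IRC."""
    return "high" if "irc-protocol" in reasons else "low"


# Constructed sample records (not real traffic).
SAMPLE_LOG = [
    "2005-12-05T10:00:01 10.0.0.12:40121 -> 198.51.100.20:6667 NICK [USA|XP]-3921",
    "2005-12-05T10:00:02 10.0.0.12:40121 -> 198.51.100.20:6667 USER botx 0 * :botx",
    "2005-12-05T10:00:05 10.0.0.30:51000 -> 203.0.113.9:8080 NICK spare-1102",
    "2005-12-05T10:00:07 10.0.0.30:51000 -> 203.0.113.9:8080 JOIN #upd8 pass123",
    "2005-12-05T10:00:09 10.0.0.44:33001 -> 192.0.2.80:80 GET / HTTP/1.1",
    "2005-12-05T10:00:11 10.0.0.44:33002 -> 192.0.2.25:6667 -",
    "2005-12-05T10:00:12 198.51.100.20:6667 -> 10.0.0.12:40121 :irc.example NOTICE AUTH :*** Looking up your hostname",
]

if __name__ == "__main__":
    for host, reasons in sorted(find_bot_candidates(SAMPLE_LOG).items()):
        print(host, confidence(reasons), sorted(reasons))
```

A host flagged only by port number may be a user running a real IRC client and warrants a policy conversation; a host that speaks the IRC protocol to an arbitrary port with a machine-generated nickname is the one to pull off the network and image.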

—David F. Carr