ZIFFPAGE TITLEGeekfather, or College Student

By Deborah Gage Print this article Print

Crime is now organized on the Internet. Operating in the anonymity of cyberspace, the Shadowcrew and Web mobs like it threaten the trust companies have spent years trying to build with customers, online.

? contd.">

Geekfather, or College Student? contd

Once a vendor came into possession of stolen goods such as credit card numbers or identity papers, the merchandise had to be vetted by a reviewer.

If the goods were in electronic formats, the vendor could just send the product in a file to an inspector such as Monchamp or Palacio. If the goods were actual plastic cards or paper documents, they had to be moved along through drop boxes at retail outlets such as a UPS or Kinko's store.

Naturally, mailboxes were rented out to individuals using false names, according to the complaint. Crew members also changed the location of drop boxes regularly to avoid detection.

Once in a reviewer's hands, the goods were scrutinized thoroughly. One procedure was the "dump check," in which reviewers would hack into a retailer's cash register system. Frazzini, the former Secret Service agent, says hackers can enter through back doors used by technical support personnel to maintain or repair the system remotely.

Once in, the reviewer could test a group of cards by entering nominal amounts, a dollar or two, against a few of the accounts to see if the charges were approved or declined. If the charges were accepted, says Christie, the reviewer would know that the "dump" of numbers was good.

The reviewer would then write up and post detailed descriptions of the merchandise. For a driver's license or bank card, the quality of the photos, the hologram, the printing of names and numbers, the color scheme and the card thickness would be described, almost like a used book on Amazon might be described by its seller.

The comments might be: "'This is the best I've ever seen' or 'This is a really good driver's license for people who are not looking too closely,'" Christie says. "That level of detail."

Once certified by a reviewer, goods would be put up for sale. Transactions usually involved just a handful of numbers at a time. But, on occasion, illicit goods got shipped in bulk.

In May 2004, one Shadowcrew member moved 110,000 stolen credit card numbers, according to the indictment. And the value of each bank customer's credit card number? Not much. Special Agent Johnson says credit cards with $10,000 limits could sell for anywhere from $1 to $10 or more.

Personal information is just as easily and cheaply trafficked. On Sept. 27, 2004, Mantovani allegedly "transferred" approximately 18 million e-mail addresses along with associated user names, passwords, dates of birth and other personal information.

The selling price of each e-mail address and related information might be a few cents each, according to Mark Rasch, a senior vice president of security consultancy Solutionary and a former attorney in the Department of Justice's Export/Espionage and Fraud sectors.

Credit cards, e-mails and other items were posted with prices on the Shadowcrew Web site. But vendors also had the option to sell their wares through an auction forum that worked "much like eBay," according to Christie.

Listings, such as "three counterfeit Arizona driver's licenses" or "1,000 stolen Visa credit card numbers," were posted to the forum, he says. The auction would open and a time would be given for when the last bid would be taken. Potential buyers came to the auction forum and progressively bid until that auction closed, with the item going to the highest bidder.

Once a "buy" went down, according to court documents, a member would send payment using Western Union money transfers or electronic currency, such as e-Gold, to the seller. And, of course, the member might as well use a stolen card number to pay for the transfer, Christie points out. At e-Gold, they could even purchase gold bullion and transfer the bullion to other e-Gold account holders.

The goal was to avoid holding on to cash. "You don't want to keep a lot of it around," Frazzini says, because U.S. banks keep detailed records.

This article was originally published on 2005-03-07
Senior Writer
Based in Silicon Valley, Debbie was a founding member of Ziff Davis Media's Sm@rt Partner, where she developed investigative projects and wrote a column on start-ups. She has covered the high-tech industry since 1994 and has also worked for Minnesota Public Radio, covering state politics. She has written freelance op-ed pieces on public education for the San Jose Mercury News, and has also won several national awards for her work co-producing a documentary. She has a B.A. from Minnesota State University.

eWeek eWeek

Have the latest technology news and resources emailed to you everyday.