Editor's note: This article first appeared on www.PoliceLedIntelligence.com.
Two significant cybercrime stories are making the rounds: the roll-up of an international sting against carders (see below) and details of a well-coordinated cyber operation targeting corporate bank accounts. There’s plenty of analysis out there on each of these stories so we’re going to give you some overview, some links to resources to get smart on each, and some broader analysis of how this relates to what we’ve been discussing related to cybercrime and enforcement.
DOJ Sting Operation: CarderProfit.cc
Yesterday the Department of Justice announced the arrest of 24 people in 13 countries–including 13 in the U.S.–for theft and wholesale of 411,000 compromised credit and debit cards.
The feds also notified 47 organizations, including private companies, government agencies and educational institutions, of breaches.
For excellent coverage and analysis of the arrests and the program, see Brian Krebs’ reporting. You can also read the complaints themselves on the DOJ website (scroll down and you’ll see them, starting with U.S. vs. Peter Ketchum).
That arrests took place in the UK, Germany, Italy, Japan, Bosnia, Bulgaria and Norway indicates a raised level of coordination and cooperation between international law enforcement agencies dedicated to attacking this kind of crime. That it took two years to build the cases indicates that we still have so far to go, but that’s par for the course, isn’t it?
This isn't by any means related only to cyber; in an interview with Paddy Ryder of the Nassau County Police Department for an upcoming Law Officer article Dave and I are writing, Paddy told us about something similar with respect to something as old-fashioned as running a heroin wire.
The feds want to keep building charges and charges and charges to ensure that the ultimate case is totally foolproof. Meantime, related crimes (committed by those involved with the wire, whether it’s related directly to the activity under monitor or not) continue.
In the CarderProfit case, the feds trumpet (and let’s accept at face value, for argument’s sake) that they informed networks of breaches and prevented $205 million in losses, but one must wonder how much fraudulent activity they didn’t prevent in the name of protecting the case.
Ryder, commenting on a generic heroin wire:
“Take down the heroin wire with 80 buyers and it may save you the 300 crimes they will commit to support their habit,” he begins, in a Long Island accent right out of Central Casting. “You got junkies out there, doing larcenies, domestics, assaults, overdoses, DWIs where he’s running the wrong way on the parkway endangering lives – take them down quick, and all those numbers get reduced. Sure, we’ll chase the Kilo Fairy, that one crime number. It’s a bad crime.
“But it’s one crime.”
In this case, though, the FBI was doing what apparently is an outstanding job of luring criminals to participate in a new carder forum. Starting in June 2010, the FBI established CarderProfit, where criminals interested in buying and selling stolen credit and debit cards could meet and discuss and transact business.
These “carder forums” are relatively common, and the FBI had the prescience to require that members vouch for new members to cut down on the riff-raff and ensure that new members were good LE targets. It also allowed the FBI to harvest identifying information–from IP addresses to environmentals–on those participating in the site.
From the FBI press release:
"Since individuals engaged in these unlawful activities on one of many other carding websites on the Internet, the FBI established the UC Site in an effort to identify these cybercriminals, investigate their crimes, and prevent harm to innocent victims. The UC Site was configured to allow the FBI to monitor and to record the discussion threads posted to the site, as well as private messages sent through the site between registered users. The UC Site also allowed the FBI to record the Internet protocol (“IP”) addresses of users’ computers when they accessed the site. The IP address is the unique number that identifies a computer on the Internet and allows information to be routed properly between computers."
Once again, we see the nonsense about IP addresses ruling the roost in LE. I digress and add that the release by the FBI is an outstanding example of realistic definitions, non-hyperbole-based reporting and an all-around great example of how LE agencies should write one of those things. Hats off to whoever wrote it.
Operation High Roller
While the FBI was running this (and likely other) sting, criminals around Europe, and then the rest of the world, were running (and continue to run) operations of their own, targeting the rich recesses of corporate bank accounts.
Using malware designed to capture keystrokes and other information from infected computers, the gangs then make transfers and initiate payments from corporate coffers to a variety of destinations.
The monies are then aggregated and moved using a range of techniques, including money mules (sometimes unsuspecting dupes), to commingle and launder ill-gotten gains.
Having worked incidents at corporations in which this very thing has happened, I can state that theft from corporate bank accounts is a frequent and diabolically difficult-to-spot occurrence.
We note the participation of the transaction anomaly detection firm Guardian Analytics in the paper released by Guardian Analytics and McAfee describing the activity, and would be willing to bet dollars to donuts that it was GA which first spotted the weirdness.
From the report:
"So far, we estimate the criminals have attempted at least €60 million (US$78 million) in fraudulent transfers from accounts at 60 or more financial institutions (FIs). If all of the attempted fraud campaigns were as successful as the Netherlands example we describe in this report, the total attempted fraud could be as high as €2 billion."
In any event, some of the numbers they’re dealing with (in the chart below it’s Germany only) are pretty impressive – considering that today, the Euro is worth $1.25:

Measure (Germany only)              | Amount
------------------------------------|-----------------------
Sum of compromised account balances | €8,339,981 [$10.4m]
Sum of transactions initiated to mules | €962,335
Avg balance of victim accounts      | €47,924
Avg transaction initiated to mule   | €5,499
The narrative of what Guardian Analytics and McAfee found is very much worth reading and gives an in-depth look at how these kinds of activities are run, including the spear phishing example shown at the top of this post.
Some Analysis
The FBI and DOJ and all internationally participating agencies should be applauded–we should give them a standing ovation–for their excellent efforts here. They have proved that when we work together, LE from vastly different backgrounds can accomplish great things.
The fact that the operation netted 24 and will likely net more arrests in time (the reports from DOJ state that there are at least four people at large, and we assume there will be a second and even a third wave of arrests) tells us that even a highly aggressive operation such as this one takes a very long time, involves lots of moving parts and requires a tremendous application of resources, expertise and coordination.
The fact that Guardian Analytics and McAfee have exposed the High Roller operation tells us that large, well-coordinated, well-financed and relatively sophisticated organizations are out there working tirelessly on new ways to digitally separate people and corporations from their hard-earned real-world money.
This gives us two primary categories of thought:
No Agency Can Do This Alone
The FBI continues to aggressively push for dominance in cyber enforcement and they’re hopelessly outgunned, despite showpiece roll-ups like yesterday’s. America’s 18,000 local, county, tribal and state agencies simply must get into the game. To do that, they need training and resources. I say again, if every agency in the U.S. took just one cyber case this year, we’d have 18,000 precedent-setting examples of how non-federal agencies can investigate, arrest and prosecute cyber criminals.
This Is Some Real Money, Y’all
Even if we accept at face value the $205 million that the FBI claims it prevented from being stolen in CarderProfit, this amount is dwarfed to a rounding error by the $2.5 billion stolen or attempted in High Roller. Non-federal agencies must understand that cyber crime isn't nickel-and-dime stuff committed by kids in their parents’ basements, but a serious source of illicit revenue engaged in by professional, organized criminal gangs and groups.
We'll of course continue to cover these issues and think more about the two categories mentioned above. Of course, we want your feedback. Let’s hear it!