This excerpt from Chapter 10 of Spies Among Us is reprinted with the permission of Wiley Publishing, copyright 2005.
I considered dozens of cases for inclusion in this book. The cases described up to this point demonstrate some compromise of computer systems, but only as part of a more coordinated attack, which represents the most costly kind. Although attacks that focus on computer hacking via the Internet are clearly the most numerous, they are not the most devastating. There are, however, cases of this kind that do result in large losses and demonstrate great technical expertise.
Back in the late 1990s, news stories started reporting that banks were being extorted by computer hackers. The stories described how criminals would contact banks and provide them proof that they had administrator access to their system. The criminals then demanded money for not disclosing the attacks and for not creating damage to the systems in the future. In the new millennium, more e-commerce sites came online, and the attacks started targeting these new sites that popped up out of nowhere and thought little about security.
So, when it came time to choose a case of a computer-based attack, I wanted one that demonstrated both clear criminal activity and as many aspects of computer crime as possible. The fact that the case covered here also included the hacking of banks and the indictment of an FBI undercover agent made it all the better.
I tracked down Alexey Ivanov, who together with his partner, Vasily Gorshkov, extorted tens of thousands of dollars, if not more, from companies processing financial transactions throughout the United States. They had at least 56,000 credit card numbers in their possession at the time of their arrest. The judge determined that they caused more than $25,000,000 in damage to organizations that included at least one bank, eBay, Amazon.com, PayPal, and a wide variety of Internet service providers (ISPs) and credit card processors. Alexey accomplished a great deal in his life for a 20-year-old from Russia.
Alexey grew up in Chelyabinsk, Russia, which has the reputation of being one of the most polluted cities in the world. This industrial city has a population of about 1.2 million people. Alexey began playing with computers in 1993 at the age of 13. I had to admit that I was taken aback when he said that he was most interested in computer viruses because of their ability to take on a life of their own. Although he said he wrote viruses as tests, he claimed to have never released any. He started a bulletin board system in 1996 for the sharing of virus information.
By this time, he was also breaking into computers. This was at a time when Unix was the most commonly used system on the Internet, and he became very skilled in cracking those systems. The most common and simple attack that he used was exploiting the "finger" command, which basically provided him with a list of accounts on remote systems. He then guessed the passwords of those accounts and logged in to them. From there, he had a valid account and used other exploits to get elevated privileges. That was, of course, assuming that the accounts he compromised did not already include the administrator's account.
He graduated high school in spring 1997 and moved out of his home at around that time. He did, however, need employment. After hacking the local ISP, he told that company about his break-ins and was offered a job in early 1998. He also started to attend Chelyabinsk State University and study computer science. Given all of Alexey's experience, he was learning little in his computer classes.
That was OK because by this time he was already breaking into computer systems on a regular basis. He accessed the Internet Relay Chat (IRC) channel specific to Chelyabinsk and found several people to help mentor him and expand his computer knowledge. With their help, he moved on to breaking into many Internet systems, especially online merchant systems in which credit card information was plentiful.
Going Pro
Here's some background. It was on IRC where Alexey met his future co-conspirators. Most important among them was Vasily Gorshkov, who became the local ringleader. Alexey was among the most talented with regard to finding and compromising merchant systems, and he bartered credit card numbers for a variety of purposes. Alexey's hacking and IRC activities took up four hours of his time, which was on top of going to school full-time and working at the ISP.
This schedule eventually took its toll on Alexey; in June 1999 he stopped attending Chelyabinsk State University, quit the ISP and started working for a local moving firm. As fits the stereotype of Russia, he made more money moving furniture than maintaining the computer systems of an ISP. Computer hacking and IRC still filled his spare time. The group also started to physically meet in local bars. It was at one of these meetings that Gorshkov recommended that the group become more organized and profit-motivated in its activities.
The group evolved into a formal business relationship. Despite the fact that Alexey was physically well-suited to moving furniture all day, it became physically taxing, and he welcomed a less physical and more profitable alternative. Using Alexey's other strength of compromising credit cards, the group focused on fraud as its primary modus operandi. Specifically, it used stolen credit cards to purchase things online and then resell those goods to legitimate wholesalers and retailers in Chelyabinsk. The group created PayPal accounts with stolen credit card numbers and free e-mail accounts, using these when convenient.
The group's favorite online sources were Amazon.com and eBay. At this time, Amazon.com provided primarily DVDs, CDs, and books. EBay and a few other sites provided access to the more valuable commodities, such as computer equipment and other merchandise. Initially, the materials were ordered to locations in Chelyabinsk. However, antifraud measures soon determined that fraud was too rampant among orders going to Russia, so the group had to think of alternatives.
Chelyabinsk is approximately 150 miles from the Kazakhstan border. Although Kazakhstan, too, is a former Soviet republic, and fraud runs rampant in that country as well, the world and Web merchants treat that country differently than Russia. Gorshkov took a six-hour drive to Kostunay, which is the city in Kazakhstan that is closest to Chelyabinsk, 150 miles inside Kazakhstan. There he went through the local paper and looked through the classified ads.
You have to understand the culture of the former Soviet republics to understand the group's scheme. Kazakhstan is infamous for its corruption and criminal activity. There are few jobs that pay well that are not associated with organized crime. Women are frequently solicited to enter prostitution, and consequently, there are classified ads from women offering to do any work that is legal and not involved in prostitution. Gorshkov would respond to those ads and tell the women that all they had to do was receive packages.
The women were paid 50 rubles, or about $2, per package they received. To show the women that they were not part of a criminal activity, the group would open the packages in front of them to show that there were no drugs, guns, and so on inside. This way the women were comfortable and not inclined to inform the police or organized criminals to claim rewards.
With the pieces in place, they could start initiating their fraud. Basically, they would create accounts on Amazon.com and eBay using stolen credit cards and free e-mail accounts, and buy things using those accounts. The merchandise was shipped to the women in Kostunay, and Alexey and Gorshkov would periodically drive to Kostunay to pick up the packages.
To make sure that the border guards didn't give them any trouble as they were crossing back into Russia, they would stop on the way to the border and drive into the woods. There they would take everything out of the boxes and toss it loosely into the car to make it appear to be nothing valuable. They would throw jackets or blankets on top of the merchandise whenever possible.
This is really the phase that created problems within the organization. Actually, the choice of merchandise ordered is what created the problems. The group had six people at this time. Alexey and Gorshkov preferred to order/steal computer and memory chips. These items were extremely valuable, given their weight and size, and not likely to be understood as valuable by border guards. Most of the other accomplices liked to order items for a more youthful consumer, such as game controllers and toys. These items stood out and were also less profitable. It was also these things that the border guards would tend to "confiscate" or take as bribes, thereby putting the rest of the merchandise at risk.
When the merchandise was in Chelyabinsk, the group would sell it to the wholesalers and retailers. Books, DVDs, and CDs, which were sold retail for approximately $30, tended to net the group $10 apiece. For the computer equipment, the group found a wholesaler in Chelyabinsk that would typically give the group $80 per chip and resell the items for $100.
Going separate ways
In January/February 2000, within six months of coming up with their grand vision, group members became greedy and the team began to split up. Alexey and Gorshkov went their separate ways to focus on the higher-return merchandise; the other four people went off to form their own group focused on game controllers and other toys. Alexey believes, however, that Gorshkov maintained involvement with the other group.
Also in January 2000, Gorshkov believed that they had to set up a legitimate front organization. For that reason, he put up a shingle and set up a Web design company. Alexey and Gorshkov were the principals of this company, and they hired several programmers. Although they took on legitimate Web design business, they used the programmers to further their own criminal endeavors. In this way, tech.net.ru was born.
Alexey decided that the fraud they were committing was inefficient. He wanted to automate the different tasks involved in fraud, allowing for more volume. He began to task the hired programmers with different pieces of the puzzle. This way, the programmers would not be able to put together what was really going on. For example, one programmer would create an e-mail program. Another would create a database access program. Alexey would integrate the different programs with one another. The programs, when finished, were to create many seemingly valid PayPal and eBay accounts that had great feedback and seemingly posed little risk to sellers.
As part of the effort, Alexey decided to try some phishing schemes. He basically used some eBay "power functions" and was able to pull down lists of thousands of eBay users with PayPal accounts. He created a Web page that looked like a legitimate eBay page that asked for account information. He decided to test only a small sample and sent offers of a $50 bonus to 150 users. He received the account information from 120 of the solicited accounts.
Luckily for these people, and many, many other eBay users, Alexey never had time to fully implement his automated fraud scheme.
More profitable endeavors
Alexey realized that although there was a lot of money to be made through his and Gorshkov's fraud, there were more profitable ways for them to make money. Remember, Alexey got his first job as a result of hacking into an ISP. He was also breaking into the sites of Web merchants to steal credit card numbers and enable the fraud. So, he started to offer his expertise to help some sites fix their systems.
In 1999, Alexey broke into several Web-hosting companies. These companies hosted many Internet sites, including many online merchants. If he compromised one system on the network, he had access to hundreds of Web sites.
One of these companies was Lightrealm, which has since been purchased by Micron Electronics. Through IRC, Alexey was able to gain access to an account. The computers were using the BSD operating system, which is basically a version of Unix. The systems themselves were maintained securely; however, Alexey looked around the computers and found some administration programs that were written by the Lightrealm staff to automate some administration functions. Alexey was able to modify the programs to give him superuser privileges. Having the privileges, Alexey installed some back doors, giving him access to the system even if the Lightrealm administrators found him and kicked him off.
The Lightrealm administrators did find him and tried to kick him off. At this point, he started negotiations for payment. He offered to fix the vulnerabilities that he had exploited and to find other vulnerabilities. The administrators refused to pay and kept trying to kick him out. He kept breaking back in. The administrators apparently did not want to let their management know that they were compromised and couldn't keep the assailant out, no matter what they tried.