Book excerpt: Spies Among Us

Page 2 of 3

As was Alexey's modus operandi, he had captured many credit card numbers and threatened to expose them if he was not paid. In September 1999, the administrators let their management know what was going on, and management made a deal with Alexey. He was to be paid $80 per month, and an additional $50-$100 per vulnerability found. By January 2000, Alexey was paid approximately $1,000.

Notably, Alexey was very open about his identity and made little or no effort to disguise it. He also made no effort to launder any money, but had it sent straight to his own account. He even started distributing his resume and posted it to Dice.com. Alexey had no concern about U.S. law enforcement; his big concern was simply to stay away from the Russian mafia.

There were several other break-ins that primarily focused on hosting companies that hosted Web merchants and Unix systems. Until January 2000, Alexey was pursuing these extortion attempts on his own, supplementing his income from the eBay and Amazon fraud endeavors. When Gorshkov and Alexey spun off tech.net.ru, Alexey introduced Gorshkov to his side job and convinced him that they should be doing more of this.

Given that Alexey previously focused on Unix systems, it is likely that Gorshkov was the one who suggested a more efficient way of finding victims. The pair started using the Yahoo search engine to find vulnerable sites. They searched for banks, online merchants, online casinos and other organizations that processed financial transactions; then they did a cross-search to look for signs that the sites used the Microsoft IIS Web server software. The IIS Web server has many known vulnerabilities that are likely to be present if the systems are not well maintained. Of course, they were very successful.

One of their first successes was Casinovega.com. Alexey was initially able to break into the site and manipulate the database to make it look as though he had won money. He then cashed out, contacted the administrators, and was quickly paid.

Alexey and Gorshkov then moved on to more stubborn companies. In January 2000, Alexey first broke into Online Information Bureau of Vernon, Conn., a processor of financial transactions, using a widely known IIS vulnerability. He stole some credit card information and went through the typical extortion threats of releasing the information. They refused to give in, called the FBI and hired a security consultant for $5,000 to lock him out. Alexey was still able to get in time and time again.

All told, there were claims that more than a dozen companies were hit by Gorshkov and Ivanov. It appears that Alexey would perform the break-ins, and Gorshkov would typically perform the extortion.

A legitimate job offer

Ironically, throughout the whole effort, Alexey and Gorshkov always appeared to hope for a legitimate job. Their hopes seemed to start coming true in June 2000. Alexey received an e-mail from a company called Invita, offering him a job/partnership. Soon, Alexey told the company that he had a partner who was also interested. After a few months and some back and forth, Invita arranged for a visa for Alexey and Gorshkov. Alexey and Gorshkov paid for their own airfare and flew to Seattle on Nov. 10, 2000.

After having a long but otherwise enjoyable flight over, and some alcohol, they were met at the airport by the Invita owners and driven to their offices. The Invita staff welcomed them, and asked them to demonstrate their skills. Gorshkov used one of Invita's computers to log onto his tech.net.ru servers to download some tools. Alexey, however, felt uncomfortable with that and decided to use his own laptop to log on and give the demo.

After a successful meeting, they got back in the car to go to their hotel. During the ride, they were stopped by FBI agents and arrested. Invita was an FBI front company set up specifically for this sting.

There was a keystroke logger on the Invita computer that Gorshkov used. After Alexey and Gorshkov left, the FBI used the captured password to log on to Gorshkov's account at tech.net.ru. They searched his files and found stolen credit card numbers and a variety of other incriminating evidence. This gave them enough evidence to arrest the pair.

Following the advice of a public defender, Alexey gave the FBI the password for his laptop. Unfortunately for him, he used the same password on the tech.net.ru system, and the FBI was able to go into his account on the system and find more evidence that helped convict him.

Case summary

Many things about this case are highly unusual. One of the more ironic events was that an FBI agent was actually indicted by the Russian government for the sting. Russia's charge is essentially that the FBI agent destroyed data on the tech.net.ru systems while he broke into them to gather evidence against Gorshkov and Ivanov. Remember, tech.net.ru did take on legitimate projects. At this point, if the FBI agent sets foot in Russia, he will be arrested. So far, Russia hasn't attempted to extradite him.

Newspaper accounts of these events implied the involvement of the Russian mafia, with many independent cells all being coordinated under a central authority. There is no evidence supporting any real involvement of the mafia. Although Gorshkov probably controlled two cells, one with Alexey and one with the other members of the original group, this was likely a haphazard result of his being the leader of the original group. There are, sadly, plenty of other individuals and mafia groups who can put hacker cells together, and they won't go looking for legitimate employment.

Gorshkov's and Ivanov's major weakness was the desire to get a legitimate job. It was likely extremely easy for the FBI to tie Alexey's e-mail that he used for extortion to the resume on Dice.com and many other sites. The pair also disclosed a great deal of personal information to their victims in their pursuit of legitimate work from those companies. The FBI was able to use this information to social engineer the pair into a sting.

A judge decided that Gorshkov and Ivanov caused or intended to cause more than $25,000,000 in damage. United States law now says that every stolen credit card is worth $500 when calculating punishment on top of the actual damages. Gorshkov was sentenced to three years in jail and ordered to pay $700,000 in restitution. He served some time and then left the United States and went back to Chelyabinsk.

Alexey Ivanov is another story. He pleaded guilty to similar charges in August 2002. However, it took more than a year to sentence him because Alexey wanted to stay in the United States. He was also believed to be the more dangerous of the two. The judge had several psychological evaluations performed to see whether Alexey was likely to be a repeat criminal. After reviewing the assessments, the judge decided to sentence him to four years and ordered him to pay $900,000 in restitution. He was let out approximately a year later and remains in the United States, where he is starting to pay the restitution. Several of his victims have since gone out of business, through no fault of Alexey's.

One of the more upsetting things to Alexey is that part of his restitution involves paying the fees of several consultants who were hired by his victims. His issue is that many of the consultants failed to stop him and should not be paid at all.

Again, credit card fraud and cyberextortion continue at an increasing rate. Many companies are readily paying extortion. Individuals are putting up with the aggravation of having their credit cards stolen and abused, and merchants absorb the losses. Although the FBI and several other agencies have made arrests in other cases as well, the majority of similar cases go unsolved.

Vulnerabilities exploited

There are many vulnerabilities exploited from many different perspectives in this case. The crimes committed here are so common that individuals should carefully look to see whether they do the same things as the victims in this case. Sadly, many of the vulnerabilities that expose personal information are beyond the control of the individual. Even if a person is careful about whom he or she does business with, this case shows that third parties, such as credit card processing services, can expose people's personal information. So look through these vulnerabilities carefully and see what applies to your company and to you personally.

Known vulnerabilities

All the crimes committed by Alexey and Gorshkov began with known vulnerabilities, such as widely known software security vulnerabilities and poor system configurations. Vulnerabilities were found on all common operating systems, including both Unix and Windows. A poorly maintained system is a poorly maintained system. Systems that processed financial data were not immune and continue to be vulnerable.

Errors in custom-written code

As mentioned in Chapter 5, any software is subject to vulnerabilities. It is fairly common for administrators to write their own software to assist in their daily tasks. The administrator tools in this case not only had vulnerabilities but also were written in languages whose executable form is the readable source itself. This means that anyone who found the programs could read them, find their vulnerabilities, and modify them. The software should have been better written, or at least tested for security concerns. Additionally, software that runs with administrator access should have been better protected.
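Two of the weaknesses described above, administrator scripts that anyone on the system can read and privileged settings embedded in that readable source, can be checked for mechanically. The following is an added example written for this page, not code from the book or from any of the companies it discusses; the sample scripts it audits are constructed in a temporary directory, and the secret-matching patterns and script suffixes are assumptions to be extended per site.

```python
"""Audit administrator scripts for world-readable source and embedded credentials.

Added example (not from the book). Sample scripts are constructed in a temp dir.
"""
import os
import re
import stat
import tempfile

# Assumption: a starting list of patterns that suggest an embedded secret.
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(password|passwd|pwd)\s*=\s*['\"][^'\"]+['\"]"),
    re.compile(r"(?i)\b(api[_-]?key|secret)\s*=\s*['\"][^'\"]+['\"]"),
]
# Assumption: suffixes of the script-style admin tools we care about.
SCRIPT_SUFFIXES = (".pl", ".sh", ".py", ".asp", ".cgi")


def audit_script(path):
    """Return a list of issue strings for one script file."""
    issues = []
    mode = os.stat(path).st_mode
    # Source that every local user can read is source every local user can study.
    if mode & stat.S_IROTH:
        issues.append("world-readable")
    # Source that every local user can write is source every local user can trojan.
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if any(p.search(line) for p in SECRET_PATTERNS):
                issues.append(f"embedded-secret:line {lineno}")
    return issues


def audit_directory(root):
    """Walk root; return {relative_path: issues} for scripts with at least one issue."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(SCRIPT_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            issues = audit_script(full)
            if issues:
                report[os.path.relpath(full, root)] = issues
    return report


def build_sample_tree():
    """Create two constructed sample scripts in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="admin-tools-")
    bad = os.path.join(root, "reset_accounts.pl")
    with open(bad, "w") as fh:
        # Constructed: a tool with a hard-coded password, readable by everyone.
        fh.write("#!/usr/bin/perl\nmy $password = 'letmein';\n")
    os.chmod(bad, 0o755)
    good = os.path.join(root, "rotate_logs.sh")
    with open(good, "w") as fh:
        # Constructed: no secrets, owner-only permissions.
        fh.write("#!/bin/sh\nexec /usr/sbin/logrotate /etc/logrotate.conf\n")
    os.chmod(good, 0o700)
    return root


if __name__ == "__main__":
    for path, issues in audit_directory(build_sample_tree()).items():
        print(path, ", ".join(issues))
```

Run against a real tools directory, the report is a worklist: tighten the mode on anything world-readable, and move any flagged credential out of the source into a file the script reads at run time with owner-only permissions.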

Failure to detect compromises

Alexey was running rampant over hundreds of systems, and except for extremely rare occurrences, people learned of the break-ins only after he told them. If he just wanted credit card numbers, he stole the cards, and nobody knew until people saw charges against their accounts. Even then, it was unlikely that the victims actually knew that a computer system had been hacked to get the card. The lack of any intrusion-detection software enabled the attacks to continue indefinitely.
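Even without intrusion-detection software, the Web server logs these victims already had would have shown the pattern: a client probing many non-existent or forbidden URLs, then a successful request to an administrative path, then an unusually large response. The following is an added example for this page, not code from the book; it parses the W3C extended log format that IIS writes and flags those three signs. The log lines, the administrative path prefixes and the thresholds are constructed assumptions.

```python
"""Triage IIS W3C extended log lines for signs of an unnoticed compromise.

Added example (not from the book). The log sample is constructed; the W3C
extended format itself (a #Fields directive naming the columns) is the real one.
"""
from collections import defaultdict

SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2000-01-12 03:10:01 203.0.113.7 GET /default.htm 200 4123
2000-01-12 03:10:02 203.0.113.7 GET /scripts/ 404 0
2000-01-12 03:10:02 203.0.113.7 GET /cgi-bin/ 404 0
2000-01-12 03:10:03 203.0.113.7 GET /admin/ 403 0
2000-01-12 03:10:03 203.0.113.7 GET /iisadmin/ 404 0
2000-01-12 03:10:04 203.0.113.7 GET /backup/ 500 0
2000-01-12 03:11:30 203.0.113.7 GET /admin/export.asp 200 9100000
2000-01-12 09:00:00 192.0.2.10 GET /default.htm 200 4123
2000-01-12 09:00:05 192.0.2.10 GET /shop/cart.asp 200 2211
"""

# Assumptions: site-specific administrative paths and detection thresholds.
ADMIN_PREFIXES = ("/admin/", "/iisadmin/", "/scripts/")
ERROR_URL_THRESHOLD = 4           # distinct erroring URLs per client before we call it scanning
BULK_BYTES_THRESHOLD = 1_000_000  # response size that counts as a bulk data pull


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than abort the whole triage
        rows.append(dict(zip(fields, values)))
    return rows


def triage(rows):
    """Return a list of (kind, client_ip, detail) findings."""
    findings = []
    # 1. Scanning: one client collecting errors across many distinct URLs.
    error_urls = defaultdict(set)
    for r in rows:
        if r["sc-status"].startswith(("4", "5")):
            error_urls[r["c-ip"]].add(r["cs-uri-stem"])
    for ip, urls in error_urls.items():
        if len(urls) >= ERROR_URL_THRESHOLD:
            findings.append(("scanning", ip, f"{len(urls)} distinct erroring URLs"))
    scanners = {f[1] for f in findings}
    for r in rows:
        # 2. A scanning client then succeeding against an administrative path.
        if (r["sc-status"] == "200" and r["cs-uri-stem"].startswith(ADMIN_PREFIXES)
                and r["c-ip"] in scanners):
            findings.append(("admin-after-scan", r["c-ip"], r["cs-uri-stem"]))
        # 3. A response large enough to be a table dump rather than a page.
        if int(r["sc-bytes"]) >= BULK_BYTES_THRESHOLD:
            findings.append(("bulk-pull", r["c-ip"], f"{r['cs-uri-stem']} {r['sc-bytes']} bytes"))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in triage(parse_w3c(SAMPLE_LOG)):
        print(f"{kind:17} {ip:15} {detail}")
```

The point of the example is not the thresholds but the fact that each finding is visible in data the victims were already collecting; a nightly run of something this simple, with its output read by a person, would have surfaced the compromises the text says went undetected for months.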

Failure to want to alert others to compromises

In the case of Lightrealm (which is no longer in business) and several other victims, the administrators did not want to alert their management to the break-ins. The administrators did not know whether Alexey was doing other things or had already started abusing the credit cards stolen. These administrators exposed their company to extra liability.

Many other companies, such as Casinovega.com, apparently did not notify law enforcement or their customers about the compromise of information. This allowed the criminals to continue their exploits and use the credit cards at will.

Poorly skilled administrators

Again, the critical enabler of all the attacks was the presence of known vulnerabilities on the systems. Although even good administrators may have a vulnerability or two on their systems, the vulnerabilities encountered here were rampant. Not only that, it became clear that the administrators were not capable of properly responding to a major incident. Some of them didn't even know where to start.

Poorly skilled security consultants

To me, the most heinous vulnerability encountered was poorly skilled security consultants. People who claimed to have sufficient skills to repel hacker attacks charged thousands of dollars in fees and were unable to do the job. In most other cases, such a situation not only emboldens criminals but also provokes them into retaliatory actions. Also, if the security people didn't actually stop the attacks or do anything productive, they wasted money that could have been better spent on other security efforts. The situation also perpetuates the myth that hackers have some super skills, and weakens the profession as a whole.

Incident response is one of the most difficult tasks in the security profession. It is not for people who dabble in the field or fancy themselves security professionals. Responders have to go in prepared to fend off skilled attackers who probably know more about the systems than the client organization's own people do. They have to know how to take the systems off-line and reload the software from scratch, which requires strong administration skills.

At least two compromised companies, E-money.com and Online Information Bureau, hired consultants for several thousand dollars to prevent future attacks. Both of the consultants failed miserably, especially considering that Alexey used extremely basic attacks. The consultants should have never put themselves in this position. Additionally, the victims should have looked harder at their credentials in the first place, and considered alternatives. At the very least, they should have asked for several references.

Companies believing security is an expensive option

As is typical of all hacker cases, Alexey's victims want reimbursement not only for the damages and expenses caused by him and his team but also for the cost to implement security countermeasures that should have been there in the first place. The twisted argument is that if nobody would break in, then they would not need security. The fact is that people will attempt to compromise any organization, and Alexey specifically targeted organizations processing financial data. Security should have been a business fundamental in his victims' cases.

A corollary to this type of mind-set is the practice of giving security work to the lowest bidder. For example, Online Information Bureau spent $5,000 on the security consultant. Having personally worked on many incident responses, I would put $50,000 as an extremely conservative estimate of the cost of repelling a hacker who appears able to completely control a company's infrastructure.
