Massive Online ID Fraud Ring Busted
Iphtashu Fitz writes "CNet News is reporting that the US Secret Service in conjunction with authorities in six foreign countries have arrested 28 people in the last 48 hours on charges of identity theft, computer fraud, credit card fraud and conspiracy. Dubbed Operation Firewall, the Secret Service identified a group of people who stole over 1.7 million credit card numbers as well as a passport-forging facility in Bulgaria. The investigation started in July 2003 when the Secret Service began investigating an unspecified financial crime. They identified the website Shadowcrew.com whose members traded tutorials and information about identity theft and forgery and exchanged sensitive personal and financial information. The Shadowcrew website has since undergone a makeover thanks to the Secret Service. A press release about the operation can also be found on their website."
At the risk of *sounding* like a troll, what does this have to do with what I thought was the sole task of the United States Secret Service -- protecting the President of the United States? I would have thought this would have been a task for the FBI. What gives?
I find the website hilarious, especially the bottom line:
"RECENT NEWS REPORTS SHOULD INFORM YOU THAT THE SECRET SERVICE IS INVESTIGATING YOUR CRIMINAL ACTIVITY. CONTACT YOUR LOCAL UNITED STATES SECRET SERVICE FIELD OFFICE....BEFORE WE CONTACT YOU!!"
That is a hilarious signature they have left, but this seems so funny that I'm actually surprised that the Secret Service is having this much of a ball on the website, not something I expect, but like to see!
Proxies, VPNs, IP Spoofing, Encryption, etc....You Are No Longer Anonymous!!
Hmm .. that suggests that the feds have broken strong encryption, is that true? I don't think so!
But do you really think the secret service changed the website? Very unprofessional of them in that case... IMHO a more appropriate action would have been to just take it down.
Martin
In Soviet Russia, the Secret Service local field office contacts YOU before you contact them!
Back on topic, at my last job I worked with the FBI and Secret Service on bank fraud, kiddie porn, etc. cases that were hosted on our web servers. Think what you may about them, but they really have their shit together on these types of events and are dead eager to get the offenders in question. The smart person, if they are trying to do anything highly illegal, would do well to go about their business without using the internet. Once you get the attention of the Feds, it's usually lights out for the perp. One case I assisted with was a conspiracy ring involving the sale of illegal guns in the UK, using a US based hosting company (my old job). That case broke earlier this year with several arrests and the destruction of the ring. Scotland Yard was the lead on it with backup from the FBI, with cheerful cooperation from us. Our policy was not to go "fishing" for questionable content on our web servers, but once we were made aware of illegal activity we would preserve evidence and work with the authorities. I've seen pictures on some websites that put tubgirl to shame, usually involving kids. Made me happy when the Feds would follow up with us and would tell us that they got their man (or men)...
"As the intrepid kobold companion continues his journey, he begins to wonder... if priests raises dead, why anybody die?"
Been There -- I've had to deal with identity theft. Trying to clean up the mess is like having a part time job. You are victimized twice for each instance, once by the dirtbag who did it, and once by the "creditor". The collection agency will also try a number of illegal tactics, don't give them any bank account information. These people need to get some real prison time, 10+ years, so the word gets out.
I was recently brought on to an e-commerce project...day 1 was stopping the fraudulent orders being sent to Malaysia or to the drop sites in the US. All it takes is a 30 second call to the card company to get the issuing bank's number...99% of the bad cards were verified as stolen from the bank. One card wasn't reported as stolen yet...yay for me.
If Paypal, IIS, etc can figure out key encryption, why can't we?
1) Credit card company creates keys and issues it to the customer...the card number is replaced by a number identifying the key.
2) Payment request certificates are sent to the customer who either signs it or doesn't sign it.
3) Transactions are encrypted using keys....you, your bank, the merchant and the card company can decrypt the info, no one else.
Didn't I just describe SSL/GPG? Oh wait..I did.
It boils down to this: if you can't handle the technology (aka keep spyware off your machine, keep it updated, and keep your card number safe), DON'T USE THE TECHNOLOGY. Write a check...but of course, that's digitized now thanks to Check 21...that old technology will be deprecated very soon in favor of direct debit.
Possibly, but since the USSS now seems to be in control of the shadowcrew website you can bet that they have all the server logs, posting histories, etc. from that site. By analyzing all that data they could very well identify other people to investigate. And if they managed to infiltrate this website then it means they can locate & infiltrate others.
Shadowcrew. I knew I recognized that name.
These guys did some weird stuff. For example, they spammed our internal email addresses at the IRS with offers to host child porn sites. For example, here's one of the emails they sent to an IRS employee, namely me.
But here's where I run out of expertise in how these things work. What on earth were they hoping to accomplish by sending out these spams? Are people actually dumb enough to dial up a phone number sent to them in spam and say "I'd like to host a child porn site. Please set it up for me. Here's my credit card info."?
Or is that phone number one of those things that charges you outrageous sums just for calling it? I wouldn't know; I certainly didn't ring 'em up out of curiosity.
These shadowcrew folks just strike me as weird. I wish I understood their "business model." OTOH, I'm just glad I won't be getting any more emails from them that I have to forward to our investigators.
I just sent a complaint email to the abuse team responsible for Net access at a particular USA educational institution that is now hosting, at time of writing, a fake eBay 'phish' site. Presumably, it's just a compromised system cracked by outsiders--if not, then somebody there at said institution has got some 'splaning to do!
The Feds may pay lip service to the spam email problem with Band-Aid approaches like the CAN-SPAM Act, but fvck with the USA money supply (via ID theft in this case) and they will take notice!
Wouldn't the best way then be to base the resulting hash off a combination of your CC# and the place of business (whatever name they register the charge with your CC company as).
That way, when 5555-5555-5555-5555 221 is mixed with "Denny's Seattle," and "2004-10-26-23-22-11" (time/date), the latter half of a verification code comes up with ID "EDJLLKJEWO-2."
The first part could be a MD5-style hash (semi-random), so that one can't generate your own hash by knowing the encoding method. The latter part, however, could be reversed back using your CC # to get "Denny's Seattle 2004-10-27 11:22:11pm" and bust the dude working front desk at Denny's during that time.
*Denny's is used purely as example, I've never known anyone to have their CC# hijacked from there.
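The merchant-and-time-bound verification code sketched in the post above, as an added example that is not part of the original comment: it uses HMAC-SHA256 keyed by a per-card secret in place of the "MD5-style hash" the poster mentions, so the code can only be produced or checked by someone holding that secret, and a code captured at one merchant or time does not verify for another. The card number, merchant name, timestamp and secret are constructed sample values.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample values for illustration only (not real card data).
SAMPLE_CARD = "5555-5555-5555-5555"
SAMPLE_MERCHANT = "Denny's Seattle"
SAMPLE_TIME = datetime(2004, 10, 26, 23, 22, 11, tzinfo=timezone.utc)
# Per-card secret shared by the issuer and the card; deliberately not the
# printed card number, which anyone who has seen the card already knows.
SAMPLE_SECRET = b"constructed-per-card-secret-0001"


def canonical_message(card_number: str, merchant: str, when: datetime) -> bytes:
    """Serialise the fields the code must bind: card, merchant name, time."""
    ts = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    fields = [card_number.replace("-", ""), merchant.strip().lower(), ts]
    # Length-prefix each field so "ab"+"c" and "a"+"bc" can never encode the same.
    return b"".join(len(f).to_bytes(2, "big") + f.encode() for f in fields)


def make_code(secret: bytes, card_number: str, merchant: str, when: datetime) -> str:
    """Card/issuer side: HMAC-SHA256 over the bound fields, shortened for display."""
    msg = canonical_message(card_number, merchant, when)
    tag = hmac.new(secret, msg, hashlib.sha256).digest()
    return tag[:8].hex().upper()  # 64-bit printable code; keep the full tag where possible


def verify_code(secret: bytes, card_number: str, merchant: str,
                when: datetime, code: str) -> bool:
    """Issuer side: recompute from the merchant/time the merchant claims and
    compare in constant time, so timing does not leak how many bytes matched."""
    expected = make_code(secret, card_number, merchant, when)
    return hmac.compare_digest(expected, code.upper())


if __name__ == "__main__":
    code = make_code(SAMPLE_SECRET, SAMPLE_CARD, SAMPLE_MERCHANT, SAMPLE_TIME)
    print("verification code:", code)
    # Valid at the merchant and time it was made for...
    print(verify_code(SAMPLE_SECRET, SAMPLE_CARD, SAMPLE_MERCHANT, SAMPLE_TIME, code))
    # ...but not if replayed against a different merchant or a different second.
    print(verify_code(SAMPLE_SECRET, SAMPLE_CARD, "Other Store", SAMPLE_TIME, code))
    print(verify_code(SAMPLE_SECRET, SAMPLE_CARD, SAMPLE_MERCHANT,
                      SAMPLE_TIME.replace(second=12), code))
```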
What you are all failing to understand is that it is not the USSS that put that page up there. It is funny, but not the work of our Gov't. It is the site's owner, and not the first time he has done this on the site. It used to say something about the FBI taking the site down...
Having received one of the above mentioned spam mails, and having looked at the site redesign, I think that this is NOT courtesy of the USSS. When I received my spam I actually did a bit of digging to uncover what the site was about, since I got several types of Joe Job aimed at them in my inbox (terrorist items, and so on). I traced the Joe Job back to a Finnish DSL net, and passed on the details to the relevant Police Computer Crimes Division, and to abuse@finnishisp.com.
The real life arrests, and whatnot would be legit, but the site redesign screams out that it is an amateur defacement.
At the least, as a government agency, the USSS would know that this would be made public, and would not have implemented such a hackish takeover of the site. If they had done it, it would have been more tasteful in terms of appearance.
This is probably a defacement by the same people Joe Jobbing them, timed to coincide with the news of the arrests. Expect to see this appear on the defacement lists, and for the site to fade quietly into the background like before.