How the Secret Service Busted ShadowCrew
plover writes "In the story Hacker Hunters, BusinessWeek Online documents how the Secret Service turned a member of the ShadowCrew and was able to arrest dozens of the members of the phishing ring.
From the article: 'Law enforcement officials are often loath to reveal details of their operations, but the Secret Service and Justice Dept. wanted to publicize a still-rare victory. So they agreed to reveal the inner dynamics of their cat-and-mouse chase to BusinessWeek. The case provides a window into the arcane culture of cybercriminals and the methods of their pursuers. ' "
yes it was: http://it.slashdot.org/article.pl?sid=05/05/22/1722243&from=rss
Now I haven't RTFA completely yet, but I have just one question.
Why would somebody in a phishing group give out their information to fellow members? This kind of thing seems to happen so often, you'd think that there would at least be a layer of secrecy between the members, just in case somebody is going to rat on them.
I'm all for catching these guys, but I wonder about publicizing the details at this time. Is this supposed to make us feel better about the Patriot Act -- "look here! See how we can bust the bad guys with the 'right' tools!" -- or are we just supposed to be happy that something was done about this gang of thieves? I don't expect everything to be about freedom and democracy, but it is too easy anymore to question why authorities give us this information, rather than look at the information for information sake...if that makes any sense.
Law enforcement needs to stop worrying about (and identifying as such) the average script kiddie and focus on the large mob-like operations. I'm guessing they'll get much more bang for their buck that way. I can't see how 150 million dollars is not enough to take down at least a couple of the big rings given that they operate on Jolt and Hot Pockets (or whatever passes for that in Romania).
It's not a dupe to everyone.
I'm sure lots of people missed it first time round.
(yes, I am getting peeved at slashdot milk monitors, not specifically the parent)
liqbase
Scary stuff.
There is a really good book by a guy called Cliff Stoll called The Cuckoo's Egg about how he chased down a hacker in the early days of the Internet.
It wasn't even really the Internet as we know it today.
It will be nostalgia for old timers and a history lesson for the "noobs" around here.
Anyway, it is very interesting. I recommend it highly.
The Internet is full. Go Away!!!
It used to be the Secret Service wasted their time going after people publishing electronic magazines like Craig Neidorf (Phrack), people making a board game with "Hacker" as the name like Steve Jackson Games, or people looking to just break into computers for fun and understanding.
Now they're going after actual criminals that the above people warned us about. I've got to say that's a real improvement. Of course it took actual electronic criminals to make them realize who the real enemy is.
AccountKiller
You think someone in the public service is going to say, "We had plenty of money. I just fucked up and browsed slashdot all day rather than actually do something useful with it."
Paying taxes to buy civilization is like paying a hooker to buy love.
I have the huge list of e-mail addresses that were compromised. If you want to know if you're on it, please reply with your e-mail address and password and I'll get back to you if you're on the list!
[zer0kewl] AFK BEING RAIDED
[zer0kewl] BBL OFF TO WHITE COLLAR RESORT PRISON
[zer0kewl] OMFG OFF TO FEDERAL POUND ME IN THE ASS PRISON!!!
*HXXR84 is now snitch4l
[snitch4l] L8R suxx0r!
I received an unusual spam message advertising warez, cardz, etc. and took the time to trace the message back to the shadowcrew website. The forums on this site were amazing. Basically it was a hub for people to advertise very highly illegal services, or sell lists of credit cards, passwords, etc... a hub for identity thieves and fraudsters.
I reported this site to the FBI, and received the following response from them (back in October of last year).
"Thank you for your submission to the FBI Internet Tip Line. Inasmuch as the FBI has recently received numerous reports concerning the "www.shadowcrew.com" Web site, there is no need to forward any such additional emails to us. Our Cyber Division is aware of this Web site, and is addressing the matter."
It was only a matter of time until these idiots were caught. You can't be this open about such illegal activity and not expect a response from the feds.
Last time I looked at a catalog (a while ago) you could mix-n-match the modes of operation, as evidenced by the selector: safe (one white bullet), semi (one red bullet), two-round burst (two red bullets), three-round burst (three red bullets), and full-auto (seven red bullets). You could order one with any trigger group you want--like safe, semi, two-round, and full; or safe, semi, and three-round burst only. (But if you call up and ask for 'full auto only and no safe, please' they'd probably hang up on you. :-) )
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
From TFA: For months, agents had been watching their every move through a clandestine gateway into their Web site, shadowcrew.com.
I read a much more interesting version of this story somewhere else. I can't find the link right now, but it explained more fully how they really caught them. This sentence above just glosses over it.
Apparently, they did this:
They got to one of the members of shadowcrew and convinced them to work with them. This guy then proceeded to go onto the shadowcrew IRC channel and told everyone that he had set up a new encrypted gateway VPN type channel that would allow them to connect to the shadowcrew servers in a "more secure" fashion. He convinced everyone to go through this proxy. Little did they know, the proxy was actually an FBI server that was monitoring and recording all traffic that passed through it.
This just goes to show, no matter how smart you are, the best hacks are social engineering hacks, not technical.
They should have been smart and used Tor instead, then they probably wouldn't have been caught.
I'm glad they got caught though. These guys were losers of the worst kind.
"When the president does it, that means it's not illegal." - Richard M. Nixon
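The comment above describes the defender-relevant lesson of the whole case: a "secure" tunnel is only as trustworthy as the party that terminates it. The following added example (constructed here, not code from the post, from BusinessWeek, or from any agency) models that situation as a relay sitting between a client and a server. With hop-by-hop encryption the relay holds both link keys, so it decrypts every message before re-encrypting it onward; with end-to-end encryption the endpoints share a key the relay never sees, and it can only log ciphertext. The cipher is a deliberately simple SHA-256 keystream plus HMAC, written only so the script runs without third-party packages; the message text and all keys are made up.

```python
"""Toy model of a traffic-recording 'secure gateway' (constructed example).

Compares two deployments of the same relay:
  * hop-by-hop: the relay terminates the client's encrypted link and opens a
    fresh one to the server, so it reads every message in the clear;
  * end-to-end: client and server share their own key, and the relay only
    ever handles ciphertext it cannot open.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks.
    Illustration only; real systems should use a vetted AEAD."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _keystream_xor(key, nonce, ciphertext)


class Relay:
    """The 'gateway' everyone was told to use. It negotiated both link keys
    itself, so it can open anything sent over either link, and it logs it."""

    def __init__(self, client_link_key: bytes, server_link_key: bytes):
        self.client_link_key = client_link_key
        self.server_link_key = server_link_key
        self.captured: list[bytes] = []

    def forward(self, from_client: bytes) -> bytes:
        inner = unseal(self.client_link_key, from_client)  # link 1 ends here
        self.captured.append(inner)                         # whatever that was
        return seal(self.server_link_key, inner)            # link 2 starts here


def run(message: bytes, end_to_end: bool) -> tuple[bytes, list[bytes]]:
    """Send one message client -> relay -> server.
    Returns (what the server read, what the relay captured)."""
    k_client_link, k_server_link = os.urandom(32), os.urandom(32)
    relay = Relay(k_client_link, k_server_link)

    # With hop-by-hop encryption the payload handed to the link is plaintext.
    # With end-to-end encryption it is first sealed under a key (k_e2e)
    # that only the two endpoints know; the relay never sees that key.
    k_e2e = os.urandom(32)
    payload = seal(k_e2e, message) if end_to_end else message

    on_the_wire = seal(k_client_link, payload)   # client -> relay
    delivered = relay.forward(on_the_wire)       # relay -> server
    received = unseal(k_server_link, delivered)
    if end_to_end:
        received = unseal(k_e2e, received)
    return received, relay.captured


def relay_can_read(message: bytes, end_to_end: bool) -> bool:
    """True if the relay's log contains the message in the clear.
    Delivery succeeds in both modes; only what the relay learns differs."""
    received, captured = run(message, end_to_end)
    assert received == message, "delivery must work either way"
    return any(message in entry for entry in captured)


if __name__ == "__main__":
    msg = b"hello server, this is a private message"  # constructed sample
    print("hop-by-hop: relay sees plaintext ->", relay_can_read(msg, end_to_end=False))
    print("end-to-end: relay sees plaintext ->", relay_can_read(msg, end_to_end=True))
```

The check a practitioner takes from this is not "use encryption" but "know who holds the keys": any intermediary that can terminate the tunnel is a full-visibility monitoring point, however the tunnel is advertised. Pinning or out-of-band verification of the far endpoint's key, and layering end-to-end protection on top of whatever transport is offered, is what removes that point.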
It's cute how there are so many dupes of messages saying that the article is a dupe.
Here's the thing - if it's a dupe, do you REALLY need to say that it is? If so, why? Moral superiority? Some sort of misplaced dedication? Ego trip?
Come on - as with listservs, when someone asks how to unsub, just send a message offline and leave it be. There's no need to launch into a tirade saying how slashdot has gone down hill, etc, etc.
Come on, people - this is a nice sandbox. Let's all play nice.
(I'm not suggesting the parent isn't playing nice, but he was the second "this story is a dupe.")
You see, the thing about action-based MMORPGs is that people want to play them, and if people want to play, they will pay to play! So if I make a game with puzzles and intergalactic bounty hunters, people will buy it and I could make millions. I found out that if I was a game designer, I'd probably be employed at a game company, not a grocery store, so China and India wouldn't make money off of outsourcing. Also, because of that my car, without ABS I might add, would handle like some new kind of competitive, multiplayer Tetris game that only netcafe strategies from Korea could defeat. But I get ahead of myself. True A.I. is easy. Ask me, and I'll say, "Hey! Yah, true A.I. is easy! Let's make one!" Then you'll say, "Cool! That's neat! Let's research bees while our A.I. makes us spaceships." So why can't I get a job at DARPA or Google? Because there is no way for me to show my skills. It's not like rap music, where you can rap and people hear you. Also, and I know I'm dragging on so please indulge me, I think that if you combined 3rd person action with Transformers I'd be the world ranked Warcraft III player. Roaming Dragon was my idea, just like DNA and P2P, but you don't see me getting upset that someone stole my ideas and made millions. I think it is important for these things to exist and that is why I'm not suing anyone. Plus, world peace is important if we are all to get along and stop playing unimaginative MMORPGs like World of Warcraft. I think that if someone combined Crystal Space with Fire Polar Bears and Contra (the hard way) they could make millions.
"But there's things mightier than a sword, and there are things mightier than pens. Guns and rap." - CrazyJim1
I'm not sure what you're talking about here. The punishment for computer crime is significantly harsher than that of its non-technical counterpart.
You could walk into a bank and rob it at gun point, all the while threatening to kill people, and there's a good chance you'd only be in jail for about 7 years.
On the other hand, rob the same bank, of the same amount of money, without a gun, and without threatening anyone, but do it with a computer, and you could be looking at 20 years!
In Canada, a simple DOS attack will get you 10 years in prison.
Also, under the Youth Offenders Act, youngsters who commit computer crimes are always punished to the maximum extent (3 years). In comparison, some children convicted of murder have been let go in one year.
Computer crimes carry a harsh penalty.
Despite this, cybercrime is still attractive? Precisely because it's easy, and non-confrontational. I don't think it has as much to do with the risk/reward ratio as you may think... because those who are actually considering committing these crimes are very aware of not only how easy it is to get caught, but how strict the penalties are.
It's not like the good ol' days when you could hack a Gibson across state lines. Nowadays if you do something big enough, people will notice, and unless you have a huge crime syndicate protecting you, you're going to get caught.
Having said that... I think I'm going to go walk into a bank with an axe. To me, the risk/reward ratio on that one seems really good! Way better than this computer crime crap. Why waste time learning all those damn c0dez when I can just walk down the street in a crazed fit!
Let me be the devil's advocate here for a moment.
...
Postulate the existence of a cryptographically secure, anonymous peered infrastructure overlay for the internet. Not much of a stretch because lots of folks happen to be working on just this sort of technology (I2P, Tor, and many others).
Then postulate the existence of an online currency based on secure cryptographic algorithms. Kind of like a digital bearer bond, if you will. This is a bit more questionable, since most research into digital cash has been directed at ways to make transactions *less* anonymous than actual hard cash transactions. On the other hand, if the aforementioned anonymous peered network exists, you just need a non-trivial set of community rated key escrow and transaction settling agents to mediate transactions and currency exchange. It is hard to see how this sort of transaction would work for actual physical goods, but for digital goods (a portion of the market economy that will only increase in size) or anonymous services one can see how anonymous transactions could fairly easily take place. Designing a cryptographically secure anonymous currency is an interesting problem, however.
So, let's assume that you have both an anonymous, secure network, and a variety of well respected anonymous digital currencies. This assumption does not really seem too far fetched to me, although it may be 10 years or so before early versions of secure and anonymous digital currency become sufficiently established.
In any case, the implication here is that some individual (let's call him potential felon X) could complete a completely anonymous transaction with some supplier (potential felon Y) for digital goods and/or services utilizing a secure digital currency issued by an online bank (bank Z). None of the parties in this transaction can know who any of the other parties are.
This raises an interesting point. In this sort of environment, how do you enforce legal standards on the *process* without compromising both the buyer or the seller *independently*? Normal law enforcement procedure is to compromise one of (X,Y,Z) and use that entity to sweep in the other parties to the transaction, but the problem becomes exponentially more difficult if none of the parties to the transaction connect.
It strikes me that this is an interesting conundrum we will have to deal with as a society in the relatively near term - if you can't track the money, and you can't connect the agents, how do you enforce societal standards of behavior except by catching folks as individuals during or after they commit whatever infraction is in question? This is true for a wide range of transactions (e.g. free speech, terrorist plots, tax evasion, collusion, fraud, identity theft, assassination, political conspiracy, insider trading, music sharing, IP infringement, copyright infringement, etc) some of which we support as a society and some of which we condemn.
The tech is coming; it seems to me that someone ought to be thinking about the implications.
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
The other thing to remember is that they're going to spend money to enforce laws that are the most visible to the most people. "Identity Theft" is a very popular headline these days. Most people have inboxes full of spam. By equating these annoyances with "identity thieves," spending money on fighting them becomes a politically smart manoeuvre. And because we are collectively so stupid that we believe everything the news tells us, it doesn't even matter whether or not it has any effect on our inboxes! As long as a politician can use it to say "I'm doing something!" the money to fight it will be there.
John
I was thinking along the same lines when I read this. It appears that higher-up feds have been generally interested in stopping computer crimes which have been committed against large companies, as opposed to crimes committed against individual citizens, and that always bothered me.
A hacker that does little more than break into a multi-national corporation's computer for the sake of curiosity and adventure is somehow public enemy #1. On the other hand, an organized group of thieves who steal the money and identities of thousands of innocent people and cause them incredible amounts of difficulty rebuilding their credit is something "we'd like to handle, but we really don't have the resources".
I can't say for sure, but I suspect operations like the one mentioned in the article are more likely motivated by pressure from credit card companies losing money on fraud and identity theft protection "insurance", not the pleas of hundreds of thousands of individual citizens who are actually victims of those crimes.
It amuses me when they talk about "damage" in dollar amounts of a worm or virus. Let's say virus A hits millions of home users destroying their individual work, financial records, and costs them time and money to get their computer running right again, while Virus B hits a few thousand machines at a select few large corporations. The dollar amount of "damage" virus A is calculated to be very small, and may only consider an increase in an ISP's or computer manufacturer's queues for telephone tech support. Virus B's damage is calculated to be some unrealistic number in the billions based not only in the real costs of repairing the damaged machines, but on subjective estimates in "loss of productivity" which always make it sound much worse than it really is.
While virus A does far more damage in the aggregate, Virus B is given a higher priority due to companies claiming outrageously over inflated "damages" based on vague and misleading estimates. Or, to put it more cynically, tracking down the perpetrators of Virus B is more important to law enforcement because it hurt big business, while Virus A really isn't a big deal because it only hurt regular people.
I realize this line of thought treads dangerously close to the "tin-foil hat wearing big business controls the government" camp. But consider this: How many individuals have been investigated, arrested and convicted for gaining unauthorized access to a corporation's computer, obtaining private or confidential information without the willing consent of that corporation? I don't know the exact number, but I'm sure there's been more than a few.
On the other hand, how many companies out there have been fined, or their corporate officers jailed for producing software which covertly installs on millions of private individual's machines without explicit permission from the user? Software like spyware which operates 'behind the scenes', is nearly impossible to remove, causes computer performance to suffer, and sends private or confidential information back to the company. None that I know of, despite the fact that many of these companies operate in the United States with offices and mailing addresses.
My guess is this is because for the most part what these companies are doing is not illegal. Our laws are written in such a way where what an individual does to a single company is a criminal offense while the same action by a company against millions of innocent people is alright. In my opinion, burying a sentence littered with legalese, but which says something to the effect of "User also agrees that in using this software, certain third party software may be installed on the user's computer which may send information to various third parties" deep within the text of a EULA does not mean the end user is really making an informed decision in allowing the spyware to be installed when they click 'yes'.
So far, there have been no laws passed which require companies that produce spyware to accurately inform
The Internet is generally stupid
The FBI relying on the cooperation of an arbitrarily(?) chosen commercial anti-virus developer and implicitly promoting them doesn't sound right. It's as if the FBI subcontracted part of their work to a private security company to break some crime ring. It should be the other way around. The FBI should have experts of such quality that anti-virus companies would ask them for advice.