An FBI Agent's 3 Years Undercover With Identity Thieves

← Back to Stories (view on slashdot.org)

An FBI Agent's 3 Years Undercover With Identity Thieves

Posted by timothy on Wednesday January 21, 2009 @08:25AM from the doing-my-best-nelson-laugh dept.

snydeq writes "InfoWorld offers the inside story of how FBI Supervisory Special Agent J. Keith Mularski, aka Master Splynter, penetrated and took over DarkMarket.ws, the infamous underground carding board hacked by Max Butler and later transformed by Mularski into an FBI sting operation. The three-year tour sent Mularski deeper into the world of online computer fraud than any FBI agent before, resulting in 59 arrests and preventing an estimated $70 million in bank fraud before the FBI pulled the plug on the operation in October."

52 of 196 comments (clear)

Min score:

Reason:

Sort:

Actually by DoofusOfDeath · 2009-01-21 08:29 · Score: 4, Funny

InfoWorld offers the inside story of how FBI Supervisory Special Agent J. Keith Mularski, aka Master Splynter, penetrated and took over DarkMarket.ws,
How on earth are we supposed to believe it's the real Agent Mularski now?
I like the way the government thinks by jollyreaper · 2009-01-21 08:30 · Score: 5, Funny

Cool hacker name = geek culture reference + creative misspellings/capitalizations
Sample names:
Dark JedEYE
FeloniouS MonK
POPP3R SMRF
TERRORByTE
G\/\/B
I predict you will hear of these handles in future busts.

--
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
1. Re:I like the way the government thinks by Compuser · 2009-01-21 08:33 · Score: 4, Funny
  
  George Washington Bridge? What's so cool about that.
2. Re:I like the way the government thinks by Abreu · 2009-01-21 08:46 · Score: 5, Funny
  
  Those are also the initials for George W. Bush, a former president of the USA.
  Since we all are already trying very hard to forget him, I guess you get a pass
  
  --
  No sig for the moment.
3. Re:I like the way the government thinks by gEvil+(beta) · 2009-01-21 09:12 · Score: 2, Funny
  
  Aw "terabyte" was my original handle...and I thought it was clever because it sounded like "terror."
  
  Well, if you wanna go for that retro feel you can always use killabyte.
  
  --
  This guy's the limit!
4. Re:I like the way the government thinks by Daravon · 2009-01-21 09:43 · Score: 2, Funny
  
  Don't be silly. We all know the real supervillian is P3dobyte.
  
  --
  I traded all my mod points for these magic beans.
5. Re:I like the way the government thinks by Dark+JedEYE · 2009-01-21 09:56 · Score: 5, Funny
  
  Oh fuck.
6. Re:I like the way the government thinks by jollyreaper · 2009-01-21 10:03 · Score: 2, Funny
  
  That was two V's.
  No, they were back and forward slashes, alternating. That's the beauty of the G\/\/B handle, you can try googling it but you'll never get it right! And I thought the "non-space non-printing character" hidden directory name in DOS was awesome.
  
  --
  Kwisatz Haderach
  Sell the spice to CHOAM
  This Mahdi took Shaddam's Throne
7. Re:I like the way the government thinks by dubbreak · 2009-01-21 10:20 · Score: 4, Funny
  
  Former president of the University of South Australia? I question how many people know that the current one is Professor Peter HÃj let alone the previous president.
  
  I assume the USA must be the Australian equivalent to MIT.
  
  --
  "If you are going through hell, keep going." - Winston Churchill
8. Re:I like the way the government thinks by genner · 2009-01-21 10:24 · Score: 3, Interesting
  
  George Washington Bridge? What's so cool about that.
  It's an awesome bridge.
  Don't mock it.
9. Re:I like the way the government thinks by genner · 2009-01-21 10:28 · Score: 2, Funny
  
  I predict you will hear of these handles in future busts.
  I find that highly unlikely. After all, these are computer geeks; they've probably never gotten near enough to any woman except their mother to...
  Oh...
  Never mind!
  They hand access to free credit cards. Some how I think women could stand to be around them.
Re:How much more... by mi · 2009-01-21 08:33 · Score: 2, Insightful

How much more such operations could they conduct if they weren't so clueless by having agents investigate peaceful protesters and non-criminal **HACKERS**
All crimes or suspected crimes deserve thorough investigation. Ruling certain kinds of crimes out-of-reach of the FBI simply due to resource-constraints is equivalent to encouraging the said crimes.

--
In Soviet Washington the swamp drains you.
Re:How much more... by TheRealMindChild · 2009-01-21 08:35 · Score: 3, Funny

FYI man, alright. You could sit at home, and do like absolutely nothing, and your name goes through like 17 computers a day. 1984? Yeah right, man. That's a typo. Orwell is here now. He's livin' large. We have no names, man. No names. We are nameless!

HACK THE PLANET!

--

"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
Re:oh lord by oodaloop · 2009-01-21 08:36 · Score: 4, Insightful

I had heard about this at a law enforcement/fraud analysis/intelligence analysis conference a while back. Basically, ALL the major sites were running in the open. Before all the crackdowns, I guess they thought the anonymity of the web meant they were untouchable. After the FBI cracked down on a bunch, they got wise and went underground.

--
Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
Re:How much more... by pete-classic · 2009-01-21 08:42 · Score: 3, Insightful

Sure. But, given finite resources, should there not be some rational priorities set?
-Peter
Fencing by planckscale · 2009-01-21 08:44 · Score: 4, Insightful

From an article I read on Wired what seemed to have brought the downfall upon Butler was some of his associates got nabbed for trying to use stolen cards to buy expensive retail items and then fence them on Ebay for cash. Seems to me that old fashioned F**k-ups are the way these guys usually get taken down. Also from the article I read that corrupt retailers and waiters use portable card readers to steal all mag data on the card. How would you protect yourself against that kind of attack?

--
Namaste
1. Re:Fencing by CannonballHead · 2009-01-21 08:48 · Score: 3, Insightful
  
  Don't ever buy anything, and never eat out?
2. Re:Fencing by Anonymous Coward · 2009-01-21 08:49 · Score: 3, Insightful
  
  Cash
3. Re:Fencing by AKAImBatman · 2009-01-21 09:00 · Score: 4, Interesting
  
  Also from the article I read that corrupt retailers and waiters use portable card readers to steal all mag data on the card. How would you protect yourself against that kind of attack?
  As long as we use credit cards, you and I can't protect ourselves. However, the credit card companies could. Using public key authentication via smartcard technology would make it easy to verify physical access to a credit card. Yet the only instance I can think of, of anyone trying to roll this out is American Express's Blue card. Even that was mostly ineffective as the smart card circuitry appears to go mostly unused.
  
  --
  Javascript + Nintendo DSi = DSiCade
4. Re:Fencing by ericlondaits · 2009-01-21 09:12 · Score: 2, Interesting
  
  There's a very cool british TV program called "The Real Hustle" in which they perform popular cons with a hidden camera and then explain them.
  In one episode they show how a waiter can hide a card reader stuck to the side of their leg or under an apron and swipe it after purposely dropping it to the floor and then either picking it up or cleaning it. In this cases the waiters were using the portable reader that goes to your table, and they still were able to steal data.
  
  --
  As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
5. Re:Fencing by Applekid · 2009-01-21 09:12 · Score: 2, Interesting
  
  I have eaten at places that get mobile credit card readers and swipe it at your table. This way, the card never leaves your sight.
  Sure... they'll just swipe over at the server those mobile readers upload to instead. :)
  I've wondered if people with photographic memories get involved with crimes like these since all they'd have to do is glance at a card in passing and they'll catch it.
  
  --
  More Twoson than Cupertino
6. Re:Fencing by Grimbleton · 2009-01-21 09:27 · Score: 4, Funny
  
  My girlfriend would NOT approve if I stopped eating out.
7. Re:Fencing by samkass · 2009-01-21 09:30 · Score: 4, Informative
  
  I think you're right here in the US. When I visited London last year, though, it seemed like every single person had chips in their cards. I felt like a Luddite asking the guy to actually swipe the magnetic strip on a card (and him having to try a couple times before it took), then go find a pen, sign it, then find a place to put the paper signature. Us old-fashioned Americans.
  
  --
  E pluribus unum
8. Re:Fencing by Creepy+Crawler · 2009-01-21 09:36 · Score: 4, Interesting
  
  Or if you hand your CC to a drive-thru to pay for food/drink.. Our receipt paper is thin enough to easily take an imprint of a CC. All you'd need to do is remember 3-4 numbers, the CVV2.
  I found out this accidently, while holding a customer CC while rubbing it: it indented the CC, expr, and name perfectly.
  Good thing im honest in dealings... They wouldnt catch me if I wasnt. I know decent stat to calculate my danger, and how to mitigate any possible repercussions.
  --
  
  Mod parent up! by Anonymous Coward (Score:1) Thurs, Nov 31, @13:37
9. Re:Fencing by atamido · 2009-01-21 09:38 · Score: 4, Interesting
  
  I had an experience nearly identical to this in London when a shop clerk asking if we had a card with a chip in it to use. The friend I was with didn't even know what he was talking about. I explained things to her, and then told the clerk we didn't, but could wander off and find an ATM to use instead. He dug around some and found a card reader, but it was obvious he hadn't used it in a while.
10. Re:Fencing by vux984 · 2009-01-21 09:55 · Score: 4, Insightful
  
  Mod parent +5 insightful. Cash is accepted everywhere and stolen cash can't be used for identity theft.
  1) Tons of places won't accept 50's or 100's anymore. And carrying enough cash to live in 20's gets bulky.
  2) Carrying lots of cash (see above) gets noticed (see below).
  3) If you get robbed of cash its gone. No, phoning your bank to let them know your card was stolen. No contesting the purchases made with your stolen cash. Your insurance company won't even replace stolen cash. Its just gone.
  While having my card lifted is a hassle, it won't actually likely cost me anything, even if my identity is stolen it will most likely be a hassle more than anything else. Getting robbed however is much more permanent.
11. Re:Fencing by Cramer · 2009-01-21 10:37 · Score: 2, Informative
  
  According to Visa and Mastercard policies, it is illegal for the terminal to record the number -- either in print or memory. If you see anyone still printing the card number on your receipt, report them immediately. Once the transaction is processed, they have a transaction ID and authorization code and no longer need the card number.
  I'd recommend writing the verification number down somewhere else and removing it from the card.
12. Re:Fencing by pjt33 · 2009-01-21 10:41 · Score: 3, Insightful
  
  The problem with that system is that it protects the banks and not the customers. Before you could contest the signature: now all they have is a PIN, and there's no way of proving who typed it in. It would be better to use chip, PIN and signature, but people will usually choose convenience over security.
13. Re:Fencing by Bemopolis · 2009-01-21 10:50 · Score: 4, Funny
  
  Does it really take that many calories to reinflate her?
  
  --
  "I guess the moral of the story is, don't paint your airship with rocket fuel." -- Addison Bain
14. Re:Fencing by halcyon1234 · 2009-01-21 11:40 · Score: 3, Interesting
  
  It's coming to North America, but slowly. Mainly because it will be expensive, and only serves to protect the consumer.
  Contrast that with the UK banks that have implemented the "chip and pin", where the courts ruled that due to the PIN, they aren't responsible for theft. The banks practically orgasamed all over themselves to get it going.
  It still doesn't offer complete protection. You can take the UK card to Germany, where merchants have not implemented the PIN. Or you can still shop inside the UK; just damage the chip. The card will fallback into "swipe and sign" mode that is used for cards without a PIN (such as those visiting from America).
  Or, even with the chip and pin, all one needs to do is some shoulder surfing. Everyone covers their PIN at an ATM. In other situations, people aren't used to doing that (restaurant, etc). Once you've identified a PIN, pick the person's pocket.
  Or buy things online.
  Or steal a lot of cards, and attempt to brute-force the PIN.
  Or there's an interesting relay attack:
  
  Consider the following scenario: You go for lunch in a small restaurant in London, and pay using your chipcard at the end of the meal. What you don't know is that the waiter at the restaurant is corrupt. You ask for the bill, and the waiter goes off to fetch a handheld Chip and PIN machine that he brings over to you. Meanwhile, on the other side of town, his accomplice is loitering in a jeweller's store. The waiter sends an SMS message to his accomplice, who goes up to make a purchase. Just as you insert your card into the waiter's terminal, the accomplice puts a fake card into the jeweller's terminal. The waiter's sabotaged reader simply forwards all the traffic from your card wirelessly to the card in the reader at the jewellers, and pretends to ask you to pay for lunch. You enter the PIN, thinking you're paying for lunch, but in fact you're buying the crooks a diamond!
  
  - "Chip and Spin", http://www.chipandspin.co.uk/
  
  --
  UTF-8: There and Back Again
15. Re:Fencing by garett_spencley · 2009-01-21 13:06 · Score: 3, Interesting
  
  I have a serious solution to that problem: learn how to cook. As in, learn how to cook SERIOUSLY GOOD food.
  I can spend more on raw ingredients for a single meal than it would cost to take my wife out to a fancy restaurant (not that I do often, just saying that I can), or I can make something amazing for cheaper. And girls dig guys who can cook! Most geeks should like cooking too because there's tons of science involved and most of us like to tinker and make things. Plus when you're done you've got the most amazing meal that, unless you live in New York or LA, can afford to eat at a fine dining restaurant and are lucky enough to get a reservation, you're not going to get eating out.
  My wife and I never eat out any more. We're in a mid-sized town and every time we eat out it's always disappointing. Over priced and something I could make way better at home.
  I recommend "Zingerman's Guide to Good Eating" as a starting point for anyone looking to get into cooking. It explains how to choose the best ingredients, gives you the history of food's as well, and has some simple recipes too.
16. Re:Fencing by Anonymous Coward · 2009-01-21 13:40 · Score: 2, Informative
  
  ) Tons of places won't accept 50's or 100's anymore.
  If someone refuses to accept cash in order to settle a debt, then they release you from that debt obligation. (provided you are paying in full)
  Read your money, it's on there in plain English.
  This doesn't usually work at retail stores, since they can just refuse to conduct business with you at all, but can be good for some fun at the gas station if they don't make you pre-pay.
  Just remember, it's only required when settling a DEBT.
  As for safety, I keep several bank accounts. One is used just for online purchases, and is a pre-paid credit card which I have to load up ahead of time. Another is for paying bills, and unless you are on the approved vendor list you simply can't get an auth for a transaction on it.
  If you think having your identity stolen is just a "hassle", then you've never had someone run all over the internet trying to buy kiddie porn with your credit card. Even after you get the financial side sorted out, you'll spend years trying to find all the law enforcement databases that list you as a sex offender and get removed.
17. Re:Fencing by dotancohen · 2009-01-21 19:46 · Score: 3, Informative
  
  The problem with that system is that it protects the banks and not the customers. Before you could contest the signature: now all they have is a PIN, and there's no way of proving who typed it in. It would be better to use chip, PIN and signature, but people will usually choose convenience over security.
  I had to contest a cash withdrawl recently, and because the PIN was entered correctly the bank concluded that it was an authorized purchase and would not be covered. They treat the 4-digit PIN just as they treat a signature.
  
  --
  It is dangerous to be right when the government is wrong.
Re:oh lord by betterunixthanunix · 2009-01-21 09:00 · Score: 3, Interesting

As far as I know, the general idea was that the transactions would happen so quickly that even if someone was watching, the money would be long gone before anyone could track it. Keep in mind that these stories are published long after the arrest occurs, so by the time you learn about what happened, the criminals have moved deeper underground.

--
Palm trees and 8
Re:Yeah, well... by Volante3192 · 2009-01-21 09:05 · Score: 4, Informative

You mean like at http://www.fbi.gov/quickfacts.htm ?
The FBI's jurisdiction is essentially being the nation's police force as opposed to your local city force. You can't say "ignore these sections of the state, county or city code" to a local police force just like you can't tell the FBI to ignore the U.S. Code.
Re:How much more... by Anonymous Coward · 2009-01-21 09:06 · Score: 2, Interesting

Stopping 70million in bank fraud is useless? Allow me to ask... what then does it take to be usefull?
Re:How much more... by Anonymous Coward · 2009-01-21 09:07 · Score: 3, Insightful

Ruling certain kinds of crimes out-of-reach of the FBI simply due to resource-constraints is equivalent to encouraging the said crimes.
Crimes like peaceful protesting, you mean?
Re:How much more... by morgan_greywolf · 2009-01-21 09:07 · Score: 5, Insightful

All crimes or suspected crimes deserve thorough investigation. Ruling certain kinds of crimes out-of-reach of the FBI simply due to resource-constraints is equivalent to encouraging the said crimes.
Right. Because the FBI is out investigating every single federal crime within their jurisdiction, right?
No. Because the FBI does have limited resources, cases not specifically brought to their attention by promising, credible leads -- or at least serious media attention -- don't get investigated. Those with credible leads that may not look so promising might sit on the backburner -- often for months or years.
While the FBI does investigate people who turn out to not have been criminals, that's more the exception than the rule.

--
My blog
Re:Yeah, well... by morgan_greywolf · 2009-01-21 09:13 · Score: 3, Informative

The FBI does have certain, specific areas of jurisdiction. Ever read the FBI website? They say with specificity what their areas of jurisdiction and current criminal priorities are.

--
My blog
Re:This is SOOO cool. by betterunixthanunix · 2009-01-21 09:14 · Score: 4, Informative

He probably wants a new assignment that involves less time at a computer. Did you RTFA? He was spending 18 hours a day on his computer, and was online every day of the week. His relationship with his wife was strained because he had to be available on his computer as often as possible to avoid suspicion and to keep his credibility up. He had to report his vacations to the people he was trying to bust weeks ahead of time, to keep up that reputation. To me, that sounds like the sort of assignment that you only participate in once, if only to keep your heart healthy.

--
Palm trees and 8
Patience by copponex · 2009-01-21 09:22 · Score: 3, Interesting

Buy things at small retailers unlikely to have complicated security policies or good video surveillance. Use local criminals to do the deal for you, promising a cut if they are successful getting the item out of the store. Keep the purchases under $2,000.00
Sell those things for cash on the street. Don't sell in the same area that you bought the items. Stick to big cities, as the police have way more to deal with than small-time theft. Once you get a big enough stash, use it to start a cash friendly business or find a way to get it to a trusted party in the third world and do the same thing.
The object is to not piss one person off to the point where they dedicate themselves to finding you. As long as the victim has the credit card company to turn to for a refund, and the police don't think the fraud is connected, no one will even bother opening up a case number.
1. Re:Patience by Otter · 2009-01-21 10:08 · Score: 5, Insightful
  
  Sell those things for cash on the street. Don't sell in the same area that you bought the items. Stick to big cities, as the police have way more to deal with than small-time theft. Once you get a big enough stash, use it to start a cash friendly business or find a way to get it to a trusted party in the third world and do the same thing.
  In other words, crime is more work with less reward than just keeping your day job writing Java middleware.
  
  --
  What I'm listening to now on Pandora...
Reloadable cards. by khasim · 2009-01-21 09:28 · Score: 5, Interesting

I'm still wondering why the various banks don't offer reloadable cards for their customers. Why wander around with your ENTIRE credit limit in your wallet?
And for debit cards, your ENTIRE checking account balance.
Instead, allow the user to transfer the amount that he thinks he will need to a secondary card. That way, if anything compromises that card, the MOST they can get is whatever he put on that card.
As for online purchases, how about one-use card numbers? Just go to the bank site, put in how much you want to pay and the bank will give you a one use number for that amount. Then the maximum you lose if the online site is fake is that specific amount. They never get the real numbers to your real accounts.
1. Re:Reloadable cards. by Anonymous Coward · 2009-01-21 10:03 · Score: 2, Informative
  
  Looks like you invented the e-wallet. Don't know about the 'states, but it exists in France (called Moneo) and Belgium (called Proton). It's money stored on your bank card, that you can reload at any terminal using your PIN. Purchases made using this system are quick, as they don't require you to enter the PIN nor sign the recipt upon payment.
  So it's pretty much like cash in that it's for small amounts (up to 125 Euros IIRC), there's no authentication, and if your card is stolen whatever e-money you had loaded on the chip is lost forever (whereas your bank will obviously still cover for purchases made using the regular "debit card" function, under certain circumstances).
2. Re:Reloadable cards. by tubapro12 · 2009-01-21 10:41 · Score: 3, Informative
  This makes sense to me and I believe there are some services attempt to do stuff like this.
  
  OTOG (Off the Top of Google):
  
  Citi Card Virtual Account Numbers
  AmEx disposable credit cards
  PayPal Virtual Credit Card Payment
3. Re:Reloadable cards. by kb9vcr · 2009-01-21 11:02 · Score: 5, Informative
  
  For online purchases one-use card numbers already are available.
  Bank of America has them, it's called 'Shopsafe' and it's a free feature if you have a card with them. I've used it for every web purchase now for years and it works great. You set your limit & expiration date, generate a number and your set. Easy and it limits your exposure.
  (MBNA developed shopsafe and then Bank of America got it when they bought them out. Probably other companies have something similar)
Re:oh lord by Anonymous Coward · 2009-01-21 09:38 · Score: 2, Insightful

Don't you mean all the KNOWN sites were running in the open?
Re:rarely asked for my ID by Achromatic1978 · 2009-01-21 11:08 · Score: 4, Informative

Because the merchant agreement specifically states that they are not to use the "Ask For ID" thing as a credit card processing mechanism. In fact they can have their merchant account revoked if sufficient complaints are received about requesting ID for CC transactions and not others (though I know in your case you're asking for it).
TECHNICALLY, under YOUR agreement with Mastercard, Visa, or Amex, NOT signing your card with your signature is a breach of your cardholder agreement. In fact (though granted, in practice rarely), Visa requires merchants who come across an unsigned / ASK FOR ID card are supposed to not finish the transaction until the card is signed. If you refuse to sign, at least up until recently, the last time I looked at a merchant contract, they're meant to retain your card (uh oh, you do remember the clause in your cardholder agreement that states that the card remains the property of the issuer, not you, right?).
Not good advice.
Sounds like many jobs I've had... by Klootzak · 2009-01-21 11:10 · Score: 2, Insightful

So Agent Mularski got a taste of what it's like to be a SysAdmin? I think it's a good thing, now he would understand what it's like to work in IT, he'll (hopefully) be more sympathetic to IT staff that he works with... We should get more Law-Enforcement officers into undercover IT "busts"!!!

Now, if he had a pager that would buzz him in the 6 hours he got "off" from the computer, that would be JUST like being a SysAdmin ;)

--
A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
Re:How much more... by Maestro485 · 2009-01-21 11:13 · Score: 2, Funny

While the FBI does investigate people who turn out to not have been criminals, that's more the exception than the rule.
They leave that to the Department of Homeland Security ;-)
Sure by copponex · 2009-01-21 11:20 · Score: 3, Funny

If you can make 1,000 a day, tax free, working thirty hours a week. And if they throw you in prison, you can take some classes and write J# middleware when you get out.
The downside is the anal raping. For most people, I mean.
Re:How much more... by beav007 · 2009-01-21 11:56 · Score: 5, Funny

FBI does do some drug crimes I guess, but usually by accident. They're more into the "cool" crimes like Murder, Sex, and Cyber.
This post is so much entertaining (and possibly accurate) when read without context...