Sunday, May 13, 2018

How to Steal a Million: The Memoirs of a Russian Hacker

As a university researcher specializing in cybercrime, I've had the opportunity to watch the Russian carding market closely and write about it frequently on my blog "Cybercrime & Doing Time."  Sometimes this leads to interactions with the various criminals that I have written about, which was the case with Sergey.  I was surprised last January to be contacted and to learn that he had completed a ten year prison sentence and had written a book.   I have to say, I wasn't expecting much.  This was actually the third time a cybercriminal had tried to get my interest in a book they had written, and the first two were both horrible and self-promotional.  I agreed to read his first English draft, which he sent me in January 2017.

I was absolutely hooked from page 1.  As I have told dozens of friends since then, his story-telling vehicle is quite good.  The book starts with him already in prison, and in order to teach the reader about carding and cybercrime, a lawyer visits him periodically in prison, providing the perfect foil needed to explain key concepts to the uninitiated, such as interrupting one of Sergey's stories to ask "Wait.  What is a white card?"
My copy of the book!

As someone who has studied cybercrime for more than 20 years, I was probably more excited than the average reader will be to see so many names and criminal forums and card shops that I recognized -- CarderPlanet, and card shop runners such as Vladislav Khorokhorin AKA BadB, Roman Vega AKA Boa, and data breach and hacking specialists like Albert Gonzalez and Vladimir Drinkman who served as the source of the cards that they were all selling.  These and many of the other characters in this book appeared regularly in this blog.  (A list is at the bottom of this article)

Whether these names are familiar to the reader or not, one can't help but be drawn into this story of intrigue, friendship, and deception as Pavlovich and his friends detect and respond to the various security techniques that shopkeepers, card issuers, and the law enforcement world are using to try to stop them.  Sergey shows how a criminal can rise quickly in the Russian cybercrime world by the face-to-face networking that a $100,000 per month income can provide, jet-setting the world with his fellow criminals and using business air travel, penthouse hotel suites, cocaine and women to loosen the lips of his peers so he can learn their secrets, but he also shows how quickly these business relationships can shatter in the face of law enforcement pressure.

The alternating chapters of the book serve as a stark reminder of where such life choices lead, as Sergey reveals the harsh realities of life in a Russian prison.  Even these are fascinating, as the smooth-talking criminal does his best to learn the social structure of Russian prison and find a safe place for himself on the inside.  The bone-crushing beatings, deprivation of food and privacy, and the fear of never knowing which inmate or prison guard will snap next in a way that could seriously harm or kill him are a constant reminder that eventually everyone gets caught, and when they do, the consequences are extreme.

Sergey's original English manuscript has been greatly improved with the help of feedback from pre-readers and some great editors. After my original read, I told Sergey "I LOVE the story delivery mechanism, and there are fascinating stories here, but there are a few areas that really need some work."  It's clear that he took feedback like this seriously.  The new book, released in May 2018, is markedly improved without taking anything away from the brilliant story-telling of a fascinating criminal career ending with a harsh encounter with criminal justice.

A purchase link to get the book from Amazon: How to Steal a Million: The Memoirs of a Russian Hacker

The book was extremely revealing to me, helping me to understand just how closely linked the various Russian criminals are to each other, as well as revealing that some brilliant minds, trained in Computer Science and Engineering, and left morally adrift in a land where corruption is a way of life and with little chance of gainful employment, will apply those brilliant minds to stealing our money.

I seriously debated whether I should support this book.  Many so-called "reformed" criminals have reached out to me in the past, asking me to help them with a new career by meeting with them, recommending their services, or helping them find a job.  It is a moral dilemma.  Do I lend assistance to a man who stole millions of dollars from thousands of Americans?  Read the book.  To me, the value of this book is that it is the story of a criminal at the top of his game, betrayed by his colleagues and getting to face the reality of ten years in a Russian prison.  I think the book has value as a warning -- "a few months or even a couple years of the high life is not worth the price you will pay when it all comes crashing down."

Links to selected blog articles that feature Pavlovich's cast of characters:

May 12, 2008 TJX and Dave and Busters - Maksym Yastremskiy (Maksik), Aleksandr Suvorov (JonnyHell) and Albert Gonzalez (Segvec) and their role in the TJX Data Breach.

August 5, 2008 TJX Reminder: We Will Arrest You and We Will Send You To Jail - some of the legal aftermath of the case above.

August 8, 2008 TJX: the San Diego Indictments where the US government indicts:
  • SERGEY ALEXANDROVICH PAVLOVICH, aka Panther, aka Diplomaticos, aka PoL1Ce Dog, aka Fallen Angel, aka Panther757
  • DZMITRY VALERYEVICH BURAK, aka Leon, aka Graph, aka Wolf
  • SERGEY VALERYEVICH STORCHAK, aka Fidel
and charges them with violation of "18 USC Section 1029(b)(2) Conspiracy to Traffic Unauthorized Access Devices"

May 9, 2013 ATM Cashers in 26 Countries Steal $40M talks about BadB's role in "Unlimited" ATM cash-out schemes, and his arrest in 2010 and sentencing to 88 months in 2013.

Jan 14, 2014 Target Breach Considered in Light of Drinkman/Gonzalez Data Breach Gang talked about Albert Gonzalez, Vladimir Drinkman, and how there seemed to be such a strong pattern of behavior - a script if you will - to how criminals were conducting the major data breaches of that time.

Jan 27, 2014 Roman Vega (CarderPlanet's BOA) Finally Gets His Sentence addressed the plight of Roman Vega, who had been drifting around in the American criminal justice system, unsentenced, from 2003 until 2013! Dmitry Golubov AKA Script, the "godfather of CarderPlanet" is also discussed in this post.



Sunday, February 18, 2018

Drinkman and Smilianets Sentenced: The End to Our Longest Databreach Saga?

On Thursday, February 15, 2018, we may have finally reached the end of the Albert Gonzalez Databreach Saga.  Vladimir Drinkman, age 37, was sentenced to 144 months in prison, after pleading guilty before U.S. District Judge Jerome Simandle in New Jersey.  His colleague, Dmitriy Smilianets, age 34, had also pleaded guilty and was sentenced to 51 months and 21 days in prison (which is basically "time served", so he'll walk immediately).  The pair were actually arrested in the Netherlands on June 28, 2012, and the guilty pleas had happened in September 2015 after they were extradited to New Jersey.

Those who follow data breaches will certainly be familiar with Albert Gonzalez, but may not realize how far back his criminal career goes.

On July 24, 2003, the NYPD arrested Gonzalez in front of a Chase Bank ATM at 2219 Broadway, finding him in possession of 15 counterfeit Chase ATM cards and $3,000 in cash. (See case 1:09-cr-00626-JBS).  After that arrest, Gonzalez was taken under the wing of a pair of Secret Service agents, David Esposito and Steve Ward.  Gonzalez describes some of the activities he engaged in during his time as a CI in the 53 page appeal that he filed March 24, 2011 from his prison cell in Milan, Michigan.

At one point, he claims that he explained to Agent Ward that he owed a Russian criminal $5,000 and he couldn't afford to pay it.  According to his appeal, he claims Ward told him to "Go do your thing, just don't get caught" and that Agent Ward later asked him if he had "handled it." Because of this, Gonzalez (who again, according to his own sentencing memo, likely has Asperger's) claims he believed that he had permission to hack, as long as he didn't get caught.

Over Christmas 2007, Gonzalez and his crew hacked Heartland Payment Systems and stole around 130 million credit and debit cards.  He was also charged with hacking 7-Eleven (August 2007) and Hannaford Brothers (November 2007), where he stole 4.2 million credit and debit cards. Two additional data breaches against "Company A" and "Company B" were also listed as victims.  Gonzalez's indictment refers to "HACKER 1 who resided in or near Russia" and "HACKER 2 who resided in or near Russia."  Another co-conspirator, "PT", was later identified as Patrick Toey, a resident of Virginia Beach, VA.  (Patrick Toey's sentencing memorandum is a fascinating document that describes his first "cash out trip" working for Albert Gonzalez in 2003. Toey describes being a high school dropout who smoked marijuana and drank heavily and who was "put on a bus to New York" by his mother to do the cash out run because she needed rent money.  Toey later moved in with Gonzalez in Miami, where he describes hacking Forever 21 "for Gonzalez" among other hacks.)

Gonzalez's extracurricular activities caught up with him when Maksym Yastremskiy (AKA Maksik) was arrested in Turkey.  Another point of Gonzalez's appeal was to say that Maksik was tortured by Turkish police, and that without said torture, he never would have confessed, which would have meant that Gonzalez (then acting online as "Segvec") would never have been identified or arrested.  Gonzalez claims that he suffered from an inadequate defense, because his lawyer should have objected to the evidence "obtained under torture."  These charges against Gonzalez were tried in the Eastern District of New York (2:08-cr-00160-SJF-AKT) and proved that Gonzalez was part of the Dave & Buster's data breach.

On December 15, 2009, Gonzalez tried to shrug off some of his federal charges by filing a sentencing memo claiming that he lacked the "capacity to knowingly evaluate the wrongfulness of his actions" and asserting that his criminal behavior "was consistent with description of the Asperger's disorder" and that he exhibited characteristics of "Internet addiction."  Two weeks later, after arguing that the court could not conduct its own psychological exam, Gonzalez signed a guilty plea, agreeing that the prosecutor would try to limit his sentence to 17 years. He is currently imprisoned in Yazoo, Mississippi (FBOP # 25702-050) and is scheduled to be released October 29, 2025.

Eventually "HACKER 1" and "HACKER 2" were indicted themselves in April 2012, with an arrest warrant issued in July 2012, but due to criminals still at large, the indictment was not unsealed until December 18, 2013. HACKER 1 was Drinkman.  HACKER 2 was Alexandr Kalinin, who was also indicted with Drinkman and Smilianets.

Shortly after the Target Data Breach, I created a presentation called "Target Data Breach: Lessons Learned" which drew heavily on the history of Drinkman and Smilianets. Some of their documented data breaches included:

Victim | Date | Damages
NASDAQ | May 2007 | loss of control
7-ELEVEN | August 2007 |
Carrefour | October 2007 | 2 million cards
JCPenney | October 2007 |
Hannaford | November 2007 | 4.2 million cards
Wet Seal | January 2008 |
Commidea | November 2008 | 30 million cards
Dexia Bank Belgium | Feb '08 - Feb '09 |
Jet Blue | Jan '08 - Feb '11 |
Dow Jones | 2009 |
EuroNet | Jul '10 - Oct '11 | 2 million cards
Visa Jordan | Feb - Mar '11 | 800,000 cards
Global Payments Systems | Jan '11 - Mar '12 |
Diners Club Singapore | Jun '11 |
Ingenicard | Mar '12 - Dec '12 |

During the time of these attacks, Dmitriy Smilianets was also leading the video game world.  His team, The Moscow 5, were the "Intel Extreme Masters" champions in the first League of Legends championship, also placing in the CounterStrike category.   Smilianets turned out not to be the hacker, but rather specialized in selling the credit cards that the other team members stole.  Steal a few hundred million credit cards and you can buy a nice gaming rig!

Smilianets with his World Champion League of Legends team in 2012

How did these data breaches work?

Lockheed Martin's famous paper "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" laid out the phases of an attack like this:

But my friend Daniel Clemens had explained these same phases to me when he was teaching me the basics of Penetration Testing years before when he was first starting Packet Ninjas!

1. External Recon - Gonzalez and his crew scan for Internet-facing SQL servers
2. Attack (Dan calls this "Establishing a Foothold") - using common SQL configuration weaknesses, they caused a set of additional tools to be downloaded from the Internet
3. Internal Recon - these tools included a Password Dumper, Password Cracker, Port Scanner, and tools for bulk exporting data
4. Expand (Dan calls this "Creating a Stronghold") - usually this consisted of monitoring the network until they found a Domain Admin userid and password.  (For example, in the Heartland Payments attack, the VERITAS userid was found to have the password "BACKUP", which unlocked every server on the network!)
5. Dominate - Gonzalez's crew would then schedule an SQL script to run a nightly dump of their card data
6. Exfiltrate - data sent to remote servers via an outbound FTP.
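Steps 5 and 6 above are the most mechanically detectable part of this model: a database server that pushes a large FTP transfer to the same external host at the same hour on successive nights. The following is an added detection example, not code from the blog or from any of the cases it describes; it assumes a constructed firewall log format and a hand-maintained list of internal database server addresses.

```python
from collections import defaultdict
from datetime import datetime

# Constructed inventory of internal database servers (assumption, not from the article).
DB_SERVERS = {"10.1.5.20", "10.1.5.21"}
FTP_PORTS = {20, 21}

# Constructed firewall log, one connection per line:
#   <ISO timestamp> src=<ip> dst=<ip> dport=<port> bytes=<sent>
SAMPLE_LOG = """\
2008-01-10T02:05:11 src=10.1.5.20 dst=198.51.100.7 dport=21 bytes=900000
2008-01-11T02:04:58 src=10.1.5.20 dst=198.51.100.7 dport=21 bytes=950000
2008-01-12T02:06:02 src=10.1.5.20 dst=198.51.100.7 dport=21 bytes=910000
2008-01-10T14:20:00 src=10.1.5.21 dst=10.1.9.4 dport=21 bytes=50000000
2008-01-11T09:12:40 src=10.1.7.30 dst=198.51.100.7 dport=21 bytes=2000000
2008-01-12T02:30:00 src=10.1.5.21 dst=203.0.113.9 dport=443 bytes=1200
""".splitlines()


def parse_line(line):
    """Split one log line into a dict with typed fields."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts),
        "src": kv["src"],
        "dst": kv["dst"],
        "dport": int(kv["dport"]),
        "bytes": int(kv.get("bytes", 0)),
    }


def is_internal(ip):
    """Crude RFC 1918 check; sufficient for the constructed sample."""
    return ip.startswith("10.") or ip.startswith("192.168.")


def find_nightly_db_ftp(lines, min_nights=2, min_bytes=1_000_000):
    """Return [(src, dst, hour, nights)] for database servers that sent
    at least min_bytes over FTP to one external host, at the same hour
    of the day, on at least min_nights distinct dates."""
    dates_seen = defaultdict(set)   # (src, dst, hour) -> set of dates
    volume = defaultdict(int)       # (src, dst, hour) -> bytes sent
    for line in lines:
        ev = parse_line(line)
        if ev["src"] not in DB_SERVERS or ev["dport"] not in FTP_PORTS:
            continue
        if is_internal(ev["dst"]):
            continue   # internal FTP is out of scope for this check
        key = (ev["src"], ev["dst"], ev["ts"].hour)
        dates_seen[key].add(ev["ts"].date())
        volume[key] += ev["bytes"]
    return sorted(
        (src, dst, hour, len(dates))
        for (src, dst, hour), dates in dates_seen.items()
        if len(dates) >= min_nights and volume[(src, dst, hour)] >= min_bytes
    )


if __name__ == "__main__":
    for src, dst, hour, nights in find_nightly_db_ftp(SAMPLE_LOG):
        print(f"ALERT: {src} -> {dst} via FTP at {hour:02d}:xx on {nights} nights")
```

Only the first host in the sample trips the rule: it is a known database server, the destination is external, the transfers recur at 02:xx on three dates, and the combined volume is well over the threshold.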

In Rolling Stone, Gonzalez claims he compromised more than 250 networks
The Rolling Stone article, "Sex, Drugs, and the Biggest Cybercrime of All Time", also covers Steven Watt, who was charged in Massachusetts for providing attack tools to Gonzalez in October 2008.  Watt's tools were used in breaches including BJ's Wholesale Club, Boston Market, Barnes & Noble, Sports Authority, Forever 21, DSW, and OfficeMax.  As part of his sentencing, Watt was ordered to repay $171.5 million.

Almost all of those data breaches followed the same model ... scan, SQL inject, download tools, plant a foothold, convert it to a stronghold by becoming a domain admin, dominate the network, and exfiltrate the data.

How did the TARGET data breach happen, by the way?  Target is still listed as being "Unsolved" ...   but let's review.  An SQL injection led to downloaded tools (including NetCat, PSExec, QuarksPWDump, ElcomSoft's Proactive Password Auditor, SomarSoft's DumpSec, Angry IP Scanner (for finding database servers), and Microsoft's OSQL and BCP (Bulk Copy)), a Domain Admin password was found (in Target's case, a BMC server monitoring tool running the default password), the POS malware was installed, and data exfiltration began.

Sound familiar???

Justice?

With most of Gonzalez's crew in prison by 2010, the data breaches kept right on coming, thanks to Drinkman and Smilianets. 

Drinkman, the hacker, was sentenced to 144 months in prison.
Smilianets, the card broker, was sentenced to 51 months and 21 days, which was basically "time served" -- he was extradited to the US on September 7, 2012, so he'll basically walk.

Will Smilianets return to video gaming? to money laundering? or perhaps choose to go straight?

Meanwhile, Alexandr Kalinin, of St. Petersburg, Russia; Mikhail Rytikov, of Odessa, Ukraine; and Roman Kotov, of Moscow, Russia, are all still at large.  Have they learned from the fate of their co-conspirators? or are they in all likelihood, scanning networks for SQL servers, injecting them, dropping tools, planting footholds, creating strongholds, and exfiltrating credit card data from American companies every day?

Kalinin (AKA Grig, AKA "g", AKA "tempo") is wanted for hacking NASDAQ and planting malware that ran on the NASDAQ networks from 2008 to 2010.  (See the indictment in the Southern District of New York, filed 24JUL2013 ==> 1:13-cr-00548-ALC )

Mykhailo Sergiyovych Rytikov is wanted in the Western District of Pennsylvania for his role in a major Zeus malware case.  Rytikov leased servers to other malware operators.  Rytikov is also indicted in the Eastern District of Virginia along with Andriy DERKACH for running a "Dumps Checking Service" that processed at least 1.8 million credit cards in the first half of 2009 and that directly led to more than $12M in fraud.  ( 1:12-cr-00522-AJT filed 08AUG2013.)  Rytikov did have a New York attorney presenting a defense in the case -- Arkady Bukh argues that while Rytikov is definitely involved in web-hosting, he isn't responsible for what happens on the websites he hosts.

Roman Kotov, and Rytikov and Kalinin, are still wanted in New Jersey as part of the case 1:09-cr-00626-JBS (Chief Judge Jerome B. Simandle ). This is the same case Drinkman and Smilianets were just sentenced under.

Tuesday, February 13, 2018

On the Anniversary of the Islamic Revolution, 30 Iranian News sites hacked to show death of Ayatollah Khamenei

February 11th marked the 39th anniversary of the Islamic Revolution in Iran, the day when the Shah was overthrown and the government replaced by the Ayatollah Khomeini, called "The Supreme Leader" of Iran.  February 10th marked something quite different -- the day when hackers gained administrative control of more than 30 Iranian news websites and used stolen credentials to log in to their Content Management Systems (CMS) and share a fake news article -- the death of Ayatollah Khamenei.

The Iranian Ministry of Communications and Information Technology shared the results of their investigation via the Iranian CERT (certcc.ir) which has announced the details of the hack in this PDF report.  All of the websites in question, which most famously included ArmanDaily.ir, were hosted on the same platform, a Microsoft IIS webserver running ASP.net.

Most of the thirty hacked websites were insignificant as far as global traffic is concerned.  But several are quite popular.  We evaluated each site listed by CERTCC.ir by looking up its Alexa ranking.  Alexa tracks the popularity of all websites on the Internet.  Three of the sites are among the 100,000 most popular websites on the Internet.

News Site | Alexa Ranking
SharghDaily.ir | 33,153
NoavaranOnline.ir | 43,737
GhanoonDaily.ir | 79,955
Armandaily.ir | 104,175
BankVarzesh.com | 146,103
EtemadNewspaper.ir | 148,450
BaharDaily.ir | 410,358
KaroonDaily.ir | 691,550
TafahomNews.com | 1,380,579
VareshDaily.ir | 1,435,862
NimnegahShiraz.ir | 2,395,969
TWeekly.ir | 2,993,755
NishKhat.ir | 3,134,287
neyrizanfars.ir | 3,475,281
Asreneyriz.ir | 7,820,850
Ecobition.ir | 8,819,111
saraFrazanNews.ir | 9,489,254
DavatOnline.ir | 9,612,775

These rankings would put the online readership for the top news sites listed as similar to a mid-sized American newspaper.  For example, the Fort Worth Star-Telegram ranks 31,375, while the Springfield, Illinois State Journal-Register is 84,882.  (For more examples, the Boston Globe is 4,656, while the New York Times is #111.)

Hacked Sites not listed by Alexa among the top ten million sites on the Internet included: Aminehamee.ir, armanmeli.ir, Baharesalamat.ir, bighanooonline.ir, hadafeconomic.ir, kaenta.ir, naghshdaily.ir, niloofareabi.ir, sayehnews.com, setarezobh.ir, shahresabzeneyriz.ir.

CERTCC.ir's report notes that the primary explanation of the attack is that all of the attacked news sites have "the default user name and password of the backup company" and a "high-level" gmail.com email account with the same username and password had permissions to all sites.

Although the official Islamic Republic News Agency says the source of the attack was "the United Kingdom and the United States", that accusation is not entirely clear after reviewing the report from the CERT.  The IP address 93.155.130.14 is listed by the Iranian CERT as being a UK based company using AS47453.  Several sources, including Iranian site fa.alalam.ir, point out that this is actually a Bulgarian IP address.  AS47453 belongs to "itservice.gb-net" with support details listed in Pleven, Bulgaria.

93.155.130.14 - mislabeled in the original CERTCC.ir report
This error of IP address does seem to have been human error, rather than deception, and the CERT has released an updated version of the Iranian news site hacking report which can be found here, showing the corrected information.

The Corrected version of the report ... (created Feb 12 0408AM)

The CERT report is rather uncomplimentary of the hackers, mentioning that there seem to have been several clumsy failed attempts to dump a list of userids and passwords from the Content Management System database via SQL Injection attacks, as well as several other automated attacks.  In the end, however, the measure of a hacker is in many ways SUCCESS, and it does seem that the objective, shaming the Ayatollah by declaring his death on the eve of the Islamic Revolution holiday, was achieved.

While a source IP address cannot serve exclusively to provide attack attribution, Newsweek reports that on the day the attack began (Thursday, February 8, 2018), Ayatollah Ali Khamenei gave a speech to commanders of the Iranian Air Force in which he claimed that the United States had created the Islamic State militant group and that the USA is responsible for all the death and destruction ISIS has caused.  That could certainly serve as a motive for certain actors.  The holiday itself, called "Death to America Day" by American politicians, included as usual the occasional burning of American, Israeli, and British flags, as well as several instances of Donald Trump effigies being burned, but overall the protests seemed more timid than in the past.

from: http://www.newsweek.com/iran-says-us-even-worse-isis-bombing-supreme-leader-allies-syria-802257