Friday, November 26, 2010

Schoolboy Hackers steal $18 Million (£12 Million pounds)

The Background



Back in August one cybercrime story we were watching came to our attention via ZDNet's story Teenagers accused of running cybercrime ring. In that story most of the public learned for the first time of a criminal online forum called GhostMarket.net, run by a pair of 18-year-olds, Nicholas Webber and Ryan Thomas. Webber owned and operated the forum, which had over 8,000 members, while Thomas did day-to-day moderating and operations tasks.

The pair had actually been arrested back in October 2009 when they tried to pay a high-end hotel bill of around £1,000 with a stolen credit card. At the time of his arrest, Thomas' laptop revealed that he had a leading role on Ghostmarket.net. Webber actually had business cards calling himself "N2C AKA Webber". N2C was the main administrator of GhostMarket.

The pair jumped bail in October but were arrested when they returned to the UK on January 31st at Gatwick airport. A laptop they were carrying at that time revealed the details of 100,000 credit cards and identified an additional co-conspirator, 21-year-old Gary Paul Kelly. Kelly had been previously identified as being involved with a Zeus botnet associated with the domain "TotalUnix.net". (Several pieces of malware used totalunix.net IRC rooms to spread themselves, as shown in this TeamElite report, this Wepawet report, this Prevx report, or this malwareurl report.) ZeusTracker.abuse.ch listed the "woot/gate.php" file on totalunix as a confirmed Zeus distribution point as well.

Despite previously fleeing when they had posted bail, they were allowed to post bail a second time, on the condition they did not use the Internet. They entirely ignored this condition, and continued to perform their duties on GhostMarket.

In addition to Webber, Thomas, and Kelly, 20-year-old Shakira Ricardo and 21-year-old Samantha Worley were charged as well for their role in controlling two Halifax building society accounts used to handle proceeds from GhostMarket.

PCeU officers called the case Operation Pagode.

Born and raised in Guernsey, Nick Webber now attends school at St John's College in Southsea, Hampshire, where he lives on Cavendish Road.


According to The Guernsey Press, Webber's hometown paper, 65,000 bank accounts had been drained of approximately £8 million in what were called "linked frauds". The forums also contained bomb-making information, and Webber was said to have discussed his desire to blow up the home of the detective he believed was the head of the e-Crime unit.

Accusations against Webber, Thomas, Kelly, and Ricardo include "conspiracy to commit fraud" and "encouraging or assisting offences" between 12 April 2009 and 4 November 2009, namely providing Ghostmarket credit card data, and tutorials on various crimes, including hacking, phishing, spamming, and manufacturing crystal meth.

Kelly is also charged with "conspiracy to make or supply articles for use in fraud" and "unauthorised modification to computers", while Ricardo was charged with "possession of articles for use in fraud" and "acquiring criminal property".

Worley is also charged with "acquiring criminal property" including a Tiffany ring and an H Samuel platinum chain.

The Crimes



Mikko Hyppönen found an interesting post on an underground forum the day before Kelly went back to trial, and shared it on his blog, "I possibly won't be back for a while...".

In that thread, Kelly points back to this SkyNews article about his original Zeus arrest, Two Arrested Over Computer Virus Plot from November 18, 2009.

Kelly, who used the hacker name "Cache" on several boards, was a sometime malware author, selling a "crypter" that he authored that would help protect malware from discovery. He also has been seen offering to buy "installs" from others when "his DNS got screwed up" and he lost a botnet he was controlling. He preferred to chat with Yahoo messenger using the name "snapperofirc@yahoo.co.uk" which was often associated with his alias "Mike Wilson".

He claims to have been charged with having 15,000 controlled Zeus bots, 2 million lines of stolen Zeus log data, for scamming a casino for 10,000 pounds, stealing $9,000 via Western Union, and other related crimes. He also was running a #ccpower IRC server, according to a post he made in January 2010 asking his fellow hackers how much prison time he might get for Zeus.

Nick Webber, who used the alias "N2C" to run Ghostmarket, was teased when the full version of the abbreviation was shared: nick2chocolate@hotmail.com

He used that as his MSN chat handle, to register the domain name "gh0stmarket.net" (with a zero) and for his YouTube page where he posted videos on hacking, such as this one called Advanced VBV / MSC Phisher (that's VBV as in Verified By Visa).

He also used that email with the N2C alias as his member email on spiralforce.eu, which was outed in RM #2 back in 2008. Back then he was logging in from BT Central on 86.154.181.8.



The Trial


Webber and Thomas have now pleaded guilty to their charges, and Gary Kelly has admitted to being behind a particular Zeus trojan. The two others charged have admitted to their role as money mules. According to The Portsmouth News story, Teenage admits £12m internet banking fraud, the sentencing is expected to be quite lengthy.

'You used your enormous skills and education in what looks like an enormous conspiracy to defraud and steal people's credit cards and bank accounts.

'These are such serious matters that there may well be substantial periods of imprisonment.'

Webber pleaded guilty to conspiracy to commit fraud, conspiracy to make or supply articles for use in fraud and encouraging or assisting offences, at Southwark Crown Court.

Kelly, of Swinton, Manchester, pleaded guilty to the same charges as well as an additional count of conspiracy to make or supply articles for use in fraud and a further charge of conspiracy to cause unauthorised modifications to computers.

Ricardo, of Kings Road, Swansea, admitted conspiracy to commit fraud, conspiracy to make or supply articles for use in fraud, possession of articles for use in fraud and acquiring criminal property.

Worley, also of Kings Road, Swansea, admitted one charge of acquiring criminal property.


Webber and Kelly will be held until their sentencing, but the remaining three are out on bail.

The Daily Mail has the best photos of the group that I've seen, including:

Nick Webber



Samantha Worley



and Gary Kelly
