Thursday, April 26, 2012

SOCA & FBI seize 36 Criminal Credit Card Stores

Today the Serious & Organised Crime Agency (SOCA) in the UK announced the completion of a joint operation targeting 36 criminal websites dealing with stolen credit card and online bank account information. The April 26th Press Release indicates that the operation targeted a particular type of e-commerce platform known as an Automated Vending Cart, or AVC. Here's an advertisement from one of the sites, CVVPlaza.com:

The seized domains are now redirected to a website controlled by the FBI which reads:

The United States Government has seized this domain name pursuant to a seizure warrant issued by the United States District Court for the Eastern District of Virginia under the authority of 18 U.S.C. §§ 981(a)(1)(A) & (b)(2). A United States Magistrate Judge issued that seizure warrant after finding that a sworn affidavit established probable cause that this domain name was personal property involved in a transaction or attempted transaction in violation of section 18 U.S.C. § 1956(a)(2)(A) & (h)
If you registered this domain name, or otherwise claim an ownership interest in this domain name, you should consult an attorney about your rights.



SOCA has requested that we not provide a full list of the domain names at this time, but two which they have revealed in their own products are "cvvplaza.com" and "ccstore.biz". The others will be added once permission is received.

Some of the screenshots provided by SOCA include:

a site offering an inventory of more than 37,000 confirmed credit cards:

and a fairly nice "search screen":

SOCA has recovered more than 2.5 million card numbers or credentials which they say would have given the criminals access to more than £500 million (about $809 million US Dollars!). That is NOT the value of the cards currently available for sale in these card shops, but rather the value of the cards that have been recovered from criminals who purchased cards from these shops. The total inventory is expected to be much higher.

SOCA is leading the way in international cooperation. In this case they worked with the BKA in Germany, the KLPD in the Netherlands, the Ukraine Ministry of Internal Affairs, the Australian Federal Police, the Romanian National Police and of course the FBI in the United States. These recoveries took place over the course of the past two years. The operator of at least one of these AVC stores was arrested in Macedonia by the Macedonian Ministry of the Interior's Cyber Crime Unit.

Some online card shops have very simplistic interfaces, such as this:

while others have extremely beautiful websites. Check out the login page for this site:

Our friend Dancho Danchev has written extensively about the online carding markets, for example in his article: Exposing Market for Stolen Credit Cards. Brian Krebs has also written extensively on the topic with articles such as How much is your identity worth?

Tuesday, April 03, 2012

UK Zeus user G-Zero Sentenced

According to today's Daily Mail, court details have now emerged regarding Edward Pearson, a 23 year old hacker from York, England known online as "G-Zero", and his activities involving the Zeus and SpyEye trojans.

Pearson was ultimately arrested after his girlfriend, Cassandra Mennim, tried to pay for hotel rooms at the Cedar Court Grand Hotel and the Lady Anne Middleton Hotel, both in York, using stolen credit cards. (Pictures of the hotels were in the Daily Mail's original story on this case on February 20 - Computer whizz faces jail for writing programme to steal personal details of 8 MILLION people, including 400 PayPal accounts.)

G-Zero Gets Doxed (June 2011)


Although these details were not shared in court, the hacker world has known who Pearson was for some time. On June 3, 2011, on the hacker forum "OpenSC.ws" - a site where Trojan authors and botnet herders meet and greet and buy and sell from one another - a user named "cr333k" posted these details. His post read:

"I dedicate this post to ED aka G-Zero because he is the reason I obtained this material" (referring to the leaked version of SpyEye v.1.2.8.0 and v.1.2.99.39).

"So in his honor, I will chase him off the internet."

Cr333k then proceeds to document G-Zero's use of Spyeye, claiming that G-Zero was in charge of the Spyeye servers at 89.149.202.104 [Leaseweb in Germany] and 91.211.11.192 [a serverbox.de account hosted in the UK], and claiming that his main IP address was 178.86.2.40 [a Ukrainian IP], but that he also used the IPs 94.12.53.50 [a SkyNet broadband account in the UK] and 77.103.230.142 [a VirginMedia/Telewest residential cable modem in the UK].

He provides userids and passwords to several of his sites, including the details of his "webnames.ru" account in the name of "GZero" and his hosting.ua account in the name of "rogue2" (with the same password.)

Cr333k claimed at that time that G-Zero's real name was Edward Pearson, and that he was in control of the email accounts gzero@9.cn, eddypearson@gmail.com, solipsis@w.cn, cellar@9.cn.

Cr333k gave Pearson's address as: Edward Pearson, 11 Regatta Court, Oyster Row, Cambridge, Cambridgeshire, cb58ns, UK, and shared Pearson's userid and password for his Liberty Reserve online money account.

Cr333k claims to have stolen $5500 from Pearson's account ... no idea if that is true.

(Eddy also had his superstrong password hash dumped by the guys at Zero For Owned. When they dumped Eddy's details out of the RootCult website after SQL-injection of their database, Eddy's GroundZero password was shown to have an MD5 hash of c8837b23ff8aaa8a2dde915473ce0991. Bad news. That would mean his password was "123321". Not a good password choice for a bad ass hacker. Of course that dump was from 2006, so Eddy would have been ... 17??)

Loose Lips


Probably not a good idea to tie your bad-ass hacker name to your real name in such things as your SoundCloud account (Userid: GZero, Name: Edward Pearson, Cambridge, Britain (UK), soundcloud.com/eddypearson).

He did the same thing back in 2009 when he was trying to share his online video ripping system on the forum DigitalSpy. His ripper service was distributed from "rizzle.net", which he registered with his true personal details, but advertised in the DigitalSpy forum under his hacker handle "GZero":

Domain name: RIZZLE.NET

Administrative Contact:
Pearson, Edward eddypearson@gmail.com
93 Brampton Road
Cambridge, Cambridgeshire CB1 3HJ
GB
+44.7912558447

GZero's post on July 13, 2010 to "HackForums.net" was also pretty interesting:

Alright guys,
Basically I've not been part of the "scene" for many years, long before botnets, around the "how do i hack hotmail?" era. I got very bored of the bunch of rude little pricks that seemed to engulf the place.

Who remembers Zebulun hey? :p

Anyway, I'm a freelance programmer (C, C++, PHP, Python + many more) and pentester, the legit kind!

I was playing with one of the public copies of the Zeus botnet, and I have simply fallen in love!

Basically, I have all the skills to really do some cool stuff here, coding is my day job, and have until now been working with a private group to make a bit of cash on the side, just not with bots.

Basically, I can do Programming, Custom Hacking, Bulletproof hosting, Setups of anything, FUDding things, Some very sneaky stuff to do with botnet takeovers, CC stuff, Been stealing the latest drive by sploits (NOT the packs), reversing em and then hopefully I'll make a real nice exploit pack if I have the time.

Basically I only just got onto botnets, and I LOVE WHAT I SEE. That said, I have been working with malware, hacking, financial stuff and the darker side of things for many years, just with a group I trust, not involved in the "scene"

Long story short, I want to talk to people, learn more about the way things are done, and ideally work with somebody, or do some work for them in exchange for a decent copy of Zeus.

Basically, I'm trying to get on this and I have everything else pretty much setup, but I'm just not happy with using a public Zeus. REALLY want to get everything JUUUST right before I really get stuck in ;)

MSN me guys, even if you don't have what I want, an interesting discussion is always nice and I'm always nice and helpful. I do have some vaguely private softs to share, but really this is my problem, for this to be GOOD, I need a good bot, and I LOVE Zeus...

MSN:
gzero@9.cn
solipsis@w.cn

8 Million Identities?


According to the police, on one of Pearson's computers they recovered 8,110,474 names with birthdates and postcodes for adults living in the United Kingdom. He also had details of 2,701 credit or debit cards stolen between January 1, 2010 and August 30, 2011.

At one point Pearson used a program he had written in Python to test potential PayPal accounts, and successfully confirmed more than 200,000 PayPal account details.

David Hughes, the prosecutor in the case, says that Pearson also hacked into systems belonging to Nokia and AOL, which caused Nokia to disable certain of its systems for two weeks while it reviewed the intrusion.

(The Nokia intrusion is believed to be the August 2011 SQL Injection of the "developers.nokia.com" website)

Intellectual Challenge?


Although the Crown paints Pearson as a criminal mastermind, his defense attorney, Andrew Bodnar, claims that he was not interested in large-scale theft, but considered this merely an intellectual challenge. To support his point, he claims that the total documented theft, despite possession of thousands of cards, was only £2,351 or about $3700 US Dollars, mostly in the form of fast food orders, pizza, and paying his cell phone bills.

This is quite a difference from the original charge, that Pearson "plotted a £350,000 fraud" ($560,000 USD).

Mennim's lawyer called her a "vulnerable young woman who found comfort in Pearson following a difficult previous relationship." He describes her as a straight A student who is ashamed of her actions and will pay back the money she owes the hotel.

Pearson was sentenced to two years and two months, and Mennim to 12 months of supervised release. Although Pearson did not SELL the details he had gathered, it was demonstrated that he shared them with other hackers online, and the judge took this into consideration in the sentencing, as she said "Your computers and software were a devastating tool kit. I accept you didn't sell this information, but you shared it with other computer programmers, and you had no way of knowing how THEY might use this information."

The ultimate charges, to which the pair pleaded guilty:

Pearson - "Making an article for use in fraud and two counts of possession of an article for use in fraud."

Mennim - "Two counts of obtaining services dishonestly."

According to the original charges, the couple were also dealing the drug MDPV, also called "super cocaine". Apparently those charges were dropped, but they seem consistent with his lifestyle - for instance, see this post on Cannabis.com from October 2007 where Eddy announces he has just moved to Cambridge and is looking for "connections" via his MSN chat account, eddypearson@gmail.com. This is consistent with some of his HackForums.net posts where he describes himself as "High and Pissed Off".