Showing posts with label hacking. Show all posts

Thursday, January 05, 2023

SIM Swapping, Crypto Theft, and Sentencing in the United States

As you know from the title of my blog, "CyberCrime & Doing Time," I'm very interested in cybercrime and the criminal justice system. This week I've been looking at SIM swapping cases and wanted to share what I learned from reading the sentencing memos and the sentencing transcript for Ricky Handschumacher.

Ricky was one of the members of "The Community" - a group of six OGUsers/HackForums punks who decided to go into the crypto theft business. They haunted crypto community forums gathering data on people who over-shared about their crypto earnings, then did the social media intelligence (SOCMINT) work to identify their target, assess their holdings and get their online credentials, and then paid a phone company contractor or employee to SIM swap the target's number. Once the number is on a SIM the thieves control, the password resets and SMS one-time codes that protect the victim's accounts go to the thieves, and the crypto is theirs to move.

They stole over $50 million.

Ricky was the last guy to get sentenced.  The other members of the group (not their phone store patsies, but the core group) were: 

  • Conor Freeman, 20, of Dublin, Ireland.  Conor was sentenced to three years in Ireland.
  • Colton Jurisic, 20, of Dubuque, Iowa. He was sentenced to 42 months and restitution in the amount of $9,517,129.
  • Reyad Gafar Abbas, 19, of Rochester, New York.  He was sentenced to 24 months and restitution in the amount of $310,791.
  • Garrett Endicott, 21, of Warrensburg, Missouri.  He was sentenced to 10 months and restitution in the amount of $121,549.
  • Ryan Stevenson, 26, of West Haven, Connecticut.  He got two years probation.  Minor player.

Ricky pleaded guilty to a single count of "18 USC § 1349 - Conspiracy to Commit Wire Fraud," and in exchange the remaining counts against him were dismissed:
  • 18 USC §§ 1343 and 2 - Wire Fraud, Aiding and Abetting
  • 18 USC §§ 1028A(a)(1) and 2 - Aggravated Identity Theft, Aiding and Abetting

Anyway, the guilty plea is received, the family all lines up to say what a good boy Ricky is, blah blah blah, and how well he behaved while he was out on bond.

Sentencing Guidelines 

Here's how the federal Sentencing Guidelines work ...

Each base offense is assigned an "offense level." A long list of adjustments then adds or subtracts levels based on the specifics of the offense. The final offense level, combined with a criminal history category based on the defendant's prior convictions, maps to a sentencing range in months.

Conspiracy to Commit Wire Fraud has a base offense level of 7.  With no criminal history, that alone would give a range of 0-6 months. But that would be a conspiracy with no victims and no losses, the most basic case there is.  Everything else about the offense adds levels. 

The following modifications are then applied.

+2 - the number of victims matters.  In this case, the enhancement is for "ten or more victims." 

Ricky's score is now a 9.  Sentencing guideline: 4-10 months.

+2 - sophisticated means.  This was a high-tech scheme with a lot of technology and a lot of moving parts.

Ricky's score is now an 11.  Sentencing guideline: 8-14 months. 

+2 - unauthorized use of a means of identification.  To curb identity theft and the flippant use of stolen credentials, the Guidelines add two levels when a stolen identifier (here, the victim's phone number) is used to obtain further credentials or accounts. 

Ricky's score is now a 13.  Sentencing guideline: 12-18 months.

+18 - loss of between $3.5 million and $9.5 million.  The two largest adjustments in the fraud guideline are number of victims and amount of loss.  This is a huge modification; then again, they stole a lot of money!  Many victims lined up to say they lost 100% of their life savings.  One of them even appeared at the sentencing hearing and said so.  He told the court he had lost everything and had been waiting FOUR YEARS for justice to be served.  It definitely needs consideration.  

Ricky's score is suddenly 31.  108-135 months.  That's 9 to 11 years.

-3 - Because Ricky was cooperative and accepted responsibility for his crimes, apologizing to the court and to the victims, his offense level is reduced by three.  That's huge, actually.

Ricky's score is now 28.  78-97 months. 

In their sentencing memo, the prosecution says they would be happy to accept the "mid-point" of that range and asks for an 88 month sentence.

The Judge Speaks

The judge in this case is The Honorable Denise Page Hood in the Eastern District of Michigan.  I appreciate that she puts a great deal of explanation on the record before imposing sentence.  She walks through each of the things she is charged with considering as she builds her decision on what sentence to impose.  All of the following is quoted from the sentencing transcript available on PACER, although the emphasis added is mine.  

1. "The factors I'm supposed to consider are these: The nature and circumstances of the offense and the history and characteristics of the Defendant, and I'm satisfied that, while I don't think that -- well, I think the age of the other individuals involved really didn't have anything to do with you. What it really has to do with is whether or not you were a more mature person and maybe should have had some other indication of this wrongdoing and made a better judgment than someone who perhaps is still young and a bit naive might be. Like I know one of the people, I was convinced that person was much more naive than other individuals involved in this. You, however, aren't one of those.

"I have here also that I think that the nature and circumstances of the offense are serious, because there's a lot of money stolen, and it's stolen from individuals who, number one, are unsuspecting, and, number two, some of them are like Mr. S.S., who is here in court today, that this was not, you know, some organization or anything. It was an individual and their personal money, their, as he describes it, his life savings that were involved, and I think that makes it a little bit different than stealing from a company that might have some other means of recovering that than an individual. I'm also satisfied that it seemed like kind of a we're going to go out there and just do these things. We're just going to hack. We don't have any sense of caring very much, until it's over, about people who might be involved in this and where the money might be coming from and where it might go, and so, to some extent, on the part of everybody involved, it seemed like it was kind of a relaxed look at what you were doing and just kind of like a greed thing. I mean it wasn't -- particularly in your case, it wasn't that you were destitute or anything. You had some education, and you had the ability to have a job. So it wasn't that you couldn't go out and make money on your own, and that is kind of the nature of these kind of things, but I think it's a very serious offense in this particular scheme of things.

2. I'm also to look at the history and characteristics of the Defendant, and, for that, I would note that in the scheme of people who come into court, you're on the young end of that. You may not think you are, but you really are on the young end of those people who commit crimes within our system.

I'm satisfied that you had a decent childhood. I had some notes here that you were an athlete and well-integrated into your experiences as a youth, and, also, that, unlike some other people, you did not seem to be someone who was just, you know, isolating themselves and unliked by others and, therefore, kind of a person who might reach out to do something like this because of a bad situation that they were in. Not that that excuses that behavior, which is exactly what I told them, that it doesn't excuse that behavior.

I'm also satisfied that -- I don't know whether it's better or worse that there are hackers out there that don't know one another, and maybe that adds a little bit to the frivolousness and the unaccountability of it relative to one another. Otherwise, I don't think there's anything in your history or characteristics that is a negative to you. I had one thing I wanted to note here. Okay, I wanted to note that it does not appear that you have any physical problems or that you have any mental health diagnosis or received any mental health treatment. It does not appear that you have any substance abuse problems.

It appears that you graduated from high school and that you were able to have some employment, including an employment from July of 2019, on Paragraph 44, until – at least at the time that this report was written, and that prior to that, that you have worked -- you had been unemployed for a time but that you were also employed by the city of Port Richey, and, prior to that, in a grocery store, and for the short period of time that you've been an adult, that's a significant amount, as far as I'm concerned, of employment.

3. The other thing I want to say is that I'm to consider whether or not the sentence that I'm going to craft will reflect the seriousness of the offense. I've already spoken to that. Promotes respect for the law and provides just punishment, and I'm sure that you're aware now of the seriousness of the offense. That may be enough to promote respect for the law. I don't know that. You know, I don't know that in these particular kind of instances whether people look at it and say, you know, I've been involved in this. It was easy. I just happened to get caught. I'm never going to get caught again because of the nature of how this is done and how hard it is to investigate and to find out what each person involved in it is doing. So I don't know that my sentence will promote respect for the law, but at least I have taken it into consideration.

4. I'm also to fashion a sentence that provides just punishment, and I know that in all of the cases during the pandemic, where people have been on bond, they have noted I've been, you know, really good, in quotes, on pretrial release, and that shows that I am rehabilitated, and, to some extent, that may be true. To the other extent, the opportunity was that you would not be on pretrial release and you would be in custody where everyone else is attempting to get out of custody because of Covid-19. So I see that people would be, to a very great extent, well-behaved on pretrial release at this time, especially when they don't want to be incarcerated. So I don't give that a lot of weight. I know it's a long time to wait, but I'm sure it is far less onerous conditions than if you were waiting in jail to be able to proceed.

5. I'm also to consider whether or not I will afford adequate deterrence to criminal conduct, and I recognize that this may have been an opportunistic crime, but it's still illegal. You still have to answer for it, and some of it, the deterrence, I think, is not only deterring yourself, meaning that something happens to you that makes you not want to do this ever again even if you think the opportunity to be caught is very small, and it's going to become less small. The Government is going to get better at uncovering this type of crime and uncovering it earlier, but I also think that we deter others by letting them know that we're not going to just let this kind of crime go unaddressed.

6. I'm also to fashion a sentence that protects the public from the further crimes of the  Defendant, and I will do that in this case by requiring, since it's your first contact with law enforcement, and to some extent the presentence report indicates it's a deviation from your otherwise law-abiding life, that you will have to participate in the Computer Internet Monitoring Program for the entire time that you're connected to the Court by being incarcerated, if you're put in a halfway house, or while you're on supervised release, and you'll have to abide by that agreement, which addresses all of the computers to which you would have any contact, okay, and it allows them to not only search but at reasonable times and places, but to also be for you to provide other people using the computers with the understanding if you're using their computer, it's subject to search as well.

7. I'm to fashion a sentence that provides you with needed education and vocational training, medical care, or other correctional treatment in the most effective manner, and it does not appear that you're unhealthy, or, as I said, have any mental health or substance abuse concerns. I know you have a high school diploma, and you have had some employment that's consistent with that, and so I would note that you should have the opportunity to engage in any programs that you think are beneficial to you to enhance that, but I don't have any that I'm going to particularly point out.

8. I also have to consider the kinds of sentences available, and that is the 78 to 97 months of incarceration, and that it will be followed by a term of supervised release, and I'm also to consider the need to avoid unwarranted sentencing disparities among defendants with similar records having been found guilty of similar kinds of conduct, and I have these other codefendants, all of whom seem to have various roles in conducting this conspiracy, and I think that my sentence will reflect how I think the various roles and the history and characteristics and other factors have impacted those people, all of whom, so far, have received a sentence that is below the guideline range. 

9. I'm also to consider the need to provide restitution to any victims of the offense, and I am going to order a restitution against you relative to this. I will also recommend that the amount that you're forfeiting go against the restitution, but, you know, part of it is that, you know, the amount of restitution is really high, and I think it's really difficult for anybody, although you're a young person and so are the others, to pay back seven-and-a-half-million dollars. That's a tremendous amount of money, and the amount that it is apparent that you're forfeiting doesn't really approach that. It doesn't approach $7 million, and so, you know, the Court is always wondering what happened to the money that was stolen away from people and whether or not people have spent it or they hid it away, especially if there's nothing really apparent. There is, in some cases, something apparent to show for it, but I have considered that as well.

I've said in the other sentences, because in the other instances, people also ask for noncustodial sentences, that I don't think that a noncustodial sentence is appropriate in these cases. I mean we think, kind of like we do in other kinds of cyber crimes, that you don't see what's happening. It's not done with some -- it's not like you went in and robbed a place where some people were standing there and you had to deal with the actual people that you might be stealing the money from, or had to confront an actual bank teller who might be afraid or anything like this. This is kind of done on your own on the computer. You don't really have any real people in front of you. It's not maybe very -- it does not seem very personal to the people committing the crime, but it's really personal against the people that the crime is committed, and so I don't think that a noncustodial sentence is appropriate.  Even with the halfway house and the like, I don't think it's appropriate, and I think you can tell that from the other sentences that I've imposed.

The Sentence

And, therefore -- but I should also say that I think the 78 to 97 months is driven, as many of these monetary crimes are, by the amounts of loss, and I think, in this particular instance, where I have people before me and you who don't have prior serious offenses or any offenses at all, that I give credit for that in most other instances of fashioning a sentence, and the credit for it actually goes to the amount of time that you have to be incarcerated usually, and I don't see any reason why I shouldn't do that in this particular instance. In all of these instances, I think I have before me people who have the ability to do one of two things. They can grow and become productive members of society and attempt to pay back the victims the money that was, you know, secretly stolen from them and computers used to do that, and, therefore, I think that a sentence within the guideline range is too much for the charges that I'm presented with here for the reasons that I've stated.

And, therefore, with respect to Count 1 of the indictment, pursuant to the Sentencing Reform Act of 1984, the Court, having considered the advisory guidelines and the factors contained in 18 U.S.C. §3553(a), commits the Defendant to the custody of the Bureau of Prisons for a term of 48 months. And, upon release from imprisonment, the Defendant will be placed on supervised release for a term of three years. 

... I'm ordering that you pay that restitution to the clerk of the court for disbursement to the victims identified below in the amounts below for a combined restitution order of $7,681,570.03, which is due immediately. While on supervised release, payments must be made at a rate and schedule determined by the probation department, approved by the Court, and they are going to these victims:
Victim with initials D.M. in the amount of $116,387.12;
Mr. S.S. in the amount of $1,967,146.57;
And S.B. in the amount of $5,598,036.34.

Thoughts on Sentencing 

I am always frustrated when judges choose to depart below the guideline range, especially in a way that I feel does not take cybercrime seriously.  As we look at the rationale behind the sentence, though, I think it boils down to this:

In the world of Big Crypto, with security so pathetic that a kid in a phone shop can facilitate a $5.5 million theft, how do we balance the trivial means of stealing that money against the fact that someone's life savings have been destroyed?

In this case, restitution will start with Ricky forfeiting 38 BTC and 900 ETH from what he stole.  At the time of this writing that is about $1.8 million.  How is a kid with a high school diploma and a criminal record going to pay back the other $5.8 million?  He's not.  The probation office will set a payment schedule out of his future wages, but if he ends up in a minimum wage job, that is likely to be repaid at a rate of around $100 per month, so the victims will get the rest of their money slowly over the next four thousand eight hundred years or so.

I would really like to hear your thoughts on this.  Feel free to comment below.  Thank you!

Thursday, July 23, 2020

Chinese "COVID-19" Hackers indicted after 11-year hacking spree

On July 7, 2020, a federal grand jury in the Eastern District of Washington (Spokane) returned an indictment describing the eleven-year campaign of Computer Network Intrusion conducted by two former classmates who hacked both for personal profit and for the benefit of the Chinese Ministry of State Security: Li Xiaoyu 李啸宇 and Dong Jiazhi 董家志.  The pair met when they were studying Computer Application Technologies at the University of Electronic Science and Technology ("UEST") in Chengdu, China.  UEST has as its motto:  求实求真 大气大为  -- "To Seek Facts and Truth, To Be Noble and Ambitious."  This pair certainly "sought facts" and were "ambitious," though not in a way that many would consider "Noble."  The University was admitted into Project 985 in 2001, a project that supported 34 top universities, encouraging each to become a global leader in its chosen specialty, and incidentally kicking off a new ambitious era of global cyber espionage to help them gain competitive advantage.

Or maybe it was exactly the plan.  In 2007, likely the year that Dong would have started college at UEST, the School of Software boasted that as part of the 11th Five Year Plan their textbook, 计算机病毒技术 (Computer Virus Technology), received national acclaim.  The following year they announced the completion of their eight-book Information Technology textbook series, adding "Network and System Attack Technology" (网络与系统攻击技术) and "Network and System Defense Technology" to the series.  In the United States, a course like "Network and System Attack Technology" is mostly taught in the military and intelligence communities, not in undergraduate computer science programs.  In 2017 the course was taught by Li Hongwei (李洪伟), whose slides are online.  In 2019 the instructors were 李洪伟 (Li Hongwei) and 吴立军 (Wu Lijun).
Network and System Attack Technology - Cao Yue and Yu Shengji 
An example slide from a previous version of the course, which both of our hackers would have taken:  (Lecture 2, "Information Retrieval")

The text explains one of the tools from the "experimental" portion of the class, "MS06040Scanner": 

The working principle of MS06040Scanner is to first obtain the operating system type and open ports through port scanning and operating system scanning. If it is a Windows 2000 system, TCP port 139 or TCP port 445 is open, and the returned data packet matches the definition in the vulnerability library, it means that the host may have the MS06040 vulnerability, and we can use MS06040 exploit programs to carry out remote overflow attacks on it.

The second slide demonstrates the "X-Scan" tool which would be used to find vulnerabilities allowing data exfiltration.

The Attacks 

According to the Department of Justice Indictment, Dong was the one who researched victims and means of exploiting them while Li primarily did the hacking. 

(Translated from the Chinese:) The US Department of Justice filed 11 charges against 34-year-old Li Xiaoyu and 31-year-old Dong Jiazhi (names transliterated), alleging that they broke into the computer systems of hundreds of companies, government agencies, dissidents and clergy.

Here's how the indictment describes the "Manner and Means of the Conspiracy" -- 

"The defendants researched and identified victims possessing information of interest, including trade secrets, confidential business information, information concerning defense products and programs, and personal identifying information ("PII") of victim employees, customers, and others, using various sources of information including business news websites, consulting firm websites, and a variety of search websites.

The defendants then gained unauthorized access to victims possessing the information sought by the conspiracy.  They stole source code from software companies, information about drugs under development, including chemical designs, from pharmaceutical firms; students' PII from an education company; and weapon designs and testing data from defense contractors.

The defendants usually gained initial access to victim networks using publicly known software vulnerabilities in popular products.  Those vulnerabilities were sometimes newly announced, meaning that many users would not have installed patches to correct the vulnerability. ... They also targeted insecure default configurations in common applications."

The defendants used their initial access to place a "web shell" on the victim network, allowing remote execution of commands on the compromised server.  The most frequently deployed was the "China Chopper" web shell.  They usually hid the file under the name "p.jsp" in an obscure directory on a public-facing website.  (They also sometimes named their web shells "tst.jsp", "i.jsp", or "/SQLTrace/i.jsp".)  The indictment includes a screenshot of China Chopper lifted from the FireEye blog post "Breaking down the China Chopper" ... if you are interested, you should also read the Talos blog post "China Chopper still active 9 years later".

(FireEye explains China Chopper)


They would then plant tools for stealing passwords and identifying users with Administrator access, and study the network for useful data.  The stolen data was compressed into a .RAR archive, often renamed with a ".jpg" extension, and parked in the victim's recycle bin until it could be retrieved.
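The web-shell names and the renamed-archive trick above are the kind of indicator a responder can hunt for directly. The script below is an added example written for this post, not code from the indictment, from FireEye or from this blog: it scans web-server access log lines for requests to the web-shell names the indictment lists, and walks a directory (say, a copy of a Windows recycle bin) for files whose extension says image but whose first bytes are a RAR signature. The log lines and files it operates on are constructed for the example; the combined log format regex, the SID folder name and the "$Recycle.Bin" layout are assumptions, not something the indictment specifies.

```python
import re
import tempfile
from pathlib import Path

# Web-shell names quoted from the indictment: p.jsp, tst.jsp, i.jsp and /SQLTrace/i.jsp.
WEBSHELL_BASENAMES = {"p.jsp", "tst.jsp", "i.jsp"}
WEBSHELL_PATHS = {"/sqltrace/i.jsp"}

# Apache/nginx "combined" access log layout (assumption: adjust the regex to your server).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log: three benign requests and three that touch indictment-listed names.
SAMPLE_LOG = [
    '198.51.100.4 - - [14/Mar/2019:02:10:51 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [14/Mar/2019:02:11:05 +0000] "POST /SQLTrace/i.jsp HTTP/1.1" 200 51',
    '198.51.100.4 - - [14/Mar/2019:02:11:09 +0000] "POST /login.jsp HTTP/1.1" 302 0',
    '203.0.113.7 - - [14/Mar/2019:02:12:30 +0000] "GET /images/p.jsp?cmd=1 HTTP/1.1" 200 17',
    '203.0.113.9 - - [14/Mar/2019:02:13:02 +0000] "GET /static/tst.jsp HTTP/1.1" 404 210',
    '198.51.100.8 - - [14/Mar/2019:02:14:44 +0000] "GET /SQLTrace/report.jsp HTTP/1.1" 200 900',
]


def suspicious_requests(log_lines):
    """Return (ip, method, path, status) for requests that hit a listed web-shell name.

    China Chopper's client drives the shell with POST requests, so POSTs sort first,
    but GETs are kept too: a 200 for p.jsp means the file really is on disk, and a
    404 still shows someone probing for it.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m["path"].split("?", 1)[0].lower()  # drop query string, compare case-insensitively
        if path in WEBSHELL_PATHS or path.rsplit("/", 1)[-1] in WEBSHELL_BASENAMES:
            hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    hits.sort(key=lambda h: h[1] != "POST")  # stable sort: POSTs first, log order otherwise
    return hits


# Archive signatures: RAR 1.5-4.x and RAR 5. Renaming the file to .jpg leaves these bytes intact.
RAR_SIGNATURES = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
IMAGE_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif"}


def is_rar_file(path):
    """True if the file starts with a RAR signature, whatever its name says."""
    with open(path, "rb") as f:
        head = f.read(8)
    return any(head.startswith(sig) for sig in RAR_SIGNATURES)


def mislabelled_archives(root):
    """Walk a tree (e.g. a copied $Recycle.Bin) and return image-named files that are RARs."""
    return sorted(
        str(p) for p in Path(root).rglob("*")
        if p.is_file() and p.suffix.lower() in IMAGE_SUFFIXES and is_rar_file(p)
    )


def build_sample_tree():
    """Create a constructed directory with one renamed RAR, one real JPEG and one text file."""
    root = Path(tempfile.mkdtemp(prefix="recycle-"))
    bin_dir = root / "$Recycle.Bin" / "S-1-5-21-1111-2222-3333-1001"  # SID folder name is made up
    bin_dir.mkdir(parents=True)
    (bin_dir / "$R2019.jpg").write_bytes(RAR_SIGNATURES[1] + b"\x00" * 64)   # RAR5 renamed to .jpg
    (bin_dir / "$Rphoto.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # genuine JPEG header
    (bin_dir / "$Rnotes.txt").write_bytes(b"just text\n")
    return str(root)


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("web-shell path hit:", hit)
    for f in mislabelled_archives(build_sample_tree()):
        print("RAR disguised as image:", f)
```

Matching on the file name alone is deliberately cheap and deliberately incomplete: the same actor can rename the shell tomorrow, so in practice you pair this with a content check on the JSP files themselves and with the POST-to-tiny-JSP-with-odd-parameters pattern that China Chopper traffic leaves behind.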

The Victims 

The indictment makes clear that there were "hundreds" of victims between September of 2009 and early 2020, not only the ones listed in this indictment. To characterize the range of victims, they list types of companies, date ranges, amount of data stolen, and type of data gathered. 

Victim 1: California-based technology and defense firm
Dec 2014-Jan 2015
200GB "Radio, laser, and antennae technology; circuit board and related algorithms designs for advanced antennae; testing mechanisms and results."

Victim 2: Maryland-based technology and manufacturing firm - 64GB 

Victim 3: Hanford Site, Department of Energy, Washington State - information about network and personnel, including lists of authorized users and administrator accounts

Victim 4: Texas: 27GB of space and satellite application data 

Victim 5: Virginia Federal Defense contractor - 140GB of project files, drawings and documents related to Air Force and FBI investigations.  PII on 300+ employees

There were many more victims detailed, including:

 a US Educational Software company with "millions of students' and teachers' PII," breached from Nov 2018 to Feb 2019, 

 a California pharmaceutical company - 105GB of data in Feb and March 2019 

 a Massachusetts medical device company - 83 GB of source code just as the victim was engaging in a contract with a Chinese firm to produce some of their components.

Other victims are listed elsewhere in the indictment, including a large electronics firm in the Netherlands; a Swedish online gaming company (169GB of files including source code and player usernames and passwords); a Lithuanian gaming company; other companies in Germany, Belgium, and the Netherlands; an Australian defense contractor (320GB of data!); a South Korean shipbuilding company; an Australian solar energy company; a Spanish defense firm; and a UK AI firm focused on cancer research.

The Hackers' MSS Connection

The DOJ indictment mentions the Ministry of State Security 19 times, specifically referring to an unnamed "MSS Officer 1." 

"After stealing data and information from their victims and bringing that data and information back to China, Defendants then sold it for profit, or provided it to the MSS, including MSS Officer 1." 

"Li and Dong did not just hack for themselves. While in some instances they were stealing business and other information for their own profit, in others they were stealing information of obvious interest to the PRC Government's Ministry of State Security ("MSS"). LI and DONG worked with, were assisted by, and operated with the acquiescence of the MSS, including MSS Officer 1, who was assigned to the Guangdong regional division of the MSS (the Guangdong State Security Department, "GSSD"). 

"When stealing information of interest to the MSS, LI and DONG in most instances obtained that data through computer fraud against corporations and research institutions. For example, from victims including defense contractors in the US and abroad, they stole information regarding: military satellite programs; military wireless networks and communications systems; high powered microwave and laser systems; a counter-chemical weapons system; and ship-to-helicopter integration systems. 

In other instances, the Defendants provided the MSS with personal data, such as the passwords for personal email accounts belonging to individual Chinese dissidents, including: 
  • a Hong Kong community organizer
  • the pastor of a Christian church in Xi'an
  • a dissident and former Tiananmen Square protestor
  • emails to and from the office of the Dalai Lama
  • emails belonging to a Chinese Christian "house" church pastor in Chengdu (who was later arrested)
  • emails from a US professor and organizer
  • two Canadian residents who advocate for freedom and democracy in Hong Kong
MSS Officer 1 assisted LI and other hackers.  When LI had difficulty compromising the mail server of a Burmese human rights group, MSS Officer 1 provided him with 0day malware for a popular browser which exploited a bug not known to the software vendor or security researchers.

MSS Officer 1 claimed to be a researcher at the "Guangdong Province International Affairs Research Center" but in fact was an intelligence officer working for the GSSD at Number 5, 6th Crossroad, Upper Nonglin Road, Yuexiu District, Guangzhou.

Example Tools and Techniques 

In several attacks in 2018, the pair targeted a ColdFusion vulnerability published that year (CVE-2018-15961), going after CKEditor and its associated FileManager in order to upload a ColdFusion web shell named "cfm backdoor by ufo."  (This tool also shows up in a cool Canadian Government training exercise on APT groups, although in their scenario it was an Iranian hacker group using the tool.) 

In some cases the hackers were clearly operating for personal profit, sending emails with subjects like "Source Code To Be Leaked!" and demanding a ransom payment to keep the victim's source code from being published.

COVID-19 Targeting

On January 25 and 27, 2020, Li searched for vulnerabilities at a Maryland biotech firm who had publicly announced their role in researching a potential COVID-19 vaccine.

On February 1, 2020, Li searched for vulnerabilities in the network of a California biotech firm that had announced the previous day they were researching antiviral drugs to treat COVID-19. 

On May 12, 2020, Li searched for vulnerabilities in the network of a California diagnostics company publicly known to be developing COVID-19 testing kits. 

On June 13, 2020, Li conducted reconnaissance related to a Virginia defense and cybersecurity contractor, Hong Kong protestors, a UK messaging app used by HK protestors, a webmail provider used by HK protestors, a Massachusetts biotech firm, and a California space flight firm.


Sunday, September 30, 2018

FBI's Crime Data Explorer: What the Numbers Say about Cybercrime

What do the numbers say about Cybercrime?  Not much.  No one is using them.  

There is a popular quote often mis-attributed to the hero of Total Quality Management, W. Edwards Deming:  "If you can't measure it, you can't manage it."  It's one of the first things I think about every year when the FBI releases its annual crime statistics report, as it just did for 2017.   (The "mis-attributed" is because, for all the times he has been quoted, Deming actually said almost the exact opposite.  What he actually wrote, in "The New Economics," was:  "It is wrong to suppose that if you can’t measure it, you can’t manage it – a costly myth.")

Despite being a misquote, I've used it often myself.  There is no way to tell if you are "improving" your response to a crime type if you don't first have valid statistics for it.  Why the quote always pops to mind, however, is because, in the case of cybercrime, we are doing a phenomenal job of ignoring it in official police statistics.  This directly reflects the ability and the practice of our state and local law enforcement agencies to deal with online crime, hacking, and malware cases.  Want to test it yourself?  Call your local Police Department and tell them your computer has a virus.  See what happens.

It isn't for lack of law!  Every State in the Union has their own computer crime law, and most of them have a category that would be broadly considered "hacking."  A quick reference to all 50 states computer crime laws is here:  State Computer Crime Laws - and yet with a mandate to report hacking to the Department of Justice, almost nobody is doing it.

You may be familiar with the Uniform Crime Report, which attempts to create a standard for measurement of crime data across the nation.  UCR failed to help us at all in Cybercrime, because it focused almost exclusively on eight major crimes that were reported through the Summary Reporting System (SRS):

murder and non-negligent homicide, rape, robbery, aggravated assault, burglary, motor vehicle theft, larceny-theft, and arson.

The data for calendar year 2017 was just released this week and is now available in a new portal, called the Crime Data Explorer.  Short-cut URL:  https://fbi.gov/cde



To capture other crime types, the Department of Justice has been encouraging adoption of NIBRS, the National Incident-Based Reporting System.  NIBRS collects detailed incident data on 52 "Group A" offenses and arrest data on several more.  Most importantly for us, it includes several categories of "Fraud Crimes":

  • 2 / 26A / False Pretenses/Swindle/Confidence Game
  • 41 / 26B / Credit Card/ATM Fraud
  • 46 / 26C / Impersonation
  • 12 / 26D / Welfare Fraud
  • 17 / 26E / Wire Fraud
  • 63 / 26F / Identity Theft
  • 64 / 26G / Hacking/Computer Invasion

Unfortunately, despite being endorsed by most every major law enforcement advocacy group, many states, including my own, are failing to participate.  The FBI will be retiring SRS in 2021, and as of September 2018, many states are not projected to make that deadline:
https://www.fbi.gov/file-repository/ucr/nibrs-countdown-flyer.pdf
In the just-released 2017 data, out of the 18,855 law enforcement agencies in the United States, 16,207 of them submitted SRS "old-style" UCR data.  Only 7,073 (42%) submitted NIBRS-style data.

Unfortunately, the situation when it comes to cybercrime is even worse.  For SRS-style reporting, all cybercrimes are lumped under "Fraud".  In 2016, SRS reported 10.6 Million arrests.  Only 128,531 of these were for "Fraud" of which cybercrime would be only a tiny portion.

Of those eight "fraud type" crimes, the 2017 data is not yet available for detailed analysis.  (Currently, most of the state data sets, released September 26, 2018, limit the data in each table to only 500 rows.  Since, as an example, Hoover, Alabama, the only city in my state participating in NIBRS, has 3,800 rows of data, you can see how that filter is inadequate for state-wide analysis in fully participating states!)

Looking at the NIBRS 2016 data as a starting point, however, we can still see that we have difficulty at the state and local police level in understanding these crimes.  In 2016, 6,191 law enforcement agencies submitted NIBRS-style data.  Of those 5,074 included at least some "fraud type" crimes.  Here's how they broke down by fraud offense.  Note, these are not the number of CRIMES committed, these are the number of AGENCIES who submitted at least one of these crimes in 2017:

type - # of agencies - fraud type description
==============================================
 2 - 4315 agencies - False Pretenses/Swindle/Confidence Game
41 - 3956 agencies - Credit Card/ATM Fraud
46 - 3625 agencies - Impersonation
12 -  328 agencies - Welfare Fraud
17 - 1446 agencies - Wire Fraud
63 -  810 agencies - Identity Theft
64 -  189 agencies - Hacking/Computer Invasion

Only 189 of the nation's 18,855 law enforcement agencies submitted even a single case of "hacking/computer invasion" during 2016!  When I asked the very helpful FBI NIBRS staff about this last year, they confirmed that, yes, malware infections would all be considered "64 - Hacking/Computer Invasion".  To explore on your own, visit the NIBRS 2016 Map.  Then under "Crimes Against Property" choose the Fraud type you would like to explore.  This map shows "Hacking/Computer Intrusion."  Where a number shows up instead of a pin, zoom the map to see details for each agency.

Filtering the NIBRS 2016 map for "Hacking/Computer Intrusion" reports
As an example, zooming in on the number in Tennessee, I can now see a red pin for Nashville.  When I hover over that pin, it shows me how many crimes in each NIBRS category were reported for 2017, including 107 cases of Wire Fraud, 34 cases of Identity Theft, and only 3 cases of Hacking/Computer Invasion:

Clicking on "Nashville" as an example

I have requested access to the full data set for 2017.  I'll be sure to report here when we have more to share.

Sunday, May 13, 2018

How to Steal a Million: The Memoirs of a Russian Hacker

As a University researcher specializing in cybercrime, I've had the opportunity to watch the Russian carding market closely and write about it frequently on my blog "Cybercrime & Doing Time."  Sometimes this leads to interactions with the various criminals that I have written about, which was the case with Sergey.  I was surprised last January to be contacted and to learn that he had completed a ten year prison sentence and had written a book.   I have to say, I wasn't expecting much.  This was actually the third time a cybercriminal had tried to get my interest in a book they had written, and the first two were both horrible and self-promotional.  I agreed to read his first English draft, which he sent me in January 2017.

I was absolutely hooked from page 1.  As I have told dozens of friends since then, his story-telling vehicle is quite good.  The book starts with him already in prison, and in order to teach the reader about carding and cybercrime, a lawyer visits him periodically in prison, providing the perfect foil needed to explain key concepts to the uninitiated, such as interrupting one of Sergey's stories to ask "Wait.  What is a white card?"
My copy of the book!

As someone who has studied cybercrime for more than 20 years, I was probably more excited than the average reader will be to see so many names and criminal forums and card shops that I recognized -- CarderPlanet, and card shop runners such as Vladislav Khorokhorin AKA BadB, Roman Vega AKA Boa, and data breach and hacking specialists like Albert Gonzalez and Vladimir Drinkman who served as the source of the cards that they were all selling.  These and many of the other characters in this book appeared regularly in this blog.  (A list is at the bottom of this article)

Whether these names are familiar to the reader or not, one can't help but be drawn into this story of intrigue, friendship, and deception as Pavlovich and his friends detect and respond to the various security techniques that shopkeepers, card issuers, and the law enforcement world are using to try to stop them.  Sergey shows how a criminal can rise quickly in the Russian cybercrime world by the face-to-face networking that a $100,000 per month income can provide, jet-setting the world with his fellow criminals and using business air travel, penthouse hotel suites, cocaine and women to loosen the lips of his peers so he can learn their secrets, but he also shows how quickly these business relationships can shatter in the face of law enforcement pressure.

The alternating chapters of the book serve as a stark reminder of where such life choices lead, as Sergey reveals the harsh realities of life in a Russian prison.  Even these are fascinating, as the smooth-talking criminal does his best to learn the social structure of Russian prison and find a safe place for himself on the inside.  The bone-crushing beatings, deprivation of food and privacy, and the fear of never knowing which inmate or prison guard will snap next in a way that could seriously harm or kill him is a constant reminder that eventually everyone gets caught and when they do, the consequences are extreme.

Sergey's original English manuscript has been greatly improved with the help of feedback from pre-readers and some great editors. After my original read, I told Sergey "I LOVE the story delivery mechanism, and there are fascinating stories here, but there are a few areas that really need some work."  It's clear that he took feedback like this seriously.  The new book, released in May 2018, is markedly improved without taking anything away from the brilliant story-telling of a fascinating criminal career ending with a harsh encounter with criminal justice.

A purchase link to get the book from Amazon: How to Steal a Million: The Memoirs of a Russian Hacker

The book was extremely revealing to me, helping me to understand just how closely linked the various Russian criminals are to each other, as well as revealing that some brilliant minds, trained in Computer Science and Engineering, and left morally adrift in a land where corruption is a way of life and with little chance of gainful employment, will apply those brilliant minds to stealing our money.

I seriously debated whether I should support this book.  Many so-called "reformed" criminals have reached out to me in the past, asking me to help them with a new career by meeting with them, recommending their services, or helping them find a job.  It is a moral dilemma.  Do I lend assistance to a man who stole millions of dollars from thousands of Americans?  Read the book.  To me, the value of this book is that it is the story of a criminal at the top of his game, betrayed by his colleagues and getting to face the reality of ten years in a Russian prison.  I think the book has value as a warning -- "a few months or even a couple years of the high life is not worth the price you will pay when it all comes crashing down."

Links to selected blog articles that feature Pavlovich's cast of characters:

May 12, 2008 TJX and Dave and Busters - Maksym Yastremskiy (Maksik), Aleksandr Suvorov (JonnyHell) and Albert Gonzalez (Segvec) and their role in the TJX Data Breach.

August 5, 2008 TJX Reminder: We Will Arrest You and We Will Send You To Jail - some of the legal aftermath of the case above.

August 8, 2008 TJX: the San Diego Indictments where the US government indicts:
  • SERGEY ALEXANDROVICH PAVLOVICH, aka Panther, aka Diplomaticos, aka PoL1Ce Dog, aka Fallen Angel, aka Panther757
  • DZMITRY VALERYEVICH BURAK, aka Leon, aka Graph, aka Wolf
  • SERGEY VALERYEVICH STORCHAK, aka Fidel
and charges them with violation of "18 USC Section 1029(b)(2) Conspiracy to Traffic Unauthorized Access Devices"

May 9, 2013 ATM Cashers in 26 Countries Steal $40M talks about BadB's role in "Unlimited" ATM cash-out schemes, and his arrest in 2010 and sentencing to 88 months in 2013.

Jan 14, 2014 Target Breach Considered in Light of Drinkman/Gonzalez Data Breach Gang talked about Albert Gonzalez, Vladimir Drinkman, and how there seemed to be such a strong pattern of behavior - a script if you will - to how criminals were conducting the major data breaches of that time.

Jan 27, 2014 Roman Vega (CarderPlanet's BOA) Finally Gets His Sentence addressed the plight of Roman Vega, who had been drifting around in the American criminal justice system, unsentenced, from 2003 until 2013! Dmitry Golubov AKA Script, the "godfather of CarderPlanet" is also discussed in this post.



Friday, September 09, 2016

More "Crackas With Attitude" hackers arrested

The Department of Justice has announced the arrest of two North Carolina based members of the group "Crackas With Attitude" who famously broke into the AOL email account of CIA Director John Brennan and the Verizon account of Director of National Intelligence James Clapper last year.

Motherboard on Crackas With Attitude #CWA

Often hackers will find a sympathetic listening ear in the form of a journalist, and the original bad boy of CWA did so with Lorenzo Franceschi-Bicchierai, who writes for Motherboard at Vice.com.
Lorenzo's headlines about CWA tell the timeline of the case:
  • Teen Hackers: A '5-year-old' Could Have Hacked into CIA Director's Emails 
  • Alleged Hacker Behind John Brennan Email Breach: 'I Don't Want to go to Jail'
  • Teen Hackers Who Doxed CIA Chief Are Targeting More Government Officials 
  • Teenage Hackers Say They've Doxed More Than 2,000 Government Employees
  • The Dox of More than 2,300 Government Employees Might Be Worse Than We Thought
  • Teenage Hackers Return With New List of Government Employees
  • The FBI is Worried About Hacktivists Targeting Politicians and Cops
  • Teen Who Hacked CIA Email Is Back to Prank US Spy Chief
  • Teen Hacker Claims Another Victim in Campaign Against Government
  • Teens Who Hacked CIA Director Also Hit White House Official
  • Hackers Dox Miami Police Officers with Data Stolen from Government Database
  • Hacker Published Personal Info of 20,000 FBI Agents
  • Teen Allegedly Behind CIA, FBI Breaches: "They're Trying to Ruin My Life."
  • Teenage Hackers Promise More Government Hacks After Alleged Leader's Arrest
  • No One's Emails Are Safe, Says CIA Director Who Got Hacked
  • Police Arrest Second Alleged Member of Teen Group that Hacked CIA Director
All of the articles above can be found by using the Motherboard tag "Crackas With Attitude"
And then, finally, this one:

FBI Arrest Two Alleged Members of Group That Hacked the CIA Director

The Arrest of @Incursio and @_D3f4ult (Andrew Boggs and Justin Liverman)

The two Americans who were arrested were Andrew Otto Boggs, 22, from North Wilkesboro, North Carolina, who is behind the online moniker Incursio and Justin Gray Liverman, 24, from Morehead City, North Carolina, who is behind the online moniker @_D3F4ULT.

Like many hackers, Boggs and Liverman both lived with their parents.  In fact, Boggs was arrested because Twitter records showed that he created and frequently logged in from one of his several #CWA Twitter accounts, @GenuinelySpooky, from a Charter Communications IP address that subscriber records revealed was his father's home, where he lived.   Exactly the same thing happened to Liverman, who used the Twitter account @_D3F4ULT from a Time Warner Cable IP address that was registered to his mother, Edith Liverman, with whom he was living at the time.

While Twitter "private messages" are not revealed to the public at large, they still contained pretty damning information.  The 37 page criminal complaint, an affidavit prepared by a thorough FBI agent, reveals that the two adult Americans were participating in this conspiracy with three British teenagers who were known as CRACKA (AKA @PORNG0D, @PHPHAX, @DICKREJECT), who was 17 years old, DERP (AKA @DERPLAUGHING) also 17, and CUBED (AKA @FRUITYHAX) who was 15 years old.   The other three have all been identified and apprehended in the United Kingdom, where their identities are protected due to their minor status.

In addition to @_D3F4ULT, Liverman used the handles @BASHTIEN_ and @SH1N0D4.
Boggs also used the identities @INCURSIOSUBTER and @GENUINELYSPOOKY.

Social Engineering the Law Enforcement Enterprise Portal (LEEP)

While the affidavit refers to "Victim 1" and "Victim 2", public reporting about these accounts makes it clear that Victim 1 is CIA Director John Brennan and Victim 2 is FBI Deputy Director Mark Giuliano.  The affidavit explains that "In or about November 2015" the hackers used Victim 2's credentials to log in to the Law Enforcement Enterprise Portal.  LEEP is a Very Big Deal, because it has information on basically everything about federal law enforcement, including directories of law enforcement officers who have been granted access to the system to enhance their state and local policing capabilities.  The Joint Automated Booking System (JABS), the Internet Crime Complaint Center (IC3.gov) and the Virtual Command Center/Special Interest Group can all be accessed through LEEP.   Imagine that! Cybercriminals with full unlimited access to the details of every cybercrime complaint that has been made to the Internet Crime Complaint Center!

But that isn't how they used the information.
 
On November 4, 2015, Cracka sent a screen shot of the LEEP computer system login page, showing that he was logged in to Giuliano's account.  When Liverman asked what type of information was there, Cracka replied "every law enforcement info.  fucking shaking."   Liverman replied "holy fucking shittttttt."  Liverman then asked Cracka to search by state/city and requested the list of officers in Miami, which Cracka sent via Jabber message at 18:43 EST that evening.  This is the list of 80 Miami-area officers that was blasted out as their first LEEP-related "doxing."  The list was found on Liverman's hard drive, pursuant to a lawful search warrant, in a file named "miami_officers.txt".

The following day, Cracka posted links from his @PHPHAX twitter account to copies of the records for Jeremy Hammond (a hacker who participated in the Anonymous movement) that had been obtained through JABS.  He tied this event to November 5th, the date associated with the Anonymous/Guy Fawkes chant "Remember, remember, the fifth of November", a date associated with anti-government actions due to the Gunpowder Treason in 1605, when Guy Fawkes and others attempted to blow up the House of Lords.

In January 2016, they posted publicly the names, work telephone numbers, emails, and titles of 80 police officers in the Miami area, dumped from the LEEP system back in November.

After being locked out of the LEEP system, the hackers tried repeatedly to social engineer their way back in.  The FBI has recordings of 34 calls placed to the LEEP help desk and 56 calls placed to the CJIS (Criminal Justice Information System) help desk attempting to regain access to the system.

Charges Against CWA Hackers

a. 18 USC § 912 - falsely assuming or pretending to be an officer or employee of the US Government to obtain money, paper, documents, or any thing of value

b. 18 USC § 1028A - knowingly transferring, possessing, or using without lawful authority a means of identification of another person during and in relation to the commission of a felony

c. 18 USC § 1030(a)(2)(B) - intentionally accessing a computer without authorization or exceeding authorized access to obtain information from any department or agency of the US Government

d. 18 USC § 1030(a)(2)(C) - intentionally accessing a computer without authorization or exceeding authorized access to obtain information from a protected computer

e. 18 USC § 1030(a)(3) - intentionally without authorization accessing a nonpublic computer of the United States that is exclusively for the use of the Government of the United States

f. 18 USC § 1038 - engaging in conduct with the intent to convey false or misleading information where such information may reasonably be believed to indicate that activity has taken, is taking, or will take place that would constitute a violation of chapter 40 of Title 18 (chapter 40 of Title 18 covers explosives - so this is about making a bomb threat)

g. 47 USC § 223 - making a telephone call intended to abuse, threaten or harass any specific person without disclosing identity.

A Look Into Motivations

Here's an interesting example exchange between Boggs (@Genuinelyspooky) and Cracka (@PHPHax):

+++++++++++++++

@GenuinelySpooky: I'm going to help you with 0wning the [agency where Victim #1 worked]. I've been looking for evidence of aliens since Gary.

@PHPHax:  i fucking own this loser, i have just released emails of them admitting to torture.

@GenuinelySpooky: If you need any publishing done, let me know.  I'll go Charlotte and use public wifi to publish the stolen information.

@PHPHax:  that sounds great :)
++++++++++++++++

Really?  The reference to Gary is to Gary McKinnon, the UFO conspiracy theorist who was arrested for hacking NASA.  He has posted many things on social media claiming that while in the NASA systems he found "proof" that NASA knows all about the aliens living among us.

Cracka broke into John Brennan's account by calling Verizon technical support, impersonating a Verizon employee, and getting them to share certain information, including the last four digits of the credit card being used to pay the Verizon bill.  He then used that information in a call to AOL to convince them he was Brennan and get them to reset the AOL password.  WIRED tells more of that story in "Teen Who Hacked CIA Director's Email Tells How He Did It".

Cracka was thrilled with the publicity he was getting, boasting about his interview with the New York Times about the Brennan hack via Twitter direct messages with Boggs.

Cracka told Liverman about his access to the FBI Deputy Director's account, including the last four digits of his Social Security Number, access to his Comcast account and other information, including a screen shot of the Comcast billing information. Cracka revealed to Liverman that the Comcast account contained an address book with at least 200 contacts, including many government people.  Several of these screen shots were posted to a Facebook account using the name "Joseph Markowicz" that was registered using the same email address as the Twitter account @_D3F4ULT.  On several occasions, the same proxy IP address was used to access both the Twitter account and the Facebook account in close succession.   The Comcast details also provided the hackers with detailed call logs, showing who the FBI Deputy Director called and on what numbers.  By calling several of these telephone numbers, they were able to locate the government cell phone number of the FBI DD.  They paid $20 to launch a "phone-bombing" attack against the number, which caused anonymized calls to be placed to the phone every hour for thirty consecutive days.

They also sent insulting and threatening text messages to the cell phone, including this one (using the redactions from the affidavit):

   "Listen here you fucking boomer, we will destroy your reputation.  Just like [two senior US government officials, including Victim 1]...I guess you couldn't handle us jacking your Comcast ISP accounts too many times so you actually canceled your account!  And telling me to 'watch my back' wasn't a good idea lol.  How is your [derogatory comment][incorrect spouse name]? We will keep a close eye on your family, especially your son!"

Liverman made a Bandicam (video screen capture recording software) video of himself creating a dark market account in Giuliano's name on the Abraxas Market (where drugs are often sold using Bitcoin.)  He also posted Facebook messages to many accounts inviting "sexy nudes" to be sent to the FBI-owned cell phone number and tweeted the same from the @_D3F4ULT account.

Ridiculing Federal government authorities and insulting them and their family members was part of the motivation.  The fact that the very first thing that crossed their minds when they had full access to every criminal record in the United States was to search for information about the arrested Anonymous hacker Jeremy Hammond helps to cast this as an "Us versus Them" battle between hackers and the U.S. Government.

DOJ Civil Division information

On February 3, 2016, Cracka and Liverman had a Jabber chat where Cracka reveals:

"...i owned the entire doj. like, all doj agencies so fbi, dea, Interpol, dhs.  i'm sitting here with 20k fbi employee names, country, email, phone number, title.  i have access to a doj computer"

As proof, Cracka shared screenshots of this with Liverman.

Tweets related to this data started showing up on January 30, 2016, when @DOTGOVS tweeted "9,000 @DHSGov employees." with a partial screenshot of personnel information.  About twenty minutes later the same account tweeted "Why do we have 20,000 @FBI employees: names, phone numbers, countries, and emails? Including ones abroad :)."

While this information is not supposed to be publicly available via the Internet, the DOJ Justice Security Operations Center determined that the DOJ Civil Division help desk had been socially engineered to provide a contract employee's credentials.  These credentials were used multiple times between Jan 27, 2016 and Feb 2, 2016 to access the CIMS (Case Information Management System)  application.

On February 7, @DOTGOVS tweeted links to the website "cryptobin.org" providing a password for decrypting the files, which included the 9,000 DHS.gov employees information and the 20,000 FBI employees' information.

Several members of the conspiracy became involved with propagating these materials, sharing the information on Pastebin, Ghostbin, IndyBay and other locations.  While it seems the 17-year-old "Cracka" was the primary person to infiltrate the DOJ systems, the others were certainly encouraging such activity, asking for custom searches within the data, and gleeful in their attempts to help leak sensitive government information to the public through their repeated posts and reposts of the information.


Sunday, March 06, 2016

"Unlimited" ATM Mastermind Ercan Findikoglu pleads guilty

One of the most fascinating types of cybercrime, in my opinion, is the Unlimited ATM attack.  There have been several such attacks over the years, as we've written about in this blog previously, including:


In an "Unlimited" attack, hackers gain access to the internal systems of a bank or banking network and are either able to "reset" ATM withdrawal limits or eliminate the limits altogether for a card or group of cards.  The magnetic stripe data from these cards are then widely distributed to "cash-out crews" who take responsibility for draining as many ATM cards as possible in their area, while each time a card is used, the hackers "undo" the transaction so that the card appears to have not been used.
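The three signals described above (a limit reset, a distributed cash-out burst, and withdrawals "undone" afterwards) can be checked for on the issuer's side of the transaction feed. This is an added example, not code from the blog post or from any bank: the record format, field names, thresholds and the sample feed are all constructed for illustration.

```python
"""Added example: flag the "Unlimited" ATM cash-out pattern in a card transaction feed.

Per card, inside a short window after its most recent authorization-limit change:
  1. the limit was raised or removed (amount -1 means "no limit" in this constructed format),
  2. a burst of withdrawals spread across many countries,
  3. most of those withdrawals later reversed, so the balance looks untouched.
Record format, thresholds and sample data are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    card: str
    kind: str      # LIMIT_CHANGE | WITHDRAWAL | REVERSAL
    amount: float  # for LIMIT_CHANGE: the new limit, -1 = unlimited
    country: str


def parse_events(lines):
    """Parse the constructed 'ts|card|kind|amount|country' feed, skipping blanks and comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, card, kind, amount, country = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), card, kind, float(amount), country))
    return sorted(events, key=lambda e: e.ts)


def detect_unlimited_pattern(events, window=timedelta(hours=48), min_withdrawals=10,
                             min_countries=3, min_reversal_ratio=0.8):
    """Return {card: summary} for every card that shows all three signals.

    The window opens at the card's most recent LIMIT_CHANGE; a card with no limit
    change is never flagged by this rule (plain velocity rules would cover that case).
    """
    by_card = defaultdict(list)
    for e in events:
        by_card[e.card].append(e)

    findings = {}
    for card, evs in by_card.items():
        changes = [e for e in evs if e.kind == "LIMIT_CHANGE"]
        if not changes:
            continue
        start, new_limit = changes[-1].ts, changes[-1].amount
        in_window = [e for e in evs if start <= e.ts <= start + window]
        withdrawals = [e for e in in_window if e.kind == "WITHDRAWAL"]
        reversals = [e for e in in_window if e.kind == "REVERSAL"]
        if len(withdrawals) < min_withdrawals:
            continue
        countries = {e.country for e in withdrawals}
        if len(countries) < min_countries:
            continue
        ratio = len(reversals) / len(withdrawals)
        if ratio < min_reversal_ratio:
            continue
        findings[card] = {
            "limit_after_change": new_limit,
            "withdrawals": len(withdrawals),
            "gross_withdrawn": sum(e.amount for e in withdrawals),
            "countries": sorted(countries),
            "reversal_ratio": round(ratio, 2),
        }
    return findings


def build_sample_feed():
    """Constructed feed: CARD-A shows the full pattern, CARD-B is ordinary use."""
    lines = ["# ts|card|kind|amount|country",
             "2011-02-27T01:05:00|CARD-A|LIMIT_CHANGE|-1|US"]
    t = datetime(2011, 2, 27, 2, 0, 0)
    for i, country in enumerate(["US", "JP", "DE", "AE", "CA", "GB"] * 3):
        t += timedelta(minutes=7)
        lines.append(f"{t.isoformat()}|CARD-A|WITHDRAWAL|800|{country}")
        if i % 6 != 5:  # 15 of the 18 withdrawals are "undone" shortly afterwards
            lines.append(f"{(t + timedelta(seconds=40)).isoformat()}|CARD-A|REVERSAL|800|{country}")
    lines.append("2011-02-27T09:00:00|CARD-B|LIMIT_CHANGE|500|US")
    lines.append("2011-02-27T09:30:00|CARD-B|WITHDRAWAL|100|US")
    lines.append("2011-02-28T10:00:00|CARD-B|WITHDRAWAL|200|US")
    return lines


if __name__ == "__main__":
    for card, info in detect_unlimited_pattern(parse_events(build_sample_feed())).items():
        print(card, info)
```

On the constructed feed only CARD-A is flagged: 18 withdrawals across 6 countries with 15 reversals inside the window that follows its limit removal.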

33-year-old Turkish citizen Ercan Findikoglu was charged with conducting three such Unlimited campaigns.

In February 2011, $10M was withdrawn using the pre-paid debit cards distributed by the American Red Cross to disaster relief victims.  The cards were operated by JPMorgan Chase.  On February 27 and 28, 2011 a total of around 20 pre-paid debit cards were used in approximately 15,000 transactions to withdraw $10M from ATM machines in 18 countries, including ATMs in the Eastern District of New York.

In Findikoglu's second Unlimited attack, pre-paid debit cards for the India-based company ECS, operated by National Bank of Ras Al-Khaimah PSC (RAKBANK) in the United Arab Emirates were used.  On December 21 and 22, 2012, approximately 5,000 transactions in at least 20 countries resulted in withdrawal of $5M.

In the largest of his three documented Unlimited campaigns, enStage, a California-based payment processor, suffered an intrusion and had many cards stolen from its internal database.  A group of pre-paid debit cards for Bank Muscat in Oman were selected as the target, and on February 19 and 20, 2013, 36,000 transactions in 24 countries were used to steal $40M.

ERCAN FINDIKOGLU, who called himself "Segate" or "Predator" online, was arrested in December of 2013 while visiting Germany.

He was originally charged with 18 counts:

(1)   CONSPIRACY TO DEFRAUD THE UNITED STATES
(2-4) FRAUD ACTIVITY CONNECTED WITH COMPUTERS
(5-6) ATTEMPT AND CONSPIRACY TO COMMIT MAIL FRAUD
(7)   BANK FRAUD
(8)   ATTEMPTS TO COMMIT AN OFFENSE
(9-14) PRODUCES/TRAFFICS IN COUNTERFEIT DEVICE
(15) MONEY LAUNDERING CONSPIRACY
(16) MONEY LAUNDERING
(17) TAMPERING WITH WITNESS, VICTIM, OR AN INFORMANT
(18) INTIMIDATION OR FORCE AGAINST WITNESS

On June 24, 2015, Ercan was ordered into US detention, having been extradited from Germany.  The German courts in Frankfurt declared that Findikoglu was "the most-wanted computer hacker in the world and may face more than 247 years in prison if convicted of all U.S. charges" (as quoted in Bloomberg's story of 23JUN2015 - "Most-wanted cybercriminal extradited to U.S. from Germany").

As usual, the reality of sentencing varies dramatically from the overblown initial press release.  On March 1, 2016, all parties appeared before the Honorable Judge Kiyo A. Matsumoto for a Change of Plea Hearing.    Sentencing is scheduled for July 12, 2016, but according to the BBC, prosecutors have agreed in a plea deal to limit his incarceration to "between 11 and 15 years."  (See "US bank hacker faces long jail time".)

Many of the "Cash-out crews" from these operations have been separately arrested and charged, while many others (the vast majority really) remain at large.