Fighting Russian Cybercrime Mobsters
Dmitri Alperovitch, VP Threat Research, McAfee
Keith Mularski, Supervisory Special Agent, FBI
2007 McAfee, Inc. McAfee Confidential. Shared under MNDA

Agenda
- Russian La Cosa Nostra
- Russian Organized Cybercrime
- DarkMarket Undercover Operation
- Q&A

What is Online Organized Crime?
- Botnets
- Frame attacks
- Click fraud
- Fast-Flux

What is Online Organized Crime? (cont)
- Bank/credit card account compromises
- Money laundering
- Stock manipulation
- Blackmail / extortion
- Identity theft
- Deceptive advertising / fraud
- Reshipping fraud
- Carding

Advantages of cybercrime
“because that's where the money is” (Willie Horton)
Also:
- High certainty of lack of attribution/cost
- Low barriers to entry
- Low cost of required resources
- Enormous potential

How much?
Rate of increase of cybercrime losses measured through complaints received by FBI's Internet Crimes Complaint Center (IC3):

Year   Complaints received   US dollar loss
2008   275,284               $265 million
2007   206,884               $239.09 million
2006   207,492               $198.44 million
2005   231,493               $183.12 million
2004   207,449               $68.4 million

Interview with a Romanian cybercriminal

Russian La Cosa Nostra

Thief in law / Вор в Законе
- Highly organized Russian underworld society
- Arose out of Stalin's Gulags in the 1930s
- Developed a strict set of laws (Thief's Code); violations often punishable by mutilation/death
- Examples of laws:
  - Forsake all relatives
  - Do not have a family of your own
  - Never, under any circumstances, work, no matter how much difficulty this brings
  - Make good on promises given to other thieves
  - Have nothing to do with the authorities

Thief in law / Вор в Законе (cont)
- Characteristics:
  - Extraordinary cruelty
  - Absolute ruthlessness
  - Crime as a way of life vs. business
  - No recognition of government authority / cooperation prohibited
  - World War II: B**** War
- Today: international representation in nearly all developed/developing countries
- Cooperation with other organized criminal groups
- Involvement in every aspect of criminal activity

Tattoo-based Language

Russian Justice System
- 3-judge panel verdicts
- 1-2% acquittals
- Double jeopardy not prohibited
- “Telephone justice”
- The Cage

Russian Organized Cybercrime

Progression of Russian Cybercrime
- Early '90s: 'Warez' / organized piracy
- '94-'95: Citibank hack ($10 million stolen); Vladimir Levin arrested
- Late '90s: Internet worms
- '99: Political hacktivism (NATO/Yugoslavia)
- Early '00s: Spamming, phishing
- Spring '05: Estonia
- Summer '08: Georgia
- Rise of nationalism

‘Artistic’ expression

Anti-U.S. Sentiment

Courtesy of Mazafaka


Carding Evolution


Organization

COBs

Maxim Yastremsky
- Largest wholesale seller of TJX cards (batches of 10,000)
- Charged $20-$100 per card
- Arrested in August '07 in Kemer, Turkey with personal information on 5,000 US and European nationals

Al Qaeda Connection
Al-Qaeda's PR agency
- Waseem Mughal, Younis Tsouli (Irhabi 007) and Tariq al-Daour
- Convicted in the UK in 2007 for Internet-based terrorism incitement
- Financed their activities through cybercrime (37,000 stolen cards uncovered)
- Ties to London July 7 '05 bombings

Дмитрий Голубов
“I belong to the rare category of people who go into politics not for personal gain but for the idea. I am not interested in money. Together with you we can clean up Ukraine from corruption and criminality.”


Organized Crime in the 21st Century
SSA J. Keith Mularski

Carder - Slang used to describe individuals who use stolen credit card account information to conduct fraudulent transactions.
Carding - Trafficking in and fraudulent use of stolen credit card account information.
Cashing - The act of obtaining money by committing fraud. This act can be committed in a variety of ways: the term can stand for cashing out Western Union wires, postal money orders and WebMoney; using track data with PINs to obtain cash at ATMs or from PayPal accounts; or setting up a bank account with a fake ID to withdraw cash on a credit card account.
CC - Slang for credit card.
Change of Billing (COB or COBs) - Term used to describe the act of changing the billing address on a credit account to match that of a mail drop. This act allows the carder full takeover capability of the compromised credit card account and increases the probability that the account will not be rejected when being used for Internet transactions.
CVV2 - CVV2 stands for credit card security code. Visa, MasterCard, and Discover require this feature. It is a 3-digit number on the back of the card.
DDoS - Acronym for Distributed Denial of Service attack. The intent when conducting a DDoS attack is to shut down a targeted website, at least for a period of time, by flooding the network with an overflow of traffic.
DLs - A slang term that stands for counterfeit or novelty driver's licenses.
Drop - An intermediary used to disguise the source of a transaction (addresses, phones, etc.).
Dumps - Copied payment card information, at least Track 1 data, but usually Track 1 and Track 2 data.
Dump checking - Using specific software or, alternatively, encoding track data on plastic and using a point-of-sale terminal to test whether the dump is approved or declined. This provides carders a higher sense of security for obtaining quality dumps from those who offer them and also a sense of security when doing in-store carding.
Full info(s) - Term used to describe obtaining addresses, phone numbers, social security numbers, PIN numbers, credit history reports and so on. Full Info(s) are synonymous with carders who wish to take over the identity of a person or to sell the identity of a person.
Holos - Slang for the word Holograms. Holograms are important for those who make counterfeit plastic credit cards to emulate an existing security feature.
ICQ - An abbreviation for "I Seek You". ICQ is the most widely used instant messaging system for carders. Popular among Eastern Europeans in their Internet culture, it continues to be used for carding activity.
IRC - An abbreviation for "Internet Relay Chat". IRC is a global system of servers through which users can conduct real-time text-based chat, exchange files, and interact in other ways.
IDs - Slang for identification documents. Carders market a variety of IDs, including bills, diplomas, driver's licenses, passports, or anything that can be used as an identity document.
MSR (Magnetic Stripe Reader) - Device that can be used for skimming payment card information and/or encoding track information on plastic.
Phishing - The extraction of information from a target using a hook (usually an e-mail purporting to be from a legitimate company). Phishers spam the Internet with e-mails in hopes of obtaining information that can be used for fraudulent purposes.
POS (Point of Sale) - Acronym for a terminal through which credit cards are swiped in order to communicate with processors who approve or decline transactions.
Proxies - Term used for proxy servers. The use of proxy servers to mask one's identity on the Internet is widely practiced amongst carders. Many vendors sell access to proxy servers (SOCKS, HTTP, HTTPS) and VPNs (Virtual Private Networks), which aid in hiding the user's actual IP address when committing fraud or other illegal activity on the Internet.
Track 1/Track 2 data - Track 1 and Track 2 data are the information stored on the magnetic stripe of a payment card that contains the account information.
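The "Dumps" and "Track 1/Track 2 data" entries above describe exactly the data an incident responder or DLP engineer needs to recognize when triaging a seized file, a compromised POS host, or an outbound transfer. The following is an added example and not part of the slides or of any McAfee or FBI tooling: a small Python detector that scans text for Track 1/Track 2 records in the public ISO 7813 layout (assumed here as the stripe format) and for bare card numbers, validates candidates with the Luhn check so random digit runs do not alert, and reports only masked PANs so the triage output does not itself become a dump. The log lines are constructed; the card numbers are the widely published test numbers 4111111111111111 and 5500000000000004 and do not belong to real accounts.

```python
import re

# ISO 7813 magnetic-stripe layouts (public standard, assumed here):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(?P<pan>\d{12,19})\^(?P<name>[^^?]{1,26})\^(?P<exp>\d{4})[^?]*\?")
TRACK2_RE = re.compile(r";(?P<pan>\d{12,19})=(?P<exp>\d{4})[^?]*\?")
# A bare 13-19 digit run that is not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the usual PCI DSS display rule), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return findings for one line: track records first, then bare PANs outside them."""
    findings = []
    covered = []  # character spans already attributed to a track record
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            if luhn_ok(m.group("pan")):
                covered.append(m.span())
                findings.append({"kind": kind, "pan": mask_pan(m.group("pan")),
                                 "exp_yymm": m.group("exp")})
    for m in PAN_RE.finditer(line):
        # Skip digit runs that are part of a track record already reported above
        inside = any(s <= m.start() and m.end() <= e for s, e in covered)
        if not inside and luhn_ok(m.group(0)):
            findings.append({"kind": "pan", "pan": mask_pan(m.group(0)), "exp_yymm": None})
    return findings


def scan_text(text: str) -> list:
    """Scan multi-line text; each finding carries its 1-based line number."""
    results = []
    for n, line in enumerate(text.splitlines(), start=1):
        for f in scan_line(line):
            f["line"] = n
            results.append(f)
    return results


# Constructed sample: a suspicious upload, an order record, a ticket id that
# merely looks like a card number (fails Luhn), and a benign line.
SAMPLE_LOG = """\
2009-03-01 12:00:01 pos01 upload id=77 body=%B4111111111111111^DOE/JOHN^1012101123400000?;4111111111111111=10121011234?
2009-03-01 12:00:05 shop order 5500000000000004 shipped to drop address
2009-03-01 12:00:09 helpdesk ticket 4111111111111112 opened
2009-03-01 12:00:11 web GET /index.html 200
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f)
```

Running the block reports two track records and one bare PAN from the first two lines and nothing from the last two; the Luhn filter is what keeps the ticket number on line 3 quiet. Keeping only masked PANs in the findings matters in practice: triage reports and SIEM alerts are copied widely, and an unmasked detector output is itself cardholder data.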

Vendor Services
- Bank logins
- Dumps
- CVVs
- Full Info/COBs
- Drops/Fake IDs

- Templates used to manufacture cloned cards
- Blanks produced
- High-quality holograms
- “Dumps” data used to encode on magstripe; embosser used to print card details on front
