In September 2008 police began arresting alleged members of Dark Market, an underground Internet forum for buying and selling credit card data used for identity fraud. The sting wouldn't have been possible without the work of FBI agent J. Keith Mularski, who spent two years infiltrating the group.
FBI Special Agent J. Keith Mularski spent two years posing as a cybercriminal as part of an undercover sting operation. (Credit: U.S. Federal Bureau of Investigation)
Mularski became hacker "Master Splynter," a play on the name of the Teenage Mutant Ninja Turtle character called "Master Splinter," a rat who lives in New York City's sewers. He was so successful in his online disguise that he ended up running the server that hosted the Dark Market forum from his offices at the National Cyber Forensics Training Alliance in Pittsburgh.
Mularski, a supervisory special agent with the FBI's Cyber Initiative & Resource Fusion Unit, spoke about the Dark Market sting during a session at the RSA security conference last month. CNET News caught up with him this week on the telephone to find out what it was like hanging out with cybercriminals.
Q: You were central to the Dark Market sting. Tell me what happened and what role you played.
Mularski: We kicked off an undercover operation to try to penetrate these underground crime groups that are running these forums on the Internet. We developed the persona of a spammer/hacker and I assumed that role. Our intention was to try to penetrate the groups and dismantle them like we would with organized crime. In this case we were very successful in getting to the upper echelons of the Dark Market group and we were actually able to run the server and host all the communications that were going on there to make our cases against the criminals. Worldwide we had 60 arrests. It was a two-year operation and we had arrests in the U.K., Germany, Turkey, and here in the U.S.
What measures did you take to try to prove you were legitimate?
I acquired the reputation of one of the world's top 5 spammers. The Spamhaus Project, which tracks spammers, made a listing for me as being a top spammer and that gave me credibility so that I didn't necessarily have to do any criminal activity. I could talk the talk. If someone wanted me to mail (send spam) for them I would (get out of it by giving them the excuse) that they were too small of a fish. If they were a big fish I'd just say I didn't have any openings or time to work with them.
What sorts of crimes were they doing on Dark Market?
They were doing all sorts of identity theft. They were hacking into companies and stealing credit card numbers and selling them. They were selling counterfeit drivers' licenses and other photo documentation, as well as manufacturing fake credit cards. They were selling harvested bank accounts and brokerage accounts and selling different types of malware or spyware programs or Trojan horses that you could infect peoples' computers with. The whole gamut of the cyber underground was available there. If you needed it you could get it there on the site.
How did being undercover interfere with your life? What extremes did you have to go to to keep up the facade?
I would have to be online all the time, basically, in case someone needed to get ahold of me. If I was at home I would always have a computer on, even while watching TV. If I went on vacation I took the computer with me to make sure I was able to log in. I would tell the (Dark Market) guys I was traveling to go surfing or something like that and I would tell them I'll be online at these times if you need to get me. I had a cell phone connected to a Gmail account and I would tell them if they had to get ahold of me to send an e-mail and it would ping me. It was like that for two solid years almost every day. My wife wasn't too happy about it (chuckling).
No doubt! Was there ever a moment when you thought the jig was up and that they were on to you?
There were a couple of those. We had a problem with our backstopping right at the beginning of the operation when I took over the server. One of our rivals had hacked into the Dark Market server and was looking at who was logging in. He traced the IP address doing a "who is" (lookup) and the phone number connected to our covert IP address, which was supposed to be unlisted but instead it showed the address here at the National Cyber Forensics Training Alliance. By doing some research they determined that the IP address came from this building and they thought it came from me. I had to go on the offensive and say that it wasn't me and that it was already in the server. Eventually they believed me. There were a lot of wars between rival groups at the time. A lot of people were accusing each other of being "feds" and "cops" and I was able to use that to my advantage to create a smoke screen and create doubt.
How were you able to become administrator of the Dark Market server?
I had good relations with the administrator whose alias was "Jilsi." He wasn't a very technical guy and was having problems running the site because it was getting attacked by a rival group. So I told him about my background as a spammer and told him how good I was at setting up sites. I did some demonstrations and set up some test sites to show him I had the skills. Then there was just a lot of talk and rapport building. One night when Dark Market was getting attacked by a rival group I said I was ready and that I could secure the server for him and he said "let's move." That gave me full access to everyone using it and what they were doing.
Any anecdotes to tell about your dealings with these people?
It was like a soap opera. There was constant drama going on. A lot of people were accusing one another of being cops. It was funny being part of the discussion as people were talking about whether so and so was a cop or a fed and I was sitting there knowing full well that the person wasn't. There were a lot of egos, and a lot of funny stories where guys would brag about their close brushes with the law and how close they got to being arrested. You get 20-year-old guys, 30-year-old guys who are single and making a lot of money, so you hear a lot of stories of partying and things like that.
Did you get a sense of what these carders are like as people; what their characters are like?
There are a lot of guys who I think their curiosity just got the best of them and it led them down a dark path. One of the guys, Max Butler, who ran our rival site called Carders Market and used the hacker name Iceman, was arrested in San Francisco. He was very intelligent. He could have been an excellent security expert. He could have given talks at RSA about vulnerabilities. A lot of these guys are just misguided. They get into a hotel and see that they have credit cards and one thing leads to another. I think that's how it all starts off and then they find they can make a lot of money and it becomes a business, a job. If you met them in person they were actually nice guys. I enjoyed a lot of my chat sessions when we were talking about other things, like traveling the world and things like that.
How old are they?
The average guy is in his mid-20s or so. We've seen guys in their 40s. Ages range from 17 to 40something, typically. A lot of the guys who we arrested were in their mid-30s.
How tied to organized crime are they?
One of the guys, "ChaO," kidnapped someone. He viewed himself as a traditional organized crime member. He was connected with organized crime groups in Turkey and they resorted to violence when they kidnapped someone who was talking too much about the operations. We're seeing more of that, especially in Romania. Also in Russia.
Did you hear from any of your former carder cohorts after the arrests?
I heard from sources that they couldn't believe I was an FBI agent. One of the guys whose house we raided wasn't at home and he sent me an expletive-filled message saying 'you're never going to catch me.' I told him he should give himself up rather than spend his life on the run and a week later he turned himself in.
This work sounds kind of dangerous. Did you ever feel you were in danger or are you worried now?
When you are an FBI agent there's always that threat of danger working crimes undercover. We never intended for my name to come out in this operation. But FBI agents' names are in affidavits. There was always that risk that my name could be exposed. It's always in the back of your mind but you try not to think about it.
What impact did the sting have?
It showed that we can get you no matter where you live. We were able to make internal relationships and work cases jointly with law enforcement in other countries. In the future there will be other joint cases in Europe and around the world. You don't necessarily have to be in the U.S. for us to bring you to justice. That is one of the most significant impacts it had. Another one is that it showed these guys that, yes, we do have a presence out there (on the Internet) and the U.S. is serious about targeting cybercrime. We are going to throw our resources at this problem.
How have things changed since you started the Dark Market operation in 2006?
With every operation the bad guys learn more of the undercover techniques that law enforcement is using. Everything that was successful for us in this operation would have to be tweaked because of that. The level of sophistication is so much higher. The days of a cyber investigation where you just track an IP address and that leads you to a hacker's house, those days are long gone. There are many different anonymization services the bad guys are using. The exploits and botnets they are using are so much more sophisticated than they were a couple of years ago. Just two years ago the majority of the botnets were IRC botnets, which are fairly simple. Now we're seeing botnets like the Storm worm that are very sophisticated and running peer-to-peer networks and that makes it harder for us to track down the command and control servers.
Have you been involved in any of the efforts to track down the people behind the Conficker worm?
I can't comment on that.
Anything else to add?
The message I'm trying to preach is that we have international cooperation and that other countries are starting to recognize this problem. Also, the attackers have changed with the emergence of organized crime into these cybercrimes. It's not just an 18-year-old pimply faced kid in his room committing these crimes. These are organized crime groups doing it. It's all about the money now and not just about how elite my hacking skills are to get into this Web site. Profit is driving these groups.
The stakes are higher now for everyone?
Definitely.
Every time I use my credit card online I suffer a momentary feeling of angst, even though I know that it's still safer than handing my card over to an unscrupulous waiter. The impersonal nature of the Internet and the perception that I lose control of my data after I hit "submit" contribute to this lack of a sense of security.
Also contributing to this paranoid feeling are all the reports of phishing scams, including IRS and tax-related scams; data breaches at retailers like TJX, where more than 45 million accounts were exposed; and payment processors like RBS WorldPay, where stolen data led to cloned cards and ATM withdrawals last year.
This all got me to wondering exactly how the data from my credit card or keyboard ends up as money in the pockets of criminals.
How does the data get stolen from my computer?
There are many ways sensitive data can be pried out of computer users. In a typical social-engineering phishing attack, a consumer opens an e-mail that looks like it was sent by the consumer's bank, Amazon, PayPal, or some other trusted source. With a bogus excuse, such as suggesting there was a security incident and the user needs to verify his or her account details, the e-mail will prompt the recipient to provide username and password via a link to a Web site that looks legitimate but isn't. The consumer enters the information and continues on, not knowing that the data is now being sent to criminals.
In other cases, criminals create fake e-commerce Web sites where consumers provide their credit card information to pay for a product that will never arrive. Attackers also have ways of rendering legitimate Web sites risky by injecting malicious code into the Web sites with cross-site scripting, SQL injection, and clickjacking attacks. Such attacks, typically invisible to the consumer, can be used to steal data that a consumer types in.
Other attacks are accomplished by getting spyware onto a victim's computer. For instance, attackers can distribute a worm via an e-mail attachment that downloads a keystroke logger onto the recipient's computer when it is opened. Attackers also can create programs that exploit unpatched holes in Windows or holes in a browser that haven't been fixed and download keyloggers onto computers. The keyloggers can be written to send data to a remote server every time the computer user types a password or social security number, for example.
If I don't use my credit or debit card on the Internet, how does the data get stolen?
Attackers can steal data by planting a skimming device that reads the magnetic-stripe data from the card when a user slides it through a payment card reader at a register or using a skimmer on an ATM machine combined with a video camera that records the PIN when someone is making a transaction. The magnetic-stripe data includes name, credit card number, and expiration date.
Attackers can steal more people's payment card data at a time by hacking into a retail firm or payment processor's computer network. In the TJX incident, experts believe attackers made their way into the company's system by first gaining access through a wireless regional hub for the company's store controllers, which handle the point-of-sale system. Attackers also can grab unencrypted PINs from bank systems during the authorization process using specially crafted malware that scrapes the data from the memory of the bank's computer, according to Wired. Or attackers can trick a misconfigured hardware security module, which decrypts and re-encrypts PINs as they make their way across various bank networks, into revealing the encryption key.
What do the criminals do with the data when they get it?
Cybercriminals tend to have specialties. The data thieves, also called "harvesters," sell it to brokers who either use the data themselves, hire others to do the leg work to withdraw the money, or sell it to others via IRC channels, private peer-to-peer networks, carder sites, and other organized underground marketplaces.
Often, the data is sold with a money-back guarantee in the event that the cards are found to have been reported as stolen or if the data is incorrect. Brokers have a number of ways of verifying cards. They can break into an e-commerce Web site and process small transactions on the card with a payment processor to see if the transactions go through. Or they can use the card data to make a $1 donation to a charity.
Once the data is verified, the criminals can turn it into cash by either moving the money from the victim's account to an account they control, wiring themselves the money, creating counterfeit checks, or even just withdrawing small amounts (under $50) on a regular basis that may not get noticed by the cardholder.
Many of the criminals are located outside of the data's country of origin and will need to be able to either transfer funds or make international purchases without alerting the authorities. To do this, criminals have elaborate schemes using middlemen, also known as "drops." For instance, criminals will advertise work-from-home jobs in the U.S. over the Internet and by e-mail. The drop is merely asked to provide a local address or bank account and, when money or goods arrive, is instructed to transfer them on to a foreign address. The criminal then takes over the bank or credit card account for which data was stolen, and changes the address or bank account to that of the middleman.
"The countries where re-shipping happens include Nigeria, where you can't easily buy consumer goods. This is a way for them to get goods," said Dave Ostertag, global investigations manager at Verizon Business who used to be a chief investigator at Discover Card. "This fraud stocks the shelves of a store in another country."
An estimated 70 percent of the online identity fraud activity is related to organized crime, Ostertag said. In the U.S., street gangs can make more money off mortgage fraud than they can selling drugs, he added.
The criminals also can make blank plastic cards that are encoded with the stolen magnetic-stripe data. Often, cards are produced in one country and shipped back to the country where the account is located. The cards then can be used by "runners" to make withdrawals from ATM machines if the PIN codes are known.
Criminals have been known to use private databases to get more complete information on victims, such as address, date of birth, and even social security number. For instance, the U.S. Postal Service says someone accessed LexisNexis and Investigative Professionals databases without authorization and used personally identifiable information from there to obtain fraudulent credit cards.
Screenshot of price list for stolen credit card numbers and available balance amounts discovered on the Web by McAfee Avert Labs. (Credit: McAfee Avert Labs)
How much is the data worth?
There is so much stolen magnetic-stripe data available on the underground markets that prices for it have dropped from between $10 and $16 per record in mid-2007 to less than 50 cents per record today, according to the 2009 Data Breach Investigations Report (PDF) from Verizon Business. Those price tags go up when the PIN is available and cash can be withdrawn directly from a victim's account.
The value of a card is determined by a combination of factors. Cards from the U.S. and Europe fetch higher prices, as do cards with more available credit or balance, those with additional information such as PIN or home address, and those that have been verified.
Credit card data can range in price from 6 cents for bulk quantities to $30, while bank account credentials range from $10 to $1,000, according to a Symantec Internet Security Threat Report released last month. Most of the stolen credit card data for sale is from the U.S., the report found.
Is the consumer liable for any fraudulent charges?
While credit card fraud typically has a zero-liability policy for consumers, the burden of proving fraud is on the consumer when it involves a debit card.
How big a problem is online identity fraud?
The latest Consumer Reports survey found that over the past two years 1 out of 13 Americans provided personal data to phishers, 1 in 12 had serious problems with spyware, 1 in 7 lost money to online fraud or had computer virus problems, and about 1.7 million were victims of identity fraud, the San Francisco Chronicle reported on Monday.
A report from Javelin Research (PDF) places the number of identity fraud victims in the U.S. at 10 million in 2008. Identity fraud rose 22 percent last year from the year before to the highest level since 2004, the report said. Meanwhile, online theft and data breaches each represented 11 percent of the known identity fraud incidents, compared to 43 percent for lost or stolen wallets and 19 percent that occurred during a transaction.
Payment card breaches represented 80 percent of the 90 reported breaches last year, and payment card data represented 98 percent of all records compromised, according to the report from Verizon Business.
Between January and December 2008, consumer complaint database Consumer Sentinel Network received more than 1.2 million consumer complaints, according to a report released by the U.S. Federal Trade Commission (PDF) in February. Of those, 52 percent were fraud complaints and 26 percent related specifically to identity theft.
Complaints of online crime hit a record high last year and total dollar loss linked to online fraud was $265 million, according to a report released in March by The Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center. The third most common fraud complaint was credit or debit card fraud, representing 9 percent, preceded by non-delivery of merchandise or payment at 33 percent, and Internet auction fraud, representing more than 25 percent.
What can consumers do to protect themselves?
To protect against online identity fraud, consumers (who use Windows) should sign up for regular automatic Microsoft software updates, use the latest browser versions with enhanced security features, and keep their antivirus and other security software up-to-date. To avoid phishing and other malicious sites when Web surfing, there are a number of programs, including McAfee Site Advisor and AVG LinkScanner.
McAfee also recently launched the McAfee Cybercrime Response Unit, where people can go if they suspect they have become a victim of cybercrime or identity fraud. The site has a free Windows-based scanner that can give an indication of how likely the consumer is to have been victimized, as well as specific steps to take in the case of identity fraud. These include changing account passwords and PINs, placing a fraud alert on credit reports, and reporting the crime to authorities.
The FTC's Identity Theft Site, the Identity Theft Resource Center, and The Privacy Rights Clearinghouse's Identity Theft Victim's Guide have more information.
Correction 2:19 p.m. PDT: An earlier version of this story and its headline significantly mischaracterized a key metric used in the IC3 report. The overall finding of the report was that complaints regarding Internet-related crimes rose 33 percent in 2008.
Complaints of Internet-related crimes soared 33 percent last year, countering two years of consecutive declines, according to a report released Monday by the Internet Crime Complaint Center (IC3).
The IC3 Web site received 275,284 complaints last year, up from 206,884 the previous year. The organization referred 72,940 of those 2008 complaints to federal, state, and local law enforcement agencies. The IC3 is a partnership among the Federal Bureau of Investigation, the National White Collar Crime Center, and the Bureau of Justice Assistance.
Referred complaints, which ranged from online auction fraud to identity theft to non-delivery of goods purchased online, cost consumers about $264.6 million last year, with the median dollar loss reaching $931 per complaint, according to the report. In 2007, the losses were less: $239.1 million.
Among complaint categories of Internet crimes, non-delivery of merchandise after sending a payment, or delivering the goods but never receiving a payment, topped the list, according to the report. Of all complaints received, 32.9 percent were related to this offense.
Internet auction fraud accounted for 25.5 percent of the complaints, while credit card and debit card fraud made up 9 percent, according to the report.
Even though complaints of crimes involving non-delivered goods occurred the most, that category didn't hit consumers in the pocketbook like check fraud, which carried a median loss of $3,000.
And the most common means to engage in an Internet crime was e-mail, the report noted. In 74 percent of the reported crimes, e-mail was used, followed by Web pages in nearly 29 percent of the cases.
The Crown Prosecution Service has decided it will not prosecute self-confessed NASA hacker Gary McKinnon in the U.K., edging him closer to extradition to the U.S.
McKinnon's diagnosis with Asperger's Syndrome, a condition on the autistic spectrum, had not been taken into account in the decision, a Crown Prosecution Service (CPS) spokesperson told ZDNet UK on Thursday.
Gary McKinnon (Credit: ZDNet UK)
U.S. authorities last year won the extradition of McKinnon to face charges of breaking into 97 military and NASA computers. In December, McKinnon's legal team sent a letter to the CPS in which he confessed to offenses under section 2 of the Computer Misuse Act, in an attempt to be prosecuted in the U.K. rather than the U.S.
McKinnon faces up to 70 years in a maximum security prison if convicted of hacking charges under U.S. law. In a statement regarding its decision, the CPS said the offenses McKinnon admitted to in his confession, including the unauthorized access to a computer system, are not as serious as the charges U.S. prosecutors have leveled against him.
"We identified nine occasions where Mr. McKinnon has admitted to activity which would amount to an offence under Section 2 of the Computer Misuse Act (unauthorized access with intent)," Alison Saunders, the head of the CPS organized crime division, said. "Although there is sufficient evidence to prosecute Mr. McKinnon for these offences, the evidence we have does not come near to reflecting the criminality that is alleged by the American authorities."
Saunders made the decision on McKinnon in consultation with Keir Starmer, the director of public prosecutions, the CPS spokesperson said.
U.S. prosecutors allege that McKinnon was politically motivated in his hacking attack on U.S. Army, Navy, Air Force, and NASA systems in 2001. They also allege that he caused $700,000 worth of damage by deleting files, and that he disabled the function of a warship.
McKinnon has never denied accessing the systems, but he does deny causing any damage. He claims to have been searching for evidence of UFOs.
The CPS does not have access to the evidence held by U.S. authorities that could allow it to make more serious charges against McKinnon, his solicitor, Karen Todner, told ZDNet UK on Thursday.
"The reason the CPS doesn't have the evidence is that the U.S., under the extradition treaty, does not have to provide any evidence," Todner said. "The CPS could have asked to see the evidence, but it didn't do that."
The CPS spokesperson confirmed that the department had not asked to see any evidence. U.S. prosecutors are not required to show any prima facie evidence to secure the extradition of a U.K. citizen, under the terms of the US/UK Extradition Treaty of 2003.
"The harm occurred in the US, affecting infrastructure in the U.S., the witnesses are located in the U.S., the bulk of the evidence is in the U.S., and the task of gathering evidence from the U.S. is considerable," the service's spokesperson said. "U.S. prosecutors were able to frame charges reflecting the extent of Mr. McKinnon's criminality."
Todner said that the next step would be a High Court review of home secretary Jacqui Smith's decision to turn down McKinnon's appeal against extradition last year. A date has not yet been set for the review, as it hinged on the CPS decision. Todner expects it to be scheduled in April.
McKinnon was not available for comment at the time of writing. According to Todner, he was still hopeful that the High Court review might save him.
McKinnon's mother, Janis Sharp, criticized the U.K. prosecutors for not taking his health into account in their decision.
"I'm heartbroken at the lack of compassion shown towards my desperately vulnerable son," said Sharp. "Gary is a gentle man with Asperger's, not a dangerous terrorist. His obsessions led him to search U.S. computer systems. Wrong? Yes. But extraditing him to a high-security prison, knowing he won't survive--surely no-one can honestly believe that punishment fits the crime?"
Graham Cluley, senior technology consultant at security company Sophos, said that the U.K. IT community had shown sympathy for McKinnon's plight. "The real question is should we really be making such an example of a guy who was apparently just a UFO conspiracy theory nut?" Cluley said in a statement.
Tom Espiner of ZDNet UK reported from London.
Did your brother-in-law really send you a singing holiday card? Did a long-lost friend from college really include you on this year's list?
One inexpensive way to send holiday cheer may be to send e-cards, but security vendor AVG warned on Tuesday that online criminals are taking advantage of the fact that most people don't know the difference between a legitimate e-card and one hosting malware.
Last week security vendors warned of a Trojan horse masquerading as holiday-themed e-cards from McDonald's, Coca-Cola, and Hallmark.
To better educate the public, AVG has launched a site, "Slam the Holiday Scam," co-sponsored with CyberStreetSmart.org and i-Safeworking, and is working to team with various online safety organizations such as the National Crime Prevention Council, the FTC's Bureau of Consumer Protection, CyberStreetSmart.org, i-Safe, the National Cyber Security Alliance, Consumers Union, and Protection from Brand Infection.
The tips, which should be familiar to most online users, include:
- Don't open attachments because most legitimate e-cards include links to the company's Web site that allow you to go directly to your card.
- If something looks a little strange or "phishy" just delete the card.
- Use security software on your desktop.
- Watch out for misspelled words or names, a disguised name (such as Your Friend, A Secret Admirer), or an odd URL.
- Always read the fine print before accepting any terms.
Eleven people have been charged with hacking major U.S. retailers, including TJX.
The hacks compromised more than 40 million people's credit and debit card details.
The defendants are based internationally: three from the U.S., one from Estonia, three from the Ukraine, two from the People's Republic of China, and one from Belarus. One individual is known only by an online alias, and his place of origin is unknown, the U.S. Department of Justice said Tuesday.
Albert "Segvec" Gonzalez, from Miami, was charged on Tuesday with computer fraud, wire fraud, access-device fraud, aggravated identity theft and conspiracy. Christopher Scott and Damon Patrick Toey, also from Miami, were indicted on related charges by a Boston court on Tuesday.
The Department of Justice alleges that Gonzalez and co-conspirators obtained the credit and debit card numbers by "wardriving," or touring around and testing wireless computer networks for vulnerabilities, then hacking into them.
Eight major U.S. retailers were allegedly hacked by members of the gang. TJX Companies, which owns businesses including TK Maxx in the U.K. (T.J. Maxx in the U.S.), admitted in a Securities and Exchange Commission filing in March 2007 that 45.7 million payment-card details had been stolen by unknown intruders.
However, according to the Department of Justice, card details were also stolen by the gang from other retailers, including BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever21, and DSW.
Once inside the companies' networks, the alleged hackers installed "sniffer" programs that would capture card numbers, as well as password and account information, as the numbers were processed. According to a report in The Wall Street Journal in March 2007, the hackers left encrypted messages in the TJX systems to tell each other which files had been copied. The newspaper also reported that TJX had used the Wireless Encryption Protocol (WEP) to encrypt transaction information. WEP has been repeatedly shown to be insecure.
The Department of Justice indictment alleges that, after the gang collected the information from the different chains, members concealed the data in encrypted computer servers in Eastern Europe and the U.S. They allegedly sold some of the credit and debit card numbers via the Internet to other criminals in the U.S. and Eastern Europe. The stolen numbers were "cashed out" by encoding card numbers on the magnetic strips of blank cards; the defendants then used these cards to withdraw tens of thousands of dollars at a time from bank machines, according to the Department of Justice.
Gonzalez and others were also allegedly able to conceal and launder the fraud proceeds by using anonymous, Internet-based currencies both within the U.S. and abroad, and by channeling funds through bank accounts in Eastern Europe.
Indictments against the eight other alleged members of the gang were unsealed in San Diego, Calif., on Tuesday.
Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine, and Aleksandr "Jonny Hell" Suvorov, of Sillamae, Estonia, were accused of "trafficking in unauthorized access devices"--which includes payment cards--the sale of the stolen payment card data, and identity theft.
Hung-Ming Chiu and Zhi Zhi Wang of China, along with a person known only by the online nickname "Delpiero," were charged with conspiracy to possess unauthorized access devices, trafficking in unauthorized access devices, trafficking in counterfeit access devices, possession of unauthorized access devices, aggravated identity theft, and aiding and abetting.
Sergey Pavolvich of Belarus and Dzmitry Burak and Sergey Storchak, both of the Ukraine, were charged with conspiracy to traffic in unauthorized access devices. The Department of Justice said it believes all to be foreign nationals residing outside of the U.S.
Only Gonzalez, Yastremskiy, and Suvorov are currently in custody. Gonzalez was working as an informant for the U.S. Secret Service when he was arrested. He became an informant after being arrested in 2003 on a different access-device fraud charge. Gonzalez faces life imprisonment if found guilty.
Yastremskiy was arrested in July 2007 by Turkish officials when he traveled to Turkey on holiday. He has been held in Turkey since then, pending the resolution of related charges there. The U.S. has made a formal request for his extradition.
Suvorov was apprehended by the German Federal Police in Frankfurt in March 2008 when he traveled there on holiday. He was apprehended at the request of the Department of Justice. He is currently being held during extradition proceedings to the U.S.
The remaining members of the alleged gang remain at large.
Tom Espiner of ZDNet UK reported from London.
On Wednesday, the FBI and its partner, the Internet Crime Complaint Center (IC3), warned against a new e-mail campaign being used by the creators of the Storm Worm botnet.
The e-mail uses the phrase "F.B.I. vs. Facebook" in its subject line and contains a link to view an article about the FBI and Facebook, a popular social networking website. Clicking on the link downloads malicious software onto the victim's computer.
"The spammers spreading this virus are preying on Internet users and making their computers an unwitting part of criminal botnet activity," said the FBI in a press release. "We urge citizens to help prevent the spread of botnets by becoming web-savvy."
The FBI is warning users not to respond to spam e-mail and not to open attachments or links provided within such e-mail, and advising them to validate the legitimacy of the e-mail by typing the organization's Web site address directly into a browser window, rather than clicking on a provided link.





