Information security could use some good news right now, something to offset the string of bad news about data breaches and system vulnerabilities; so how about this: "Cyber Criminal Forum Taken Down, Members Arrested in 20 Countries". The best thing about that headline is that I didn't make it up, that actually happened, earlier this month.
Unfortunately, like a lot of good news, this story quickly disappeared from the front page, due in part by more stories about more yet breaches (like UCLA Health, AshleyMadison, and the US Census Bureau), and vulnerabilities (like the one that caused Fiat Chrysler to recall 1.4 million vehicles for a software update). Fortunately, the Darkode cybercrime forum takedown which generated that great headline is not the only recent win in the fight against criminal abuse of information systems; so I thought it would be helpful to round up the recent stories in one place.
Darkode Down
Darkode was a forum that made it relatively easy to buy, sell, or even rent, cybercrime tools and the fruits of such crime. If you needed malware to infect victim computers and steal information you could buy it on Darkode, or perhaps just rent a botnet of pre-infected machines, already primed to steal data, send spam, or carry out denial of service attacks. Need to sell the personal information and financial data you have stolen from victims? Darkode was a place to do that too. According to US Attorney David J. Hickton:
"Of the roughly 800 criminal Internet forums worldwide, Darkode represented one of the gravest threats to the integrity of data on computers in the United States and around the world and was the most sophisticated English-speaking forum for criminal computer hackers in the world."
Basically, anyone with criminal inclinations could, by means of Darkode, engage in cybercrime, an activity that has developed a reputation for offering big rewards with lower risks than conventional crimes. For example, burglars and bank robbers have a much higher probability of getting shot and killed than people who steal credit card data from retailers. So why was taking Darkode down such a good thing? Well, apart from the 70 Darkode-related arrests spanning multiple countries (20 in the US, 6 in the UK, and so on), there were at least four broad impacts.
1. It changed the risk/reward ratio, demonstrating that such services are vulnerable and the people who use them are at risk of being identified, indicted, arrested, prosecuted, and sentenced.
2. It sent a chill through the Dark Web, where there are hundreds of other places that currently exist to facilitate the same activities. Hopefully some of them are now a little more nervous about their business model, a little less trusting of their buyers and sellers (an agent of the FBI reportedly infiltrated Darkode back in 2010 despite the forum's screening process).
3. It demonstrated that law enforcement agencies could work together across international borders (this investigation, code named Operation Shrouded Horizon, involved a coordinated effort between Australia, Bosnia and Herzegovina, Brazil, Canada, Colombia, Costa Rica, Cyprus, Croatia, Denmark, Finland, Germany, Israel, Latvia, Macedonia, Nigeria, Romania, Serbia, Sweden, the United Kingdom and the United States).
4. It signaled to the public that law enforcement was determined to reduce cybercrime, at a time when this might appear to be an impossible task (I saw one interviewer try to get Mr. Hickton to "admit that this is futile, just a drop in the bucket" and his responses were an admirably solid rejection of such defeatist notions).
Here are just some of the people arrested in the Darkode take down, along with some of their alleged crimes (note that there is a legal presumption of innocence for these people at this point in time). The nature of the charges is relevant for a couple of reasons, for example, it tells current cybercriminals what to expect when they are prosecuted.
- Johan Anders Gudmunds of Sollebrunn, Sweden: conspiracy to commit computer fraud, wire fraud, and money laundering; serving as administrator of Darkode to facilitate creating and selling malware that allowed hackers to create botnets; operating his own botnet of 50,000+ computers and stealing data from users of those computers on approximately 200 million occasions.
- Morgan Culbertson, 20, of Pittsburgh, accused of building and selling Dendroid, malware intended to remotely access, control, and steal data from Google Android cellphones. Culbertson is alleged to have sold the toolkit on Darkode for $300, and the source code for $65,000.
- Eric L. Crocker, 39, of Binghamton, New York: using a Facebook Spreader to infect users’ computers, turning them into bots which he then sold for spamming.
- Naveed Ahmed, 27, of Tampa, Florida; Phillip R. Fleitz, 31, of Indianapolis; and Dewayne Watts, 28, of Hernando, Florida: maintained a spam botnet that used bulletproof servers in China and vulnerable routers in third world countries to send millions of emails designed to defeat spam filtering for mobile phones.
- Murtaza Saifuddin, 29, of Karachi, Pakistan: identity theft; attempting to transfer credit card numbers to others on Darkode.
- Daniel Placek, 27, of Glendale, Wisconsin: conspiracy to commit computer fraud; accused of creating the Darkode forum, and selling malware on Darkode designed to surreptitiously intercept and collect e-mail addresses and passwords from network communications.
- Matjaz Skorjanc, 28, of Maribor, Slovenia; Florencio Carro Ruiz, 36, of Vizcaya, Spain; and Mentor Leniqi, 34, of Gurisnica, Slovenia: racketeering conspiracy; conspiracy to commit wire fraud, bank fraud, computer fraud, access device fraud and extortion. Skorjanc also is accused of conspiring to organize the Darkode forum and of selling ButterFly bot malware.
- Rory Stephen Guidry, Opelousas, Louisiana: charged with computer fraud; accused of selling botnets on Darkode.
For a detailed look at the way Darkode evolved, I recommend this article by Brian Krebs, who spent quite a bit of time lurking on that forum.
Life of cybercrime = Life in prison?
Before looking at some of the non-Darkode-related cybercrime arrests, it helps to put these alleged transgressions in perspective: what kind of future are you facing if you are one of the accused? My best guess is that, if you're found guilty, you are highly likely to go to prison. How long for? How about the rest of your life? That's the sentence received by another cybercriminal, Ross Ulbricht, the guy who founded and operated Silk Road, an online marketplace that operated on the Dark Web, a collection of sites and services that use an encrypted network running on top of the public Internet through special software (Tor). Like Darkode, Silk Road also facilitated the buying and selling of illegal wares, notably illegal drugs.
Some people were shocked by Ulbricht's life sentence, handed down in May, and he is appealing, but I doubt he will end up with anything less than 20 years. This is mainly attributable to the "drug dealing" aspect of his online enterprise, as reflected in this statement from the sentencing judge: “What you did with Silk Road was terribly destructive to our social fabric.” However, there are two factors here that might give a hint as to how cybercrime sentencing will evolve: scale and social fabric.
Theft in cyberspace can be performed on a scale not possible in meatspace. The folks who stole payment card data from Target in 2013 were able to pocket, in a matter of months, a lot more money than all the bank robbers in America that year (some of whom were shot and killed in the act). Drug dealing in cyberspace can also dwarf traditional dealing (Ulbricht's sentence included forfeiting about $183 million). Take just one Silk Road dealer as an example: a guy called Steven Sadler pleaded guilty earlier this year to selling nearly a million dollars of narcotics in the online bazaar (Sadler received a five year prison sentence plus four years' probation, but it would probably have been more if he had not cooperated with authorities).
Of course, I'm not a lawyer, but I do study criminal justice, and a great article by Dr. Susan Brenner of the University of Dayton School of Law pointed out in 2004 that some aspects of cybercrime could trigger federal sentencing "enhancements" meaning stiffer sentences (see: 'Cybercrime Metrics: Old Wine, New Bottles?' Virginia Journal of Law & Technology, 9,13-13). Among these factors are the scale and complexity of the crime, the effort taken to conceal it, and the extent to which it damaged social fabric and infrastructure. In other words, when calculating the sentence for theft or fraud a judge could potentially add time if the crime could be construed as undermining the social benefits of Internet technology.
ID Theft and SpyEye Closure
An indication of what awaits those convicted in the Darkode case was provided earlier this month when a Vietnamese national, Hieu Minh Ngo, 25, was sentenced to 13 years in prison after pleading guilty to charges of wire fraud, identity fraud, access device fraud and four counts of computer fraud and abuse (full details here). If the case had gone to trial it is possible that the sentence would have been closer to 20 years
The FBI's announcement of the sentence included several allusions to the scale of Ngo's activities: he not only sold collections of stolen data about individuals to be used for identity theft (known as “fullz”), he also sold criminals the ability to do online database searches for the stolen PII of specific individuals (he offered PII for 200 million U.S. citizens to more 1,300 customers from around the world and records showed they conducted more than three million “queries”). Ngo appears to have made "nearly $2 million" from this criminal trade in stolen data. The IRS calculated that over 13,000 US citizens whose stolen PII was sold on Ngo's websites were hit by tax identity theft to the tune of $65 million.
Scale may also add to the sentences which will soon be handed down for the two creators of SpyEye, Aleksandr Andreevich Panin of Tver, Russia, and Hamza Bendelladj, of Tizi Ouzou, Algeria (they pled guilty in 2014 and are currently awaiting sentencing). For readers not familiar with SpyEye, it is classic crimeware, one of the first "easy-to-use" malware kits with a GUI front end, employed for banking fraud. And of course, SpyEye was one of the products you could get from Darkode. If you're wondering why the sentencing phase is taking so long, it may be due to the huge effort required to assess the scale and impact of the crimes these guys committed, factors that will surely influence the sentences they receive.
Deterrence and delay
Speaking of SpyEye and banking malware, there was good news on the cybercrime front in Europe last month. A European joint investigation team (JIT) consisting of investigators and judicial authorities from six different countries took action in Ukraine, once seen as a safe haven for cybercriminals, and took down a major cybercrime operation. Europol says that five "high-level cybercriminals and their accomplices" were arrested on suspicion of developing, exploiting and distributing Zeus and SpyEye malware. They can expect to spend a long time in custody while the authorities try to determine the scale and impact of the crimes they committed.
If there is a worrisome pattern here, it's that cybercrime arrests often occur years after the crimes are first committed. After all, ESET products have been blocking the Zeus and SpyEye malware since 2010. This delay factor does tend to undermine the impact of arrests and prosecutions on the criminal activity they are intended to deter. Criminologists generally agree that the swifter the justice, the stronger the deterrent effect.
But delays may be getting shorter as law enforcement agencies around the world gain more experience working together and sharing information. Last week we heard that the criminals who hacked into JPMorgan Chase last year may have been arrested. The word "may" is important here because the four men taken into custody, two in Florida and two in Israel, were sought for other crimes, as described by Manhattan U.S. Attorney Preet Bharara:
"the defendants manipulated trading in U.S. securities from overseas, using fake identities to funnel millions of dollars in unlawful proceeds through a web of international shell companies. Using false and misleading spam e-mails sent to millions of people, these defendants allegedly directed their pump-and-dump scheme from their computers halfway around the world."
A typical pump-and-dump scheme involves driving up the price of a stock and then selling it before the price starts to fall, and one technique to pump up prices is mass email campaigns to potential investors. The connection to the JPMorgan hack was made by a a federal law enforcement official who told USA TODAY that the above crimes came to light as a result of the investigation into the bank hack. If you recall, the bank initially claimed it was the victim of a sophisticated attack, possibly a pro-Russian response to US sanctions, but it now appears that JPMorgan's servers may simply have been raided for email addresses to be used in a spam scheme.
Here are few more criminal justice updates:
- The man behind the DNSChanger malware has pleaded guilty in New York to wire fraud and computer intrusion charges earlier this month (read more on Krebs on Security).
- Alex Yücel, the owner of an organization known as “Blackshades” was sentenced last month to just under five years in prison for his role in selling and distributing what US States Attorney Bharara referred to as a "pernicious form of malicious software...known as the Blackshades Remote Access Tool, or RAT."
- "A man suspected of belonging to a network of Islamist hackers responsible for attacks on more than 3,500 websites worldwide was arrested in Bulgaria, the interior ministry announced Wednesday."
So, has the tide now turned in the fight against cybercrime? Probably not, but at least we are learning that the bad guys are not unopposed, and some of them will be spending many years in prison. Not that long sentences are necessarily a strong deterrent to crime. However, increasing the speed with which criminals are brought to justice can deter those who are contemplating a life of crime. Unfortunately, we are still not devoting enough resources to cybercrime deterrence. Hopefully, positive public response to this recent round of arrests and convictions will help persuade politicians to better fund the law enforcement effort against cybercrime.