Boing Boing » Joseph Menn

Keep Your 40 Acres, Just Send the Mules

Joseph Menn — Fri, 05 Nov 2010 05:00:32 +0000

I suppose I can boil down my complaints about U.S. law enforcement's attempts to do something effective about rampant and metastasizing cybercrime to two things. The first is that our guys don't have good relations with Russia and other countries that are knowingly harboring the worst criminals. And the second is that they don't have bad relations with those countries--not bad enough to blow the whistle.

Instead, U.S. authorities are the co-dependents in a perennially depressing romance, always thinking that real change in their partner is right around the corner. Think about Lucy holding the football for Charlie Brown.

After spending a couple of vacation days this week at a cybercrime conference aimed mostly at bankers--'cause hey, that's how I roll--I'm still convinced that we are in much bigger trouble than people realize. The Zeus family of financial computer trojans, which are probably on millions of PCs and often escape the notice of antivirus software, is truly impressive. Even if your bank cares enough about you to hand over a gadget with ever-changing one-time passwords, Zeus can intercept them and do other neat tricks, like redirecting you to a "down for maintenance" page while it cleans out your account. It can then do math on the fly so that when you check your balance, it appears to be right where it should be. I'm pretty sure it can walk on its hands while juggling with its feet, but you should check with one of the people who have lost or nearly lost their businesses, like Karen McCarthy.

But I also spoke to the Secret Service and FBI delegates to the conference, and they gave me a glimmer of hope that I would like to fan into a faint glow. It wasn't their accounts of the five big cheese Ukranians detained recently in a $70 million Zeus case, though that was certainly a good thing. Those men still haven't been charged, let alone convicted and sent to jail; the FBI man grimaced when I asked about the chances for locking up Zeus' Russian author; and forensics maven Gary Warner reported this morning that new Zeus control servers are popping up every day.

What cheered me was that they showed more pragmatism and less bust-down-the-doors machismo than I have ever seen in high-level feds. They are making slow progress in tough spots like Ukraine, they said, in part because the criminals screwed up and started attacking their countrymen. If every other country starts cooperating, pressure on Russia will grow. In the meantime, they are seizing servers, building intelligence on 50 top criminals, and disrupting their networks when they can.

Looking at the big picture, they see that the current bottleneck for the mobsters is the mules--the tens of thousands of people in the U.S. alone who often unwittingly accept transfers from compromised accounts, take a cut, and wire the rest overseas. The cyber gangs have access to more bank money than they can get out of the country.

So that's why the FBI made a big deal out of picking up some dozens of mules a few weeks back. Arrests and news conferences get precious TV time and stories, which can alert people that those work-from-home payment processing jobs are a really bad idea. Like the occasional fall of one or another honcho or botnet, the removal of scores of low-level employees won't do much to stem the tide. But an amplified message could reduce access to some of the kingpins' most precious assets, and it's certainly a worthwhile thing to try.

Something else seems increasingly doable as well, but that calls for a broader effort from outside law enforcement. The recent Zeus cases depended on work by outside security researchers, who often know far more than the cops. I would really like to see more such collaboration. I don't see why thousands of people would work together on such open-source projects as Linux and Mozilla and not on something so core to defending the Internet as a reasonable place to exist.

This marks the end of my guest-blogging stint here at BoingBoing, and I want to thank my gracious hosts and all of you for reading. You can always follow me at @josephmenn.

U.S. Mobsters, Behind in Cybercrime, Could Win Tuesday

Joseph Menn — Mon, 01 Nov 2010 06:32:57 +0000

[image: PartyPoker founder Ruth Parasol]

I know what patriotic Americans reading about the lucrative feats being pulled off by organized cyber criminals in Russia, Ukraine and elsewhere are thinking. Can't mobsters from the good old U.S. of A. compete in today's fast-moving global marketplace?

It's a sad fact that the West is lagging behind in giant-scale Internet fraud. But I don't think we need to lobby for a Five Families bailout just yet, especially if the Republicans capture the House tomorrow and kill Rep. Barney Frank's effort to legalize online gambling.

True, the other side has unfair advantages, including stunningly ~~corruptible~~ business-oriented law enforcement and the lack of a Silicon Valley to siphon off programming talent with high-paying straight jobs. In fact, some countries essentially sport a pre-fabbed mob infrastructure. Even legitimate enterprises typically hire their own mafia patron to negotiate cop-shakedowns and fend off other mobsters wanting handouts, so a greater union is pretty much the natural course of things once a hacking group gets big.

Going up against that sort of trade barrier, our wiseguys actually have done okay for themselves. U.S. prosecutors have said the biggest money-making enterprise in Gambino family history--netting some $650 million--was a combined pair of scams run by soldier Richard Martino. One was pretty straightforward: Enter your credit card number, just to prove you're 18, to see some free Web pr0n, then prepare to be shocked when charges from innocuous-sounding businesses show up on your statement. The other showed more initiative. Callers looking for free phone sex were tape-recorded saying "yes", they were 18, and then stuck with bogus monthly phone services. When regulators inquired, the "yes" was played back, this time appearing to accept recurring fees.

Mainly, though, U.S. mobsters have moved on only gradually from what they know, taking to online sports betting and more recently online poker. BetCRIS, serving U.S. customers from Costa Rica, has been controlled by No. 1 American bookie Ron Sacco, who the FBI says worked with the Gambinos. And even London Stock Exchange-traded PartyPoker, for years the biggest card site, grew to dominance with the help of a key player in Martino's scams who avoided prosecution.

PartyPoker founder Ruth Parasol, another veteran of sketchy 1-900 and Web sex outfits, recommended her friend for the job, I've reported elsewhere.

So bettors shouldn't be stunned if they fall prey to cheating on online sites, or are unknowingly matched up against robots, or simply find that the site they put deposits in has disappeared. All of those things have already happened, and they will keep happening at least until online gambling is legalized and regulated. Because that no longer appears to be in the offing, our mobsters should continue to prosper. Now they just need to reinvest, diversify and pursue win-win partnering opportunities. Let's get those business-school applications in, people.

U.S. record on cybercrime weak, lacks vodka

Joseph Menn — Thu, 28 Oct 2010 12:54:57 +0000

My post on real evil by a Russian mob got me called a CIA propagandist, which is kind of a stretch, given my previous reporting and attempted reporting on U.S. intelligence. Still, that gives me an opportunity to fault the spotty efforts by my home country to put a significant brake on cybercrime, which in my view is one of the gravest threats we're facing.

Among the greatest U.S. government screw-ups are the failures to invest sufficiently in developing a more secure Internet protocol, to call out other governments who are harboring the worst of the worst, and to warn the public that nothing they do online is secure. I could go on at length, but I have elsewhere.

Instead, let's talk about the arrogance of U.S. law enforcement abroad and about Viggo Mortensen naked. In the movie "Eastern Promises," which features Viggo Mortensen nude [Hey, when your book comes out in paperback, I'll be happy to discuss SEO ethics], there's a bit after he has been initiated into the most central Russian gang with a tattoo. "I am through the door," he tells an associate.

Ordinary business in Russia doesn't require that kind of rite. What it does require is prodigious vodka-drinking. There's an historic reason for this: In the old days, the man in your circle who wasn't drinking was probably an informant. U.K. detective Andy Crocker, one of the two main heroes in Fatal System Error, learned that lesson during the unprecedented three years he spent chasing, arresting and convicting three members of a Russian cyber gang. He bonded with an MVD colonel who would be his key partner after passing out in the colonel's office during an afternoon celebration, discovering later that the colonel's wife had passed out on top of him. When I was reporting in Moscow with Crocker and my other big hero, California security whiz Barrett Lyon [that's us in the picture], I too had to drink beyond reason to earn the trust of Russian officers. Only then was I through the door.

While there, I also went to interview the FBI's legal attache, the man the U.S. goes through when it wants help from the MVD. Nice guy, hardworking guy, sincere guy. But for religious reasons, he doesn't drink a drop. All power to him and his god, but it seems to me the FBI also needs good men in places like Saudi Arabia, where abstinence doesn't hurt the cause.

Given my work on this stuff over the years, I can give a more sophisticated analysis of why U.S. law enforcement leadership hasn't handled cybercrime abroad right, despite talented agents. But the images I see are my vodka shots with Andy and the MVD and my chat with the ramrod-straight but misplaced man from the FBI.

Good news, of a kind, from a dark world

Joseph Menn — Tue, 26 Oct 2010 06:52:12 +0000

As a fan of BoingBoing dating from a decade ago, when it was delivered on horseback, I wanted to share something positive with fellow readers in my first guest post. Unfortunately, the thing I've been most passionate about in my reporting and writing since 1999--cybercrime and tech security--doesn't lend itself to much that's happy. What I'm offering today is a compromise. It was good news to me personally, and it will be good news to those of you who have my read my book, Fatal System Error. For the rest of you, it won't be pleasant, and I'm sorry about that.

On Friday, I got a Skype message from a longtime source of mine: "My friend got his daughter back." We spoke on Sunday, and I will tell you what I can from that talk. To begin with, though, my source uses the fake name Jart Armin of HostExploit.

Like the people who work at Spamhaus, Jart is one of those people dedicated to tracking the worst cyber gangs who works in anonymity in order to protect himself. I don't like quoting people I can't name, but I did so in the book with Jart because he has done important research and because he is entirely right to be afraid of the people he has been tracking.

To explain that in the book, I briefly told the story of a colleague of Jart's who was investigating mob activity in St. Petersburg, Russia. The colleague made the mistake of working with the local police. Before he finished his assignment, the man's teenage daughter was kidnapped from her Western country, and the investigator got a message that if he dropped the case, the rest of his children might be okay.

That was five years ago. I had to leave the story hanging in the book because there had been no closure. A couple of weeks ago, the man got a new message. His daughter was in Kazakhstan, and he could have her back as long as he agreed not to look into certain of the gang's activities. One factor in the change of heart was the additional attention that Fatal System Error brought to the mob. The family has been reunited, though the young woman is not the same as she was. She was fed drugs and used to service men. A grim story, but at least it has an ending now, and I wanted to update those who knew the first part.

There are many reasons why cybercrime is as bad as it is, and getting much worse. One of them is lack of awareness of how dangerous and well-connected the gangs are. The most serious identity thieves and fraudsters are not isolated teenage script kiddies. They are mobsters who kill people, and worse, though those stories are seldom told. Folks need to know just how bad they are, every bit as much as they need to know the stories of the heroes who are risking their lives to stop them.