Black Code: Inside the Battle for Cyberspace
Author: Ronald J. Deibert
Shortly thereafter would come the enticing link with the naked video, the prompts to download viruses disguised as antivirus tools, and the emergency pop-up screens. A globally distributed, malicious organism feeding continuously off of our digital habits.
It was an ingenious scheme, and to keep track of revenues the Koobface group sent themselves text messages to their mobile phones summing up their daily spoils. As with other aspects of the operation, the organization here was meticulous. Intricate ledgers on every payment made and income received were kept. During the window we had on their system, a glimpse that lasted just less than a year, this part of the Koobface operation netted over $2 million. No doubt there were other revenue streams invisible to us.
We soon discovered that we were not the only ones to have access to Koobface’s inner workings. Others, most notably the German cyber security researcher Jan Droemer, were on the same path. Droemer contacted us and we shared information and methods. While we were mostly interested in the morphology of Koobface, Droemer was more interested in “whodunnit.” He had combined the same pieces of evidence – basically a broad sweep of open-source information: the website registration, forum postings made with nicknames associated with members of the group, coincidental findings of names, addresses, and phone numbers that both of us were able to cross-reference. In one spectacular piece of gumshoe work, Droemer discovered that photographs stored on the Koobface command-and-control machines contained metadata that pinpointed the geographic location of the gang right down to its St. Petersburg, Russia, headquarters. There, five Russian men between the ages of twenty and forty-five, decked out in Nike running shoes and polyester athletic gear and surrounded by iPhones and PowerBooks, led a casual work life straight out of a Silicon Valley startup. The Koobface “gang” turned out to be a group of guys in track pants living a very comfortable life in distant Russia, driving BMWs, and playing World of Warcraft while reaping millions of dollars a year.
• • •
As we prepared our report for publication, we debated whether and how to proceed with notification to proper authorities. Clearly a major global criminal operation was unfolding in real time before our eyes, but whom should we notify? Ever since Tracking GhostNet and Shadows in the Cloud were published, there were grumblings in Ottawa, questions about our methods and intentions. For our part, the internal operations of law enforcement agencies in Ottawa were a bit of a mystery. With the GhostNet investigation, for example, we turned over data to Public Safety Canada’s Cyber Incident Response Centre in the hope that they would help notify victims. We never heard back from them. The Koobface investigation presented an opportunity for us to engage with Canadian law enforcement agencies once again, and hopefully assuage their concerns about the Citizen Lab. We also wanted to learn more about how law enforcement would deal with the evidence we had in hand.
We invited members of the RCMP’s Integrated Technological Crime Unit to the University of Toronto and briefed them fully, turning over copies of the Koobface backups and walking them through the research we had done. The officers were grateful for the information, but seemed demoralized and fatalistic, intimating on several occasions that it was pointless for them even to begin an investigation. (One officer warned us against outing the group. “These might be the type of people who’ll firebomb the Munk School,” he said.) They argued that without a Canadian victim of real consequence not much could be done, and that the mechanisms put in place by Koobface to generate revenue were so subtle that it was extremely difficult to identify who the victims were. Although Koobface netted millions a year, the earnings were derived from hundreds of thousands of micro-transactions, a fraction of a penny each, spread across dozens of countries. Furthermore, without an identifiable complainant it is almost impossible for a police force to justify the resources to investigate a case like Koobface. Police officers ask, “What’s the crime?” Prosecutors ask, “Who am I supposed to prosecute?” Koobface, it appeared, would fall through the cracks.
Cyber-crime networks, especially international ones, succeed by hiding locally while leveraging the global infrastructure of a free and open Internet.
Electrons may move at the speed of light, but legal systems crawl at the speed of bureaucratic institutions, particularly across international borders. We told the RCMP that several of the major command-and-control computers used by Koobface were rented out on servers in Britain and Sweden, and that the perpetrators might be out of reach in St. Petersburg but these surely could be seized. “For us to get permission just to talk to a counterpart in the United Kingdom or Sweden could take months,” we were told, the sense of resignation obvious.
The RCMP officers told us they would explore the case further, but left us with the distinct impression that what they would actually do (or not do) was none of our business. “We’ll take it from here,” was all they said. While they did not ask us to withhold publication, knowing that doing so would be inappropriate, they did suggest that our report might prejudice their investigation. We told them that we had an obligation to publish and gave them a realistic time frame in which we would do so. Our report, Koobface: Inside a Crimeware Network, went live in the fall of 2010.
The outreach with the RCMP was one track we followed, but we also worked with the broader security community to notify the hosting companies and ISPs that serviced the roughly 500,000 fraudulent Google Blogger and Gmail accounts and the tens of thousands of Facebook pages upon which Koobface had built its malignant enterprise. Doing so gave us a window onto a different kind of cyber-crime enforcement performed by private sector companies taking matters into their own hands. Many were increasingly frustrated with the slow pace and awkward political constraints around official cyber-crime responses and had begun to find ways to dismantle or degrade criminal networks and botnets on their own.
Specialists working for Facebook, Jan Droemer and other security researchers (notably Dirk Kollberg of the company SophosLabs and independent security consultant Dancho Danchev) continued their pursuit of Koobface for more than a year, culminating in a dramatic January 2012 outing of the perpetrators first by Danchev, then Facebook, and finally Droemer and Kollberg in a detailed report published by SophosLabs that revealed reams of personally identifiable information about the group. The public exposure and the release of the Sophos report led to immediate action by Koobface: its command-and-control servers stopped responding, and the gang started removing traces of themselves from the Net. The antivirus company F-Secure called it a “name and shame approach” – one that was widely criticized by some in the industry for hampering an ongoing criminal investigation and jeopardizing the collection of evidence.
With their identities revealed, and their infrastructure brought to its knees, Koobface will not be able to operate with the same carefree impunity it once did, but it is unlikely its creators will ever be prosecuted. Russia lacks extradition treaties with the U.S. and other Western countries, and the arrest and prosecution of the group is not likely there. Recent history suggests that Russian cyber criminals have little to fear as long as they stay close to home. (Responding to the Koobface incident, Russia’s anticyber-crime unit, the interior ministry’s K Directorate, told Reuters that it did not investigate the matter because it had not been asked to: “An official request needs to be filed to the K Directorate first, and when it’s filed, we will certainly investigate and work on it.” Officials at Facebook told the same Reuters reporters that they had passed along information to the interior ministry before deciding on their more radical naming and shaming approach.) In February 2011, in another case, a Russian criminal, Yevgeny Anikin, received only a suspended sentence after being arrested for what American authorities called “perhaps the most sophisticated and organized computer fraud attack ever conducted,” a hack of the Royal Bank of Scotland and a $9 million windfall for Anikin.
• • •
Ever since the Internet emerged from the world of academia into the world of the rest of us, its growth trajectory has been shadowed by a grey economy that thrives on opportunities for enrichment made possible by an open, globally connected infrastructure. In the early years, cyber crime was clumsy, consisting largely of extortion rackets that conducted network attacks against online casinos or pornography sites to extract funds from frustrated owners. Koobface is part of what author Misha Glenny calls the “industrialization of crime on the web.”
In the early days, cyber crime was primarily a loner’s calling, an annoying but affordable by-product of an open Internet. Today, the loners find each other, network together, and professionalize their activities. Underground forums have emerged in the dark recesses of the Internet where specialized tools and techniques are now bought, sold, and traded. Malicious software packages – known as “0days” or “zero days,” because antivirus companies have no known protections against them – are now as readily available as songs on iTunes. “Botnet herders” – individuals who control tens of thousands of compromised computers – market their wares in underground auctions. Stolen credit cards and email addresses are sold, bought, and traded like candy. (Rik Ferguson, of the Internet security firm Trend Micro, provides a detailed list of illicit products and services sold. To name a few: hiring a DDOS attack, $30–$70 a day; hacking a Facebook or Twitter account, $130; hacking a Gmail account, $162; scans of legitimate passports, $5 each.) Around the globe, botnets can be rented cheap online from public websites for weeks, days, even hours. Some advertise 24/7 technical support. Cyber crime has indeed become a global menace, a multinational business that shows no signs of letting up, a former cottage industry gone viral and into a global marketplace.
Whereas ten years ago a cyber criminal needed the equivalent of an advanced graduate degree in engineering, today a teenager could set up something like Koobface.
In Brazil, there is an academy that openly advertises courses on computer crime: “This course is intended for everybody making online transactions. You will learn how crackers take control of corporate or home computers … how ‘auto-infect’ works, how to use sources [trojans], how to manipulate the security plug-ins installed on browsers such as Internet Explorer, Firefox, Chrome, Avant, Opera, and antivirus and firewalls. How spamming helps catch new victims, what ‘loaders’ do and how crackers use them … how crackers can own e-commerce websites that store credit card numbers and what they do with this data. You’ll learn about the laws in Brazil and what the sentence is if you’re caught.”
The course costs $75 and includes a special bonus: 60 million email addresses with which to begin experimenting. (Brazenly, the academy lists its office address, and phone and fax numbers on a public website with an accompanying Google map location.) But then again one needn’t go to cyber-crime school, or pay any kind of fee at all. One freely downloadable program provides a simple click-as-you-go interface to create “phishing” websites that simulate legitimate banking, shopping, and webmail interfaces, but which are actually designed to extract credit card numbers, email addresses, and passwords from unsuspecting victims. Just follow the step-by-step screen instructions guiding you through how to create a mock site, load it online, and then send links out to potential victims.
Cyber crime thrives not just by its ingenuity, but also by social media opportunities. Koobface succeeded by mimicking normal social networking behaviour. It leveraged our readiness to extend trust with our eagerness to click on links in a world that has become intensely interactive. The age of mass Internet access is less than twenty years old, and social networking, cloud computing, and mobile connectivity are, for most people, innovations only of the last few years. We have embraced these new technologies at such a pace that regulatory agencies have been left in the dust, and we have overlooked extraordinary user vulnerabilities. Today, data is transferred from laptops to USB sticks, and over wireless networks at cafés, and stored across cloud computing systems whose servers are located in far-off jurisdictions. We produce massive amounts of personal data as we navigate this new ecosystem and click on website addresses and documents like lab mice clicking on pellet dispensers. It is this conditioned tendency, combined with the sheer volume of data we generate, that Koobface and others capitalize on with precision. Every new piece of software, social networking site, cloud computing system, or web-hosting service represents an opportunity for the predatory cyber criminal to subvert and exploit.
• • •
Cyber crime has become one of the world’s largest growth businesses. (Estimates vary, and the self-interest of threat inflation cannot be ignored, but the National Security Agency’s General Keith Alexander has estimated that American companies lose around $250 billion from IP theft, and that internationally cyber crime causes $114 billion in losses. The computer security company McAfee states the number is closer to $1 trillion. Whatever it is, one thing is clear: it’s large.) This growth is being fuelled by the demographic changes affecting the entire Internet. Russian, Chinese, and Israeli gangs are now joined by upstarts from Brazil, Thailand, and Nigeria. Executing a digital break-in of a computer in Manhattan can be done from the slums of Panama City.
Western observers of technology tend to have a biased view of what constitutes digital innovation. We think of ingenuity in ways that conform to our concepts of what is right and moral: liberation, freedom, commercial entrepreneurialism for the common good. We think about our kids creating avatars for their online games, or a new iPhone app that shows us the location of the nearest laundromat. But ingenuity in cyberspace is as bountiful and unpredictable as the individuals who go online, and for the newly connected digital natives of the global South and East operating an email scam or writing code for botnets, viruses, and malware represents an opportunity for economic advancement, a relatively safe route around structural economic inequality and mass unemployment, an avenue for tapping into global supply chains and breaking out of local poverty and political inequality. Sitting in front of a glowing monitor thousands of miles from their victims, essentially immune from the law in St. Petersburg or Rio de Janeiro, scamming online must feel more like a virtual crime, with very tangible monetary rewards.