Hired-gun hack­ing played key role in breaches

Kuwait Times - - TECHNOLOGY -

NEW YORK/SAN FRANCISCO: When US pros­e­cu­tors this week charged two Is­raelis and an Amer­i­can fugi­tive with rak­ing in hun­dreds of mil­lions of dol­lars in one of the largest and most com­plex cases of cy­ber fraud ever ex­posed, they also pro­vided an un­usual look into the bur­geon­ing in­dus­try of crim­i­nal hack­ers for hire. The trio, who are ac­cused of or­ches­trat­ing mas­sive com­puter breaches at JPMor­gan Chase & Co and other fi­nan­cial firms, as well as a se­ries of other ma­jor of­fences, did lit­tle if any hack­ing them­selves, the fed­eral in­dict­ments and a pre­vi­ous civil case brought by the US Se­cu­ri­ties and Ex­change Com­mis­sion in­di­cate.

Rather, they con­structed a crim­i­nal con­glom­er­ate with ac­tiv­i­ties rang­ing from pump-and-dump stock fraud to In­ter­net casino break-ins and un­li­censed Bit­coin trad­ing. And just like many le­git­i­mate cor­po­ra­tions, they out­sourced much of their tech­nol­ogy needs. “They clearly had to re­cruit co­con­spir­a­tors and have that type of hacker-for-hire,” said Austin Ber­glas, for­mer as­sis­tant spe­cial agent in charge of the FBI’s New York cy­ber di­vi­sion, who worked the JPMor­gan case be­fore he left the agency in May. “This is the first case where it’s that clear of a con­nec­tion.”

Ber­glas, who now heads cy­ber in­ves­ti­ga­tions for pri­vate firm K2 In­tel­li­gence, said ad­di­tional ma­jor cases of free­lance hack­ing will come to light, es­pe­cially as more peo­ple be­come fa­mil­iar with on­line tools such as Tor that seek to con­ceal a user’s iden­tity and lo­ca­tion.

Rented Time

This week’s in­dict­ments ac­cused a hacker re­ferred to as “co-con­spir­a­tor 1” of in­stalling ma­li­cious soft­ware on the servers of mul­ti­ple vic­tims at the di­rec­tion of Gery Shalon, the al­leged mas­ter­mind of the scheme now un­der ar­rest in Is­rael. A sec­ond in­dict­ment charges a man re­ferred to as John Doe, be­lieved to be in Rus­sia, for an at­tack on on­line trad­ing firm E-Trade. Of­fi­cials have not said if the co-con­spir­a­tor and John Doe were the same per­son, or even if the FBI knows their true iden­ti­ties.

Law en­force­ment and com­puter se­cu­rity of­fi­cials say that out­sourced cy­ber-crime ser­vices - in­clud­ing rented time on net­works of pre­vi­ously com­pro­mised per­sonal com­put­ers and cus­tom break-ins - are most read­ily found on un­der­ground Rus­sian-lan­guage com­puter fo­rums, where skilled at­tack­ers ad­ver­tise their ser­vices. The fo­rums are tight-knit com­mu­ni­ties where new­bies must be vouched for by mul­ti­ple known mem­bers and pay mem­ber­ship fees that cost thou­sands of dol­lars, said Daniel Cohen, who over­sees an un­der­cover team at EMC Corp’s RSA Se­cu­rity that mon­i­tors the fo­rums.

“You can find any­thing you want for an op­er­a­tion. Hack­ers, servers, soft­ware, code writ­ing. They are all avail­able,” said Cohen. In­di­vid­u­als hide their iden­ti­ties even from each other, making in­fil­tra­tion and ar­rests rare. In this case, the rin­glead­ers are ac­cused of hir­ing hack­ers to steal con­tact in­for­ma­tion and other data that they then used to help con­vince or­di­nary in­vestors to buy lit­tle-reg­u­lated stocks. Pros­e­cu­tors have not dis­closed how the hack­ers were com­pen­sated.

Fees vary greatly in the cy­ber un­der­ground, de­pend­ing on the com­plex­ity of the as­sign­ment and sup­ply of tal­ent avail­able to do a par­tic­u­lar job. Elite hack­ers who pull off the most tech­ni­cally chal­leng­ing at­tacks might get a per­cent­age of prof­its, while oth­ers might earn an hourly rate or get paid a few thou­sand dol­lars for win­ning ac­cess to a tar­get’s net­work, re­searchers said.

Pump-and-Dump

All three of those ac­cused this week - Shalon, Joshua Sa­muel Aaron, who is at large, and Ziv Orenstein, who is also in jail in Is­rael - be­gan pro­mot­ing penny stocks be­fore the hacks took place, ac­cord­ing to US gov­ern­ment claims. They used web­sites in­clud­ing Pen­ny­s­tock­dis­cov­er­ies.com and Stock­cas­tle.com to send emails as part of a scheme in which they in­vested in penny stocks, spread false in­for­ma­tion to boost their prices, and then sold them to make wind­fall prof­its, ac­cord­ing to an SEC suit filed in July. Orenstein’s lawyer de­clined to com­ment, and Shalon’s lawyer did not re­turn mes­sages seek­ing com­ment. In one case in early 2012, the SEC claims that they used the web­site Stock­cas­tle.com to pro­mote shares in Mus­tang Al­liances Inc, reap­ing $2.2 mil­lion, the largest pump-and-dump cited in the reg­u­la­tor’s law­suit. In March of that year, the Bri­tish Vir­gin Is­lands Fi­nan­cial Ser­vices Com­mis­sion is­sued an alert warn­ing that two en­ti­ties tied to Stock­cas­tle were falsely claim­ing to be reg­is­tered in the ter­ri­tory.

That same year, the en­ter­prise be­gan a mas­sive hack­ing spree to get con­tact in­for­ma­tion for in­vestors who might be good tar­gets, ac­cord­ing to pros­e­cu­tors. By the end of 2013 they had or­dered up six hacks that pro­vided data on tens of mil­lions of cus­tomers, pros­e­cu­tors said. They hit the mother lode in 2014 when they at­tacked three other firms, and stole data on 83 mil­lion cus­tomers from JP Mor­gan alone, pros­e­cu­tors said. In ad­di­tion to JP Mor­gan and E*Trade, the firms at­tacked in­cluded the mu­tual fund gi­ant Fidelity In­vest­ments, Scot­trade, TD Amer­i­trade Hold­ing Corp and News Corp’s Dow Jones unit, the pub­lisher of the Wall Street Jour­nal, ac­cord­ing to court doc­u­ments and peo­ple fa­mil­iar with the cases.

“To do a ‘pump-and-dump’ op­er­a­tion, you no longer need 30 peo­ple be­hind phones in a strip mall,” said Shane Shook, a se­cu­rity con­sul­tant spe­cial­iz­ing in in­ves­ti­gat­ing fi­nan­cial breaches. All you need is to find a hacker on a “Dark Web” fo­rum to pro­vide ad­dresses from cus­tomers of fi­nan­cial ser­vices firms like Fidelity or JPMor­gan, then hire a spam ser­vice to push out pro­mo­tional emails, he said.

Shalon bragged about the stock ma­nip­u­la­tion scheme, telling the hacker known as co-con­spir­a­tor 1 in a web chat mes­sage that it was “a small step to­wards a large em­pire,” ac­cord­ing to the in­dict­ment.

His plan, Shalon told the hacker, was to dis­trib­ute “mail­ers” on stocks to those cus­tomers. The hacker asked if buy­ing stocks was pop­u­lar in Amer­ica, the in­dict­ment said, prompt­ing Shalon to re­ply: “It’s like drink­ing freak­ing vodka in Rus­sia.” Shalon ul­ti­mately made good on his prom­ise to build an em­pire, ac­cord­ing to the in­dict­ments. Prof­its from the pump-and-dump fed into a sprawl­ing con­glom­er­ate in­clud­ing off­shore In­ter­net casi­nos and pay­ment-pro­cess­ing ser­vices for other crim­i­nal op­er­a­tors, such as coun­ter­feit phar­ma­ceu­ti­cal makers. Shalon also al­legedly di­rected hack­ers to at­tack ri­val casi­nos, steal­ing cus­tomer data and tem­po­rar­ily bring­ing down their web­sites with de­nial-of-ser­vice at­tacks, which are eas­ily com­mis­sioned on­line.

But­ter­fly and Hid­den Lynx

While this week’s in­dict­ments opened the first ma­jor crim­i­nal case in­volv­ing out­sourced hack­ing, there have been other sub­stan­tial break-ins that re­searchers be­lieve were con­tract jobs. Re­searchers at Sy­man­tec in July at­trib­uted a se­ries of pre­ci­sion breaches at Ap­ple, Face­book, Mi­crosoft and Twit­ter in 2012 and 2013 to a so­phis­ti­cated gang called But­ter­fly, which also at­tacked law firms and phar­ma­ceu­ti­cal com­pa­nies.

Com­puter se­cu­rity firm Sy­man­tec con­cluded that the group likely works for hire, ei­ther for a client look­ing for fi­nan­cial gain in the stock mar­ket or for com­peti­tors. How But­ter­fly gets hired re­mains un­clear. Tech crim­i­nol­o­gist Marc Good­man, au­thor of the book “Fu­ture Crimes”, says an­other group, dubbed Hid­den Lynx by Sy­man­tec, may con­sist of con­trac­tors moon­light­ing from jobs with the Chi­nese mil­i­tary. “It’s crime as a ser­vice,” “Good­man said. “They take all the pain out of it.” — Reuters

Newspapers in English

Newspapers from Kuwait

© PressReader. All rights reserved.