WASHINGTON, D.C. -- In the corrupt and clandestine world of cybercrime, the most valued commodity is anonymity...
Criminals, such as those in the lurid Shadowcrew underground network responsible for stealing at least 1.7 million credit card numbers, take great pains to hide their IP addresses, ensuring they can't be identified, can't be traced and, most importantly, can't be found.
But even criminals who spend virtually their entire lives online can't hide forever, and that's how the U.S. Department of Justice, the Secret Service and local and international authorities were able to identify and apprehend nearly 30 alleged "carders" as a result of "Operation Firewall."
During a rare and candid presentation at the recent CSI Computer Security Conference, Kimberly Kiefer Peretti, CISSP and trial attorney in the DoJ's computer crime and intellectual property division, explained how an ongoing 18-month investigation led to the arrests, and proved just how difficult it is to hunt down a new generation of thieves.
That's because of one common misconception: that organized crime on the Internet manifests itself just like traditional mafia. In reality, Peretti said, it's virtually impossible to find any true "crime families" in cyberspace.
"It is different from traditional mafia in the organizational sense, but you'll see some similarities in the way it is run," Peretti said. "We'd have someone we'd track for three months, and then all of the sudden he would retire and we'd never see him again."
In fact, the word "organized" may be a misnomer. Peretti said Shadowcrew members were typically young males in their late teens or early 20s. What makes these investigations a challenges, she said, is tracking such a fluid group of individuals to determine who its group's core members are.
And while Shadowcrew's trademark was the theft and resale of stolen credit card numbers, by no means was that the full extent of its capabilities.
"Cybercriminals aren't just involved in one type of illegal action," Peretti said. "We don't have separate hacking groups, phishing groups, botnet groups or credit card groups. They're all involved in a number of these kinds of activities."
The investigation started when the agencies began monitoring the users of several credit card theft sites, such as cvv.ru, virgindumps.com and shadowcrew.com. Each operated as online marketplaces for the buying, selling and trading of stolen credit information.
The sites, whose members numbered in the thousands, also educated users in online money-laundering, database infiltration and ID theft. Some would even offer complete "wallets," a matching set of credit cards, state drivers' licenses, passports, birth certificates, health care cards and other placards enabling a thief to go to a brick-and-mortal store and "prove" his fake identity.
To ensure quality, certain members of the group offered a "peer review" program, conducting extensive analysis on fraudulent cards and documents before they were endorsed by the organization. "That way," Peretti said, "only those with a superior product can vend it on the site."
The members conspired to steal credit card data from stores, Web sites and individuals through a wide array of nefarious tactics, including phishing and fake Web sites. Peretti said one site she encountered asked visitors to submit their credit card numbers to confirm that they hadn't been stolen.
"When you entered your card number and hit submit, you'd get a message back saying, 'Well, it's stolen now!'" she said. "It was really bad."
Since the Shadowcrew fraudsters identified themselves solely through handles or screennames, investigators patiently created online identities of their own and earned the group's trust. Despite usually hiding their IP addresses, the members would occasionally make a mistake and log on without cloaking themselves, providing investigators with the breaks they needed. Peretti said the Secret Service also used federal wiretap warrants to obtain IP addresses from ISPs.
Eventually, they managed to identify one of the Shadowcrew's top site administrators, arresting him in secret. With surprisingly little coercion, Peretti said, the admin gave investigators access to the site, allowing them to get the goods on the entire network.
"In the end," Peretti said, "we were running the site, so we were collecting all the data on who was buying and who was selling for a good six months."
In total, 100 PCs were seized and 28 people arrested, 21 scattered across the U.S. and seven others in Europe and Russia. Peretti said the individuals are likely responsible for at least $5 million in fraud, with some facing up to 3-5 years on credit card, identification and Internet fraud charges. This week six of the suspects pleaded guilty to conspiracy to commit fraud, and will be sentenced early next year.
But more importantly, she said, Operation Firewall has served as a huge deterrent because investigators obliterated Shadowcrew's trusted network of thieves.
"Everyone else pulled back," Peretti said, "because we arrested and worked with someone who was a top-level member of this organization. So now they're much more untrusting."
And even more busts may be in the works. Peretti said that in addition to her Washington-based group, there are now one or two attorneys focusing on cybercrime in each of the DoJ's more than three dozen local offices throughout the nation.
"The message we want to send to the online criminals out there was 'you guys aren't invincible,'" Peretti said.