Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground (21 page)

Johnson’s handlers in Columbia already suspected their asset of leaking his informant status after the drama on Carders Market. Now they had reason to believe he’d tipped off the target of an impending raid. They brought in a polygraph examiner and strapped Johnson to the box.

The needles were steady as Johnson answered the first two questions: Did he contact the target? Did he have anyone else contact the target? No and no. The final question was broader: Did Johnson have any unauthorized contact with anyone? “No,” he said again, his galvanic skin response skittering up the chart.

Despite the agents’ admonishments, Johnson had secretly continued his talks with the
New York Times
reporter, he admitted, and he was very serious about getting a book deal. The feds interrogated him until two
in the morning, then had him sign a form consenting to a search of his agency-funded apartment.

Tossing the apartment was like an Easter egg hunt. The agents found a stored value card in a shoe in the bedroom closet. A memo book containing account numbers, PINs, and identity information was in a toiletry kit in the bathroom. A sock stuffed in a pair of men’s pants in the closet contained sixty-three ATM cards. A Rubbermaid bowl at the bottom of the laundry bin was keeping fresh nearly two thousand dollars in cash. Finally, there were loaded Kinko’s payment cards; Johnson had been buying computer time at the local copy shop.

He’d been leading a triple life almost from the start of his service to the agency, posing as a crook at the Columbia field office and pulling his own very real capers in his off hours.

Johnson’s specialty was the same scam the Los Angeles target had been carrying out. He’d mine victims’ Social Security numbers from online databases, including California’s Death Index of recently departed Golden State residents, then file bogus tax returns on their behalf, directing the refunds into prepaid debit cards that could be used for ATM withdrawals. He’d pulled in more than $130,000 in tax refunds under forty-one names, all under the nose of the Secret Service.

The agents phoned up Johnson’s bail bondsman and persuaded him to revoke the $10,000 bond that had set the fraudster free. Then they put Johnson back in the county jail. After three days, Johnson’s handler showed up with a senior agent, who was not happy with the informant. “Before we begin, Brett, I just want to say that you are either going to tell us everything that you have done the past six years, or I’m going to make it my mission in life to fuck over you and your family,” the supervisor growled. “And I’m not just talking about these current charges. Once you get out,
I will hound you for the rest of your life.”

Johnson refused to cooperate, and the agents stormed out. The U.S. Attorney’s Office started working on a federal indictment. But the swindler
had one more trick up his sleeve. Two weeks later he managed to get his bond reinstated, bailed from the detention center, and promptly vanished.

Anglerphish was a debacle. After 1,500 hours of work, the government was left with a fugitive informant and tens of thousands of dollars in new fraud. There was only one silver lining: that first batch of twenty-nine platinum dumps Johnson had bought in May for $600.

The Secret Service had tracked some of the cards to a pizza parlor in Vancouver—a dead end. But the corporate Bank of America account the seller used to accept his payment belonged to one John Giannone, a twenty-one-year-old living in Rockville Centre on Long Island.

ea, these girls are white trash. Don’t be friends with them,” said Chris. “Their minds are different.”

They were at Naan and Curry, a twenty-four-hour Indian and Pakistani restaurant in San Francisco’s theater district. It had been three months since Tea hooked up with Chris, and she was with him for one of his monthly trips to the Bay Area, where’d he’d meet his mysterious hacker friend “Sam” just before dawn. They were only four blocks from Max’s safe house now, but Tea wouldn’t be introduced to the hacker on this trip or any other. Nobody met Sam in person.

She was fascinated by how it all worked: the cashless nature of the crime, the way Chris organized his crew. He’d told her everything, once he thought she was ready, but never asked her to hit the stores with the others. She was special. He didn’t even like her hanging out with his cashing crew, for fear that they’d somehow taint her personality.

Tea was also the only employee not being paid. After she’d protested the $40 Chris left on the nightstand, Chris concluded that Tea didn’t want any money from him at all, despite the long hours she was spending on Carders Market and the Russian crime boards. Chris was taking care of the rent on the Tea House, buying her clothes, and paying for her travel—but she found it a strange existence, living online, traveling on confirmation numbers instead of plane tickets. She’d become a ghost, her body in
Orange County, her mind more often projecting into Ukraine and Russia, befriending organized cybercrime chieftains in her role as Iceman’s emissary from the carding world of the West.

Iceman, she’d decided, was pretty cool. He was always respectful and friendly. When Chris and his partner got into one of their fights, each man would whine and gossip about the other to Tea over ICQ, like children. At one point, Iceman sent her a bunch of dumps and suggested she go into business for herself, a move that sent Chris into a petulant rage.

As Chris and Tea chatted over Indian food, a tall man with a ponytail walked in from the street and headed for the cash register in back, his eyes flickering over them, just for a moment, before he picked up a bag of takeout and left.

Chris smiled. “That was Sam.”

Back in Orange County, Chris’s counterfeiting operation was earning enough for him to send his kids to private schools, cover Tea’s apartment, and, in July, start searching for a bigger and better home for himself and his family. He went house-hunting with Giannone and found a spacious rental—a two-story house in the coastal town of Capistrano Beach at the end of a quiet cul-de-sac on a bluff rising above the sandy beach. It was a family-friendly neighborhood, basketball hoops hanging above garages and a boat parked in a neighbor’s driveway. His move-in date was July 15.

Giannone flew back out for the July 4 weekend—Chris’s last holiday at his old condo—but wound up back at the Tea House while Chris spent time with his family. It happened all the time; Giannone would fly into John Wayne Airport, expecting a weekend of clubbing with Chris, and instead would end up holed up with one of the crew or be tasked with babysitting Chris’s boys at his house. Tea was tolerable, different from the cheap party girls cashing out Chris’s cards, but time at the Dana Point apartment dragged.

He phoned Chris and complained that he was bored. “Come to the house,” Chris said. They were at the pool. “The wife’s here with the kids.”

Giannone invited Tea, who’d never seen Chris’s condo complex just four miles away. When they arrived, Chris, Clara, and the two boys were splashing around in the pool, enjoying the sun. Giannone and Tea said hello and made themselves at home on some deck chairs.

Chris looked stunned. “I see you brought your friend,” he said to Giannone testily.

Clara knew Giannone, the babysitter, but had never met Tea. She looked at the stranger, then at Giannone, then back at the Mongolian, awareness and anger creeping over her face.

Giannone realized he’d made a blunder. The two women looked uncannily alike. Tea was a younger version of Chris’s wife, and at a glance, Clara knew her husband was sleeping with this woman.

Chris pulled himself out of the pool and walked around to where they were sitting, his face neutral. He squatted down in front of Giannone, his hair dripping water onto the concrete. “What are you doing?” he said in a low voice. “
Get out of here.”

They left. And for the first time since she joined up with Chris Aragon and his gang, Tea felt dirty.

Chris wasn’t angry—he got a guilty, alpha-male pleasure out of seeing Tea and Clara in the same place. But Tea’s crush was becoming a problem. He had genuine affection for her and her quirky ways, but she was becoming an unwanted complication.

There was an ideal solution at his disposal. He bought her a plane ticket to visit her home country for an extended vacation, literally banishing his overardent paramour to Outer Mongolia.

With Chris distracted by his tangled love life, Carders Market was consuming more of Max’s time, and he still had his business as “Digits” to run. He was working in the food service industry now, and it was paying off big.

It had started in June 2006, when a serious security hole emerged in the software RealVNC, for “virtual network console”—a remote-control program used to administer Windows machines over the Internet.

The bug was in the brief handshake sequence that opens every new session between a VNC client and the RealVNC server. A crucial part of the handshake comes when the server and client negotiate the type of security to apply to the session. It’s a two-step process: First, the RealVNC server sends the client a shorthand list of the security protocols the server is configured to support. The list is just an array of numbers: [2,5], for example, means the server supports VNC’s type 2 security, a relatively simple password authentication scheme, and type 5, a fully encrypted connection.

In the second step, the client tells the server which of the offered security protocols it wants to use by sending back its corresponding number, like ordering Chinese food off a menu.

The problem was, RealVNC didn’t check the response from the client to see if it was on the menu in the first place. The client could send back any security type, even one the server hadn’t offered, and the server unquestioningly accepted it. That included type 1, which is almost never offered, because type 1 is no security at all—it allows you to log in to RealVNC with no password.

It was a simple matter to modify a VNC client to always send back type 1, turning it into a skeleton key. An intruder like Max could point his hacked software at any box running the buggy RealVNC software and instantly enjoy unfettered access to the machine.

Max started scanning for vulnerable RealVNC installations as soon as he learned of this gaping hole. He watched, stunned, as the results scrolled down his screen, thousands of them: computers at homes and college dorms; machines in Western Union offices, banks, and hotel lobbies. He logged in to some at random; in one, he found himself looking at the feeds from closed-circuit video surveillance cameras in an office-building lobby. Another was a computer at a Midwest police department, where he could
listen in on 911 calls. A third put him in a home owner’s climate control system; he raised the temperature ten degrees and moved on.

A tiny fraction of the systems were more interesting and also familiar from his ongoing intrusion into the Pizza Schmizza: They were restaurant point-of-sale systems. They were money.

Unlike the simple dumb terminals sitting on the counters of liquor stores and neighborhood grocers, restaurant systems had become sophisticated all-in-one solutions that handled everything from order taking to seating arrangements, and they were all based on Microsoft Windows. To support the machines remotely, service vendors were installing them with commercial back doors, including VNC. With his VNC skeleton key, Max could open many of them at will.

So Max, who’d once scanned the entire U.S. military for vulnerable servers, now had his computers trolling the Internet day and night, finding and cracking pizza joints, Italian
ristorantes
, French bistros, and American-style grills; he harvested magstripe data everywhere he found it.

Under Visa-issued security standards, that shouldn’t have been possible. In 2004 the company outlawed the use of any point-of-sale system that stores magstripe data after a transaction is complete. In an effort to comply with the standards, all the major vendors produced patches that would stop their systems from retaining the swipes. But restaurants weren’t racing to install the upgrade, which in some cases was a paid extra.

Max’s scanning machinery had several moving parts. The first was aimed at finding VNC installations by performing a high-speed “port sweep”—a standard reconnaissance technique that relies on the Internet’s openness and standardization.

From the start, the network’s protocols were designed to let computers juggle a variety of different types of connections simultaneously—today that can include e-mail, Web traffic, file transfers, and hundreds of other more esoteric services. To keep it all separate, a computer initiates new connections with two pieces of information: the IP address of the destination machine, and a virtual “port” on that machine—a number from 0 to
65,535—that identifies the type of service the connection is seeking. The IP address is like a phone number, and a port is akin to a telephone extension you read off to the switchboard operator so he can send your call to the right desk.

Port numbers are standardized and published online. E-mail software knows to connect to port 25 to send a message; Web browsers connect to port 80 to retrieve a website. If a connection on the specified port is refused, it’s like an unanswered extension; the service you’re looking for isn’t available at that IP address.