Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground (22 page)

Max was interested in port 5900—the standard port for a VNC server. He set his machines sweeping through broad swaths of Internet address space, sending to each a single sixty-four-byte synchronization packet that would test whether port 5900 was open for service.

The addresses that answered his sweep streamed into a PERL script Max wrote that connected to each machine and tried to log in through the RealVNC bug. If the exploit didn’t work, the script would try some common passwords: “1234,” “vnc,” or an empty string.

If it got in, the program grabbed some preliminary information about the computer: the name of the machine and the resolution and color depth of the monitor. Max snubbed computers with low-quality displays, on the assumption that they were home PCs and not businesses. It was a high-speed operation: Max was running on five or six servers at once, each capable of zipping through a Class B network, over sixty-five thousand addresses, in a couple of seconds. His list of vulnerable VNC installations grew by about ten thousand every day.

The point-of-sale systems were needles in a massive haystack. He could spot some just from the name: “Aloha” meant the machine was likely an Aloha POS made by Atlanta-based Radiant Systems, his favorite target. “Maitre’D” was a competing product from Posera Software in Seattle. The rest of them took some guesswork. Any machine with a name like “Server,” “Admin,” or “Manager” needed a second look.

Slipping in over his VNC client, Max could see what was on the computer’s
screen as though standing right in front of it. Since he worked at night, the display on the dormant PC was usually dark, so he’d nudge his mouse to clear the screen saver. If there was anyone in the room, it might have been a little spooky: Remember that time your computer monitor flipped on for no reason, and the cursor twitched? It might have been Max Vision taking a quick look at your screen.

That manual examination was the slow part. Max recruited Tea to help out—he gave her a VNC client and started feeding her lists of vulnerable machines, along with instructions on what to look for. Soon, Max was wired into eateries throughout America. A Burger King in Texas. A sports bar in Montana. A trendy nightclub in Florida. A California grill. He moved up to Canada and found still more.

Max had gotten his start vending by stealing the dumps from a single restaurant. Now he had as many as a hundred feeding him credit card data in nearly real time. Digits would be doing a lot more business.

With so much work to be done, Dave “El Mariachi” Thomas had chosen a bad time to become a real pain in Iceman’s ass. In June, Thomas did something nearly unheard of in the insular computer underground: He took their dispute off the forums and into public, civilian cyberspace, attacking Carders Market in the comments section of
a widely read computer security blog, where he accused Iceman of being “LE”—law enforcement.

“Here is a site hosted in Ft Lauderdale Florida,” Thomas wrote. “Matter of fact, it’s hosted right out of a guy’s house. Yet, LE refuses to shutter them. Instead, this site promotes vending of PINs and numbers and PayPals and eBays and so forth, all the while LE looks on at all the players.

“LE claims they can’t do anything to a site hosted on U.S. soil. Yet, truth be told, it’s LE running the site just like they ran Shadowcrew.”

By highlighting Carders Market’s hosting arrangements, Thomas was targeting Iceman’s Achilles’ heel. The site had been purring along unmolested because Affinity didn’t notice the illicit server among its tens of
thousands of legitimate hosted sites. El was working to change that, lodging complaints with the company over and over again. The tactic was lacking in logic: If Carders Market really was under government control, the complaints would fall on deaf ears; only if it was a real crime site would Affinity kick it off. If Iceman drowns, then he’s not a witch.

A week after Thomas’s post, Affinity abruptly cut off Carders Market. The shutdown angered Max; he’d had a good thing going at ValueWeb. He searched overseas for new, legitimate hosting that would stand up to El Mariachi, approaching companies in China, Russia, India, and Singapore. It always turned out the same way—they’d demand some upfront money as the price of admission and then roll a spool of red tape in front of the door, asking for a passport and a business license or corporate papers.

“Couldn’t be because you have some STUPID FUCKING NAME called CARDERS this or CARDERS MARKET that, now could it?” Thomas wrote, taunting Iceman. “Maybe if you didn’t scream ‘CARDERS WORK HERE,’ you could get a small site going, and possibly grow to be the beast you so desperately need to be.”

It was personal now: Thomas hated Iceman, whether he was a fed or not, and the feeling had become mutual.

Max finally set up at Staminus, a California firm specializing in high-bandwidth hosting resistant to DDoS attacks. By then, Thomas was tearing into him in the comments section of
a random blog called “Life on the Road.” The blogger had quoted Thomas’s comments about Carders Market in a brief entry about the forums, unwittingly volunteering his blog as the new battlefield in the El Mariachi-versus-Iceman war.

Iceman picked up the gauntlet and posted a lengthy public rebuttal to Thomas’s indictment, accusing his foe of “hypocrisy and slander.”

The spirited defense completely ignored the detailed crime tutorials and review system on Carders Market, not to mention the secret impetus for the site: to give Max a place to sell stolen data.

Knowing his California hosting wouldn’t satisfy the underground, Max resumed his search for an arrangement overseas. The next month, he hacked himself a new server, this time in a country as far from U.S. influence as any on the Net—a nation unlikely to respond to complaints from Dave Thomas or even the American government.

“Carders Market is now hosted in IRAN,” he announced on August 11. “Registration is reopened.”

apidity is the essence of war. Take advantage of the enemy’s unreadiness, make your way by unexpected routes, and attack unguarded spots.”

Max had been reading Sun Tzu’s
The Art of War
, using the 2,600-year-old tome as his hacking manual. He sketched out his plans on a pair of whiteboards in his safe house; after some attrition and new entrants, there were five English-language carding sites that mattered in the underground, and that was four too many. He’d spent weeks infiltrating his competitors: ScandinavianCarding, the Vouched, TalkCash, and his chief rival, DarkMarket, the UK-run site that emerged a month before Carders Market and was building a powerful reputation as a ripper-free zone.

In a way, Max’s plan to muscle in on the other forums was coming from the white-hat side of his personality. The status quo was working fine for Max the criminal—he wasn’t greedy, and he was doing brisk business on Carders Market. But the post-Shadowcrew carding scene was broken, and when Max the white hat saw something broken, he couldn’t resist fixing it—just as he’d done for the Pentagon a few years earlier.

Ego played a role too. The whole carding world seemed to think Iceman was just another forum administrator, bankrupt of any skill except the ability to set up forum software. Max saw a golden opportunity to show the carders how wrong they were.

DarkMarket turned out to be an unguarded spot. A British carder called JiLsi ran the site, and he’d made the mistake of choosing the same password—“MSR206”—everywhere, including Carders Market, where Max knew everyone’s passwords. Max could just walk in and take over. The Vouched, on the other hand, was a fortress—you couldn’t even connect to the website without a privately issued digital certificate installed in your browser. Fortunately, JiLsi was also a member of that site, and he had moderator privileges there. Max found a copy of the certificate in one of JiLsi’s webmail accounts, protected by the carder’s usual password. From there, it was just a matter of logging in as JiLsi and leveraging his access to get at the database.

On TalkCash and ScandinavianCarding, Max determined that the forum software’s search function was vulnerable to an “SQL injection” attack. It wasn’t a surprising discovery. SQL injection vulnerabilities are the Web’s most persistent weakness.

SQL injection has to do with the behind-the-scenes architecture of most sophisticated websites. When you visit a website with dynamic content—news articles, blog posts, stock quotes, virtual shopping carts—the site’s software is pulling the content in raw form from a back-end database, usually running on a completely different computer than the host to which you’ve connected. The website is a facade—the database server is the important part, and it’s locked down. Ideally, it won’t even be accessible from the Internet.

The website’s software speaks to the database server in a standard syntax called Structured Query Language, or SQL (pronounced “sequel”). The SQL command SELECT, for example, asks the database server for all the information that fits a specified criteria. INSERT puts new information in the database. The rarely used DROP instruction will mass-delete data.

It’s a potentially perilous arrangement, because there are any number of situations where the software has to send a visitor’s input as part of an
SQL command—in a search query, for example. If a visitor to a music site enters “Sinatra” in the search box, the website’s software will ask the database to look for matches.

An SQL injection vulnerability occurs when the software doesn’t properly sanitize the user’s input before including it in a database command. Punctuation is the real killer. If a user in the above scenario searches on “Sinatra’; DROP music_catalog;” it’s tremendously important that the apostrophe and semicolons not make it through. Otherwise, the database server sees this.

As far as the database is concerned, that’s two commands in succession, separated by a semicolon. The first command finds Frank Sinatra albums, the second one “drops” the music catalog, destroying it.

SQL injection is a standard weapon in every hacker’s arsenal—the holes, even today, plague websites of all stripes, including e-commerce and banking sites. And in 2005, the forum software used by TalkCash and ScandinavianCarding was a soft target.

To exploit the bug on TalkCash, Max registered for a new account and posted a seemingly innocuous message on one of the discussion threads. His SQL attack was hidden in the body of the message, the font color set to match the background so nobody would see it.

He ran a search query designed to find the post, and the buggy forum software passed his command to the database system, which executed it, INSERTing a new administrator account just for Max. A similar attack worked at ScandinavianCarding.

On August 14, Max was ready to show the carding world what he was
capable of. He slid into the sites through the holes he’d secretly blasted in their ramparts, using his illicit admin access to copy their databases. The plan would have made Sun Tzu proud: Attacking and absorbing rival forums was an unexpected route indeed. Most carders wanted to avoid attention, not thrust themselves into prominence. A hostile takeover was unprecedented.

When he was done with the English-speaking sites, Max went to Eastern Europe. He’d strived to unite the Eastern European carders with the West, but Tea’s efforts had been largely fruitless—the Russians liked her but didn’t trust an American board. Diplomacy had failed; it was time for action. He found Cardingworld.cc and Mazafaka.cc no more secure than the western boards and was soon downloading their databases of private messages and forum posts. Megabytes of Cyrillic flowed onto his computer, a secret history of scams and hacks against the West stretching back months, now permanently warehoused on Max’s hard drive in San Francisco’s Tenderloin.

When he was done, he executed the DROP command on all the sites’ databases, wiping them out. ScandinavianCarding, the Vouched, TalkCash, DarkMarket, Cardingworld—the bustling, twenty-four-hour-a-day marketplaces supporting a billion-dollar global underground economy all winked out of existence. Ten thousand criminals around the world, men with six-figure deals in the works; wives, children, and mistresses to support; cops to buy off; mortgages to pay; debts to satisfy; and orders to fill, were, in an instant, blind. Adrift. Losing money.