E-sting nets 2 Russian hackers; FBI alleges pair stole credit info

Federal agents in Seattle have cracked a Russian computer-hacking ring that prosecutors say victimized dozens of e-commerce businesses in 10 states through extortion and the theft of thousands of credit-card numbers.

Two young hackers have been arrested and indicted after the FBI set up a bogus Internet-security firm, aptly called "Invita," and let the men hack into it, authorities said. Then, they lured the men to the U.S. to apply for jobs.

An amended 20-count indictment from a Seattle grand jury earlier this month identifies the men as 20-year-old Alexey Ivanov and Vasiliy Gorshkov, 25.

Prosecutors say they may be linked to hundreds of crimes, including the highly publicized theft of 15,700 credit-card numbers from Western Union in Denver last September. A computer file discovered in an account registered to Ivanov allegedly contained another 38,000 credit-card numbers gleaned from an unnamed business, according to court documents.

Agents suspect the men and associates still operating in Russia have been responsible for tens of thousands of suspicious probes and Internet intrusions into banks and other e-businesses, most often by hacking into a vulnerable version of Windows NT, the Microsoft business-systems platform.

The problem escalated over the past year and became so serious that it prompted nationally circulated warnings from the Department of Justice's National Infrastructure Protection Center, in December and again just last month.

"These guys aren't script-kiddies," said Assistant U.S. Attorney Stephen Schroeder, using a techie colloquialism for a novice hacker. "This is a pretty big deal."

Indeed, Ivanov also has been indicted in New Jersey and Connecticut, where he is currently being held, according to court records. Gorshkov is in custody at the Federal Detention Center in SeaTac.

'Coyote in the henhouse'

According to recently unsealed court documents, Gorshkov and Ivanov used a pair of computers located in Chelyabinsk, Russia, to scan the Internet for businesses using a vulnerable operating system. Microsoft, acknowledging that security holes exist in some versions of Windows NT, has offered "patches" for free for at least two years. Some Unix-based systems also were vulnerable.

Schroeder said numerous companies haven't downloaded the fixes or weren't aware of them.

Once a vulnerable business was located, the hackers would break into the computer system and gain the ability to run commands that gave them control of it. Sometimes, it would be months before the business became aware of the problem.

In several cases, the hackers, who called themselves "The Expert Group of Protection Against Hackers," contacted the company, identified themselves as "security consultants" and revealed that they had broken into the computer system. They would then offer to fix the hole -- for a price.

In other instances, the hackers would use compromised computer networks as a staging area for additional hacking and crimes. Among systems used in this manner was the computer used by the St. Clair County, Mich., school district, according to court papers.

Another, said Schroeder, was the system operated by Lightrealm Communications in Kirkland, now a partner of Issaquah-based Hostpro. The prosecutor said Lightrealm knew it had been hacked by Ivanov, but instead of turning him in, it hired him as a consultant.

"They had a coyote in the henhouse and left him there," said Schroeder, who said some of the victims were hosted on Lightrealm's servers.

Lightrealm's system administrator, Raymond Bero, acknowledged that Ivanov had hacked into the system and that the company later paid him as a consultant, although he wouldn't say how much.

He also said he had no clue that Ivanov or anyone else was using his system as a platform for computer crime.

"If we had perceived him as a coyote, he wouldn't have been allowed to stay," Bero said. Ivanov, he said, had control of sensitive information from his system and never used it.

"He had the power to be malicious, and he wasn't," Bero said.

Court documents, however, say Bero ultimately asked Ivanov to leave the Lightrealm system after receiving complaints from other businesses. Goodnews Internet Services, one of the victims, said it received an e-mail from Ivanov, from an account at Lightrealm, saying he had broken into their system and offering to fix its security holes for a fee.

PayPal among the victims

Schroeder said there are more than 40 businesses that were victimized in 10 states, including banks in Texas and California and the e-finance company PayPal of Palo Alto, Calif., the country's largest Internet-based payment company.

The hackers stole personal information from PayPal customers by creating a bogus "mirror" Internet site, identical to PayPal's legitimate home page. They used a special program to locate PayPal customers on the Internet, then sent them an e-mail telling them to log onto the fake site.

Once there, the customers would enter their usernames and passwords, which were recorded by the hackers.
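The PayPal scheme described above is a credential-phishing lure: a copy of the real login page on a host the attackers control, and an e-mail telling customers to log in there. The following is an added example, not code from the article or from any party in the case, showing the receiver-side check a mail filter can apply: pull every link out of a message and test whether its host is really the legitimate one. The list of legitimate hosts and the two sample messages are constructed for the example (the article does not give the fake site's address), and the look-alike tricks handled (the trusted name used as a subdomain of the attacker's domain, a fake host placed before an "@" so the browser connects to what follows it, and a bare IP address) are common forms of such lures rather than details the article reports.

```python
import re
from urllib.parse import urlsplit

# Hosts a genuine PayPal login link is expected to use. This list is an
# assumption made for the example, not something the article states.
LEGIT_HOSTS = {"paypal.com", "www.paypal.com"}
LEGIT_SUFFIX = ".paypal.com"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def classify_url(url):
    """Return None if the link points at a legitimate host, else a reason string."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "no host in %s" % url
    # http://www.paypal.com@203.0.113.5/ : everything before '@' is userinfo;
    # the browser connects to the host that follows it.
    if parts.username is not None:
        return "userinfo before '@' hides the real host %s" % host
    if IPV4_RE.fullmatch(host):
        return "bare IP address %s" % host
    if host in LEGIT_HOSTS or host.endswith(LEGIT_SUFFIX):
        return None
    # www.paypal.com.secure-login.example : the trusted name is only a
    # subdomain label; the registrable domain belongs to the attacker.
    if "paypal" in host:
        return "look-alike host %s" % host
    return "unrelated host %s" % host


def suspicious_links(text):
    """Extract every http(s) URL in a message body and return the bad ones."""
    found = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)")  # drop sentence punctuation
        reason = classify_url(url)
        if reason is not None:
            found.append((url, reason))
    return found


def is_lure(text):
    """True if the message carries at least one link to a non-legitimate host."""
    return bool(suspicious_links(text))


# Constructed sample messages (not real mail from the case).
GENUINE = (
    "Your recent payment is complete. Review it at "
    "https://www.paypal.com/cgi-bin/webscr?cmd=_history."
)
LURE = (
    "Dear PayPal customer, your account has been limited. "
    "Log in within 24 hours at http://www.paypal.com.secure-login.example/login "
    "or at http://www.paypal.com@203.0.113.5/ to restore access."
)

if __name__ == "__main__":
    for label, body in (("genuine", GENUINE), ("lure", LURE)):
        print(label, "lure" if is_lure(body) else "clean")
        for url, reason in suspicious_links(body):
            print("   ", url, "->", reason)
```

The check deliberately compares the parsed hostname rather than searching the raw URL string for "paypal.com", which is exactly what the subdomain and userinfo tricks are designed to defeat. A production filter would go further: consult the public suffix list instead of a hard-coded suffix, decode punycode (`xn--`) hosts to catch homoglyph names, and, for HTML mail, compare each link's visible text with its `href`.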

FBI computer-crime specialists identified Ivanov as one of the hackers and, last June, set up a sting to lure him to the U.S. That's when agents invented "Invita," housed it in a downtown office and contacted Ivanov to see if he'd be willing to consult for them.

FBI hacks the hackers

According to search warrants and other court documents, the agents challenged Ivanov to hack into Invita's system, which was set up along the lines of those of several victims. When he succeeded, they asked him to come to the U.S. for an interview.

Ivanov brought Gorshkov with him and the two met for several hours at the Invita offices. According to FBI affidavits, agents asked the men to demonstrate their hacking prowess on two computers secretly loaded with "sniffing" programs that recorded every keystroke.

After the men were arrested, agents used the information to access and download an immense amount of data from two computers in Russia.

Schroeder acknowledged the irony of FBI agents hacking into the hackers' computer. There was an urgency, however, because they were concerned data could be destroyed if the arrests were made public.

That data, and statements made by Gorshkov after his arrest, are now the subjects of legal challenges by Gorshkov's attorney, Kenneth Kanev.

Kanev said his client's privacy was invaded when the FBI used the sniffer device to obtain his client's secret username and password, and then used them to access potentially incriminating data from computers halfway around the world.

"In essence, it 'locked' the container (the computer) and the undercover FBI were given no authority to use the 'key' to the container their sniffer seized," Kanev contends.

Kanev also said the FBI should have obtained a search warrant before downloading the information.

Schroeder argues that Gorshkov was using someone else's computer and had no reasonable expectation of privacy. And a search warrant wasn't needed, he said, because the FBI has no jurisdiction in Russia.

U.S. District Judge John Coughenour has set a hearing for May 17, stating that the issue raises "unique and novel legal questions."

Mike Carter can be reached at 206-464-3706 or mcarter@seattletimes.com.