Barrett took a recorder that looked identical to his real fob and called Darren back. Sure, Barrett said coolly, he could get together the next day. But Barrett still needed to get dress shoes for his wedding ceremony—did Darren mind tagging along as he shopped? Darren didn’t mind. Barrett picked Darren up at his hotel the next morning. They spent most of the day together. Darren was his usual self, friendly and silly.
Barrett, meanwhile, was giving the performance of a lifetime. He really did need shoes, and they went to a Burlingame mall, then the Westfield Mall in San Francisco. Barrett wanted to focus on his conversation with Darren—to get him to open up about Mickey and Sacco, where the money had come from, and where it had gone. But first he had to deal with the recorder. The FBI agent had warned him that the key-fob gizmo would get muffled if it stayed completely inside his pants pocket, ruining the recording. The agent suggested that Barrett leave the fob sticking out of his pocket, looking like it might fall out. The way to mask that oddity, the agent explained, was to wear a long jacket that hung over it. Barrett decided to junk all that and just dump the fob with the other stuff from his pants pockets on the table while they ate, hoping that Darren wouldn’t examine it too closely. At first they talked about uncontroversial things: Barrett’s wedding and where other Prolexic alumni had ended up. They stopped for lunch at a food court in the second mall. After more shopping, they went for a tapas dinner at Medjool, in the Mission District, and Barrett encouraged him to have mojitos.
Thinking again about how he had tried to do the world some good and gotten suckered into working for the mob, Barrett went for the close. He invited Darren back to the house and poured his good wine. Darren began to enjoy himself. He laughed about Sacco buying a thirdhand plane with a Panamanian pilot and about Brian Green, classy guy that he was, traveling to the ecological wonderland of the Galapagos Islands—to go hunting. As Barrett struggled through his own developing buzz to egg Darren on, the chief executive of one of the biggest gambling software suppliers blabbed on and on to the unseen tape recorder on the counter.
BetCRIS had fulfilled the dream Sacco had shared with Barrett at the Beverly Hills steak house in 2004, he recounted. It had opened physical casinos in Ecuador, Peru, Guatemala, Venezuela, and several cities in Mexico. Darren told Barrett he had set up the Mexican operation himself, cutting deals with the drug cartels in order to pull it off. Hazy with his own wine consumption, Barrett wasn’t sure whether he had gotten everything the FBI wanted. But it seemed a pretty good start.
The next night, at the wedding rehearsal dinner at the Hotel Vitale, on San Francisco’s downtown waterfront, Barrett excused himself to go to the bathroom. Looking over his shoulder, he ducked outside and ran across the street to the same dark sedan, now parked outside of the swank Boulevard restaurant. The agent inside rolled down the window. Dressed up for the special occasion he had just left, Barrett reached in to shake his hand, slipping him the fob in the process. A year and a half later, Betancourt told Barrett that the FBI was drawing up long-shot papers to extradite Darren, Mickey, and Sacco, who had quietly been indicted by a state grand jury in Arizona.
6
FROM SPAM TO IDENTITY THEFT
When Barrett had been weighing whether to leave Prolexic in 2006, he had thought about more than the ethical complications of working for immoral people against immoral people. He was also thinking about whether denial-of-service attacks, which had been on the cutting edge of technology crime three years before, were still such a high priority for the hacking gangs. If they had become routine, then perhaps other companies would do just as well in warding them off. And if the top criminals had moved on to something else, it wasn’t clear whether Barrett would be doing the world much good by staying in the fight.
Barrett decided to check back with the criminals who had been state of the art when he got in the game, just to see what they were up to. He went online to see if the Internet Relay Chat channels that had given orders to Ivan Maksakov’s bots were still up and running. Yes, they were. And even long after the crime ring was supposedly broken up, infected computers were still registering in the channel, seeking instructions.
Now, though, whoever ran the channel wasn’t launching the zombies on denial-of-service attacks. Instead he was telling the machines to send him all the financial information and passwords that were stored on each PC. The Russian gang had moved on to identity theft.
Like everyone else in America, Barrett already knew that identity theft was a major and growing problem. He’d even been a victim himself. But he hadn’t known the Russian mob had gotten in on the action.
From the time of the dot-com boom, identity theft had topped each year’s list of complaints to the Federal Trade Commission. The burdens ranged from days of aggravation trying to clear a tarnished credit report to major financial losses. In 2005, the issue broke onto front pages across the country after a ring of Nigerian con artists penetrated ChoicePoint, a Georgia-based spin-off from one of the three big credit bureaus and one of the world’s largest repositories of private information on consumers. That breach was only disclosed because of a recent California law requiring notification of its residents placed at risk. Even then, ChoicePoint tried at first to warn only Californians, and it continued to mislead the public after that. Among other things, it said such wide access had never been granted mistakenly in the past, when in fact another ring had done exactly the same thing two years before.
But how had Russian hackers joined in? Barrett guessed that they were simply pursuing the highest profit. Since viruses had gone professional in 2003, they had woven together millions of compromised machines. A denial-of-service attack was one of the easiest ways to convert that resource into cash, but now Barrett realized that it was far from the only one.
It had all begun, innocently enough, with spam. Because the earliest email programs had no restrictions on who sent what to whom, people looking to spread their ideas or hawk their products quickly seized on bulk messages as the closest thing to free advertising. Spam actually predates broad use of the World Wide Web. The term, from the Monty Python sketch in which every dish on a restaurant menu has either a little or a lot of the canned meat product, first appeared in an email group in 1993, after an administrator accidentally sent two hundred copies of the same message to every subscriber.
As more people began using email, spam got more effective. A technology arms race ensued, with service providers and stand-alone software companies trotting out different means for weeding out unwanted messages. Not much worked for long, at least on any scale. Filtering out certain words prompted deliberate misspellings. Blocking specific senders just forced them to fake the email addresses in the “from” field. “Challenge” systems sent out automated replies to all correspondents in search of proof that they were human beings, but most consumers didn’t want to both download an additional product and annoy their friends.
Those companies routing tens of millions of emails eventually found it most effective to trace spam back to the computers that were spewing the come-ons. They began assembling blacklists of the suspect Internet addresses and sharing them in industry forums and through such resources as Spamhaus, a volunteer and mostly anonymous group in London that launched the Registry of Known Spam Operations, the ROKSO list of the worst offenders, in 2000. The anonymity was by necessity: when the home address of CEO Steve Linford leaked, death threats forced him from the country.
As was the case elsewhere in technology, simple economics drove substantial progress on the part of the spammers. Since it cost just a few pennies to send millions of emails, a tiny percentage of recipients clicking through and buying what was on offer made the financials compelling. A dozen or more of the most prolific spammers made millions hawking penis enlargement pills, get-rich-quick schemes, and counterfeit pharmaceuticals.
When blacklists stopped spammers from using a single computer to reach everyone, the more entrepreneurial bought or rented another machine. Better still, they stayed put and bounced their emails off what are called open proxies. Proxies are in the email-routing software within many large computers. In more trusting days, they were left “open” and therefore would helpfully relay any incoming mail to the next stop. Many administrators never bothered to change that setting, generally because they didn’t realize that the spammers were abusing their machines to launder the Internet addresses from which they were spamming, evading the blacklists. Gradually, the people in charge of corporate networks figured out that they were aiding the enemy and began closing the loophole.
At the same time that the business-minded spammers were developing a bigger appetite for open proxies, the world of computer viruses was blossoming. Long the handiwork of teenage computer geeks with an excess of curiosity and a deficiency in common sense, viruses spread faster as more people bought software with security flaws, especially Microsoft products. Because consumers got used to clicking on new kinds of attachments in email, electronic messages became one of the easiest vectors for spreading viruses. There were many others, though, including instant messages, rigged websites, and especially pernicious “worms” that spread automatically, without the computer user downloading or clicking on anything. Some security researchers fed the flames by publicly posting their discovery of new vulnerabilities and even “proof of concept” code that showed hackers how to take advantage of them.
The spammers didn’t want to use viruses to delete files, turn machines off, or broadcast love for a stripper, as the Melissa virus did. They wanted to harness that power to take control of machines and open them up to send email. While no one has definitively shown how the leading spammers and the virus writers got together, security experts have concluded that the spammers hired virus authors, or wrote such code themselves, in order to make spamming easier. In any case, the era of amateur viruses came to a rapid close.
The early weeks of 2003 brought forth what would develop into a type of virus more threatening than any that had gone before. The first version of the virus was dubbed SoBig by the security researchers who discovered it. Like other viruses, SoBig spread by persuading recipients to open a mislabeled attachment containing a malicious program. Once activated, the virus looked in the machine for new addresses to mail itself to. SoBig was cleverer than most, because it forged the “from” address in outgoing email so that it often appeared to be coming from a trusted friend. More troubling was the complexity of the program, which used encryption and multiple computer languages. SoBig told infected machines to check in with other computers, whose location would be revealed only at the last instant, to get additional tools and instructions. Worst of all, the system appeared to be commercially motivated, in that infected machines would eventually turn into open proxies. Those who knew where to look could use an email program to connect to the new zombie, and the unwitting machine would spew out thousands of messages while disguising the initial source of the mailing.
In May 2003, a new and improved version of SoBig started spreading. But the initial alarm at a serial offender was mitigated by an unusual twist in the coded instructions: after spreading for two weeks, the worm was programmed to turn itself off. That made the project appear to be some kind of science experiment, where the author was holding himself in check, perhaps due to some moral misgivings. As new versions of SoBig began to appear—labeled SoBig.C, SoBig.D, and so on—the mechanics of the program grew more sophisticated. They hid the second and third phases of infection better and fixed various bugs. SoBig.E sent attachments as compressed or “zipped” files, allowing them to get past gatekeeper software that bars executable programs from getting into corporate networks. By then, security experts realized that the short shelf life of the new versions was one of the most ominous things about them. It meant that the authors—by now generally believed to be members of a highly organized group—didn’t want old versions cluttering up the Internet when they released better varieties. They were learning from each assault and refining their work.
On August 18, 2003, someone using a stolen credit card and the online handle “Misiko” posted what he described as a “nice” pornographic picture to several online newsgroups. When others downloaded the file, they unleashed SoBig.F, which in short order would become the biggest virus of all time. SoBig.F sent more than 300 million emails with such subject lines as “Your Details,” “Thank you!” and “Re: Approved.” SoBig’s mail clogged the networks at FedEx and Starbucks and shut down CSX passenger trains.
The programming was by far the best ever seen by the top virus hunters. Those researchers were an odd breed, often self-taught experts like Barrett. Many worked for small companies, like Finland’s F-Secure or Atlanta’s SecureWorks, that big security firms relied on for help in protecting corporate clients from the latest threats. The global cadre raced to decrypt and analyze the code, and a team from F-Secure got there first. When it did, the researchers found that SoBig.F told infected machines to contact twenty master computers for a new payload on Friday, August 22, at 7 P.M. Greenwich time—just thirty hours away—and then again every subsequent Friday until September 10. Given how fearsome the foundation program was, the experts hated to imagine what the next step would be.
Once the Web addresses of the twenty masters had been identified, Finnish and U.S. authorities tracked them to the U.S., Canadian, and South Korean Internet service providers they depended on, then succeeded in getting most of the computers knocked offline. Microsoft and others joined the chase for the remaining machines as the minutes ticked down. Finally, nineteen of the twenty had been neutralized. While much of the technological world held its breath, the twentieth was overwhelmed with zombie traffic at the appointed hour. When experts succeeded in connecting to that computer a short time later, it was still redirecting infected hosts to Gary Kremen’s Sex.com, a harmless pornographic site being used as a placeholder. Hearing the figurative footsteps coming up the path, the virus writers had never put their next phase into play.