Fatal System Error (21 page)


Authors: Joseph Menn


Andy pressed Maksakov to tell him more about how attacks could be thwarted and how they were evolving. The overall picture wasn’t a reassuring one. The best chance for discovering a hacker was when he was in reconnaissance mode. While many bots would be contacting the site at random for cover, they usually would look at only one page apiece. By examining the log file for the IP addresses of visitors and disregarding those that clicked just once, the target company might be able to pinpoint the IP of the computer that the attacker was using as a proxy for his probe. But that was still merely an ordinary zombie computer, and it would be quite a bit more work for the authorities to get control of that machine and then trace the VPN connection back to the attacker’s real Internet service provider.
Killing off a botnet also would be much harder than Andy had thought. At first, the agent had thought that simply taking the controlling IRC server offline would do the trick. But since the attackers also had domain name servers to direct the bots to the right channel, they could just change the numeric address for the channel and start it up someplace new. Then Andy had thought that seizing the domain name server at the same time as the IRC server would be enough. But Maksakov pointed out that the attacker could just buy or capture another domain name server and once again change the IP address to which it referred connections. That meant that the authorities would have to persuade the domain registration company to cut off the domain name entirely—and there were any number of corrupt companies through which to register domain names.
The attack teams, meanwhile, were amassing more resources and adding new approaches. Among the more diabolical was a new assault on the legal British gambling site Blue Square. Instead of just overwhelming the site and extorting a payment in exchange for peace, a criminal crew had pilfered the email addresses of clients from the company’s server. It then threatened to send child pornography to all of those addresses in such a way that the pictures would appear to be from Blue Square. That forced the company to make a public announcement of the threat in case the gang carried it out. The customers’ displeasure at the insecurity of their contact information reinforced the decision of many other companies to pay quietly rather than fight.
ANDY HAD PICKED THE RIGHT RAID to go on. Denis Stepanov, arrested by another team in St. Petersburg, was surly and misleading from the first interview. The twenty-three-year-old, who worked as a computer system administrator, denied doing anything illegal. But after some time in prison, when confronted with his cell phone and Internet service provider records, he began offering some useful information. For starters, he admitted knowing Maksakov, Milsan, and Zet, and he said he knew that Stran had organized DDoS attacks for extortion.
Stepanov conceded he had connections with at least three more people in the DDoS business, nicknamed Faust, Pirog, and Red Hunter. Andy tracked down Faust from a phone number he had used to call Stepanov. He was identified as Vyacheslav Stepanov, no relation, a resident of Rostov-on-Don and the registered owner of a server called irc.jerry.pp.ru. He shared that machine with Pirog, another Stepanov contact. The server was physically hosted in Kissimmee, Florida, and controlled a botnet that Andy watched attack Blue Square, William Hill, and others. Andy suspected the “jerry” ring of being behind the threat to email child pornography to customers of Blue Square and other targets. Faust evaded arrest but was believed to still be in Russia. Pirog, identified as Anton Valeryovich Slobodyanik, likewise went into hiding in St. Petersburg. Andy never got Red Hunter’s real name.
Denis Stepanov also copped to dealing with one of the titans of the underground economy, a man known as King Arthur. The most respected figure on the carding fraud forums, and probably the most feared financial criminal of the era, King Arthur was best known for his mysterious ability to encode fake bankcards that would be accepted at ATMs.
He had run CarderPlanet, the most notorious of the cyber-bazaars, and he settled disputes among participants there. He also advised up-and-comers on DDoS attacks and other crimes. But Andy’s squad and other investigators had never gotten close to him. They didn’t know his real identity or even his country. King Arthur was to them a real-life Keyser Soze from The Usual Suspects, a mythic persona they might have blamed for more things than one man could orchestrate.
Stepanov had gotten some Wells Fargo bank account numbers and online passwords, but he didn’t know how best to extract the money from those accounts. On CarderPlanet, he asked King Arthur to help, and he offered an encryption program as payment. King Arthur instead wanted new exploits that could be used to hack into computers, and Stepanov either couldn’t or wouldn’t supply any. Later, King Arthur wanted to deploy a program for stealing bank account information on Stepanov’s botnet, but Stepanov refused. He gave Andy two reasons. First, he was afraid that King Arthur might take control of the botnet. And second, he feared that if the two ever had a falling-out, King Arthur might have him killed.
Other names Stepanov gave would tantalize Andy. He said Stran’s allies included a St. Petersburg hacker and former police officer named “02,” after the phone number for a police emergency. More troubling, Stepanov said 02 might have worked for Dept. K, the national cybercrime squad, in St. Petersburg. A former cybercrime police officer in the national force would be a powerful man to have on board, someone who could pick up the phone and find out where an investigation was heading, along with what it might cost to make sure it never arrived. It was also the most likely conduit if something even worse existed. The local police chief or Dept. K division head or FSB man would be reluctant to be seen with crime lords. If the law enforcement leaders were involved in planning criminal activity, they would want to do business through an intermediary, and an ex-cop would be a prime candidate.
While corruption was a major problem everywhere in Russia, St. Petersburg was notorious. Igor had already warned Andy that he didn’t trust the police there. The big western city was home to what was growing to be the single greatest nest of criminal activity online, the Russian Business Network. Two years down the road, the RBN would confound the West even more than King Arthur. The RBN wasn’t a mob leader but an ongoing business, ownership unknown, with a headquarters address and a phone number. It was just that every single thing it did was wrong. Officially, the RBN was a service provider, with Web hosting and fast uplinks to the Internet. But it specialized in what the security trade called “bulletproof hosting” for the worst spammers, identity thieves, and child-porn businesses in the world. It charged more, but that meant that no amount of victim complaining could get the plug pulled on a customer. Complaints rolled in anyway, from Western law enforcement, security firms, legitimate service providers, and thousands of consumers whose computers were infected with spyware spewing pop-up ads. To operate as it did, the RBN needed powerful protection—most likely from local or national police as well as traditional organized crime. Andy would come to believe that 02 was part of the RBN.
The biggest disappointment in the day of action was in the raid in Pyatigorsk. Andy and Igor had hoped the police would find and arrest Maria Zarubina and Timur Arutchev, whom they believed to be two-thirds of Stran, the people on the receiving end of Canbet’s payout. Timur was the presumed leader of the three: he had a ranking title on CarderPlanet, “Gabellotto,” which is the Italian term for a tenant farmer who taxed peasants in a system that prefigured the mafia.
But when MVD officer Dmitri Bushman’s team got to their apartment on Pestova Street, Zarubina and Timur Arutchev had fled. Then the agents learned that the couple had taken out $29,000 from a bank the previous day—the maximum allowed withdrawal. Even in their haste to flee, they had the presence of mind to take the hard drive from their computer. And the news got worse from there. In a single month the previous fall, at the peak of the attacks in Costa Rica, a staggering $1.2 million had passed through the couple’s account. The day before they disappeared, phone records showed repeated calls to numbers in the Turks & Caicos Islands, an offshore banking haven.
Andy had thought Stran was just another mule, someone who passed along money to the big players. Now it looked like Stran was the kingpin—and one who had been tipped off by the authorities, to boot. The police did find Timur’s brother, Yan Arutchev, believed to be the last part of Stran. Yan admitted to accepting money on his brother’s behalf after electronic transfers, but said he didn’t know what it was for. He said he had no idea where the couple had gone or why. Without more evidence, there was nothing the police could do to shake his story.
Two weeks after the fruitless raid, Maria Zarubina tried to cash $60,000 in American Express travelers checks at a Moscow bank. The Russian police had asked American Express to stop payments on those checks, and the bank clerk held on to them, asking Zarubina to wait. The clerk put Zarubina’s passport down and walked away to call the MVD headquarters off Red Square. The call went to Misha Salenkov, a short, chubby detective who spoke almost no English. Salenkov ran down the hall, shouting “Zarubina bank! Zarubina bank!” Andy and Igor were just three miles from the scene. They ran out to the street and ordered a passing driver to stop his Russian-made Lada. Andy, Igor, Misha, and two other MVD men crammed in, joining the civilian driver in the tiny car as they raced across town. Unfortunately for Andy, Zarubina had grabbed her passport and fled. The team missed her by minutes. The next day a lawyer appeared at the bank and asked the manager why he had kept the American Express checks. Police, alerted when the lawyer asked for an appointment, trailed the man as he left the bank, hoping he would lead them to Zarubina. But they had no such luck. As technically proficient as Maksakov was, Zarubina and Timur Arutchev were clearly higher up in the food chain. And the Gabellotto had gotten away clean.
THE YEAR 2004 HAD BEGUN with Andy sitting in the office of the wrong Russian investigators, filling out paperwork and twiddling his thumbs. As the year drew to a close, he had the opposite problem: too many good leads to chase at once. And he had a strong hunch that local or national officials were protecting some of the people he wanted. Andy decided the best course was to go after the men Maksakov had fingered as his superiors in the extortion ring, since Maksakov was still cooperating. That meant Zet, Milsan, and Brain.
Milsan, and it would emerge Brain as well, lived in Kazakhstan, which made things much harder. The country was tied by economics and politics to its much larger neighbor Russia, without the rebelliousness of a Chechnya or Georgia. But it was still a wilder outpost with greater corruption, and Russian officials had to go through the same letter-of-request formalities that had proved such a burden earlier in the case. While requests for help in pursuing Milsan wended their way through the system, Andy found some Web pages that had been defaced in early 2003 by a group calling itself “RegoTeam,” which left as Web graffiti the membership roster Milsan—Zet—Zerg. By May 2003, RegoTeam was bold enough to offer DDoS and other services in spam. “Do you want to get rid of your competitors? Or blackmail your boss because he didn’t pay you? We can help!” one email read. The group also promised to assist those “looking for specific content for your web site (like child porn or anything weird).”
At the Internet café where Maksakov worked during the day, Andy and a detective from Moscow’s Dept. R would join him for long sessions as he chatted with the suspects still at large. In ICQ chats with Milsan, Maksakov learned of several attacks as they were happening. Andy then had Maksakov log into the servers that Milsan was using. Digging around in those servers eventually produced Milsan’s real name—Alexandr Milutin—and his Internet and physical addresses.
