Return of the Web Mob - 2

Two years after 'operation firewall,' organized Internet crime is back and brazen.

Ken Dunham, you could say, spends his life peeking into the bowels of the Internet. As director of the Rapid Response Team at VeriSign-owned iDefense, of Dulles, Va., Dunham—along with his team of malware hunters—infiltrates black hat hacker forums, chat rooms and newsgroups, posing as online criminals to gather intelligence on the dramatic rise in rootkits, Trojans and botnets.

Just two years after the Secret Service claimed a major success with "Operation Firewall"—an undercover investigation that led to the arrest of 28 suspects accused of identity theft, computer fraud, credit card fraud and money laundering—security researchers say the mobsters are back, with a level of sophistication and brazenness that is frightening and surreal.

"They never really went away," Dunham said. "They scurried away for a few months and tightened their security controls."

Not tight enough. A law enforcement official familiar with several ongoing investigations, who requested anonymity, showed eWEEK screenshots of active Web sites hawking credit card numbers, Social Security numbers, PayPal and eBay credentials, and bank log-in data by the bulk.

Black hat hackers have set up e-commerce sites offering private exploits capable of evading anti-virus scanners. An e-mail advertisement intercepted by researchers contains an offer to infect computers for use in botnets at $25 per 10,000 hijacked PCs.

"We even have proof of actual job listings on Russian-language sites offering lucrative pay for coders who can create exploits and launch denial-of-service attacks. Weve seen evidence of skilled hackers stealing corporate data on behalf of competitors. This isnt just about credit card and bank information. It has all the elements of traditional mafia-type crime," said Jim Melnick, a member of Dunhams team.

Roger Thompson, a computer security pioneer who created the first Australian anti-virus company in the late 1980s, said he is convinced the secretive Russian mafia is masterminding the use of sophisticated rootkits in botnet-seeding Trojans.

"Theyre into everything: spyware installations, denial-of-service shakedowns, you name it. Its the traditional mafia finding it easy to make money on the Internet," said Thompson, who now runs Exploit Prevention Labs, in Atlanta.

Yury Mashevsky, a virus analyst at Kaspersky Lab, said there is even evidence of turf wars in the criminal underworld. "They use malicious programs that destroy the software developed by rival groups and include threats directed at each other, anti-virus vendors, police and law enforcement agencies in their creations," Mashevsky said, in Woburn, Mass.

He also has seen fierce online confrontation in the battle to control the resources of infected computers. In November, Mashevsky discovered an attempt to hijack a botnet. "[The] network of infected computers changed hands three times in one day. Criminals have realized that it is much simpler to obtain already-infected resources than to maintain their own botnets," he said.

On message boards and newsgroups where malicious code is put up for sale, Mashevsky said flame wars and attacks to steal virtual property are normal.

One key aspect of Web mob activity that flies under the radar is use of "money mules," or individuals who help launder and transfer money from hijacked online bank accounts.

On career Web sites such as, a job listing for a "private financial receiver," "shipping manager" or "country representative" almost invariably is an active attempt to recruit people around the world to withdraw funds and deliver the money to crime bosses, according to iDefense research. Money is transferred into the mules account, withdrawn as cash and then wired to an offshore account.

Dunham cited the recent discovery of MetaFisher, also known as SpyAgent, a Trojan connected to a Web-based command and control interface that highlighted just how advanced the attackers have become. "In just a few weeks, MetaFisher spread to thousands of computers. We found conclusively that these attacks were going on undetected for more than a year. Can you imagine the amount of data that has already been stolen?" Dunham said.

Eric Sites, vice president of R&D at Sunbelt Software, in Clearwater, Fla., showed eWEEK screenshots of the Web interface displaying phishing attacks targeted at European banks. The interface keeps detailed statistics on bot infections around the world and can be used to add exploits. It also can keep track of anti-virus signature definitions and callbacks from infected machines.

"This isnt the work of the guy in the basement. This is organized and simplified to make it super easy to control all those bot drones," Sites said.