In my last post, I painted a picture of a hacker that discovered his victim would be on vacation. He then shared that information with someone who breaks into houses. I also suggested that he might have an ongoing arrangement with that burglar, for their mutual benefit.
Perhaps some of you thought, “There he goes again… getting carried away and making up stories. Sure, it COULD happen, but how likely is that?”
So, today, I want to talk about how cybercrime REALLY works.
But, first, I want to talk a little bit about how our communities work.
In my community, there is a shopping center where two main highways intersect. On one corner you can find a post office, a large department chain store, a nutritional supplement store, a hair stylist, and a good number of other stores. Across the street, you can find a Walmart, a large grocery store, an Amscot, a video game store, a nail salon, a beauty shop, a place that buys gold for cash, and numerous other stores. On the third corner, you’ll find a large health food store, a restaurant, a sports shop, a bank, a pool supply store, and a number of other stores. On the remaining corner of that intersection is another bank, as well as a number of other shops.
Down the street a couple blocks are a couple of well-known drug stores, a gas station, some restaurants, a liquor store, a large discount member-only shopping club, a veterinarian, an outlet for a major lumber/hardware chain, an auto repair shop, and many other places. There are also dentists, accountants, and most of the other suppliers of goods and services that you need, all within a distance of a few blocks. Every shop provides something different, but they are all close by.
In fact, if you focus on just cars or trucks, you can find an auto repair shop, a tire shop, an auto parts store, and a couple of gas stations within just a few blocks. Or you can get a haircut or perm, a mani pedi, new clothes, makeup, jewelry, shoes, and accessories, all within a few hundred feet of one another.
The consumer can get what they need without having to drive all over town. The consumer doesn’t have to supply all their own needs. They go shopping! Someone else can provide the products and services they need. That’s part of what makes a community.
What about the business owner? The business owner doesn’t have to learn everything and do everything to make a business work. Instead of buying a camera and taking their own picture for their advertising, they go to a photographer and get a “head shot.” They hire someone to put up their web site and someone to do their advertising. Even in today’s world of “desktop publishing,” they probably get their business cards, business letterhead, and promotional materials from a print shop. They may go somewhere else for the signs for their business. They hire an accountant and an attorney. They get their office supplies and furniture from an office supply store. They probably lease their office space from someone else. They buy phone and Internet service from a provider. And the list goes on.
What they DON’T do is try to do everything themselves. Even those business owners that try to do everything themselves rely on someone else for a good number of their supplies and services. The most successful business owners focus on what they do best. They find someone else to do all the other stuff.
So, what about the cybercriminal? One of the popular images of a hacker is of a kid who sits in his parents’ basement, staying up all night, drinking caffeinated drinks to keep going. He is seen as a loner. But even the hackers who fit that profile interact with other hackers online.
Let’s update our image of the cybercriminal. As an example, let’s think about the skimmers that are being found on gas pumps and ATM machines around our communities.
Someone has to install that skimmer on the pump or the ATM machine. At first thought, we may think the criminal operates alone and uses the credit card numbers he obtains to buy stuff. End of story. Let’s take a closer look.
Where did they get the skimmer? They purchased it online. There are online stores where you can buy those things. They learned what they needed to know to select which skimmer to buy and how to install it, as well as what to do after you put it in place. There are places online where you can learn that stuff. Once they have the skimmer, they have to install it. That is probably one of the higher-risk parts of the process. Someone might see you or you might be caught on camera.
But what do they do once they harvest the card numbers? They could use the credit card number in a transaction that doesn’t require the actual card, either by phone or online. But that’s not the most likely use.
They are more likely to sell them. There are places online where you can offer stolen credit card information for sale. Then, other criminals go online and buy those card numbers.
Card numbers are usually sold in bulk. The buyer will buy a huge quantity of card numbers. Some of them won’t be any good by the time they get them, but many will be. Then what?
If you purchase thousands of card numbers, you would have trouble using them all by yourself. By the time you got a chance to use the majority of them, they would no longer work. So, the obvious solution is to sell them off in smaller quantities. In other words, think wholesale vs. retail. The person who harvested the card numbers from the skimmer is the wholesaler. The crook who buys them in bulk is the middleman. They can then sell them to a retailer who will sell them to someone else, or to someone who will use them for their own use.
But there’s another way these cards are used. It is possible to manufacture a counterfeit card and print the stolen card number and other information on the card, then transfer the information to the magnetic strip on the back. Now, those stolen numbers have been turned into physical cards. Those cards can be sold in large quantities or in smaller batches. Again, there may be a wholesaler and a retailer for those counterfeit cards.
So, now we have marketplaces for selling card numbers. We have wholesalers and retailers of stolen numbers. We also have businesses that can manufacture counterfeit plastic cards from the numbers. And we have people that can then wholesale or retail the counterfeit cards, and possibly make use of some of them for their own purposes.
Using skimmers is just one way to get credit card numbers. A “better” way is to hack into a database, or to use malware to hack the computers of homeowners or small business owners. That doesn’t require showing up in person at the gas pump or an ATM machine to install the skimmer.
How does that work? One variation is by using malware designed to steal your sensitive information.
A hacker who is skilled at programming writes some malware. He offers his malware for sale at an online “malware store.”
Another criminal purchases that malware and starts sending out spam.
If you click on the link they send you, your computer is infected with the malware. The malware sits on the computer undetected and watches for certain sequences that look like credit card numbers, social security numbers, e-mail addresses, and similar information. At some point, it communicates back with the person who infected it, sending your information. Now they have your credit card number and the e-mail addresses of all your friends.
Once the hacker has a bunch of credit card numbers, they can offer them for sale at an online credit card number “store.”
Let’s consider the people that buy the cards or card numbers. One of the ways they can use the credit card numbers is to make purchases online. They can buy electronics and other equipment. But, where would they have it shipped? If they ship it to their house, it’s only a matter of time before they get caught. Maybe they could send it to one of the stores that provides private mailboxes to the public. Even then, someone has to show up to pick up those packages.
But there is another way. They could advertise on craigslist. Or they could post a job listing with an online employment service. “Help wanted. Shipping manager to mail packages. We ship our equipment in bulk to you at the nearby mailbox store. You pick the packages up and repackage it to our customers. You get a percentage of all shipments.”
Then, they can post another job listing. “Help wanted. Marketing Manager. Need self-starter to market electronic equipment we purchase in bulk from liquidators. You receive a percentage of all sales.” (There are other variations of “job listings” that criminals use to get unsuspecting people to do their dirty work for them.)
The crook has now involved others to do all the higher risk work for them. The credit cards are used to make purchases, which are shipped to their “employee,” who reships them to “customers” provided by the “marketing manager.” The crook collects the money and may (or may not) pay the “employees” what was promised. By the time the authorities figure out what is going on, the crook has cashed out and moved on to another group of “employees.”
That’s just ONE of many ways these stolen credit card numbers can be used.
So far, we have an online skimmer store, an “educational” site for hackers and associates, someone who purchases and installs skimmers, a malware writer, an online malware store, a spammer, a “shop” that manufactures credit cards from stolen credit card information, someone who buys the credit card numbers in bulk, and someone who sells or uses the credit card numbers. And that’s just the tip of the cybercrime iceberg.
It’s beginning to sound a little bit like the community where you can go shopping and find anything and everything you want or need.
That’s the reality of cybercrime today.
There may be some “individual” cybercriminals out there. But there is also a community, where all the individual services and products needed are available. You just need to go shopping!
You can find:
* A place to learn how.
* Places that sell products (skimmers, counterfeit credit cards, etc.)
* Service providers (people to write malware, people who rent lists of thousands of e-mail addresses, people who have tens of thousands of computers under their control, people who buy and sell the credit card numbers you’ve obtained, people who can turn the credit card numbers into cash or products with little risk to you)
* And much, much more.
Remember the picture painted last week of the hacker who reads your e-mail being in league with the house burglar? Not only is that a realistic picture, the reality goes far further. Cybercrime today is truly “organized crime.” Today’s cybercriminal isn’t a single person that does everything by himself. There is an established infrastructure, a community, that provides all the products and services the cybercriminal needs. All he needs to do is go shopping!