Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet

by Joseph Menn

former White House cybersecurity advisor Richard Clarke published a book devoted to cyberwar, warning that planes could fall from the sky with a concerted attack on air-traffic control.

they would investigate the technical infrastructure of the company. If it had its own domain name server, that would have to be attacked first, to stop the company from switching the numeric address behind the website. They also looked for parts of the website where bots could chew up the most resources, such as internal search pages, pages requiring authorization to use, and pages offering downloads.

To cover themselves during the reconnaissance effort, the ring’s leaders would investigate potential targets with several hundred bots, confusing any search for the location of the real person. The spy would connect from his Internet service provider to an encrypted virtual private network (VPN), a kind of secure tunnel most common in large corporations with employees in the field. The VPN would take them to a bot, and only from there would the extortionists connect to the target. The eventual attacks would use “rooms” in IRC channels that had a thousand bots each.

After examining the computers operating the infectious sites, the forensics team finally worked out what made them so effective. For most visitors, including the sleuths, the sites appeared normal and harmless. But Bra1n had a friend in St. Petersburg who could hack into domain name servers and “poison” them, sending surfers seeking one site to a different one instead. If they agreed to pick Nike.com, for example, most people typing in that address would have gone to any of a large number of domain name servers and then to the right place. But if they happened to stumble on one of the poisoned servers, which were altered for just a half hour at a time, they would have been sent to highconvert.com or installme.info. Within ten seconds, the machines behind those websites would realize that the visitors were approved targets, check to see if they were running Internet Explorer as a Web browser, and if so use an exploit to install Trojan programs that would give control of the computers to Bra1n. Then they would dispatch the users to the real Nike.com. Few consumers complained about a ten-second detour. If they did, and thought to check their browser history for where they had been, technical support people tended to assume that the user had clicked on the wrong thing and not noticed. In the worst-case scenario, they would navigate directly to the porn site, see that it wasn’t trying to install anything malicious, and tell the user there was no problem. All in all, it was a da...

WHILE CARDERPLANET WAS WREAKING havoc on a global scale, Shadowcrew was doing major damage in the U.S. Shadowcrew grew out of the collaboration of two very different men, a Scottsdale (Arizona) Community College business student in his early twenties named Andrew Mantovani and a former mortgage broker in New Jersey nearly twice his age, David Appleyard.

That, sadly, is not the worst of it. Hacker CumbaJohnny had been helping run Shadowcrew, while his real-life alter ego, Albert Gonzalez, was helping the Secret Service track what happened there. But the same man had a third identity, “Segvec.” Federal agents knew Segvec was bad, they just didn’t know he was one of their own. In filings against e-Gold, they described customer Segvec as a known Ukrainian carder. In reality, the Secret Service later admitted, Segvec was the young Cuban American who had been aiding their Shadowcrew probe since 2003. All the while, Gonzalez and two young men in Miami had been “wardriving”—driving up and down outside major businesses seeking wireless vulnerabilities to tap into. They hacked into OfficeMax, BJ’s Wholesale Club, and Barnes & Noble. They hit the mother lode in July 2005, when they got into the network at a Marshall’s department store and installed a “sniffer” on the computers of parent company TJX, which also owned the T.J. Maxx chain. All told, they sucked down as many as 45 million credit and debit card numbers, about twenty times what Shadowcrew members were accused of trafficking. TJX racked up more than $100 million in expenses to settle litigation and belatedly improve its security. In terms of the hundreds of breaches publicly reported since ChoicePoint, “T.J. Maxx is kind of the grand-daddy of them all,” said an executive of a top encryption firm.