Identity Thieves Organize
Recent investigations of online identity-theft rings show a disturbing pattern emerging, law-enforcement officials say. Large groups of criminals are banding together to steal financial data from individuals, and then trade or sell that data on underground Internet sites.
One such case involves Shadowcrew, an online marketplace for stolen credit-card and debit-card information that U.S. agents shut down. The Web site, with some 4,000 members, served as the backbone of an extensive criminal organization that traded at least 1.5 million stolen credit-card numbers and caused total losses in excess of $4 million, according to an indictment returned by a federal grand jury in Newark, N.J., in October.
The indictment names 19 individuals for their roles in running what the Department of Justice calls one of the largest online centers for trafficking stolen identity information, documents and banking details.
INTERNET INSECURITY
See how members of Shadowcrew allegedly operated a secret Web site that traded stolen credit and debit card information.
As public concern mounts about identity theft, police busts in the U.S., Europe and Latin America are shedding light on the increasing sophistication of the criminals behind such schemes. They are finding well-run, hierarchical organizations where members coordinate efforts via the Internet, often using aliases.
Once stolen, the information is advertised and sold on Web sites and Internet chat rooms specializing in the trafficking of such valuable data.
"They are run like businesses," says Larry Johnson, special agent in charge of the Secret Service's criminal investigative division, who helped coordinate the Shadowcrew investigation. Identity theft long predates the Web, but Mr. Johnson says the Internet helps large groups communicate much more efficiently and extend their geographical reach.
The rings often are international, including Shadowcrew, which had key members in several countries.
Identity theft cost consumers and their banks and credit-card companies about $11.7 billion in losses for the 12 months through April 2004, estimates Gartner Inc., a Stamford, Conn., technology research firm. Gartner says it is difficult to know how much of that is attributable to crimes committed online rather than offline -- such as from stolen purses or wallets. But banks and law enforcement say that online identity theft is growing rapidly.
One widespread scam is known as phishing, which uses e-mails designed to look as if they are from a legitimate bank or retailer to trick consumers into entering credit card, banking or other sensitive information at fake Web sites. In a new twist, dubbed pharming, hackers manipulate the settings on a computer so the user will be redirected to a counterfeit Web site when attempting to visit a legitimate Web site for service.
Major banks have been frequent targets of such attacks. A recent legitimate-looking e-mail to customers of HSBC Holdings PLC warned recipients that there had been several failed attempts to log onto their online accounts. The e-mail, bearing the HSBC logo, asked recipients to re-confirm their account information. It pointed customers to a Web site link beginning with the bank's real address,
www.hsbc.com, and warned that those who ignored the request would have their account suspended.
HSBC confirms the e-mail was fake but says it doesn't know how much money the scam may have swindled from customers. Customers who report that their accounts are missing money often don't know how their account numbers and passwords were stolen.
A large Brazilian gang allegedly swindled roughly $66 million from online-banking customers using a computer virus attached to an e-mail that appeared to be from legitimate banks, says Paulo Quintiliano, head of the Brazilian federal police's cyber-crime division.
People who clicked on the link in the e-mail downloaded the virus onto their computers, which then stored the customer's bank details when they accessed their accounts online at legitimate banking sites. The computer code then sent the swiped account information and passwords to the hackers.
The gang then used the banking information to transfer money out of accounts, create fake bank cards and even set up shell companies through which they channeled the money, says Mr. Quintiliano.
Brazilian federal police have arrested and charged more than 100 members of the gang over the past 18 months, and a trial is under way.
The market for trading stolen information has grown more sophisticated in the past year, too, security experts say.
Originally, large volumes of credit-card or bank-account information were sold indiscriminately in bulk, says John Watters, chief executive of iDefense Inc., a Reston, Va., information-security consultant that monitors Web sites which market stolen data. Now, criminals are charging more if a card has a high credit limit or if valuable additional personal information -- such as a billing address and maiden name -- are included with the account number and PIN.
And information on overseas bank accounts is now commanding higher prices than data on accounts in the U.S., where security measures are perceived to be stiffer, adds Mr. Watters. An account number and PIN for a British bank account holding the equivalent of about $3,000 can sell for $200, which is double what a similar U.S. account fetches, he says. "It's the Nasdaq of the underground economy."
The operations often are international in scope. Police in the U.K. are pursuing an Eastern European gang that they believe stole millions of pounds from customers of British banks through fake e-mails, or phishing.
As part of that probe, the U.K.'s National Hi-Tech Crime Unit last June arrested two men, an American and a Scotsman, in the U.K. in connection with their alleged role as moderators of a Web site where stolen account and password information was traded. Police charged the men with conspiracy to defraud and money laundering.
The Shadowcrew Web-site case in New Jersey illustrates how criminal groups profit from stolen data. The indictment alleges that Shadowcrew members traded stolen personal data on a Web site called
www.shadowcrew.com. Using online nicknames such as "Dirty Harry" and "NotoriousCarder," they bought and sold credit- and debit-card information, counterfeit drivers' licenses, passports and Social Security cards, the indictment alleges.
Among the leaders of the operation was 23-year-old Andrew Mantovani, of Scottsdale, Ariz., who along with other "administrators" directed the organization and handled day-to-day management decisions, the indictment alleges. "Reviewers" tested illicit merchandise before it could be sold. The information then was advertised and sold on shadowcrew.com, a password-protected site that was overseen by various "moderators."
According to the indictment, the organization reprimanded members who broke the rules. On one occasion, an administrator punished a member nicknamed "CCSupplier" for failing to pay other members, the indictment says. The penalty: The group posted CCSupplier's real name, address and phone numbers on the site.
What makes Shadowcrew noteworthy is "the level of sophistication and the level of organization of this online community," says assistant U.S. attorney Kevin O'Dowd in Newark.
The 62-count indictment carries five charges against Mr. Mantovani, including conspiracy, trafficking in stolen credit-card numbers and unlawful transfer of other personal information. Mr. Mantovani pleaded not guilty at his arraignment in February, according to his attorney, Pasquale Giannetta.
If convicted, Mr. Mantovani potentially faces more than 20 years in prison. A trial is scheduled for October.
The investigation also led to two other organizations -- called Carderplanet and Darkprofits -- that the Secret Service alleges operated similar Web sites to traffic in counterfeit credit cards and stolen personal data.
Authorities shut down those sites, but security experts expect the people behind them will just move their operations. "It's a cat and mouse game," says the Secret Service's Mr. Johnson.
犯罪团伙网上联手盗取个人资料
执法官员称,最近对网上身份盗用团伙的调查显示,一种令人不安的模式正在出现。大型犯罪团伙正在联手盗取个人的财务数据,然后在非法互联网网站上交易或出售这些数据。
其中一个案件涉及Shadowcrew,这是一个出售被盗信用卡和借记卡信息的网上市场,目前已经被美国联邦特工关闭。根据去年10月份新泽西州纽瓦克的一个联邦大陪审团提出的一项指控,这个网站拥有4,000个会员,是一个范围很广的犯罪组织的核心,该组织至少交易了150万个被盗信用卡帐号,造成了总计超过400万美元的损失。
美国司法部(Department of Justice)称Shadowcrew是非法交易被盗身份信息、文件和银行资料的大型网上中心之一,陪审团对19名经营这个网上市场的个人提出了指控。
公众越来越担忧身份盗用的问题,而美国、欧洲和拉丁美洲的警方也发现,策划此类阴谋的罪犯团伙的复杂程度越来越高。他们发现这是一些运作良好、等级分明的组织,其成员通常使用化名通过互联网协调行动。
一旦被盗,有关信息将被制作成广告,并在专门交易此类重要数据的非法网站上和互联网聊天室里出售。
“他们就像一般的企业那样经营”,负责特务处刑事调查部门的特工拉里?约翰逊(Larry Johnson)说。约翰逊曾帮助协调Shadowcrew一案的调查。身份盗用在互联网出现之前早就存在,但约翰逊表示,互联网帮助大规模犯罪团伙更加有效地沟通信息,并扩大他们犯罪的地域范围。
这些犯罪集团通常是国际性的,包括Shadowcrew,其主要成员分布在几个国家。
根据科技研究公司Gartner Inc.的估计,截至2004年4月的12个月,身份盗用给消费者及其银行和信用卡公司带来的损失约为117亿美元。Gartner称,很难知道其中有多少损失是因为线上犯罪而非线下犯罪--如钱包被偷造成的。但银行和执法部门称,网上身份盗用的情况正在迅速增长。
一个常用的伎俩是网路钓鱼术(phishing),利用看起来是来自一家合法银行或零售商的电子邮件来哄骗消费者在假冒网站上输入信用卡、银行或其他敏感信息。现在又出现一种被称为电脑入侵术(pharming)的新花招,黑客会操纵一台电脑的设置,因此用户在访问合法网站的时候将被直接导向假冒网站。
大型银行一直是此类攻击的主要目标。最近,汇丰控股(HSBC Holdings PLC)的客户常常会收到一封看起来是来自合法网站的电子邮件,警告他们登录其网上帐户的努力已经出现数次失败。这封带著汇丰标识的电子邮件要求收件人重新确认他们的帐户信息。它将客户导向一个以汇丰真实网址
www.hsbc.com开头的网站链接,并对那些不理会这种要求的客户发出警告,称他们的帐户服务将被暂停。
汇丰证实,这封电子邮件是伪造的,但表示银行并不清楚这一骗局从客户那里骗取了多少钱财。那些报告其帐户资金出现流失的客户通常都不知道其帐号和密码是如何被窃取的。
巴西联邦警方互联网犯罪部门的负责人保罗?昆蒂利亚诺(Paulo Quintiliano)称,巴西一个大型犯罪团伙涉嫌从网上银行客户那里骗取了大约6,600万美元,他们的手法是在看似来自合法银行的电子邮件中附加电脑病毒。
那些点击电子邮件中网站链接的客户会同时把电脑病毒下载到他们的电脑中,然后在他们进入合法银行网址的网上帐户时,病毒就会把客户的银行资料存储下来,之后再将被盗帐户信息和密码传送给黑客。
昆蒂利亚诺称,这个犯罪团伙然后利用银行资料将资金转出帐户,制造伪造银行卡,甚至成立空壳公司,用来转移资金。
过去18个月以来,巴西联邦警方已经逮捕了这个犯罪团伙中的100名成员,并对他们提起了诉讼,审判正在进行当中。
安全专家称,交易被盗信息的市场也在过去一年中变得更加复杂化了。
信息安全咨询公司iDefense Inc.的首席执行长约翰?沃特斯(John Watters)称,起初,大量信用卡和银行帐户信息都是不加区别地进行批量出售。而今,犯罪集团对那些信用等级较高、或除了银行帐号和PIN外,包含额外重要个人信息--如地址和娘家姓等--的信用卡会索要更高的价钱。iDefense的主要业务是监控那些非法交易被盗资料的网站。
此外,沃特斯称,海外银行帐户的信息要比美国帐户的资料值钱,因为海外的安全措施被认为要更加严格。一个存款约为3,000英镑的英国银行帐户的帐号和PIN的售价为200美元,较同等美国帐户高出一倍。“这是地下经济的那斯达克市场”,他说。
这些犯罪集团的业务范围通常是国际性的。英国警方目前正在抓捕一个东欧犯罪团伙,他们涉嫌通过伪造电子邮件、也就是网络钓鱼术从英国银行的客户那里骗取数百万英镑。
作为上述调查的一部分,英国的国家高新技术犯罪研究专案组(National Hi-Tech Crime Unit)于去年6月份在英国逮捕了一名美国人和一名苏格兰人,他们涉嫌充当一个被盗帐户和密码信息交易网站的版主。警方指控两人合谋进行诈骗和洗钱。
新泽西州的Shadowcrew网站一案说明了犯罪集团如何从被盗资料中获利的手法。指控称,Shadowcrew的会员在一个名为
www.shadowcrew.com的网站上交易被盗个人资料。通过诸如Dirty Harry和NotoriousCarder这样的网名,他们买卖信用卡和借记卡资料,伪造驾驶执照、护照和社会安全卡。
这个犯罪组织的头目中包括23年岁的安德鲁?曼托瓦尼(Andrew Mantovani),以及其他指导组织并进行日常管理决定的“管理员”。“审查员”负责在非法商品出售前进行测试。然后有关信息将被制作成广告,并在shadowcrew.com上出售。该网站有密码保护,由多个“版主”监督。
根据指控,该组织会对违反规定的成员进行严厉谴责。有一次,一位管理员对一位化名为'CCSupplier'的成员未能向其他成员付款的行为进行了惩罚,具体措施是:该集团将CCSupplier的真实姓名、地址和电话刊登在网站上。
纽瓦克的美国助理联邦检察官凯文?奥多德(Kevin O'Dowd)称,Shadowcrew一案之所以引人注目,是因为这个网上犯罪集团相当复杂,而且组织严明。
总共62项指控中包括针对曼托瓦尼的5项指控,包括共谋、非法交易被盗信用卡帐号和非法传递他人资料。曼托瓦尼的律师帕斯夸莱?谵内塔(Pasquale Giannetta)表示,曼托瓦尼在2月份的传讯中未认罪。
如果被定罪,曼托瓦尼可能面临20年以上的牢狱之灾。审判定于10月份举行。
此次调查还连带出另外两个组织--Carderplanet和Darkprofits,特务处指控它们运营相似的网站,非法交易假冒信用卡和被盗个人数据。
当局关闭了这些网站,但安全专家预计它们背后的组织还会转移业务。“这就是猫捉老鼠的游戏,”特务处的约翰逊这样说。
