This particular tale has a peculiar cast of characters: Zeus, Rescator, and the Carbanak Gang. You may have heard of some of them because they have been behind the Target breach and many others over the past few years, according to cybersecurity expert Mark Lanterman.
All the high-profile cases, Lanterman said, were accomplished using malware written by one hacker based in Russia, who goes by the name Rescator. He is not some kid, Lanterman added, but a “for-profit professional.” Rescator’s accomplices are known collectively as the Carbanak Gang.
Lanterman spoke at Deluxe Corporation’s Exchange 2017 conference earlier this year on the subject of the “dark web.” This article is based on his presentation and a follow-up interview. Lanterman came out of law enforcement and was a supervisor in the U.S. Secret Service for its electronic crimes task force. Now at Computer Forensic Services, where he is chief technology officer, he and his colleagues work with banks and corporations on cyber responses and giving expert testimony.
Lanterman said that like any other for-profit operation, the Carbanak Gang has a business model. He described it as like that of a farmer: “Farmers plant crops. Hackers plant malware,” a form of computer virus. The hackers’ crop grows as it begins to collect data—primarily stolen credit card data in the case of this gang. The harvest is passed on to Rescator, who has created “the Amazon.com for stolen card data,” as Lanterman described it. He said the U.S. Department of Justice estimates that Rescator represents over 85% of the dark-web sales of stolen credit card numbers. (More about the dark web in a moment.)
“Hackers send card numbers to him, and he sells the data for them,” Lanterman explained. “He takes a 40% cut.” Rescator also sells hackers the malware to do this, Lanterman pointed out, and everything is done in Bitcoin. He can do this, said Lanterman, because he owns the market, and he is in Russia, beyond the reach of U.S. law enforcement.
A live visit to the dark web
The dark web, or dark net, is a part of the internet not indexed by Google, according to Lanterman, so you won’t just stumble onto it. However, it is not difficult to find instructions on how to get to it. Lanterman confirmed that it is based on technology created by the U.S. Navy in the early years of the internet that somehow ended up in the hands of the public—and criminals. The dark web does have legitimate uses, he noted. One example is the means by which citizens of an abusive regime can communicate with the outside world. But mainly it is a “criminal flea market,” as Lanterman called it, where you can buy anything—drugs, guns, information, cards, identities, people. (Lanterman advised against casually looking for the dark web—“Bad idea!”)
In his presentation, Lanterman took the audience to Rescator’s storefront on the dark web—live. “This is where criminals come to spend their Bitcoin,” he said. “You get to choose which countries you’re interested in. Drop-down menus allow you to choose region, issuer, and type of card—a gold Visa, a corporate Mastercard, a platinum American Express card; stolen debit or credit cards,” Lanterman told a rapt audience. “And you get to choose cards based on the bank.”
There are more than 14,000 banks and credit unions listed, he said, ranging from Bank of America to very small community banks and credit unions. Criminals can select stolen credit cards based on city and state and billing address.
This is not just a big-city problem, according to Lanterman. He described how in one northern Minnesota town of 7,000 people, he found almost 2,000 stolen cards on the Rescator site. “It’s an every-town problem,” said Lanterman.
Unusual case, with lessons
The means for all this sophisticated criminal activity depend primarily on two things: malware, and the phishing and spoofing tricks that get people to download it.
In his presentation, Lanterman related a case of a nonprofit in Minnesota where two years ago, a bogus $1 million wire transfer was made to Romania. The nonprofit’s bookkeeper, who was responsible for wire transfers, was Romanian and was immediately suspected. But she said she didn’t steal the money.
His firm investigated the case. In brief, Lanterman related how the bookkeeper had logged in to the organization’s bank using an RSA security token, had checked the bank balances using a secure connection, and then took a break. When she came back, she admitted she was looking at wedding dresses online for a time.
“I checked the woman’s computer, and the traffic was consistent with her version of what happened,” said Lanterman. “And then I found Zeus [a type of malware]. Zeus is like a hacker’s Swiss Army Knife,” he said. “It does many things and has the attitude of a soldier: You tell it what to do, and it does not stop until it’s done. In this case, Zeus was a keystroke logger and took screenshots every 30 minutes.” It also did a third thing, said Lanterman, which he had never seen before. When the bookkeeper went to take a break, she closed the browser but did not log off from the secure connection to the bank. “Zeus detected an open, SSL-encrypted data connection,” he said, “and it kept that open without the user’s knowledge, notified the hacker [that installed it], and then the hacker took control of that data connection.”
“That’s supposed to be impossible,” Lanterman thought at the time. He called the feds right away. Ultimately, he said, U.S. law enforcement contacted its counterpart in Romania. The fraud turned out to be engineered by a Ukrainian Army general, who was arrested.
What to do in a risky world
There are risks in almost everything in life and always have been, Lanterman said. What people and organizations have to do is try to mitigate and manage the risks.
With cybersecurity in particular, “It’s important we all take responsibility for it,” Lanterman stressed. No software can prevent all fraud. He is not a big believer in antivirus software, which, at best, detects known viruses but won’t detect a virus that is “polymorphic”—that is, constantly changing. Zeus is polymorphic, he said, which is why it is still state of the art even though it has been around for years. “Zeus changes about every 48 hours,” said Lanterman.
It’s a dangerous world. In the accompanying sidebar, Lanterman offers suggestions for both individuals and institutions to help manage cyber risk.
A few simple steps to avoid cyber fraud
• Most malware is disseminated by email. In the nonprofit case cited in the main article, cybersecurity expert Mark Lanterman said the bookkeeper had received a bogus email from what was purported to be the FDIC. The email’s message was clever: “Be on the lookout for fraudulent cashiers’ checks being cashed in your area. Other organizations like yours have been victimized. These are very difficult to identify. If you want to see what they look like, click here.” The bookkeeper clicked, and Zeus malware was downloaded.
Even though it’s been said over and over, the lesson here is clear: Be very careful about clicking on a link in an email. Typos are one clue that a message is bogus.
• Don’t be so “honest.” On a personal level, Lanterman suggested that whenever you’re asked for personal information by a vendor or even a doctor online, consider using fake answers that only you know.
• Always log out of any secure link, such as an online banking session. Don’t just close the browser.
• If possible, use an Apple computer. “I used to make fun of Apple computers,” said Lanterman. “Then I analyzed one, and our entire office is now on Apples because 99% of the malware out there will not run on them.”
• Read the book. Whenever starting to use new technology—whether a new smart router in your home or, for a bank, issuing chip and PIN cards—understand the technology. “Read the manual.”