2015-11-14
(Repeating story first sent on Friday to additional
subscribers)
By Jim Finkle and Joseph Menn
NEW YORK/SAN FRANCISCO, Nov 13 - When U.S.
prosecutors this week charged two Israelis and an American
fugitive with raking in hundreds of millions of dollars in one
of the largest and most complex cases of cyber fraud ever
exposed, they also provided an unusual look into the burgeoning
industry of criminal hackers for hire.
The trio, who are accused of orchestrating massive computer
breaches at JPMorgan Chase & Co and other financial
firms, as well as a series of other major offences, did little
if any hacking themselves, the federal indictments and a
previous civil case brought by the U.S. Securities and Exchange
Commission indicate.
Rather, they constructed a criminal conglomerate with
activities ranging from pump-and-dump stock fraud to Internet
casino break-ins and unlicensed Bitcoin trading. And just like
many legitimate corporations, they outsourced much of their
technology needs.
"They clearly had to recruit co-conspirators and have that
type of hacker-for-hire," said Austin Berglas, former assistant
special agent in charge of the FBI's New York cyber division,
who worked the JPMorgan case before he left the agency in May.
"This is the first case where it's that clear of a connection."
Berglas, who now heads cyber investigations for private firm
K2 Intelligence, said additional major cases of freelance
hacking will come to light, especially as more people become
familiar with online tools such as Tor that seek to conceal a
user's identity and location.
RENTED TIME
This week's indictments accused a hacker referred to as
"co-conspirator 1" of installing malicious software on the
servers of multiple victims at the direction of Gery Shalon, the
alleged mastermind of the scheme now under arrest in Israel. A
second indictment charges a man referred to as John Doe,
believed to be in Russia, for an attack on online trading firm
E*Trade.
Officials have not said if the co-conspirator and John Doe
were the same person, or even if the FBI knows their true
identities.
Law enforcement and computer security officials say that
outsourced cyber-crime services - including rented time on
networks of previously compromised personal computers and custom
break-ins - are most readily found on underground
Russian-language computer forums, where skilled attackers
advertise their services.
The forums are tight-knit communities where newbies must be
vouched for by multiple known members and pay membership fees
that cost thousands of dollars, said Daniel Cohen, who oversees
an undercover team at EMC Corp's RSA Security that
monitors the forums.
"You can find anything you want for an operation. Hackers,
servers, software, code writing. They are all available," said
Cohen. Individuals hide their identities even from each other,
making infiltration and arrests rare.
In this case, the ringleaders are accused of hiring hackers
to steal contact information and other data that they then used
to help convince ordinary investors to buy little-regulated
stocks. Prosecutors have not disclosed how the hackers were
compensated.
Fees vary greatly in the cyber underground, depending on the
complexity of the assignment and supply of talent available to
do a particular job. Elite hackers who pull off the most
technically challenging attacks might get a percentage of
profits, while others might earn an hourly rate or get paid a
few thousand dollars for winning access to a target's network,
researchers said.
PUMP-AND-DUMP
All three of those accused this week - Shalon, Joshua Samuel
Aaron, who is at large, and Ziv Orenstein, who is also in jail
in Israel - began promoting penny stocks before the hacks took
place, according to U.S. government claims.
They used websites including Pennystockdiscoveries.com and
Stockcastle.com to send emails as part of a scheme in which they
invested in penny stocks, spread false information to boost
their prices, and then sold them to make windfall profits,
according to an SEC suit filed in July.
Orenstein's lawyer declined to comment, and Shalon's lawyer
did not return messages seeking comment.
In one case in early 2012, the SEC claims that they used the
website Stockcastle.com to promote shares in Mustang Alliances
Inc, reaping $2.2 million, the largest pump-and-dump cited in
the regulator's lawsuit. In March of that year, the British
Virgin Islands Financial Services Commission issued an alert
warning that two entities tied to Stockcastle were falsely
claiming to be registered in the territory.
That same year, the enterprise began a massive hacking spree
to get contact information for investors who might be good
targets, according to prosecutors. By the end of 2013 they had
ordered up six hacks that provided data on tens of millions of
customers, prosecutors said.
They hit the mother lode in 2014 when they attacked three
other firms, and stole data on 83 million customers from
JPMorgan alone, prosecutors said.
In addition to JPMorgan and E*Trade, the firms attacked
included the mutual fund giant Fidelity Investments, Scottrade,
TD Ameritrade Holding Corp and News Corp's Dow
Jones unit, the publisher of the Wall Street Journal, according
to court documents and people familiar with the cases.
"To do a 'pump-and-dump' operation, you no longer need 30
people behind phones in a strip mall," said Shane Shook, a
security consultant specializing in investigating financial
breaches. All you need is to find a hacker on a "Dark Web" forum
to provide addresses from customers of financial services firms
like Fidelity or JPMorgan, then hire a spam service to push out
promotional emails, he said.
Shalon bragged about the stock manipulation scheme, telling
the hacker known as co-conspirator 1 in a web chat message that
it was "a small step towards a large empire," according to the
indictment.
His plan, Shalon told the hacker, was to distribute
"mailers" on stocks to those customers. The hacker asked if
buying stocks was popular in America, the indictment said,
prompting Shalon to reply: "It's like drinking freaking vodka in
Russia."
Shalon ultimately made good on his promise to build an
empire, according to the indictments. Profits from the
pump-and-dump fed into a sprawling conglomerate including
offshore Internet casinos and payment-processing services for
other criminal operators, such as counterfeit pharmaceutical
makers. Shalon also allegedly directed hackers to attack rival
casinos, stealing customer data and temporarily bringing down
their websites with denial-of-service attacks, which are easily
commissioned online.
BUTTERFLY AND HIDDEN LYNX
While this week's indictments opened the first major
criminal case involving outsourced hacking, there have been
other substantial break-ins that researchers believe were
contract jobs.
Researchers at Symantec in July attributed a series of
precision breaches at Apple, Facebook, Microsoft and Twitter in
2012 and 2013 to a sophisticated gang called Butterfly, which
also attacked law firms and pharmaceutical companies.
Computer security firm Symantec concluded that the group
likely works for hire, either for a client looking for financial
gain in the stock market or for competitors. How Butterfly gets
hired remains unclear.
Tech criminologist Marc Goodman, author of the book "Future
Crimes", says another group, dubbed Hidden Lynx by Symantec, may
consist of contractors moonlighting from jobs with the Chinese
military.
"It's crime as a service," Goodman said. "They take all the
pain out of it."
(Reporting by Joseph Menn in San Francisco and Jim Finkle and
Nate Raymond in New York; Additional reporting from Maayan
Lubell in Jerusalem; Editing by Jonathan Weber and Martin
Howell.)