Confessions of a mob CIO

The facts and the scams are real. The CIO? Not so much. Yet, this is how organised crime uses technology to make lots of money.

People call me a lot of things, but nobody would ever call me a CIO. Yet after reading CIO magazine a little bit, I guess that’s basically what I am. Maybe I’m a little younger than you, a little more techie. I know my routers and code. Yeah, I deal with the same stuff you do. Same headaches. I’m constantly fixing stuff and trying to do whatever helps the bosses grow the business, as you call it.

Bosses. I mean, bosses are the worst, right?

We’re in a real boom right now. Credit cards. Gambling. You heard about that stock deal? The one using that new kind of spam? Image spam, that’s it. This is an old-fashioned pump-and-dump scam but with a cool techno twist.

This wasn’t mine, but I know a guy who knows the guy who set it up. Here’s how he worked it.

First, he rented a botnet. That was for email distribution. He pays, I don’t know, say US$50Gs for a month, turns around and promises the bot-herder a taste in exchange for that month’s usage and some guaranteed uptime. You know, he says, deliver me 10 million email messages and I’ll guarantee you some back-end cash.

So the bot-herder knows a kid who wrote this absolutely killer image spam application that creates the email messages. Pays him a flat fee. I mean, the kid could’ve asked for much more, but a lot of these programmers are pretty young and dumb. You wave some cash and they think, “Flat-screen TV!” Anyway, he tells the kid to make the program create advertisements for pink-slip stocks, those unlisted ones that trade for pennies. It all gets done in like 15 minutes after they get some of the basic wording down.

So then this guy sets up offshore accounts online (in Brazil, I think) to collect the investments. His guys all buy something like 10,000 shares at 30 cents per share. Then the botnet goes to work. Starts mass mailing the ads for the stocks. And the beautiful part is those little messages get by all the spam filters because the filters are looking for text, but with the image spam all the filters see is a million different images, each one unique, even though they all say the same thing: Buy this stock. Genius. Finally, enough people invest to drive up the price. Eighty cents a share. A buck. Two. Eventually, our guys sell, make a nice chunk of change, the stock tanks and the suckers who got in on the email tip lose their shirts. Like I said, a classic pump-and-dump, but back in the day it was a lot harder to do. It required a lot of legwork, relationships with reporters and brokers. Compared to that, this is, like, nothing.

I know what you’re thinking: Who believes an anonymous email that says such-and-such company you’ve never heard of is at 25 cents a share now but is heading to five bucks? Hey, I don’t know, but you send out 10 million messages, you get 1000 to invest, that’s only, what? A hundredth of a per cent? I’d say the sucker population is a lot bigger than that.

It was a great little business. One of those stocks hit six bucks! But then the Feds sniffed it out and suspended trading on those penny stocks in March. Maybe when things cool off it’ll pick up again. By that time, the spam filters will probably have adjusted and we’ll have to go back to the programmers for their latest bots.

The big money is in credentials.

Look, the world runs on credit and what you need to secure credit are personal credentials. That’s what everyone is after right now. And that’s where a lot of our investments are: Credentials for lines of credit.

That TJX thing last January? It wasn’t me. But let’s say I had a few beers with someone who might have worked on that job. It sounds like the heist of the century, right? What, 40 million personal records? But really it’s pretty basic stuff. If you want to get into the credentials market, you do three things: One, get inside access to someone who stores lots of personal data. Retail is great for that. Think about how many cards are swiped every second at those places. Two, invest in anti-forensics, because once you’re in, you want to stay invisible until you’re done. Three, after you got the credentials, behave. I’ll explain that one in a minute.

The papers say the ‘wiseguys’ got into TJX and got employee IDs by intercepting wireless data flowing between cash registers, hand-held price-checking devices and such. Maybe? But this is how I’d do it. Inside access. That’s easy. You spread some USB keys around. People see them and go, ‘Cool, free dongle!’ Only when they plug them in, a little program installs some bots or keyloggers onto their machine. From there, you root around until you get deeper into the network. (There are other ways too. Dumpster diving for paper records and credit card statements or paying off the custodial staff. This stuff is as old as time; computers just make it easier.)

After gaining access, it’s time to invest in anti-forensics. Look, I don’t care if they can see what I did as long as they can’t see it was me that did it. We have this saying here about anti-forensics: Make it hard for them to find you and impossible for them to prove they found you. We’ve got a whole bunch of software that allows us to cover our tracks and keep us basically invisible while we’re inside someone’s system. What’s great is a lot of anti-forensic tools are free. They’re all over the internet. We buy others, like encryption programs and data wipers like Evidence Eliminator. This guy I had beers with says a few guys are even experimenting with ways to make other guys look guilty. You know, set someone up, send the cops down the wrong path.

At that point, you install a little program that collects the credentials. Sometimes we use ’em; most of the time we sell ’em. We’ve been working on a subscription service. You pay for access to credentials for a certain period of time. We can get $1000 a month or more for a subscription pretty easy. That adds up.

But what we’ve run into — a big problem — is that lots of guys get their hands on this information and just start buying stupid stuff. They have no discipline.

Look at TJX. Those guys got busted for using the credentials they lifted to buy gift cards for, what, like $20Gs or something? I mean, you buy a $20,000 gift card, someone’s going to notice. So don’t do Visa’s job for them. All it takes is one jerk who gets some credit and buys a Bentley to take down an entire business. Find guys who can wait to use the credentials and then, when they do, use them in a way that looks normal.

Other people gamble; we don’t

Right now, we’re setting up a service out of Costa Rica. It’s a — how do I put it? — it’s a high-risk, high-return investment service for sports fans. So how do I set up something like that? Like any project, with a lot of legwork. I’ve got to get my guy in Costa Rica to set up the back-end servers. Costa Rica’s great because everything’s available right in one building. I call my guy and say, “I need some stuff.” He just walks down the hall to the ISP, gets servers and backups and then goes upstairs to the Web developers. It’s out-of-the-box, like calling up IBM Global Services or something. There’s even a little online payment service outfit down there. We like it better than the big ones up here because those guys, they’re better with international currency and security.

After we get all that going, we’ve got to do all the testing. I’m telling you, it’s really not much different than those e-commerce projects I read about in CIO. We do the same due diligence; same troubleshooting too. Same thing with bosses yelling, “You got that site up yet? Super Bowl’s in a few weeks. Site’s gotta be up for that!”

They ask for some ROI up-front, by the way. It’s a little more informal than the way most of CIO’s readers do it. They’ll ask, “Ballpark, what do we gotta spend?” I give them a number. They say, “What can we clear in an average month?” I give them another number. I’m not making these up either. I ask around. I mean, that’s cost-benefit analysis right there, right?

Anyway, once that site’s up and running it’ll be a nice little business… for the overseas market, of course.

I invest in top-notch security because, believe me, gaming sites are constantly dealing with extortion. Criminals! Not a day goes by when a site doesn’t have some Russian hacker launching a DDoS attack, asking for cash to call it off. We encrypt everything and we’ve got pretty severe authentication for access. We don’t outsource or contract the security. We keep it in-house. I pay my security guy well. I’d say about 25 to 30 per cent above what you’d pay. Met him at the Black Hat conference in Vegas a couple of years ago. I liked him right away because he wasn’t presenting or bragging about what a hotshot he was. He was in the back, taking notes, trying to learn. Quiet. I knew right away he’d fit in.

I’ve also tasked him (that’s how you say it, right?) with internal security. Basically, his job is chief privacy officer for a bunch of guys who really value privacy. All this technology — phones, the internet — it’s all great for making money, but the problem is, everything gets logged. My security guy has written and used lots of anti-forensic tools to erase those logs, so I’m comfortable telling my boss we have better privacy than the big banks. My security guy knows how to disable the GPS in our cellphones. He’s building some routing programs, sort of like that Onion Router project that, like it says on their website, “prevents the transport medium from knowing who is communicating with whom”. So anything we send over the internet is scrambled through different routes and hops all over the world, completely anonymous and untraceable. And everything, I mean everything, is encrypted. Say someone stole the servers we keep here at the home office. My guy designed it so really only two people can access the data: Me and him. We have the private keys and no one else does. Not even the boss.

Actually, there is one way you and I are different. I read all those stories in CIO about how hard you have to work to align technology with the business’s goals. That’s one problem I don’t have. My bosses don’t let me spend a dime on anything that’s not going to make them money. Why should they? And I wouldn’t even think about investing in a huge project that might fail to live up to expectations. I don’t get play money to buy technology that doesn’t work. I don’t have vendors paying the freight to conferences at swank resorts to convince me to invest in something that’s half-developed and over-hyped. I never use jargon. I spend zero time doing PowerPoints.

Speculation? That’s not part of our business model. So maybe I don’t get the newest gadgets all the time but, hey, I am aligned. With the business. With the bosses. There’s really no other choice, you know?

Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
