
Reporting From the Web’s Underbelly - hunterwalk
http://www.nytimes.com/2014/02/17/technology/reporting-from-the-webs-underbelly.html?hpw&rref=technology&_r=0
======
nikcub
> The source said that he had bought a large batch of stolen cards from an
> underground site and that they all appeared to have been used at Target.

Interesting sidenote in the Target hack. First, something that you might not
know: not one of these breaches (that is Target, Neiman Marcus, Michaels,
etc.) was discovered by the actual affected companies - they were all
discovered by bank and security officials in the underground markets.

Bank and infosec people worked out a while ago that rather than wait for
breaches to be discovered, it'd be best to set yourself up on the underground
markets in the guise of a purchaser - buy up cards, correlate purchase history
and work out who has been hacked. It is this type of reconstruction that led
back to Target, Neiman Marcus, et al.

Target was discovered not too long after the hackers had ramped up their
sniffing, and with the response from banks and computers it meant the overall
'score' wasn't that great. A hack that should have provided enough dumps for
the entire underground for more than a year ended up lasting weeks.

So score one for the good guys.

The problem now is that the black hat groups have wised up to this. A few
things are happening.

First, there has been a bit of a purge of users in the forums. It is harder
than ever to get into the private forums.

Second, cards are now being 'laundered'. You take dumps from different sources
and combine them together, to the point where it would be difficult to find
out where the cards were stolen from. Being from a particular source used to
be a selling point for the traders, but now they are blurring a lot of that
info out and combining different dumps and then slicing them for sale in other
ways (usually IBAN, State and Expiry).

The public 'auto sites' that sold these dumps have all been taken down, after
getting a lot of attention over the Target attack. Many complete novices
sought out the underground sites after the Target breach reporting in the
mainstream media, flooding the forums with newbie questions and requests in a
mini eternal september.

It is possible that with the underground adapting in this way and the state of
security still being so poor that we won't even find out about the next big
breaches.
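
Added example (not part of nikcub's comment or the article): a minimal common-point-of-purchase correlation of the kind described above, run on constructed card histories, first for a single-source batch and then for a batch mixed from two sources. Merchant names, baseline shares and the 0.8 threshold are assumptions made for illustration.

```python
from collections import Counter

def common_point_of_purchase(histories, baseline_share, min_share=0.8):
    """Rank merchants by how many of the sampled cards shopped there.

    histories: {card_id: set of merchants seen in the lookback window}
    baseline_share: {merchant: fraction of a normal card portfolio that shops there}
    Returns [(merchant, share, lift)] for merchants at or above min_share,
    sorted by lift over the baseline, highest first.
    """
    n = len(histories)
    counts = Counter(m for merchants in histories.values() for m in set(merchants))
    ranked = []
    for merchant, seen in counts.items():
        share = seen / n
        if share >= min_share:
            # Unknown merchants get a conservative baseline of one card in n.
            lift = share / baseline_share.get(merchant, 1.0 / n)
            ranked.append((merchant, round(share, 2), round(lift, 1)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)

# Constructed sample data: hypothetical merchants and card histories.
BASELINE = {"RetailerA": 0.10, "RetailerE": 0.10, "GroceryB": 0.70,
            "FuelC": 0.40, "CoffeeD": 0.30}

SINGLE_SOURCE_BATCH = {
    "card1": {"RetailerA", "GroceryB", "FuelC"},
    "card2": {"RetailerA", "GroceryB"},
    "card3": {"RetailerA", "GroceryB", "CoffeeD"},
    "card4": {"RetailerA", "GroceryB", "FuelC"},
    "card5": {"RetailerA", "GroceryB", "CoffeeD"},
    "card6": {"RetailerA", "FuelC"},
}

# Half the cards come from one breach, half from another: no merchant dominates.
MIXED_BATCH = {
    "m1": {"RetailerA", "GroceryB"},
    "m2": {"RetailerA", "FuelC"},
    "m3": {"RetailerA", "CoffeeD"},
    "m4": {"RetailerE", "GroceryB"},
    "m5": {"RetailerE", "FuelC"},
    "m6": {"RetailerE", "CoffeeD"},
}

if __name__ == "__main__":
    print("single source:", common_point_of_purchase(SINGLE_SOURCE_BATCH, BASELINE))
    print("mixed batch:  ", common_point_of_purchase(MIXED_BATCH, BASELINE))
```

The grocery chain also clears the share threshold in the first batch, but its lift stays near 1 because most cards shop there anyway; lift over baseline is what separates the breached merchant from merely popular ones.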

~~~
naterator
Is there a bright side to this, though? Doesn't this mean that the barrier to
entry will increase for this kind of crime, and thus a smaller group of
criminals will be able to perform it? Maybe that's small consolation,
considering that only a handful need to do it to cause widespread havoc.
Still. I hope this isn't _all_ bad.

~~~
nikcub
You can now buy credit cards on some of the new underground markets that are
replacing Silk Road.

Find the type of card you want, select how many you want ($5-20 each) and go
through the checkout process, just like shopping on Amazon.

What happened is that there is now another tier of distribution - the bulk guys
aren't selling directly to the public any more but there are people buying
from them who _are_, and they are making it easy.

The bright side is that with chip+pin the horizon for dumps is short, but that
leaves CVVs (card not present carding, used in online fraud).

~~~
jnbiche
Although I almost don't want to know the answer here, how are people usually
paying for these cards? Is it Bitcoin?

I know Liberty Reserve was alleged to be popular among carders before. So has
it all shifted to Bitcoin now that Liberty Reserve has been shut down?

~~~
nikcub
It is bitcoin almost everywhere in the underground now. It used to be "accept
LR, WM, UK" (meaning liberty reserve, web money, ukash, etc.) on vendor forum
posts but now the payment method isn't even mentioned since it is assumed to
be bitcoin.

~~~
jnbiche
Thank you -- I was afraid of that.

------
meowface
The online crime world has a bitter hatred of Krebs, more so than any other
"white hat" out there probably. Numerous malware families include references
to him in their source code, control panels, and domain names.

As a security researcher I frequently find botnet command & control panels
that have a picture of Krebs' face above the login form. Domain names similar
to "briankrebsisachildmolestor.com" are sometimes used to host malware and
botnets.

Considering all that, plus the real-life harassment he's gotten (death
threats, the heroin framing attempt, SWATing), I hope he invests in a good
home security system. Or a security guard.

~~~
hyperion2010
One of the articles profiling him mentioned he recently upgraded to a 12-gauge
security system.

~~~
w1ntermute
You mean a 12 gauge shotgun?

~~~
JonnieCache
Somehow I don't think a 1 and a half metre long gun is that appropriate for
self-defence, if you're worried about people creeping up on you. Maybe I'm
wrong, but I can't see much in the way of a quick draw being possible. I guess
when you hear the front door being broken down you can be prepared with a
robust response.

Or perhaps he has a tiny train for making his getaway, Wallace and Gromit
style?

~~~
aaronem
True, a shotgun is not the sort of thing you'd carry for personal defense
outside your own property, but for home defense, a 12-gauge pump-action is as
good as anything, and better than most -- especially when, as mentioned in the
article, you have surveillance cameras at the approaches, so you can see any
unwanted guests coming with enough time to prepare for their arrival.

~~~
Consultant32452
The best type of firearm to have for personal defense is the one you have on
you, not in your gun safe. The 12-gauge is only beneficial if you're going to
carry it with you from room to room, keeping it at your side at all times.
The time between hearing someone kick in your door to being on you is just a
few seconds, there's no time to open a safe. So in this type of scenario the
12-gauge isn't bad, but I'd probably still prefer a pistol on an over the
waist band or shoulder holster. When you don't need to conceal it's not that
difficult to carry around a full sized pistol in any reasonable defense
caliber. It appears that this guy is toting his shotgun with him though, so I
guess there's that.

------
r0h1n
As an ex-journalist I'm really envious of Krebs' sources and understanding of
this space. I also _think_ his background as a journalist (reporting and
writing skills) might have allowed him to be far more effective than many
others in the space with comparable technical skills.

------
rkuykendall-com
Great article. Reminded me how amazing it is to explore a "world" online.
Often, a world you never knew existed.

------
Havoc
> called a SWAT team to his home just as his mother was arriving for dinner.

As far as pranks go that's actually pretty good. Better than 4chan's pizzas.

~~~
nieve
Given the current state of policing in the US swatting someone has a non-zero
chance of getting someone severely beaten, tasered, tear gassed, or just
shot. I don't know of any deaths, but there have been some really close calls
reported in the press and injury plus property damage. I don't think that
really qualifies as a good prank, more of a harassment/endangerment tactic.

~~~
sizzle
https://news.ycombinator.com/item?id=5928424

http://www.cato.org/raidmap

Now you know of some deaths

~~~
nieve
Thanks for the map! I should clarify that I was unaware of deaths specifically
attributable to a deliberate swatting incident, the death rate in SWAT raids &
no-knock raids is ridiculous. It may be much lower than the death rate from
"accidental" shootings of even as specific a group as say young black men who
turn out to have no criminal record, are unarmed, and aren't engaged in any
criminal activity at the time of the incident, but swatting is more
outrageous-seeming to most of the majority who have less worry about being
shot by the police. I suspect that the fact that it's a deliberate act of
endangerment also increases the perceived significance of the risk - malice is
more threatening than incompetence even when it's rare and even if it's less
dangerous.

