In Depth
Alexey Ivanov and Vasiliy Gorshkov: Russian Hacker Roulette
Russian hacker Alexey Ivanov was lured to the United States and snared in a high-stakes cyber-sting.
By Art Jahnke
But that job, he says, paid poorly—only about $75 a month—and he eventually joined a group of hackers who shared an appreciation for more entrepreneurial challenges. There, at a company called tech.net.ru, Ivanov learned the practice of "carding"—buying goods online with stolen credit cards.
At first, he says, it was books and CDs, ordered online from Amazon.com or Barnesandnoble.com. To avoid suspicion, the group would have the goods mailed to cities in neighboring Kazakhstan, where they would hire young women to receive the packages. Ivanov and others would travel to the distant cities, pick up the goods, and take them to Chelyabinsk. There, much of the merchandise found its way to legitimate shops, where the CDs were prized. The quality of the recordings was far superior to the shops' other CDs, which had been pirated in Bulgaria.
"At first, all of the activities at tech.net.ru were illegal," he says. "Then we came up with the idea that we would look less suspicious if we established some legal business, so we started designing webpages."
They also started hacking into any sites that looked vulnerable. For the Russians, each hack presented a new challenge and, in most cases, a new victory. Some of those victories paid off in cash, and all of them offered the satisfaction of winning. They were beating a system, and they were outsmarting the smartest security guys in the country that considered itself technologically superior to all others. For a hacker, there was nothing better.
PayPal provided the Russians with one of their more satisfying conquests, if not one of the more lucrative. Ivanov claims to have masterminded the PayPal scam. The first step, he says, involved placing scripts on eBay that collected the e-mail addresses of PayPal customers. Then, using the domain name "PayPaI," with an uppercase "I" instead of a lowercase "L," Ivanov set up a mirror site that was a replica of PayPal. Ivanov and his cohorts then sent e-mails to PayPal customers, offering them a gift of $50, for which they had only to enter their passwords on the bogus site. The scammers simply sat back and collected the password harvest.
"We weren't really malicious," he says. "We could have sent it to thousands of people, but we only sent it to 150. We got about 120 passwords. We did that mainly for fun."
Despite its limited application, the PayPal scam provided proof of concept and emboldened Ivanov and his group to set their sights on a higher prize.
Alexey Ivanov
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
- Log Management in a Cyber World
- Implementing Best Practices for Web 2.0 Security
- Upgrading to VMware vSphere with vWire
- Removing Barriers To Better Server Virtualization Efficiency
- Practical Approaches for Securing Web Applications across the Software Delivery Lifecycle
- Staying A Step Ahead of the Hackers: The Importance of Identifying Critical Web Application Vulnerabilities
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
