• United States



Interview with a Mob CIO

Jul 13, 200712 mins
CybercrimeDLP Software

The facts, the scams, are real. The CIO? Not so much. But here's how organized crime uses technology to make money.

People call me a lot of things. Nobody would ever call me a CIO, but after reading CSO magazine a little bit, I guess that’s basically what I am. Maybe I’m a little younger than you. A little more techy. I know my routers and code. Most of the guys I work with, they don’t like computers. They get frustrated. Lots of times they want to shoot their computers, like that guy in Colorado did. I printed out that story and gave it to one of my guys. He loved it, especially the part where the guy hung the dead computer on the wall of his bar. “I love this Colorado guy,” he said. And he passed it around to all the guys. “You have to read this story MIT gave me.” Yeah, they call me MIT, like, “Let’s ask MIT if we can set up an online account” or “Maybe MIT can make a website for that.” A website for what? For making money, what else? Isn’t that why anyone sets up a website?

Yeah, I deal with the same stuff you do. Same headaches. I’m constantly replacing and fixing stuff and trying to do whatever helps the bosses grow the business, as you call it.

Bosses. I mean, bosses are the worst, right?

The Penny Stock Scam

We’re in a real boom right now. Credit cards. Gambling. You heard about that stock deal? The one that uses that new image spam? This is an old-fashioned pump-and-dump scam but with a cool techno twist.

This wasn’t mine, but I know a guy who knows the guy who set it up. Here’s how he worked it.

First, he rented a botnet. That was for e-mail distribution. He pays, I don’t know, say $50Gs for a month, turns around and promises the bot-herder a taste in exchange for that month’s usage and some guaranteed uptime. You know, he says, deliver 10 million e-mail messages for me and I’ll guarantee you some back-end cash.

So the bot-herder knows a kid who wrote this absolutely killer image spam application that creates the e-mail messages. Pays him a flat fee. I mean, the kid could’ve asked for a lot more, but a lot of these programmers are pretty young and dumb. You wave some cash and they think, “Flat screen TV!” Anyway, he tells the kid to make the program create advertisements for pink slip stocks, those unlisted ones that trade for pennies. It all gets done in like 15 minutes after they get some of the basic wording down.

So then this guy sets up offshore accounts online (in Brazil, I think) to collect the investments. His guys all buy something like 10,000 shares at 30 cents per. Then the botnet goes to work. Starts mass mailing the ads for the stocks. And the beauty part is those little messages get by all the spam filters because the filters are looking for text, but with the image spam all the filters see is a million different images, each one unique, even though they all say the same thing: Buy this stock. [Editor’s note: For more on image spam, go to] Genius. Finally, enough people invest to drive up the price. Eighty cents a share. A buck. Two. Eventually, our guys sell, make a nice chunk of change, the stock tanks and the suckers who got in on the e-mail tip lose their shirts.

Like I said, a classic pump-and-dump, but back in the day it was a lot harder to do. It required a lot of legwork, relationships with reporters and brokers. Compared to that, this is, like, nothing.

I know what you’re thinking: Who believes an anonymous e-mail that says such-and-such company you’ve never heard of is at a quarter a share now but is heading to five bucks? Hey, I don’t know, but you send out 10 million messages, you get 1,000 to invest, that’s only, what? A hundredth of a percent? I’d say the sucker population is a lot bigger than that.

It was a great little business. One of those stocks hit six bucks! But then the Feds sniffed it out and suspended trading on those penny stocks in March. Maybe when things cool off, it’ll pick up again. By that time, the spam filters will probably have adjusted and we’ll have to go back to the programmers for their latest bots.

Everyone Wants ID…Just Not Their Own

The big money is in credentials.

Look, the world runs on credit, and what you need to get credit are personal credentials. That’s what everyone is after right now. And that’s where a lot of our investments are: credentials for lines of credit.

That TJX thing last January? No, not me. But let’s say I’ve had beers with someone who worked on that job. It sounds like the heist of the century, right? What, 40 million personal records? But really it’s pretty basic stuff. If you want to get into the credentials market, you do three things: One, get inside access to someone who stores lots of personal data. Retail is great for that. Think about how many cards are swiped every second at those places. Two, invest in antiforensics, because once you’re in, you want to stay invisible until you’re done. [Editor’s note: more on antiforensics]

Three, after you got the credentials, behave. I’ll explain that one in a minute.

I’m not saying the TJX deal went down this way, but here’s how I’d do it based on what this guy told me.

Inside access. That’s easy. You spread some USB keys around. People see them and go, Cool, free dongle! Only when they plug them in, a little program installs some bots or keyloggers onto their machine. From there, you root around until you get deeper into the network. (There are other ways too. Dumpster diving for paper records and credit card statements. Paying off the custodial staff. This stuff is as old as time; computers just make it easier.)

After gaining access, it’s time to invest in antiforensics. Look, I don’t care if they can see what I did as long as they can’t see it was me that done it. We have this saying here about antiforensics: Make it hard for them to find you and impossible for them to prove they found you. We’ve got a whole bunch of software that allows us to cover our tracks and keep us basically invisible while we’re inside someone’s system. What’s great is a lot of antiforensic tools are free. They’re all over the Internet. We buy others, like encryption programs and data wipers like Evidence Eliminator. This guy I had beers with says a few guys are even experimenting with ways to make someone else look guilty. You know, send the cops down the wrong path.

At that point, you install a little program that collects the credentials. Sometimes we use ’em; most of the time we sell ’em. We’ve been working on a subscription service. You pay for access to credentials for a certain period of time. We can get $1,000 a month or more for a subscription pretty easy. That adds up.

But what we’ve run into—a big problem—is that lots of guys get their hands on this information and just start buying stuff. They have no discipline. Look at TJX. Those guys got busted for using the credentials they lifted to buy gift cards for, what, like $20Gs or something? I mean, you buy a $20,000 gift card, someone’s going to notice. So don’t do Visa’s job for them. All it takes is one jerk who gets some credit and buys a Bentley to take down an entire business. Find guys who can wait to use the credentials and then, when they do, use them in a way that looks normal.

They Gamble; We Don’t

Right now, we’re setting up a service out of Costa Rica. It’s a—how do I put it?—it’s a high-risk, high-return investment service for sports fans.

So how do I set up something like that? Like any project, with a lot of legwork. I’ve got to get my guy in Costa Rica to set up the back-end servers. Costa Rica’s great because everything’s available right in one building. I call my guy and say, “It’s MIT. I need some stuff.” He just walks down the hall to the ISP, gets servers and backups, and then goes upstairs to the Web developers. It’s out-of-the-box, like calling up IBM Global Services or something. There’s even a little online payment service outfit down there. We like it better than the big ones up here because those guys, they’re better with international currency and security.

After we get all that going, we’ve got to do all the testing. I’m telling you, it’s really not much different than those e-commerce projects I read about in CSO. We do the same due diligence. Same troubleshooting. Same thing with bosses yelling, “MIT, you got that site up yet? Super Bowl’s in a few weeks. Site’s gotta be up for that!”

They ask for some ROI up front, by the way. It’s a little more informal than the way most of your readers do it. They’ll ask, “Ballpark, what do we gotta spend?” I give them a number. They say, “What can we clear in an average month?” I give them another number. I’m not making these up either. I ask around. I mean, that’s cost-benefit analysis right there, right?

Anyway, once that site’s up and running it’ll be a nice little business…for the overseas market, of course.

Even Crooks Need Security

I invest in top-notch security because, believe me, gaming sites are constantly dealing with extortion. Criminals. Not a day goes by when a site doesn’t have some Russian hacker launching a DDoS attack, asking for cash to call it off. We encrypt everything, and we’ve got pretty severe authentication for access. We don’t outsource or contract the security. We keep it in-house.

I pay my security guy well. I’d say about 25 to 30 percent above what you’d pay. Met him at the Black Hat conference in Vegas a couple of years ago. I liked him right away because he wasn’t presenting or bragging about what a hotshot he was. He was in the back, taking notes, trying to learn. Quiet. I knew right away he’d fit in.

I’ve also tasked him (that’s how you say it, right?) with internal security. Basically, his job is chief privacy officer for a bunch of guys who really value privacy. All this technology—phones, the Internet—it’s all great for making money, but the problem is, everything gets logged. My security guy has written and used lots of antiforensic tools to erase those logs, and I’m comfortable telling my boss we have better privacy than the big banks. My security guy knows how to disable the GPS in our cell phones. He’s building some routing programs, sort of like that Onion Router project that, like it says on their website, “prevents the transport medium from knowing who is communicating with whom” so that anything we send over the Internet is scrambled through different routes and hops all over the world, completely anonymous and untraceable. And everything, I mean everything, is encrypted. Say someone stole the servers we keep here at the home office. My guy designed it so that really only two people can access the data: me and him. We have the private keys and no one else does. Not even the boss.

My Kind of Guys

The guys I keep, or keep on a kind of retainer, are the ones that show me something extra. We had one guy who came to us selling a great new way to set up temporary international cell phone accounts, using credentials bought in the identity market. Guys will pay a lot for a disposable international cell phone. We bought some and were so impressed we decided to get into business with him. He set up the phones; we handled distribution. I asked the guy what else he was working on. He flips his laptop around and shows me his own website where he’s auctioning off credit credentials to the highest bidder. Slick. I said to him, “You could be our R&D.” He said, “Cool.” And that was that.

Compared to you guys, I’m pretty lucky with talent. My guys are way ahead on the technology. They work hard. They’re innovative and entrepreneurial. I think they’re some of the most talented IT staff around.

Alignment Among Thieves

Actually, there is one way you and I are different. I read all those stories in CSO about how hard you have to work to align technology with the business’s goals. That’s one problem I don’t have. My bosses don’t let me spend a dime on anything that’s not going to make them money. Why should they? And I wouldn’t even think about investing in a huge project that might fail to live up to expectations. I don’t get play money to buy technology that doesn’t work. I don’t have vendors paying the freight to conferences at swank resorts to convince me to invest in something that’s half-developed and overhyped. I never use jargon. I spend zero time doing PowerPoints.

Speculation? That’s not part of our business model. So maybe I don’t get the newest gadgets all the time but, man, I’m aligned. With the bosses. With the business. There’s really no other choice, you know?

Send feedback to Senior Editor Scott Berinato at