By Byron Acohido and Jon Swartz
SEATTLE -- Criminals covet your identity data like never before. What's
more, they've perfected more ways to access your bank accounts, grab
your Social Security number and manipulate your identity than you can
Want proof? Just visit any of a dozen or so thriving cybercrime forums,
websites that mirror the services of Amazon.com and the efficiencies of
eBay. Criminal buyers and sellers convene at these virtual emporiums to
wheel and deal in all things related to cyberattacks and in the fruit of
cyberintrusions: pilfered credit and debit card numbers, hijacked bank
accounts and stolen personal data.
The cybercrime forums gird a criminal economy that robs U.S. businesses
of $67.2 billion a year, according to an FBI projection. Over the past
two years, U.S. consumers lost more than $8 billion to viruses, spyware
and online fraud schemes, Consumer Reports says.
In 2004, a crackdown by the FBI and U.S. Secret Service briefly
disrupted growth of the forums. But they soon regrouped, more robust
than ever. Today, they are maturing and consolidating just like any
other fast-rising business sector, security experts and law enforcement
officials say. In fact, this summer a prominent forum leader who calls
himself Iceman staged a hostile takeover of four top-tier rivals,
creating a megaforum.
Security firms CardCops, of Malibu, Calif., and RSA Security, a division
of Hopkinton, Mass.-based EMC, and volunteer watchdog group Shadowserver
observed the forced mergers, as well, and compiled dozens of
takeover-related screen shots. "It's like he created the Wal-Mart of the
underground," says Dan Clements, CEO of CardCops, an
identity-theft-prevention company. "Anything you need to commit your
crimes, you can get in his forum."
The Secret Service and FBI declined to comment on Iceman or the
takeovers. Even so, the activities of this mystery figure illustrate the
rising threat that cybercrime's relentless expansion -- enabled in large
part by the existence of forums -- poses for us all.
In the spy vs. spy world of cybercrime, where trust is ephemeral and
credibility hard won, CardersMarket's expansion represents the latest
advance of a criminal business segment that began to take shape with the
formation of the pioneering Shadowcrew forum.
Shadowcrew, which peaked at about 4,000 members in 2004, arose in 2002.
It established the standard for cybercrime forums set up on
well-designed, interactive Web pages and run much like a well-organized
co-op. Communication took place methodically, via the exchange of
messages posted in topic areas. Members could also exchange private
Shadowcrew gave hackers and online scammers a place to congregate,
collaborate and build their reputations, says Scott Christie, a former
assistant U.S. Attorney in New Jersey who helped prosecute some of its
In the October 2004 dragnet, called Operation Firewall, federal agents
arrested 22 forum members in several states, including co-founder Andrew
Mantovani, 24, aka ThnkYouPleaseDie. At the time, Mantovani was a
community college student in Scottsdale, Ariz. In August, he began
serving a 32-month federal sentence for credit card fraud and
Shadowcrew as catalyst
Shadowcrew's takedown became the catalyst for the emergence of forums as
they operate today. With billions to be made, new forums have reformed
like amoebas, splintering into 15 to 20 smaller-scale co-ops. "They
learned that it's best to disperse," says Yohai Einav, director of RSA
Security's Tel Aviv-based fraud intelligence team.
Forum leaders have become increasingly selective about accepting new
members. "Vouching" for new members is now the norm, requiring a member
in good standing to extend an invitation to new recruits. Some forums
charge an initiation fee; others limit the power to invite new members
to the forum leaders.
Veteran vendors and buyers typically do business in multiple forums
simultaneously, in case any particular forum shuts down.
"If criminals get caught one way, they modify their behavior," says
Kevin O'Dowd, an assistant U.S. Attorney in New Jersey who prosecuted
the Shadowcrew case.
Some forums have become known for their specialties, such as offering
free research tools to do things such as confirming the validity of a
stolen credit card number or learning about security weaknesses at
specific banks. A few offer escrow services, handling the details of
complex deals for a fee.
The better-run forums invest in tech-security measures that have become
the norm in the corporate world, such as use of encrypted Web pages. All
forums run aggressive campaigns to identify and sweep out rippers -- the
con artists who gain membership and instigate deals, only to renege on
their part of the bargain.
From this post-Shadowcrew milieu, Iceman has emerged as a forum leader
RSA Security has tracked Iceman's postings on CardersMarket since
October 2005; CardCops has compiled an archive of hundreds of postings
on several forums by someone using the nickname Iceman since January
In the boastful world of cybercrime, nicknames, or nics, are sacrosanct.
It's not unusual for a hacker or cyberthief to go by two or three
different nics, but unthinkable for two or three people to knowingly
share the same nic, says RSA Security's Einav. "I believe we're talking
about one guy and not a group hiding behind his name," he says.
Clearly enterprising and given to posting rambling messages explaining
his strategic thinking, Iceman grew CardersMarket's membership to 1,500.
On Aug. 16, he hacked into four rival forums' databases, electronically
extracted their combined 4,500 members, and in one stroke quadrupled
CardersMarket's membership to 6,000, according to security experts who
monitored the takeovers.
The four hijacked forums -- DarkMarket, TalkCash, ScandinavianCarding and
TheVouched -- became inaccessible to their respective members. Shortly
thereafter, all of the historical postings from each of those forums
turned up integrated into the CardersMarket website.
To make that happen, Iceman had to gain access to each forum's
underlying database, tech-security experts say. Iceman boasted in online
postings that he took advantage of security flaws lazily left unpatched.
CardCops' Clements says he probably cracked weak database passwords.
"Somehow he got through to those servers to grab the historical postings
and move them to CardersMarket," he says.
Iceman lost no time touting his business rationale and hyping the
benefits. In a posting on CardersMarket shortly after completing the
takeovers he wrote: "basically, (sic) this was long overdue ... why
(sic) have five different forums each with the same content, splitting
users and vendors, and a mish mash of poor security and sometimes poor
He dispatched an upbeat e-mail to new members heralding CardersMarket's
superior security safeguards. The linchpin: a recent move of the forum's
host computer server to Iran, putting it far beyond the reach of U.S.
authorities. He described Iran as "possibly the most politically distant
country to the united states (sic) in the world today."
At USA TODAY's request, CardCops traced CardersMarket's point of origin
and confirmed that it is registered to a computer server in Iran.
If Iceman succeeds in establishing CardersMarket as the Wal-Mart of
forums, its routing through an Iranian server will make an already
complex law enforcement challenge that much more difficult, security
"Chasing these carding fraudsters is like chasing terrorists in
Afghanistan," says RSA Security's Einav. "You know they are somewhere
out there, but finding their caves, their underground bunkers, is almost
The U.S. Secret Service declined to answer questions about Iceman and
CardersMarket. It would not acknowledge whether they are under
investigation as part of Operation Rolling Stone, the most intensive
federal probe of cybercrime since Operation Firewall. This year, 35
suspects have been arrested. No names were initially released, but a few
have surfaced after indictments were unsealed.
Suspects include Binyamin Schwartz, 28, of Oak Park, Mich., indicted in
July in Nashville for allegedly trafficking more than 100,000 Social
Security numbers, and Paulius Kalpokas, 23, of Lithuania, whose
extradition to Nashville on charges of trafficking stolen credit card
data has been requested.
Schwartz "got caught up in something on the Internet but did not profit
from it," says Sanford Schulman, Schwartz's attorney. "He inquired about
acquiring information online without criminal intent, nor was he
involved in a sophisticated enterprise."
Secret Service spokesman Thomas Mazur says Operation Rolling Stone is
designed to "disrupt and dismantle any of these carding forums," but he
declined to say which forums or how many are being investigated.
Security experts worry that CardersMarket's emergence as a model for
setting up hypersafe forums could translate into a spike of activity by
the best and brightest cybercrooks.
"It's called bulletproofing," says CardCops' Clements. "Guys will now
migrate to CardersMarket because they really are untouchable there."
Trust a thief?
Iceman's masterstroke rattled his rivals and raised suspicions among his
In the tech industry, companies routinely spread what they call FUD --
fear, uncertainty and doubt -- about a competitor's business model. Shortly
after Iceman swept up TalkCash's 2,600 members onto CardersMarket's
website, TalkCash's leader, nicknamed Unknown Killer, e-mailed a shrill
warning to TalkCash members: "I've talked to a number of guys and all
say that they didn't merge a (expletive) with that site ... so please
beware as they can be feds."
Speculation abounds on the Internet that the FBI helped install Iceman
as head of a dominant forum set up to lure kingpin cybercrooks into
In busting up Shadowcrew, law enforcement had used a high-ranking member
of Shadowcrew as an inside informant, beginning in August 2003,
according to court records. Security experts say it's possible, though
unlikely, Iceman could be an informant. While not commenting directly
about Iceman, FBI spokesman Paul Bresson says, "The FBI is not in the
business of exposing Americans to fraud."
Instead of being admired by his peers, Iceman found himself scrambling
to deal with an intensifying backlash. A forum member, nicknamed Silo,
posted this public comment on CardersMarket: "How Can we TRUST you and
this boards admin? You breached our community's security. Stole the
Databases of other forums ... you've breached what little trust exist's
(sic) in the community."
Ten days after the forced mergers, the deposed leaders of DarkMarket and
ScandinavianCarding managed to reconstitute forums under those names.
And CardersMarket appeared to be under assault, with some of the
features on its website functioning sporadically, according to RSA
Security experts expect the infighting to run its course. They say
Iceman's attack prompted forum leaders to beef up database passwords and
patch other security holes, making both hostile takeovers and law
enforcement investigations more difficult. Most experts expect the
activity level of the forums to rise, because many consumers and
businesses are uninformed or apathetic.
Consumers' lax attitudes
Consumers continue to exhibit lax attitudes, even as Internet intrusions
and scams rise in frequency and sophistication. John Thompson, CEO of
anti-virus giant Symantec, contends Internet users must adopt the same
"sixth sense about security" they use when they get in their cars or
Meanwhile, the commercial sector has been slow to ask consumers to take
other steps, such as using a smartcard or fingerprint reader along with
typing a log-on and password to prove they are who they say online.
Thomas Harkins spent two decades as operations director for MasterCard
International's fraud division, gaining an insider's view of
cybercrime's breakneck rise. Now COO of security firm Edentify, based in
Bethlehem, Pa., Harkins says identity theft is poised to increase by a
factor of 20 over the next two years.
"There's so many stolen identities in criminals' hands that (identity
theft) could easily rise 20 times," Harkins says. "The criminals are
still trying to figure out what to do with all the data."
Meanwhile, stories such as Kevin Munro's will continue to pile up. In
late August, the name, Social Security number and other data of the
51-year-old Warsaw, N.Y., building inspector turned up for sale on a
forum monitored by CardCops. Munro recalls changing checking accounts
after a thief tried to cash several bad checks in 2002. Since then, his
personal data have persisted in circulation.
Cybercrooks have used it online to order magazines, purchase three Dell
computers and attempt to take out a real estate loan. Recently,
MasterCard notified Munro that an account he's had for 20 years and uses
infrequently was being canceled.
"I work for a living," Munro says. "I do everything on the up-and-up,
and some lowlife comes by and takes it away."
Acohido reported from Seattle, Swartz from San Francisco.