by Misha Glenny
Having entered a server, he was then in a position to control it. If he wished, he could watch all the email and Internet traffic going in and out. But he didn’t wish: all he wanted to do was use these servers to receive, store and distribute games using fXp technology.
Matrix was just fifteen years old, but he could at will come and go in huge parts of the Internet that most adults did not even appreciate existed. His parents had no idea of the secret world he was exploring from his bedroom. Nor were they likely to find out – downloading games and software was patently illegal and an infringement of copyright laws, but the practice was at this time restricted to a very small number of users. It was regarded by manufacturers as an irritation, but not a terminal problem. The overwhelming majority of games were bought perfectly legally in stores or from sites like Amazon.
Matrix did not conceal his activity from his parents out of concern that he might be infringing intellectual property laws. No – the most wonderful thing about the Internet for teenagers, he realised, was that your parents would never (and in most cases can never) have the slightest notion of what you are doing. It was tough enough for parents to keep track of which DVDs were entering or leaving a house. But at least DVDs were physical objects that a mother or father could confiscate, should they find their thirteen-year-old watching an X-rated movie (always at the risk, of course, of provoking a tedious temper tantrum).
The Internet was changing all that. Children were growing up in a cyber environment which to them was self-explanatory and normal, but which parents found increasingly mystifying and treacherous to navigate. Teenagers were perfectly aware that their parents were at cybersea in this same environment. This in turn started to reinforce a sense that the Web was an area of their young lives from which parents could legitimately be banned. How many mothers and fathers have walked into a room and observed their teens minimising their Internet browser as their cheeks flush briefly? And if parents so much as glance at a Facebook page, even when the kids are accessing it in a public room, the child is transformed into a human-rights activist, accusing the beleaguered carer of acting like a Gestapo officer.
What many children and teenagers were less aware of was how, while they were able to pull the wool over their parents’ eyes, there were all sorts of people less easily fooled – and whose numbers were growing. These might include stalkers, advertisers, bullies, groomers, police, teachers and criminals. Only the most sophisticated users are able to cover up what they are actually doing on the Web.
In contrast to long-suffering parents, these other interested parties with a modicum of computer literacy were starting to track digital footprints that children and teenagers were beginning to leave over many years. Such records habitually included admissions of drug-taking and alcoholic binges, the insulting of teachers, the bullying of classmates and, increasingly, the posting of pornographic self-portraits. Parents may have known nothing about this, but other people did. Even really smart kids like Matrix could become complacent.
In taking over poorly protected servers, then storing and playing games on them, Matrix was not actually doing anything wrong. At the turn of the millennium this was not a crime in Germany, and the issue of copyright in the digital age was opaque – already teenagers and young adults had started sharing music files using Audiogalaxy and Napster. These were websites where, if you wanted to download Queen’s ‘Bohemian Rhapsody’, for example, they would direct you to a PC somewhere in the world on which the song was stored. Using the website as a bridge, you could then download a copy onto your computer.
In a very short space of time, millions of people figured out that they no longer had to purchase recorded music – everything was available for free! While file-sharing was a mere inconvenience to the computer-games business, it was a huge challenge to the music industry. To combat the problem they would need lawyers to redefine copyright for the digital age; then they would have to persuade legislators to pass laws in that spirit; finally, they had to convince the cops that apprehending digital pirates was part of their job. Furthermore, the music trade would have to develop new technical devices to prevent the practice (something they have signally failed to do).
The practice of sharing music files that are small and easy to transfer from computer to computer spread like wildfire. Music sales in the United States peaked in 1999 at just over $14.5 billion, but started to fall the following year, and that is what they have been doing ever since.
By contrast, the unauthorised downloading of games that were much more unwieldy made barely a dent on physical CD-Rom and DVD sales, which kept growing year-on-year. If anything, the downloaders helped to advertise games. So the worst thing that could be said about Matrix’s cyber activity was that it deprived him of sleep and led to his homework being neglected.
But then Matrix, almost without noticing it himself, shuffled one little step further down a spiral of mischief.
The advertising industry had discovered the Internet and, like everyone else, it was trying to work out how best to exploit it. The Web offered distinct advantages for advertisers – first, you could target your potential audience with much greater accuracy. If you want to sell nappies, then avoid websites that cater for skydivers and concentrate on message boards for young parents. If you are paying for adverts on the television, radio or billboards, you are hitting the skydivers as well, but to no real purpose (unless, of course, the skydivers happen also to be young parents).
Second, you can calibrate the success and the cost of advertising. Each time a young mum or dad clicked on the nappy ad, this would register with both the nappy manufacturer and the advertiser. The advertising company then got paid according to the number of clicks. Advertisers and sellers were then able to analyse the so-called Click Through Rate (CTR), so that our nappy manufacturer could see how, out of 100 visitors to the skydiving site, none of them clicked on the advert. But on the young parents’ message board, ten out of 100 visitors clicked on the site, giving a 10 per cent CTR – and the advertising firm would be paid accordingly. Before long the CTR had spawned Click Fraud.
An administrator on one of the forums that Matrix visited was involved in a scam. He encouraged Matrix to use the servers he controlled to set up a program that would click automatically on banner ads at intervals. Each time he did it, he earned a cent. He didn’t even know it was illegal. The administrator then told him that there was another forum that he should look at where similar matters were discussed, and it was on this forum, CarderPlanet, that he learned about credit-card fraud for the first time.
Matrix crossed the Rubicon in a psychological trance, unable to perceive the waters swirling around him. He was a kid and he was sliding into crime, slowly, incrementally. Somewhere at the back of his mind, he maybe knew that something was wrong, but the boundaries in cyberspace are very blurred, if indeed they are visible at all.
12
A PASSAGE TO INDIA
Chennai, Tamil Nadu, 2001
By the year 2001 Renu had not seen his parents and siblings in nine years. Yet even young men like Renu, who have taught themselves to survive with the loosest familial links, are occasionally obliged to respond to the entreaties of a mother. After much cajoling, he promised her he would find the funds to fly to Tamil Nadu in the south of India to visit the whole family.
Funds, however, were hard to come by. While at Westminster University, Renu had taken a job with Pizza Hut as a delivery man. He worked until about midnight or one o’clock in the morning and then had to get up early to attend his first lecture (although his punctuality slipped steadily as the year went on). The job had given him some extra cash for the first time in his life. But it wasn’t sufficient to allow him to save: what he had left over was being absorbed by his drug habit, which now included cocaine and before long would embrace that most devastating narcotic, crack cocaine.
Unable to muster the fare, Renu borrowed it from friends, and for safety purchased £3,000 worth of American Express traveller’s cheques before setting off on the long flight to Chennai.
Nobody knew what to expect from the encounter: when he had left his mother, he was still a boy. Now he was a young adult whose life was punctuated by bouts of intense solitude. His social life had picked up since college, but he was given neither to easy talk nor to any great expression of emotion. And, although youthful, he was also rapidly creating a patchy past. There was much that he would not be sharing with his family.
The trip began inauspiciously. From Chennai, he had to take one of India’s overstuffed, clammy buses into the countryside, sharing his space with too many people, too many chickens and too much luggage. Halfway through the journey, his eyelids drooping after the long plane ride from London, he felt a slight tug that woke him momentarily. He thought nothing of it. But the joy of being reunited with his mother was tempered when he left the bus – his little purse had been slit open and the £3,000 of traveller’s cheques were gone.
There was worse to come. When he visited the Amex office in Chennai, the staff refused to reimburse him (which he had understood was the whole point of taking cheques rather than cash in the first place). Before they would stump up the replacements, he would have to provide written confirmation from the local police that the money was gone. He was also told that Amex did not guarantee to return the money, but would pay it back ‘at their discretion’.
Once back in England, the bureaucrats at Amex were similarly stony-faced. Renu, they adamantly maintained, had failed to provide the requisite documentation that would prove the cheques had been stolen or lost. There would be no payout.
The people he had borrowed money from were friends. But only up to a point. They sympathised with Renu’s plight, but they still wanted their cash back. The only way that Renu could stump up the money was by taking out credit cards – this was after all the Age of Plastic, and the banks and credit companies were as keen for Renu’s custom as they were for anyone else’s.
The lousy job at Pizza Hut could not cover his increasing financial demands: the debt; the drink and drugs; the college costs; the rent. Renu’s world began to wobble. College assignments were the first to suffer. Having passed the first-year exams at the Harrow campus of Westminster University, he started turning up to ever fewer classes. He failed the second-year exams and failed the retakes.
To escape the despair, he started obsessively downloading songs from Napster, before discovering the sites where members of The Scene would share the games and programs they had cracked. The nights became ever longer as Renu sank into the safe and distant world of the flickering screen, far from the circling dogs of reality.
One evening, he told the tale of his lost Amex money to one of the many itinerant surfers he met on the Net and his IRC channel. ‘Go check amexsux.com,’ his contact said, ‘it’ll make you feel better, if nothing else!’
Renu loved the new site (logo: DO leave home without it), where former clients of American Express poured out their anger at perceived wrongs. The animus felt towards this particular company is fairly extensive, as a Google search testifies: there are hundreds of sites dedicated to bitching about Amex, many of which post a fairly impressive set of links to negative news stories featuring the company.
One poster on the message board offered an original idea to those who felt they had grievances against the company. ‘Take your revenge! Go to CarderPlanet.com!’
As Renu set sail in search of CarderPlanet, he felt it was time to bid farewell to his own personality. He became JiLsi, whose avatar was the face of a mischievous cartoon pirate with a red hat and a black patch over his left eye. A veritable Captain Jack Sparrow amidst the cyber Caribbean, he soon felt at home among the scurrilous crew of hackers, crackers and fraudsters when at last he weighed anchor on CarderPlanet. Somewhere among this group of misfits wandered Matrix, and although it was a few months before they exchanged the vows of virtual friendship, the two became familiar figures floating between the myriad sites that sought to emulate CarderPlanet.
Where else might you find a drug-addicted refugee from Sri Lanka hanging out with a strait-laced middle-class German teenager, hosted by a charismatic Odessite with a vision for a new Ukraine? Only on the Web.
13
SHADOWLANDS
New York, New York, 2003–4
RedBrigade decided that the time had come to hit Washington Mutual – in his eyes, nothing more and nothing less than a purveyor of free money. The bank had actually lost its mutual status in 1983, and now its CEO had announced that he intended this venerable institution from Seattle to become the ‘Wal-Mart of banking’. Strip it down wherever you could was the boss’s philosophy. Shift those loans and don’t look too closely at the customers’ assets, liabilities and wages. Move those sub-prime mortgages, package ’em up. Invest as little as possible in staff and equipment. This was low-cost banking with all the frills cut out. Fortunately for RedBrigade and his pals, the frills included elementary security systems.
He left the Four Seasons Hotel on 57th and 5th Streets at around eleven in the morning. His head was still groggy from the previous night’s partying, but as it was vintage champagne and almost uncut cocaine, he felt fully combat-operational.
On reaching the bank, he casually strolled up to the untrained teller (‘they didn’t have to pay ’em as much’) and passed over the WaMu debit card.
‘How much would you like today, sir?’
‘Ten thousand, please.’
‘Alrighty!’
Tip-tap, tip-tap. Here at WaMu, RedBrigade had to hand over his card to the teller, who would then swipe it through a point-of-sale device. In any other bank this is the moment when the teller might be reading a coded message on their screen telling them to ‘call in immediately’. RedBrigade would have to scrutinise the teller’s face. Is she rumbling me this minute? Should I run? Or do I just stand here like an imbecile and wait for the cops to turn up? Maybe there’s nothing wrong at all and I’m being paranoid?
Not at WaMu. Those cheapskates didn’t want to waste money on computer screens and coded security messages. So if the card was rejected in this establishment, RedBrigade would just look slightly surprised, apologise and walk off. Nobody called in the cops at WaMu.
But his cards never were turned down. On this December day in 2003 the lady swiped his card and it was approved straight away. He then signed a printed-out receipt with a transactional code on it, before walking to the machine at the front of the bank. In went the code. A momentary wait and then, like a fantasy one-armed bandit in a Las Vegas casino, it spewed out the cash in fifties: 1,000, 2,000, 3,000 . . . on and on, until RedBrigade stuffed 200 fresh fifty-dollar bills in his pocket.
Sometimes it seemed as though the banks had left their ATMs open to him and his friends on purpose. It was so easy, he thought, it was as if we were the chosen ones. He particularly enjoyed siphoning funds from Citibank. Of all the banks, Citi deserved it. First of all, they were the most immoral of all those bastard bankers. Second, their security sucked.
Phishing was, from an early stage, critical to all manner of cybercrime. Even if a company’s digital defences were sealed tight, a relatively inexperienced hacker could breach them with a phishing attack. This is the mass dispatch of emails to addresses that are sometimes targeted as belonging to a specific company – a bank, for example – and sometimes chosen at random. Many spam messages contain either an infected attachment or a link which, if pressed, would direct a browser to a site that can automatically download malware. If a hacker sends out several million spam emails, he does not need a high response rate in order for it to be worthwhile – each compromised computer promises access to bank accounts and other personal or financial information.
Banks have always been faced with one overwhelming security headache: their customers (although this did not excuse the banks’ appallingly weak security systems during the first fifteen years of Internet banking). The best networked system was only as good as its weakest element – and we, their hundreds of millions of customers, were as vulnerable as it gets.
So if a bank is unbreachable, the cyber thief would ask its clients for help. Send out millions of emails to account holders, which look as if they have been sent from their bank, and then wait for the replies: the account numbers and passwords arrived like an avalanche.
Phishing Citibank customers was a breeze:
Buy bulk freshly hacked emails. Check.
Buy Dark Mailer, the spammer’s wet dream. Check.
Buy proxies. Check.
Buy hosting. Check.
Design new Citibank page. Check.
Put in pop-up box that never goes away until a card number and pin are entered. Check.
Set up email address for the account numbers and passwords to roll into. Check.
Every day RedBrigade would go phish. He looked at the account details of one Dr H.M. Hebeurt from upstate New York. ‘Hmmm . . . she lives close by. Fuck me, she’s making 50k a month and her fucking husband is pulling in more than 72k!’ Looking closer, he saw the target worked on Wall Street. Maybe if he had made better choices, he pondered, he could be stealing legally like this guy . . . But he could not allow himself to indulge in fantasies like that – instead he just started calculating. Okay: two checking accs, two saving accs, one overdraft acc and one credit card . . . $2,000 from each. Total $12,000 from a single phish.
And every day fifty of these little phishies swam into his account.
The spree in New York’s Washington Mutual lasted just over a fortnight, netting him almost $300,000. Just as well, because his average weekly outgoings were in the region of $70,000. Every two or three months he would buy a new top-of-the-range Merc or BMW. First-class travel was axiomatic. He thought as much about purchasing a $10,000 Breitling watch as we might before buying a newspaper. He had a beautiful apartment on the Upper East Side, but only slept there two or three nights a week because he enjoyed the city’s luxury hotels. RedBrigade was earning more money than a Premiership footballer in England, but without the 50 per cent tax rate.