Black Code: Inside the Battle for Cyberspace
The Citizen Lab tracked the gang behind Koobface for months in 2010, watching their every move. Villeneuve was in it for the challenge of solving the puzzle, the thrill of the hunt. Our wider motivation, however, was to better understand cyber crime, and how crime, espionage, and warfare might be blurring together over and through cyberspace. Koobface was well known among the exclusive (and often contentious) club of technogeeks who study the malicious underworld of cyberspace. The Villeneuves of the world had been following it since the mid-2000s, when Koobface emerged as a menace to the growing social networking community that it so openly mocked and exploited. But no one had detailed knowledge of how Koobface worked or who the perpetrators behind its vast reach were. Was it a well-organized crime syndicate? A few bored teenagers? Something else, perhaps more nefarious? Whatever the truth, Koobface was trolling across the world of social networking like a giant digital amoeba, consuming and spitting out unsuspecting victims. In 2010, the Russian security company Kaspersky Lab estimated that Koobface controlled nearly 800,000 computers worldwide, each belonging to users lured into its trap.
Becoming ensnared happens easily. Koobface sends a link over Facebook from a “friend” (who has already been infected) that says something outrageous or provocative, something like “OMG! Have you see this naked video of you?” Who wouldn’t follow that link? Or maybe another funny video of dancing kittens. Who wouldn’t enjoy such a thing? But for the hapless recipient, that one curious click leads into an abyss of viruses and trojan horses, and straight into Koobface’s grasp.
Koobface makes its money through pay-per-click and pay-per-install schemes. (“Pay-per-click” refers to a model whereby webmasters display third-party advertisements on their websites and earn income whenever Internet users click on these advertisement links. “Pay-per-install” refers to a model whereby the software of one company is promoted by a third party who is paid every time a user installs the software. Both are legitimate, but they have also been widely exploited by online criminals.) Once its malicious software is installed on a user’s computer, their Internet requests and website visits are redirected without their consent or knowledge to sites that pay Koobface for each visit. Some of these websites are themselves honeypots for yet more cyber crime, such as for phony antivirus software that promises to clean up your computer’s hard drive by eliminating viruses and malignant files. Those initially victimized by Koobface are thus served up to other criminal entrepreneurs posing as good guys who promise to fix computer problems, but who, in fact, only make them worse. A cut of the revenue from the sale of fake antivirus products is then given to Koobface. Joint ventures, strategic alliances, globally distributed production chains, “value-added” services, robust customer management databases, and multiple (and complementary) revenue streams: Koobface is one sophisticated post-industrial operation.
• • •
Just the same, even the most meticulous criminals generally make mistakes. Our investigation really started with the discovery that Koobface backed up its entire database each and every day on a “zipped,” or compressed, file, and that they did so on an Internet-connected computer without any password protection. It was left wide open, there for the taking, a mistake that laid bare the entire operation from the inside out.
Downloading and opening the compressed file gave us almost complete access to Koobface’s operating infrastructure: how it worked (down to the finest detail), where the fraud was occurring, the worldwide locations of the compromised computers they had commandeered, and their revenue streams. We felt like voyeurs peeking through a window – with Koobface having no idea we were watching – justified in doing so given the lawless intent of those under our surveillance. Such privileged access gave us insight into the complexity and ingenuity of one of the world’s leading cyber-crime outfits, and a richer understanding of the hidden swamps of cyberspace.
A major hurdle Koobface had to overcome was the precautions Facebook had in place to prevent fake “friends” using their trusted network. Each new Facebook account requires a real person to fill out a “CAPTCHA” – clusters of wavy, sometimes illegible letters and numbers. (CAPTCHA is an acronym for Completely Automated Public Turing Test to Tell Computers and Humans Apart.) As a standard security precaution, Facebook requires a human being to visually identify the CAPTCHAs and reproduce them in a field in order to create a new account.
To get around the CAPTCHA problem, Koobface engaged in what the cyber crime expert Marc Goodman calls “crime-sourcing,” the outsourcing of all or part of a criminal act to a crowd of witting and unwitting individuals. With thousands of infected computers at its disposal, Koobface created a transnational assembly line of co-opted workers – the hapless computer owners themselves – who manually filled out the CAPTCHAs. It engineered a system through which a fake emergency pop-up window appeared on the screens of users throughout the world along with a box with the familiar Windows brand name and colour scheme carrying a startling warning: “Type the characters you see in the picture below. Time before shutdown 02:29, 02:28, 02:27, 02:26 …”
Faced with such a panic-inducing moment, most users complied simply to avoid the risk of having their computers crash and their work destroyed. And so, every day, by the thousands, in commandeered computers as far afield as Thailand, Canada, Mexico, China, and India, fake CAPTCHAs were entered, information fed through the Internet to the Koobface database, and from there to the legitimate Facebook account creation field, all properly sorted and organized in real time, with the account management system maintained by Koobface engineers. Problem solved.
Once the fraudulent Facebook accounts were created, Koobface encountered another hurdle: how would the enterprise accumulate “friends,” the necessary conduit for revenue? Only the most careless people would accept a friend invitation on Facebook from just anyone, so Koobface created a system that automatically culled through and recycled accounts they had compromised, taking bits and pieces of people’s identities to create Frankenstein-like friends. One person’s images would be combined with another’s birthday and status information, and these were combined with the “likes” and “dislikes,” places of birth, and employment histories of other people. Combined in this way, that friend request from a vaguely familiar person might just be someone you knew from high school. The name seems a little off, but I recognize that face from somewhere … Sure, why not? Accept.
Shortly thereafter would come the enticing link with the naked video, the prompts to download viruses disguised as antivirus tools, and the emergency pop-up screens. A globally distributed, malicious organism feeding continuously off of our digital habits.
It was an ingenious scheme, and to keep track of revenues the Koobface group sent themselves text messages to their mobile phones summing up their daily spoils. As with other aspects of the operation, the organization here was meticulous. Intricate ledgers on every payment made and income received were kept. During the window we had on their system, a glimpse that lasted just less than a year, this part of the Koobface operation netted over $2 million. No doubt there were other revenue streams invisible to us.
We soon discovered that we were not the only ones to have access to Koobface’s inner workings. Others, most notably the German cyber security researcher Jan Droemer, were on the same path. Droemer contacted us and we shared information and methods. While we were mostly interested in the morphology of Koobface, Droemer was more interested in “whodunnit.” He had combined the same pieces of evidence – basically a broad sweep of open-source information: the website registration, forum postings made with nicknames associated with members of the group, coincidental findings of names, addresses, and phone numbers that both of us were able to cross-reference. In one spectacular piece of gumshoe work, Droemer discovered that photographs stored on the Koobface command-and-control machines contained metadata that pinpointed the geographic location of the gang right down to its St. Petersburg, Russia, headquarters. There, five Russian men between the ages of twenty and forty-five, decked out in Nike running shoes and polyester athletic gear and surrounded by iPhones and PowerBooks, led a casual work life straight out of a Silicon Valley startup. The Koobface “gang” turned out to be a group of guys in track pants living a very comfortable life in distant Russia, driving BMWs, and playing World of Warcraft while reaping millions of dollars a year.
• • •
As we prepared our report for publication, we debated whether and how to proceed with notification to proper authorities. Clearly a major global criminal operation was unfolding in real time before our eyes, but whom should we notify? Ever since Tracking GhostNet and Shadows in the Cloud were published, there were grumblings in Ottawa, questions about our methods and intentions. For our part, the internal operations of law enforcement agencies in Ottawa were a bit of a mystery. With the GhostNet investigation, for example, we turned over data to Public Safety Canada’s Cyber Incident Response Centre in the hope that they would help notify victims. We never heard back from them. The Koobface investigation presented an opportunity for us to engage with Canadian law enforcement agencies once again, and hopefully assuage their concerns about the Citizen Lab. We also wanted to learn more about how law enforcement would deal with the evidence we had in hand.
We invited members of the RCMP’s Integrated Technological Crime Unit to the University of Toronto and briefed them fully, turning over copies of the Koobface backups and walking them through the research we had done. The officers were grateful for the information, but seemed demoralized and fatalistic, intimating on several occasions that it was pointless for them even to begin an investigation. (One officer warned us against outing the group. “These might be the type of people who’ll firebomb the Munk School,” he said.) They argued that without a Canadian victim of real consequence not much could be done, and that the mechanisms put in place by Koobface to generate revenue were so subtle that it was extremely difficult to identify who the victims were. Although Koobface netted millions a year, the earnings were derived from hundreds of thousands of micro-transactions, a fraction of a penny each, spread across dozens of countries. Furthermore, without an identifiable complainant it is almost impossible for a police force to justify the resources to investigate a case like Koobface. Police officers ask, “What’s the crime?” Prosecutors ask, “Who am I supposed to prosecute?” Koobface, it appeared, would fall through the cracks.
Cyber-crime networks, especially international ones, succeed by hiding locally while leveraging the global infrastructure of a free and open Internet. Electrons may move at the speed of light, but legal systems crawl at the speed of bureaucratic institutions, particularly across international borders. We told the RCMP that several of the major command-and-control computers used by Koobface were rented out on servers in Britain and Sweden, and that the perpetrators might be out of reach in St. Petersburg but these surely could be seized. “For us to get permission just to talk to a counterpart in the United Kingdom or Sweden could take months,” we were told, the sense of resignation obvious.
The RCMP officers told us they would explore the case further, but left us with the distinct impression that what they would actually do (or not do) was none of our business. “We’ll take it from here,” was all they said. While they did not ask us to withhold publication, knowing that doing so would be inappropriate, they did suggest that our report might prejudice their investigation. We told them that we had an obligation to publish and gave them a realistic time frame in which we would do so. Our report, Koobface: Inside a Crimeware Network, went live in the fall of 2010.
The outreach with the RCMP was one track we followed, but we also worked with the broader security community to notify the hosting companies and ISPs that serviced the roughly 500,000 fraudulent Google Blogger and Gmail accounts and the tens of thousands of Facebook pages upon which Koobface had built its malignant enterprise. Doing so gave us a window onto a different kind of cyber-crime enforcement performed by private sector companies taking matters into their own hands. Many were increasingly frustrated with the slow pace and awkward political constraints around official cyber-crime responses and had begun to find ways to dismantle or degrade criminal networks and botnets on their own. Specialists working for Facebook, Jan Droemer and other security researchers (notably Dirk Kollberg of the company SophosLabs and independent security consultant Dancho Danchev) continued their pursuit of Koobface for more than a year, culminating in a dramatic January 2012 outing of the perpetrators first by Danchev, then Facebook, and finally Droemer and Kollberg in a detailed report published by SophosLabs that revealed reams of personally identifiable information about the group. The public exposure and the release of the Sophos report led to immediate action by Koobface: its command-and-control servers stopped responding, and the gang started removing traces of themselves from the Net. The antivirus company F-Secure called it a “name and shame approach” – one that was widely criticized by some in the industry for hampering an ongoing criminal investigation and jeopardizing the collection of evidence.
With their identities revealed, and their infrastructure brought to its knees, Koobface will not be able to operate with the same carefree impunity it once did, but it is unlikely its creators will ever be prosecuted. Russia lacks extradition treaties with the U.S. and other Western countries, and the arrest and prosecution of the group is not likely there. Recent history suggests that Russian cyber criminals have little to fear as long as they stay close to home. (Responding to the Koobface incident, Russia’s anti-cyber-crime unit, the interior ministry’s K Directorate, told Reuters that it did not investigate the matter because it had not been asked to: “An official request needs to be filed to the K Directorate first, and when it’s filed, we will certainly investigate and work on it.” Officials at Facebook told the same Reuters reporters that they had passed along information to the interior ministry before deciding on their more radical naming and shaming approach.) In February 2011, in another case, a Russian criminal, Yevgeny Anikin, received only a suspended sentence after being arrested for what American authorities called “perhaps the most sophisticated and organized computer fraud attack ever conducted,” a hack of the Royal Bank of Scotland and a $9 million windfall for Anikin.
• • •
Ever since the Internet emerged from the world of academia into the world of the rest of us, its growth trajectory has been shadowed by a grey economy that thrives on opportunities for enrichment made possible by an open, globally connected infrastructure. In the early years, cyber crime was clumsy, consisting largely of extortion rackets that conducted network attacks against online casinos or pornography sites to extract funds from frustrated owners. Koobface is part of what author Misha Glenny calls the “industrialization of crime on the web.”
In the early days, cyber crime was primarily a loner’s calling, an annoying but affordable by-product of an open Internet. Today, the loners find each other, network together, and professionalize their activities. Underground forums have emerged in the dark recesses of the Internet where specialized tools and techniques are now bought, sold, and traded. Malicious software packages – known as “0days” or “zero days,” because antivirus companies have no known protections against them – are now as readily available as songs on iTunes. “Botnet herders” – individuals who control tens of thousands of compromised computers – market their wares in underground auctions. Stolen credit cards and email addresses are sold, bought, and traded like candy. (Rik Ferguson, of the Internet security firm Trend Micro, provides a detailed list of illicit products and services sold. To name a few: hiring a DDoS attack, $30–$70 a day; hacking a Facebook or Twitter account, $130; hacking a Gmail account, $162; scans of legitimate passports, $5 each.) Around the globe, botnets can be rented cheap online from public websites for weeks, days, even hours. Some advertise 24/7 technical support. Cyber crime has indeed become a global menace, a multinational business that shows no signs of letting up, a former cottage industry gone viral and into a global marketplace.
Whereas ten years ago a cyber criminal needed the equivalent of an advanced graduate degree in engineering, today a teenager could set up something like Koobface. In Brazil, there is an academy that openly advertises courses on computer crime: “This course is intended for everybody making online transactions. You will learn how crackers take control of corporate or home computers … how ‘auto-infect’ works, how to use sources [trojans], how to manipulate the security plug-ins installed on browsers such as Internet Explorer, Firefox, Chrome, Avant, Opera, and antivirus and firewalls. How spamming helps catch new victims, what ‘loaders’ do and how crackers use them … how crackers can own e-commerce websites that store credit card numbers and what they do with this data. You’ll learn about the laws in Brazil and what the sentence is if you’re caught.”
The course costs $75 and includes a special bonus: 60 million email addresses with which to begin experimenting. (Brazenly, the academy lists its office address, and phone and fax numbers on a public website with an accompanying Google map location.) But then again one needn’t go to cyber-crime school, or pay any kind of fee at all. One freely downloadable program provides a simple click-as-you-go interface to create “phishing” websites that simulate legitimate banking, shopping, and webmail interfaces, but which are actually designed to extract credit card numbers, email addresses, and passwords from unsuspecting victims. Just follow the step-by-step screen instructions guiding you through how to create a mock site, load it online, and then send links out to potential victims.
Cyber crime thrives not just by its ingenuity, but also by social media opportunities. Koobface succeeded by mimicking normal social networking behaviour. It leveraged our readiness to extend trust with our eagerness to click on links in a world that has become intensely interactive. The age of mass Internet access is less than twenty years old, and social networking, cloud computing, and mobile connectivity are, for most people, innovations only of the last few years. We have embraced these new technologies at such a pace that regulatory agencies have been left in the dust, and we have overlooked extraordinary user vulnerabilities. Today, data is transferred from laptops to USB sticks, and over wireless networks at cafés, and stored across cloud computing systems whose servers are located in far-off jurisdictions. We produce massive amounts of personal data as we navigate this new ecosystem and click on website addresses and documents like lab mice clicking on pellet dispensers. It is this conditioned tendency, combined with the sheer volume of data we generate, that Koobface and others capitalize on with precision. Every new piece of software, social networking site, cloud computing system, or web-hosting service represents an opportunity for the predatory cyber criminal to subvert and exploit.