by Misha Glenny
3
MR HYDE OF LAGOS
2003 was the year that Adewale Taiwo received his BSc in chemical engineering from the University of Lagos. The son of a university lecturer and a civil servant, Adewale, who was tall and striking, had grown into an articulate and measured young man with a promising future in industry or academia. By Nigerian standards, the family was comfortably off and they had relatives in London able to assist Adewale when he explored the possibility of continuing his education in the United Kingdom.
This was also the year that he created his alter ego, Fred Brown of Oldham in Lancashire. Although Adewale had never yet been to England, he decided in advance to create this veritable Mr Hyde of the cyber world. It was Fred Brown who established the yahoo newsgroup on bank fraud.
Before long Fred Brown was also posting adverts on the Internet, using such sites as the Hacker Magazine, Alt 2600 or UK Finance:
OPPORTUNITY: A business opportunity has arisen for people employed in High Street banks or people who have family or friends working for banks to go into partnership. Banks include HSBC, Royal Bank of Scotland but others will be considered. Please reply to Fred B Brown on yahoo, icq or Safemail.
The messaging programs icq (derived from I Seek You) and the older IRC (Internet Relay Chat) are tools beloved of hackers and crackers, as criminal hackers are sometimes known. They are instant messaging services on which you can chat to one or more people. Importantly for hackers, they are ‘dynamic’, which means that they do not leave a trace of the conversations conducted on them unless somebody consciously saves their exchanges. ‘Safemail’ is an encrypted email system that cannot be cracked. Unless, that is, you can persuade an Israeli court to subpoena the information you are looking for, as a company in Tel Aviv owns and runs it.
Respondents to Fred Brown’s adverts were then invited to join [email protected], whose aims and ethos were explicit: ‘This group is for people who don’t want to work legit but for cash and are willing to bend the rules. This group will teach you how to defraud banks and identity theft.’ It is a measure of the pervasiveness of fraudulent activity on the Web that Fred felt able to promote his business so openly. It would be several years before law enforcement noticed him, and that was only because he eventually made an uncharacteristically crass error.
Fred’s adverts were designed to skin a cat in that most traditional fashion – the inside job. If you can persuade a bank employee to filch and then hand over customer details, you save yourself the sweat of having to crack the accounts or credit cards. Perpetrators of fraud on the Internet invest considerable effort in trying to find disgruntled or distressed bank employees, because having a reliable insider working with you can increase your earnings dramatically. Armed with the account details, the criminal is free to enter the account over the Internet as he would his own, before transferring cash into a designated account of his choosing. Unless the infiltrator needs a significant sum in a hurry, the preferred method of theft involves sucking out small amounts over a long period, so that neither bank nor customer notices.
But Fred Brown was also developing some more advanced methods of fraud. He was able to enter deeper into a bank’s system, where he could engage in such practices as increasing an account’s overdraft facility. He seemingly had the know-how to change names and addresses and, of course, fish out passwords.
By laying the foundations of his trade long before he came to the United Kingdom, Fred demonstrated his systematic approach to business. He was considered; he was not socially insecure; and he did not waste much time playing computer games. Fred Brown (aka Freddy Brown, Fred B. Brown, Freddy B, FredB and Freddybb) regarded the Internet as a simple and easy way of defrauding countless people of large sums of money.
But before Fred was let loose on the Web, his Dr Jekyll – Adewale Taiwo – had other matters to attend to, namely the year spent studying for an MSc in chemical engineering at Manchester University, where he arrived in October 2005. A month before receiving his Masters in May 2006, he opened an account with the London Gold Exchange (LGE), into which he could transfer money from any high-street bank.
The LGE buys gold with the money you deposit and gives you ‘digital currency’ credits. With its headquarters in Belize and its gold stored in Switzerland, the misnamed London Gold Exchange was one of several institutions that expanded during the 1990s and were favoured by fraudsters and money-launderers. Once Taiwo had shifted his funds into the London Gold Exchange, he then sent it on to an account he held at a similar institution, E-Gold, from where he would distribute cash around the world via Western Union, either to launder it or pay off his collaborators.
As with all his work, he proved meticulous and efficient: an excellent student and an excellent criminal. Grimley Smith snapped him up as a first-class prospect soon after Manchester awarded him the Masters degree – at the same time as the Internet fraud fraternity welcomed him as a serious player.
Adewale Taiwo was a gifted chemical engineer. Still in his twenties, he was regarded as one of the high-flyers at Grimley Smith and before long he was travelling as far afield as China and Venezuela for his work. He dressed well, but never ostentatiously, and his BMW was appropriate to his salary and his lifestyle. He took both his lives very seriously and, of course, his legitimate work acted as a credible disguise protecting his underground activity. A respected and successful company in the energy sector is one of the last places one would look for a major cyber criminal, especially not among the firm’s industrious and highly skilled engineers.
When DS Chris Dawson started looking at the extent of Fred Brown’s fraud, he was flabbergasted. Even after narrowing the evidence down, he was still looking at some 34,000 files, some of which were 100–150 pages long. Early on, he spotted a single file that had 100 pages jam-packed with American credit-card numbers, along with their security codes and all the requisite passwords.
DS Dawson was a homicide officer – nobody in Humberside had ever worked a high-end Internet fraud before, and he and his colleague on the case had to attend to their day jobs. He simply didn’t know where to start. Along with the files, there was the software for an MSR206. This device is probably the most important weapon in the arsenal of the credit-card fraudsters, who are known by the generic term ‘carders’. With this, the carder can ‘clone’ a credit card. This means copying all the information on the magnetic strip at the back and pasting it onto a piece of blank white plastic with an empty magnetic strip. The MSR206 is a personal mint.
Dawson also found key logging trojans on the files. These are to the criminal hacker what a jemmy is to the safe-cracker. The early viruses were very different creatures from the key loggers. When viruses first circulated in large numbers in the 1990s, they were designed by adolescents and students, so-called script kiddies, who wanted to demonstrate their prowess as anarchic programmers. Irritatingly, they chose to do this by inconveniencing as many computer users around the world as they could.
Once your computer was infected, it might behave in any number of ways: it could slow down; if you requested one application, say Microsoft Word, an Internet browser might open instead; it would automatically shut the computer down; and, worst of all, it could destroy your files and data. There are tales of authors losing entire manuscripts to some mischievous virus, and of statisticians who saw months of data input being gobbled up in front of their eyes by a naughty digital worm.1
But after the millennium hackers, crackers and criminals began to appreciate that viruses, trojans and worms could be put to more lucrative use. The key logger was born, and it multiplied over the Internet at great speed. Once this little chap nestles inside your computer, its job is to track every stroke of your keyboard. So when you type www.hsbc.co.uk into your browser, it sends that information back to its Creator or Owner, who could be anywhere in the world. If you were then to type in your password as, say, Robinhood, the virus Commander in New Jersey, Rostock, Lilongwe or deepest Ruritania would immediately log it. Bingo! Mi casa es su casa! Or, more to the point, Mi cuenta bancaria es su cuenta bancaria!2
Just as having thousands of credit-card details and bank-account numbers sitting on your computer is not a crime, nor is storing a key-logger virus. It may be a strong indication of criminal activity, but it does not amount to a case. Ploughing through the endless files, Dawson and another colleague had to untangle the hundreds of jumbled threads.
After manually inputting several thousand account details onto an Excel spreadsheet, the police then decided to approach the banks. Eminently sensible, one might think, for after all it is the banks’ security systems that Fred Brown had breached so successfully.
Think again.
Many of Dawson’s enquiries ran into a brick wall because the banks simply did not bother to respond to his requests. The detective was pushed for time throughout the investigation, and much was wasted on futile attempts to persuade banks to cooperate.
The attitude of most banks to cybercrime is ambiguous. While writing this book, a gentleman from my bank, NatWest, called me and asked if I had made any recent purchase at a jewellers in Sofia, the capital of Bulgaria. Furthermore, he enquired whether I had spent 4,000 francs settling a bill with Swiss Telecom. I said that I had not. I was then told that my NatWest Visa card had been compromised, that I would need a new one, but that I could be safe in the knowledge that NatWest had cancelled the £3,000 for which the card had been fraudulently used. Like everyone else who goes through that experience, I was hugely relieved when the bank gently reassured me that I was not liable.
But who is actually paying for that? The bank? No, they are insured against such losses. The insurance company? No, because they set the premiums at a level that ensures they don’t lose out. So maybe it is the bank after all, given that they’re paying the premiums? Yes. But they recoup the money by levelling extra charges on all consumers. Essentially, bank fraud is paid for by all bank customers.
This is something that banks understandably do not wish to have widely advertised. Similarly, they do not like the public to learn how often their systems have been compromised by cyber criminals. Journalists find it impossible to get any information out of banks about the cyber attacks that rain down on them daily. That is understandable. What is less excusable is their frequent reluctance to work with police, in case the information be revealed in open court. By refusing to admit that their customers are victims of cybercrime, for fear of losing an edge against their competitors, banks are indirectly assisting the work of criminals.
Of course, the banks have a problem: their customers are the most vulnerable part of the networked financial system. Even the finest hackers would find cracking the computer systems of the major retail and investment banks a challenge these days. But getting into most customers’ computers and then watching them access their accounts and, indeed, playing around with the money in those accounts, is child’s play for any hacker worth his or her (although usually his) salt. How can one improve one’s customers’ online habits when the great draw of Internet banking (as with so much of our activity on the Web) is convenience? People are in general put off by elaborate security measures needed to access their accounts, because they’re so tedious.
Banks like to keep the extent of fraud quiet partly for competitive reasons and partly because they do not want their customers to demand a return to the old ways. Electronic banking saves them huge sums of money because the customer is carrying out tasks that were once the preserve of branches and their staff. If we were all to refuse to manage our finances via the Internet, banks would be compelled to reinvent the extensive network of branches through which they used to serve us. That would cost an awful lot of money and, as we now know, the banks have spent everything they have, along with hundreds of billions of taxpayers’ cash, underwriting egregious speculative ventures and their obscenely inflated bonus payments.
So DS Dawson was obliged slowly to piece together the puzzle with only limited assistance from the banking fraternity. In his favour, however, was the fact that Fred Brown had made a couple of significant errors in constructing his network of fraud: although his [email protected] was registered with yahoo in America, the email address attached to it was yahoo.co.uk. Because it was a British domain name, Dawson was able to subpoena the material from yahoo immediately. He was less fortunate with the Safemail account. He had to request a British court to request from an Israeli court that Safemail allow him access to Fred Brown’s encrypted account. That took months and all the time he was under pressure from the courts to disclose its evidence to defence lawyers and to speed up the proceedings.
Dawson’s bosses were unhappy: he could feel the pressure building. None of the victims of the crimes he was investigating came from Humberside – the credit-card holders were spread all over the world. One, the Reverend John, was in neighbouring West Yorkshire, but that was about it. ‘I can’t afford to have one of my best homicide officers working on a fraud case which has nothing to do with this area!’ Dawson was warned on more than one occasion. Something in the detective drove him on, though. He wouldn’t let go and so, to assuage his superiors, he started working in his own time, sometimes late into the night, poring over the dancing numbers.
In despair at how the investigation of Adewale Taiwo was starting to consume his life, Dawson requested assistance from the regional intelligence unit. They were unable to help, but suggested that Dawson ask the City of London High-Tech Unit if they had information that might assist him. No, came the reply, but why don’t you approach the Serious Organised Crime Agency?
Finally, Dawson contacted SOCA at their secret operational headquarters in London, which is like something out of Len Deighton’s The Ipcress File or Funeral in Berlin: brass plates with the name of a fictitious company, and everyone pretending not to work for the agency that Tony Blair described as Britain’s answer to the FBI (much to its officers’ irritation).
Dawson asked for assistance in a complex fraud case that involved a mysterious man named Fred Brown. He received a curt call back from the big boys in the metropolis: ‘What do you know about Freddie Brown?’ After all, the tone implied, you’re just a local plod from Humberside.
‘Nothing,’ DS Dawson replied, ‘except that I’ve got him on remand up here in Scunthorpe.’
There was silence down the end of the line. ‘Have you ever heard of something called DarkMarket, DS Dawson?’ the voice continued.
‘No, never. Why?’
Dawson’s fish was even bigger than he realised.
But the news also came as some surprise to SOCA. Freddybb had been on their radar for several years, but the DarkMarket investigation had gone quiet for a while after a series of arrests the previous summer. They had not envisaged that a copper from Scunthorpe would revitalise it. But Britain’s largest online crime unit had learned one thing above all else since a group of Ukrainian cyber thieves set up the first website dedicated to global crime in 2001 – expect the unexpected.
* * *
1 The simplest, albeit incomplete, distinction between viruses, worms and trojans, known collectively as ‘malware’, lies in their method of transmission – viruses through infected email attachments, trojans through downloads, while worms have an ability to self-replicate on a host computer and then use that computer’s communications programs to spread themselves to other machines. But, basically, they all do bad things to your computer.
2 ‘My bank account is your bank account.’
Part II
4
THE ODESSA FILES
Odessa, Ukraine, June 2002
They came from as far north as St Petersburg and from Latvia on the Baltic Sea; one delegate arrived from Belarus, a country created in 1990, seemingly as a living memorial to communism. The Russians were there in force and Ukraine provided a host of delegates, whether from Ternopil in the west, Kiev in the centre, Kharkov in the north or Donetsk in the east.
But the First Worldwide Carders’ Conference (FWCC) was truly international. Some attendees had arrived from Western Europe while others had flown in from as far away as the Persian Gulf, Canada and South America. The FWCC’s press release lamented how delegates from Australia and South-East Asia hadn’t made it, due to travel difficulties.
The organisers hand-picked three dozen or so delegates from the 400 applications they had received. Those lucky enough to be given the thumbs-up knew that the invitation alone would provide a huge boost to their reputation within the fiercely hierarchical world of online criminals.
In order to throw police off the scent, the organisers originally announced that they were holding the event on several luxury yachts moored off Turkey’s Black Sea coast. But this was just a feint. After all, where else could you possibly hold the world’s first ever conference for cyber criminals than in Odessa – Ukraine’s fabled city of rogues?
Using their well-tested methods, the Tsar, Stalin and Hitler all had a crack at taming this wild beast, but none of them could crush Eastern Europe’s most enduring criminal fraternity. ‘Without an understanding of Odessa’s gangsters and their lives,’ one chronicler wrote about his home town, ‘the city’s history is simply unintelligible.’