The trio, who are accused of orchestrating massive computer
breaches at JPMorgan Chase & Co <JPM.N> and other financial firms,
as well as a series of other major offences, did little if any
hacking themselves, the federal indictments and a previous civil
case brought by the U.S. Securities and Exchange Commission
indicate.
Rather, they constructed a criminal conglomerate with activities
ranging from pump-and-dump stock fraud to Internet casino break-ins
and unlicensed Bitcoin trading. And just like many legitimate
corporations, they outsourced much of their technology needs.
"They clearly had to recruit co-conspirators and have that type of
hacker-for-hire," said Austin Berglas, former assistant special
agent in charge of the FBI's New York cyber division, who worked the
JPMorgan case before he left the agency in May. "This is the first
case where it's that clear of a connection." Berglas, who now heads
cyber investigations for private firm K2 Intelligence, said
additional major cases of freelance hacking will come to light,
especially as more people become familiar with online tools such as
Tor that seek to conceal a user’s identity and location.
RENTED TIME
This week's indictments accused a hacker referred to as
"co-conspirator 1" of installing malicious software on the servers
of multiple victims at the direction of Gery Shalon, the alleged
mastermind of the scheme now under arrest in Israel. A second
indictment charges a man referred to as John Doe, believed to be in
Russia, for an attack on online trading firm E*Trade <ETFC.O>.
Officials have not said if the co-conspirator and John Doe were the
same person, or even if the FBI knows their true identities.
Law enforcement and computer security officials say that outsourced
cyber-crime services - including rented time on networks of
previously compromised personal computers and custom break-ins - are
most readily found on underground Russian-language computer forums,
where skilled attackers advertise their services.
The forums are tight-knit communities where newbies must be vouched
for by multiple known members and pay membership fees that cost
thousands of dollars, said Daniel Cohen, who oversees an undercover
team at EMC Corp's <EMC.N> RSA Security that monitors the forums.
"You can find anything you want for an operation. Hackers, servers,
software, code writing. They are all available," said Cohen.
Individuals hide their identities even from each other, making
infiltration and arrests rare.
In this case, the ringleaders are accused of hiring hackers to steal
contact information and other data that they then used to help
convince ordinary investors to buy little-regulated stocks.
Prosecutors have not disclosed how the hackers were compensated.
Fees vary greatly in the cyber underground, depending on the
complexity of the assignment and supply of talent available to do a
particular job. Elite hackers who pull off the most technically
challenging attacks might get a percentage of profits, while others
might earn an hourly rate or get paid a few thousand dollars for
winning access to a target’s network, researchers said.
PUMP-AND-DUMP
All three of those accused this week - Shalon, Joshua Samuel Aaron,
who is at large, and Ziv Orenstein, who is also in jail in Israel -
began promoting penny stocks before the hacks took place, according
to U.S. government claims.
They used websites including Pennystockdiscoveries.com and
Stockcastle.com to send emails as part of a scheme in which they
invested in penny stocks, spread false information to boost their
prices, and then sold them to make windfall profits, according to an
SEC suit filed in July.
Orenstein’s lawyer declined to comment, and Shalon’s lawyer did not
return messages seeking comment.
In one case in early 2012, the SEC claims that they used the website
Stockcastle.com to promote shares in Mustang Alliances Inc, reaping
$2.2 million, the largest pump-and-dump cited in the regulator's
lawsuit. In March of that year, the British Virgin Islands Financial
Services Commission issued an alert warning that two entities tied
to Stockcastle were falsely claiming to be registered in the
territory. That same year, the enterprise began a massive hacking
spree to get contact information for investors who might be good
targets, according to prosecutors. By the end of 2013 they had
ordered up six hacks that provided data on tens of millions of
customers, prosecutors said.
They hit the mother lode in 2014 when they attacked three other
firms, and stole data on 83 million customers from JP Morgan alone,
prosecutors said.
In addition to JP Morgan and E*Trade, the firms attacked included
the mutual fund giant Fidelity Investments, Scottrade, TD Ameritrade
Holding Corp <AMTD.N> and News Corp's <NWSA.O> Dow Jones unit, the
publisher of the Wall Street Journal, according to court documents
and people familiar with the cases.
"To do a 'pump-and-dump' operation, you no longer need 30 people
behind phones in a strip mall," said Shane Shook, a security
consultant specializing in investigating financial breaches. All you
need is to find a hacker on a “Dark Web” forum to provide addresses
from customers of financial services firms like Fidelity or
JPMorgan, then hire a spam service to push out promotional emails,
he said.
Shalon bragged about the stock manipulation scheme, telling the
hacker known as co-conspirator 1 in a web chat message that it was
"a small step towards a large empire," according to the indictment.
His plan, Shalon told the hacker, was to distribute "mailers" on
stocks to those customers. The hacker asked if buying stocks was
popular in America, the indictment said, prompting Shalon to reply:
"It's like drinking freaking vodka in Russia."
Shalon ultimately made good on his promise to build an empire,
according to the indictments. Profits from the pump-and-dump fed
into a sprawling conglomerate including offshore Internet casinos
and payment-processing services for other criminal operators, such
as counterfeit pharmaceutical makers. Shalon also allegedly directed
hackers to attack rival casinos, stealing customer data and
temporarily bringing down their websites with denial-of-service
attacks, which are easily commissioned online.
BUTTERFLY AND HIDDEN LYNX
While this week's indictments opened the first major criminal case
involving outsourced hacking, there have been other substantial
break-ins that researchers believe were contract jobs.
Researchers at Symantec in July attributed a series of precision
breaches at Apple, Facebook, Microsoft and Twitter in 2012 and 2013
to a sophisticated gang called Butterfly, which also attacked law
firms and pharmaceutical companies.
Computer security firm Symantec concluded that the group likely
works for hire, either for a client looking for financial gain in
the stock market or for competitors. How Butterfly gets hired
remains unclear. Tech criminologist Marc Goodman, author of the book
“Future Crimes”, says another group, dubbed Hidden Lynx by Symantec,
may consist of contractors moonlighting from jobs with the Chinese
military. "It's crime as a service," Goodman said. "They take
all the pain out of it."
(Reporting by Joseph Menn in San Francisco and Jim Finkle and Nate
Raymond in New York; Additional reporting from Maayan Lubell in
Jerusalem; Editing by Jonathan Weber and Martin Howell.)
[© 2015 Thomson Reuters. All rights reserved.]
Copyright 2015 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.