Catch Me If You Can: Cybercrime Edition
Frank William Abagnale Jr., of Catch Me if You Can fame, turned a life of crime into a high paying security consulting career. Abagnale was such an experienced check forger that after his arrest, the FBI hired him as a consultant to help them catch other check forgers. While a criminal record often disqualifies many job applicants, there are very few industries where criminal activity and experience act as a resume for potential employers.
There is a running internet joke that details the two career paths of how to become a highly paid cybersecurity consultant.
One of the most notorious examples of this phenomenon is the story of CumbaJohny, a.k.a. Albert Gonzalez. Gonzalez was a hacker who stole and trafficked credit card numbers in underground marketplaces and became one of the administrators of a sophisticated forum called ShadowCrew, which featured seller accounts, review capabilities, and how-to tutorials. Its features were so sophisticated and its customers so satisfied that many modern dark web marketplaces trafficking stolen data are believed to be modeled after the now defunct ShadowCrew. Through an unrelated investigation in 2004, the US Secret Service, tasked with ensuring the financial integrity of the American economy, stumbled upon Gonzalez and eventually arrested him for his role in ShadowCrew. Rather than simply having the underground marketplace shut down, Gonzalez took a deal and began assisting the Secret Service with “Operation Firewall”, whose objective was to investigate, identify, and arrest fellow members of ShadowCrew. While working for the Secret Service, Gonzalez drew a salary of $75,000 a year so long as he continued assisting the investigation. Operation Firewall was a success, resulting in the closure of many online carding forums and the arrests of a network of credit card thieves.
While taking a paycheck from Uncle Sam, Gonzalez was also masterminding Operation “Get Rich or Die Tryin’”, a credit card hack that would eventually lead to the theft of almost 50 million credit and debit card numbers from TJX Companies (parent company of the TJ Maxx and Marshalls stores). Gonzalez used a combination of wardriving (driving around in a car with a laptop searching for vulnerable or unprotected WiFi access points) and physical access attacks that abused the computer kiosks inside the stores, normally used to fill out electronic job applications. Gonzalez would go on to hack systems at the Dave & Buster’s entertainment chain, J.C. Penney, and Heartland Payment Systems; the latter suffered the most, losing 130 million credit and debit card numbers. Unlike Abagnale, Gonzalez could not turn away from his life of crime when given the chance to turn his life around.
I have written extensively about the rise and proliferation of IoT botnets and their effects over the last two years. With hundreds of thousands of vulnerable IoT devices coming online every year and exponential growth projected, the IoT botnet problem will get much worse before it gets better. Shortly after the Mirai botnet was used to temporarily knock the security blog Krebs On Security offline with a sustained DDoS attack of roughly 665 Gbps, the botnet’s creator, wishing to distance themselves from the high profile attacks, chose to release the botnet’s source code. This act prompted major concern in the security community that copycats would spring up in its wake.
Boy were they right. These concerns materialized when Satori, Reaper, BrickerBot, Hajime, and dozens of other copycats and rival IoT botnets started infecting vulnerable IoT devices around the world, often deleting the binaries of competing botnets and closing the vulnerabilities they had used after infection. Mirai and its variants have caused significant damage and are one factor contributing to the significant rise in DDoS attacks worldwide.
Nearly a year ago, in December 2017, the U.S. Attorney’s Office for the District of Alaska, which had jurisdiction over crimes related to Mirai, reached a plea agreement with three of the botnet’s creators. In exchange for light sentences (probation, community service, and fines), the botnet’s creators will not face any jail time so long as they continue to cooperate in bringing down cybercriminal organizations and provide information that helps defenders fortify their operations against the very tools they created. Citing “extraordinary cooperation” with the FBI in identifying other cybercriminals and helping thwart attacks against several companies, the judge in the case approved the lenient sentences. One defendant has already been hired as a consultant by an unnamed cybersecurity firm.
It is not entirely clear what factor differentiated Abagnale’s decision to turn his life around from Gonzalez’s choice to return to a life of crime. Only time will tell if the US Government’s decision to cooperate with Mirai’s creators will have long term benefits or if it is being conned.
For those not willing to bet that Mirai’s creators will continue cooperating, filtering outbound traffic with a proxy or DNS-based security tool (many are available free of charge) is a good first step toward ensuring that compromised devices cannot reach a command and control server to receive attack orders. Two caveats a practitioner should keep in mind: a DNS-based control only helps when the malware resolves a domain name, and some Mirai variants hard-code the C2 address instead, so pair it with egress firewall rules that deny direct outbound connections from IoT segments to anything but the services those devices actually need; and a blocked query is itself a signal, so log the source address of every blocked lookup, because that is the device you need to find and clean.
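As an added example that is not part of the original post, the script below shows the two checks just described on a handful of constructed dnsmasq-style log lines and firewall connection records (the hostnames, blocklist entry and addresses are placeholders, not real indicators). It flags DNS queries for a blocklisted C2 domain or any of its subdomains, reports which internal hosts made them, and separately flags outbound connections to addresses that never appeared in a DNS answer, which is what a bot with a hard-coded C2 address looks like to a DNS-only filter. The log format assumed is dnsmasq with query logging enabled; adapt the regexes for other resolvers.

```python
import re
from ipaddress import ip_address

# Constructed sample of dnsmasq-style query/reply log lines (not real traffic).
SAMPLE_LOG = """\
Jan 12 03:14:01 gw dnsmasq[812]: query[A] update.example-cdn.net from 192.168.1.20
Jan 12 03:14:01 gw dnsmasq[812]: reply update.example-cdn.net is 203.0.113.10
Jan 12 03:14:02 gw dnsmasq[812]: query[A] c2.botnet-test.invalid from 192.168.1.57
Jan 12 03:14:05 gw dnsmasq[812]: query[A] www.botnet-test.invalid from 192.168.1.57
Jan 12 03:14:09 gw dnsmasq[812]: query[A] time.example.org from 192.168.1.20
Jan 12 03:14:11 gw dnsmasq[812]: query[AAAA] notbotnet-test.invalid from 192.168.1.31
"""

# Hypothetical blocklist of command-and-control domains (placeholder name).
BLOCKLIST = {"botnet-test.invalid"}

# Constructed outbound connection records (src, dst) as an egress firewall might log them.
SAMPLE_CONNECTIONS = [
    ("192.168.1.20", "203.0.113.10"),  # destination was returned in a DNS answer: normal
    ("192.168.1.31", "198.51.100.7"),  # no DNS answer ever carried this address
]

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<src>\S+)")
REPLY_RE = re.compile(r"reply (?P<name>\S+) is (?P<addr>[0-9a-fA-F.:]+)$")


def is_blocked(name, blocklist):
    """Suffix match on DNS labels: blocks the listed domain and every subdomain
    of it, but not an unrelated name that merely ends with the same characters
    (e.g. notbotnet-test.invalid is not a subdomain of botnet-test.invalid)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def flag_queries(log_text, blocklist):
    """Return (source, name, qtype) for every query that hits the blocklist."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_blocked(m["name"], blocklist):
            hits.append((m["src"], m["name"], m["qtype"]))
    return hits


def suspicious_hosts(hits):
    """Internal addresses that asked for a blocked name: the devices to clean."""
    return sorted({src for src, _, _ in hits}, key=ip_address)


def resolved_addresses(log_text):
    """Every address the resolver handed out, taken from dnsmasq 'reply' lines."""
    return {m["addr"] for line in log_text.splitlines()
            for m in [REPLY_RE.search(line)] if m}


def direct_to_ip(connections, log_text):
    """Outbound connections whose destination never appeared in a DNS answer.
    A bot with a hard-coded C2 address produces exactly this pattern and is
    invisible to a DNS-only filter; an egress firewall rule is what stops it."""
    resolved = resolved_addresses(log_text)
    return [(src, dst) for src, dst in connections if dst not in resolved]


if __name__ == "__main__":
    hits = flag_queries(SAMPLE_LOG, BLOCKLIST)
    for src, name, qtype in hits:
        print(f"blocked DNS query {qtype} {name} from {src}")
    print("hosts to investigate:", suspicious_hosts(hits))
    for src, dst in direct_to_ip(SAMPLE_CONNECTIONS, SAMPLE_LOG):
        print(f"direct-to-IP connection {src} -> {dst} (never resolved via DNS)")
```

The suffix match in is_blocked is deliberate: a naive `name.endswith(domain)` would either miss subdomains or, if written as a bare string suffix, wrongly block unrelated names that happen to share a tail. The direct-to-IP correlation is coarse (it ignores TTLs and only sees the resolver on this gateway), but it is enough to surface a device that is talking to the internet without ever asking your resolver where to go.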