‘Evil Corp,’ a $100M Cybercrime Menace (krebsonsecurity.com)
345 points by panarky on Dec 16, 2019 | hide | past | favorite | 79 comments


Just to clarify - why the hell didn't the FBI task someone to do what Brian was doing?

> So, each day for several years my morning routine went as follows: Make a pot of coffee; shuffle over to the computer and view the messages Aqua and his co-conspirators had sent to their money mules over the previous 12-24 hours; look up the victim company names in Google; pick up the phone to warn each that they were in the process of being robbed by the Russian Cyber Mob.

Just assigning an agent to that seems like a dead simple way to really quickly curtail that operation.


Organisations (and individual people) are semi-constitutionally capable and incapable of different things.

A lot of the time, complete outsiders find very high "value" tasks that they can do, that seem trivial, but that the organisation seems unable to "task" to someone.

A classic example is "watchdog" regulators that are supposed to police an industry. Regardless of mandate, they nearly always operate entirely via well organized, documented complaints. They don't do "outbound" policing, even if it's deemed easy & productive. The

@patio11 recently did a great post on his dealings with CROs, and such regulators make an appearance.


My personal belief is that you can put all of this down to bike-shedding, or more formally Parkinson's Law of Triviality.

Add a little risk/reward to the mix and an overarching system that impractically punishes failure to convict or prosecute, leading to risk-averse approaches, and you get a nice system that is happy to prosecute the low-level weed peddlers instead of the real players. Those people land on your desk or you get them from a traffic stop. Try to go further and you might lose your job or your pension. And, of course as a prosecutor or AG, make sure you plea-bargain everyone to boost your incarceration stats.

Lots of easy wins to cook the books without really touching on the real problem. So you've got Too Big To Fail in the black markets and the criminal world too.

(I hasten to avoid saying 'criminal-underworld' because our righteous overworld tends to be just as bad, if not worse in some cases.)


I can attest that the FBI has in fact been tracking these guys for more than a decade, and some of them were indicted previously. What I can't understand is why it took so long for this latest, more broad action, and why there is such a huge time gap between the victims referenced in the indictments. There are victims listed from 2010 and 2011 and then some this year (2019), but hardly any in between.

That said, the FBI is not in the pre-crime business (with few exceptions), so they're not really set up to warn businesses like I did for so many years.


> the FBI is not in the pre-crime business

This seems like a bit of a systemic defect, if you can watch a financial (etc.) crime in progress but not have the jurisdiction (or allocation) to intercede.

p.s. Shouldn't some of this fall into USSS jurisdiction?


>the FBI is not in the pre-crime business (with few exceptions),

I guess those pre-crime exceptions are the ones where the agent convinces the malcontents they're embedded with to try a little terrorism?


> I guess those pre-crime exceptions are the ones where the agent convinces the malcontents they're embedded with to try a little terrorism?

That's the exception, you have to justify your job and budget somehow. And nothing loosens purse-strings like the 'T-word' post 9/11. Although to be fair, the first attempt to bomb the WTC was a failed FBI Sting:

https://www.nytimes.com/1993/10/28/nyregion/tapes-depict-pro...


Sounds like Trump wants some wins related to the Elder Abuse Prevention and Prosecution Act (EAPPA):

[“Protecting our senior citizens from criminals who target them is one of the Trump Administration’s highest priorities”](https://www.justice.gov/opa/pr/justice-department-announces-...)

Sadly, the FBI is apparently not in the business of going after the kingpin either. They are prosecuting the low-level money mules, who are either unwilling or unable to comprehend the need to cease and desist after a letter from the FBI.


Two paragraphs down:

>In many instances, my call would come in just minutes or hours before an unauthorized payroll batch was processed by the victim company’s bank, and some of those notifications prevented what otherwise would have been enormous losses — often several times the amount of the organization’s normal weekly payroll. At some point I stopped counting how many tens of thousands of dollars those calls saved victims, but over several years it was probably in the millions.

Because Mr. Krebs was doing so with good effect and as a private individual he did not face the legal firewalls in place to prevent LEOs taking such actions for corrupt or ill intent or blow investigations.


> Each of these mule recruitment sites had the same security weakness: Anyone could register, and after logging in any user could view messages sent to and from all other users simply by changing a number in the browser’s address bar. As a result, it was trivial to automate the retrieval of messages sent to every money mule registered across dozens of these fake company sites.

Law enforcement already masquerades online as underage girls and boys, potential terrorists searching for bomb-making materials, etc.

What "legal firewalls" would prevent them from walking a URL to see what companies are about to get robbed?

And forget about law enforcement, why wouldn't banks and payroll services do the same thing to protect their customers?

It's beyond ridiculous that our only line of defense is Brian Krebs.


If one had watched too many Hollywood movies (where single points of failure are exploited ruthlessly by the Bad Guys), one might conclude that Krebs is far better off if more people are involved in this project, and that he should delegate at his earliest possible convenience (and maybe this is it?)


The messages are private communications; it would probably require a warrant.


> What "legal firewalls" would prevent them from walking a URL to see what companies are about to get robbed?

None there, but the moment they have a bank freeze a company's account…


Krebs didn't freeze any business' account and any FBI agent doing similar work to Krebs would not have had to either.

Apparently, the companies themselves called their banks to prevent the transactions. Banks do engage in effort to protect their customers and already flag questionable actions.


Contacting the company is strongly discouraged as well and for good reasons:

* You do not want to create an environment where some enjoy the protection of the FBI and others do not.

* You do not want to jeopardize an ongoing investigation or later trial.


That's bullshit. The police will often contact organisations in these situations.


It would be nice if that were the case, but in my experience it just isn't so. Very few police departments have the resources or expertise to tackle complex cybercrime cases, and all of the examples mentioned in the story are multi-jurisdictional.

Consider that the attackers are in different countries that are beyond the reach of U.S. federal law enforcement. The machines they used to send the spam and remote into the victim systems are usually elsewhere. The money mules and their corresponding banks are scattered across the U.S. and Europe. The victim's bank may or may not be located in the same place as the victim. And so on. Where did the crime take place? That's a monumental challenge for federal law enforcement, and frankly the local PD is just not up to it, especially when they're up to their eyeballs in fighting crimes (often violent ones) where their jurisdiction is quite clear.


I imagine the criminal org. could perform a transaction with one of their own shell corporations every so often to see if the FBI are on to them.


The thing about the situation actually described was that everything happened on a fairly large scale but it was far from given - a lot of transactions failed for various reasons not necessarily implying the FBI was making a systematic effort to stop them. Indeed, Krebs was making a systematic effort to stop them and they just kept going.


That'll still hurt the margins - a lot of these cyber crimes are only cost effective at scale and only hitting a few people successfully can deter folks to easier revenue streams - they care about margins as much as anyone else.


I'm curious what you think the margin is for this endeavor. Is it like the food wholesale business which retains a 2% net margin after all expenses? Or is it like Google with net margins of 18% or thereabouts?

Costs consist of writing and updating the malware itself, maintaining C&C servers and hiring mules to cash out the proceeds with an 8% commission.

Maybe there are kickbacks to government authorities, though I understand kickbacks are often payments in kind, by sharing exploits with intelligence agencies.


I mean, logically, the take home has to be pretty decent, but it's not approaching the take homes that drug cartels tend to get, so they probably lose big big chunks of profit to local corruption. Otherwise you'd see the same thing you see in Central America - the immense profit potential slowly militarizes the entire industry and you've got private armies tooling about.

From what we've seen out of Russia, the militarization of hacking hasn't yet evolved to private armies - so either it's all being controlled by an existing (maybe the government) or early emergent (maybe a shiny new oligarch) player or the profit margins just aren't enough to justify violence. As soon as you can make 200k by robbing a criminal you'll see it happen though.


Because Mr. Krebs was doing so with good effect and as a private individual he did not face the legal firewalls in place to prevent LEOs taking such actions for corrupt or ill intent or blow investigations.

I would be interested in what legal firewalls in particular exist - anyone have references?

My own guess would be that "don't blow the investigation" would be the catch-all phrase used to explain this situation (even if there is no investigation at time X). It seems as if the institutional mandate of law enforcement is 99% catch criminals, 1% stop crimes without catching criminals. So no one wants to be tasked in efforts to merely stop a theft and not catch a thief.

This seems much in line with the push to "get tools to catch bad guys" by weakening encryption, even if said weakening would result in many more crimes.


Law enforcement does not seem interested in looking for victims, even if it's easy. It seems that they are optimized for responding to complaints. Anything more proactive gets reserved for perpetrators.


They don't really seem to care much for complaints a lot of the time either.

Somebody attempted to cash some fraudulent checks for a company I worked for, luckily this was caught by our bank before we lost any money. The NYPD had no interest in doing any more than taking a report and were extremely happy when the perpetrator attempted to cash a third check, taking the total above $100k and into FBI justification. The FBI took the report and nothing happened even though our bank was able to provide details which should have led to an arrest.


I'm not overly familiar with American police, but at least in Australia and New Zealand, the police are poorly equipped and resourced for dealing with financial crimes and other "information" crimes, they're heavily biased towards solving violent and property crimes. They deal primarily with physical evidence.


This is certainly an issue in the USA; I can't speak to how it compares. Someone I knew was trying to raise an issue about a caretaker skimming money. She was taking out the maximum amount of money every day and spending excessively on a credit card. They basically told him to get lost, and that it was a civil matter.

It's also the case with more serious financial crimes, eg. Ponzi Schemes. The crazy thing is some of these things are completely illegal operations, yet publicized, with brick and mortar locations. This can go on for years. Sometimes there are complaints. Sometimes it's one determined victim or would-be victim that blows the lid on the whole thing. Even then it can take time; months to years. It's an area where people have been able to get away with it, often for a good chunk of their adult lives.


That's because every time the police force would call a potential victim to warn them, and it would turn out to be a false positive, eventually some business owner would think: "we lost some money today, must have been because of that false warning, police are so incompetent".

And then proceed to take the force to the court for "damages".


I don't believe for a second that the primary reason police departments don't look for potential victims is because they're worried about getting sued. The way they handle police brutality cases is enough proof that that's not true.


It would be impossible to establish damages for that in civil court.


> why the hell didn't the FBI task someone

Probably they were using Scrum.


Considering Evil Corp's ties to the Russian FSB, perhaps there was some other TLA involved in a long game to reach their adversaries. The cost was some more businesses being robbed, but... the end justifies the means, you know.


The FBI has struggled to get workable computer systems for their own internal use. Presumably, even some fairly modest technical problems may be beyond their capabilities.

They also have a heavy focus on counterterrorism these days, which likely makes everything else lower priority by default.


And if not the FBI, surely this would be in large bank / financial institutions best interest as well?


Unfortunately they're all busy radicalising people on twitter and supplying them with evidence to later make a big show of arresting them and saving the day.


The US Treasury dropped sanctions on three companies related to Evil Corp after Lavrov's recent visit: https://twitter.com/dcpoll/status/1205544785446129664 (which references https://twitter.com/jeffstone500/status/1205539378019360768)


I linked this article a while back. Didn't gain any traction here, but it's worth a read to understand some of the scale:

https://arstechnica.com/information-technology/2019/12/membe...


Well, I'm sure I'd be living large as well, if I was running a criminal enterprise of this scale for the government...


Looks like they revised the list after erroneously adding them. But they left others on. So right now any conclusion is speculative, unless you have better information.

The mastermind, Yakubets, is still on the FBI's most wanted list, FWIW.


You are totally right. I don't have better information, although I have looked. If anyone else knows what those companies do and why they were removed, I'd be happy for any good news.


I read in the Russian news[1] that the removed companies were run by Gusev's namesakes. The name is common and the removed companies were registered in cities far away from Moscow.

1. https://meduza.io/news/2019/12/13/minfin-ssha-isklyuchil-iz-...


This writeup misses a lot of information about this group's ties to FSB, here's a better source: https://meduza.io/en/feature/2019/12/12/the-fsb-s-personal-h...

Basically, its founder married a daughter of a high-placed FSB official and enjoys full immunity for his actions.


Schemes like this, especially of this scale, rarely, if ever, run without any support from these types of agencies. So while the guy's face is all over the internet for being 'the leader' of the org, I'm pretty sure there are quite a few people above him that will never ever end up on any DoJ lists.


The people above him are over the authority of the DoJ, they're in the domain of the CIA & Department of State to deal with. At a certain level prosecuting people starts international diplomatic incidents, and the DoJ tends to avoid those without DoS authorization.


I really hope Brian Krebs has a very good bodyguard and other personal protection in place.


That's exactly why I don't want to teach myself computer security.

It's way too dangerous, and it's going to be worse and worse.


It's the opposite. Now you are defenseless online and off.


I know how basic security works, which is enough to protect myself. And I don't have enough money to attract elaborate scams.

What I mean is that I don't risk getting involved in a business that can attract murderers and geopolitical interests. I would be happy to work for a computer security company if it was working towards making the world a safer place, meaning searching for vulnerabilities and fixing them.

But so far the computer security market tends to favor wrongdoing, because there are no standards or political forces that encourage people to do security work for good reasons. One reason is to let intelligence agencies have the upper hand.

That's why I'm not really willing to work in security. It's an unregulated market. I think that most people who do computer security work either for governments, for blackhats, or for pointless security consulting firms that have a very hard time doing a meaningful job.


I wonder if American agencies provide similar semi-official cover to US criminals who hack into foreign systems...


I have no proof I can offer up, but the answer is yes.


> Needless to say, the victims that spun their wheels chasing after me usually suffered far more substantial financial losses (mainly because they delayed calling their financial institution until it was too late).

That really rubs me the wrong way... someone doubts the random phone call telling them they are being robbed and he acts like it was their fault for doubting?


I never took offense at victims lashing out. If my notifications were at all perfunctory, it was because time was of the essence, and on any given day there were multiple victims to notify.

I often spent huge chunks of my workday on the phone doing these notifications, and some were harder to track down just by Googling a name than others. I never faulted companies for reacting angrily or suspiciously to my calls; it's too bad that's the conclusion you come to from reading what I wrote. If I was ever bitter about anything related to these calls, it was that I rarely ever received so much as a thank you from the victim or their bank.

I generally welcomed the calls from police departments and FBI agents because in many cases it was an opportunity to educate them about a prolific and often hugely damaging form of fraud that they simply weren't aware of at the time. Some of these companies actually went out of business as a result of these attacks, and I did everything I could to minimize that outcome.

Anyway, I almost always found that the law enforcement person on the other end of the line genuinely appreciated my explaining my methods and how these schemes work.


> If I was ever bitter about anything related to these calls, it was that I rarely ever received so much as a thank you from the victim or their bank.

Thank you!


"You probably have no idea who I am, but here’s all my contact info and what I do. Your payroll accounts have been hacked, and you’re about to lose a great deal of money. You should contact your bank immediately and have them put a hold on any pending transfers before it’s too late. Feel free to call me back afterwards if you want more information about how I know all this, but for now please just call or visit your bank.”

There's nothing wrong with skepticism on the part of the victims but we're not talking about an anonymous tip off from a phone booth. He goes out of the way to share his own personal information and means of reaching him. It's not his fault that some victims decide to lash out on him emotionally. The fact that he continued to play the good Samaritan is more to his credit.


I mean, what's the worst that happens? You call your bank and find out there are outstanding unauthorized transactions or... nothing unusual? What do you have to lose by following up on his advice and checking with your bank? There's a lot to gain and nothing to lose.


This. So much this. The incompetence of the victims is staggering.


It's why we have the saying "don't shoot the messenger"

Happens often. Someone brings bad news and the recipient wants to take out their emotions on the deliverer. And, sometimes emotion can overwhelm logic.


At the very least he could have worked on his delivery since this process repeated itself for years.


That comment ended very differently than I expected it to.

What rubs me the wrong way is that they'd doubt the call. It'd take seconds to process "how can the attacker benefit from this" and come up empty.

After all it's not like he was calling them and offering to fix the issue, he was literally giving them a heads up, the worst that could happen is a wasted call to the bank.


> the worst that could happen is a wasted call to the bank.

Well, no. The worst (and probably very likely) thing that would happen is they would call the bank, the bank would block withdrawals from their payroll processor, and they would miss payroll for that period. This could also have severe financial consequences for the company's employees, given how many people live paycheck to paycheck.

Small businesses are constantly inundated with all varieties of scam calls, so it's not at all unreasonable to be suspicious of someone who calls you out of the blue and says, "Your payroll accounts have been hacked, and you’re about to lose a great deal of money. You should contact your bank immediately." The odds of ever getting a call from a good samaritan like Brian Krebs are vanishingly small, while you're probably getting called by scammers every day.


That's not true though...

He says right there, the fraudulent payroll payments were many times the normal amount and not part of the normal cycle.

In fact, from what he described, even the bank would have picked up on the fraudulent transactions upon human review.

Small businesses are not going to confuse out-of-cycle payroll payments with normal ones; cash flow is way too tight for mistakes like that.

I'm also not saying it's unreasonable to be suspicious of the call, but after that initial suspicion, it's unreasonable not to hang up immediately on the scammer... then make a "sanity call" to the bank/payroll processor/both.


This is like asking why people crash planes when one of their instruments is telling them bad information and the others are all working fine. Once you know something important isn't trustworthy, it's easy and likely to become very disoriented as to what you can trust. This is why people reflexively doubt anything particularly out of the ordinary - it might rarely be wrong, but it's far better than becoming paranoid at every drop of a hat.


Just because you can't think of how an attacker can benefit from this in a few seconds doesn't mean there isn't a way. Making a security decision based on your inability to think of how it could be a danger in seconds is a pretty foolhardy strategy.


It's crazy how every reply to this comment is arguing a complete strawman.

The other comment is arguing you could accidentally cancel payroll, which tells me they've never had to worry about payroll before.

This one is claiming I'm advocating making a "security decision based on...".

-

It's making a sanity check based on a few seconds of conversation.

If you didn't know, confirming a withdrawal for many times your normal payroll from your payroll account to an unknown account at the wrong time is fraudulent takes very little effort past a phone call.

That effort is easily worth it based on an off-the-cuff risk assessment.


Fundamentally, you can't do a risk assessment in response to someone telling you you're about to collide with an "unknown unknown". Most of the time, assuming the source is maliciously trying to confuse you is a better choice than doubting everything.

When arguing from an armchair on the internet, somehow people forget what actual uncertainty under stress is like.


omg.. this part: "Here’s where it got interesting. Each of these mule recruitment sites had the same security weakness: Anyone could register, and after logging in any user could view messages sent to and from all other users simply by changing a number in the browser’s address bar. As a result, it was trivial to automate the retrieval of messages sent to every money mule registered across dozens of these fake company sites."

Amazing....

And the picture of the Russian tool in question, with his cat and his clothes. Could he be any more stereotypical Russian Goon looking?! He looks like the evil character in an Austin Powers movie...


Can write and run malware at an international scale.

Cannot run a simple PHP forum securely.
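The weakness quoted above (reading any other user's messages by changing a number in the address bar) is an insecure direct object reference: the server looks an object up by id and never checks who is asking. As an added example, not code from the article, the thread or the sites it describes, here is a minimal Python model of that message store with the unchecked lookup beside an ownership-checked one, plus a log check that flags accounts stepping through message ids; all names, messages and log lines are constructed.

```python
# Added example: modelling the "change the id in the URL" flaw described in the
# thread, with the vulnerable lookup beside an authorization-checked one, and a
# defender-side check over constructed access-log lines. Nothing here is taken
# from the sites discussed; every identifier and sample value is made up.
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Message:
    msg_id: int
    sender: str
    recipient: str
    body: str


# Constructed message table for a hypothetical recruitment site; in the real
# sites, messages like these were readable by every registered account.
MESSAGES = {
    101: Message(101, "hr_manager", "mule_a", "Forward today's deposit by 3pm"),
    102: Message(102, "mule_a", "hr_manager", "Done, receipt attached"),
    103: Message(103, "hr_manager", "mule_b", "New assignment tomorrow"),
}


class AccessDenied(Exception):
    """Raised for both foreign and non-existent ids: one uniform response."""


def get_message_insecure(msg_id):
    """Vulnerable pattern: trusts the id from the URL, never asks who is asking."""
    return MESSAGES.get(msg_id)


def get_message_secure(current_user, msg_id):
    """Hardened pattern: the authenticated user must be sender or recipient.

    Missing ids and other people's ids get the same error so the endpoint
    cannot be used as an oracle to discover which ids exist.
    """
    msg = MESSAGES.get(msg_id)
    if msg is None or current_user not in (msg.sender, msg.recipient):
        raise AccessDenied(f"{current_user} may not read message {msg_id}")
    return msg


def can_read(current_user, msg_id):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        get_message_secure(current_user, msg_id)
        return True
    except AccessDenied:
        return False


def flag_enumeration(log_text, threshold=3):
    """Return users who were denied access to `threshold` or more distinct ids.

    Assumes one constructed 'key=value' access-log line per request, e.g.
    'user=mule_c msg_id=101 status=403'. A single 403 is a typo or a stale
    link; a run of them across consecutive ids is someone walking the id space.
    """
    denied_ids = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split())
        if fields.get("status") == "403":
            denied_ids[fields["user"]].add(int(fields["msg_id"]))
    return sorted(u for u, ids in denied_ids.items() if len(ids) >= threshold)


# Constructed sample log: mule_c is stepping through ids 100..103 and being refused.
SAMPLE_LOG = """\
user=mule_a msg_id=101 status=200
user=mule_a msg_id=102 status=200
user=mule_c msg_id=100 status=403
user=mule_c msg_id=101 status=403
user=mule_c msg_id=102 status=403
user=mule_c msg_id=103 status=403
user=mule_b msg_id=103 status=200
user=mule_b msg_id=104 status=403
"""

if __name__ == "__main__":
    print("insecure, anyone reads 103:", get_message_insecure(103).body)
    print("mule_a reads 103 with check:", can_read("mule_a", 103))
    print("accounts enumerating ids:", flag_enumeration(SAMPLE_LOG))
```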


What I wonder about these schemes - why don't any of these "Money mules" just keep all of the money? If these guys had any enforcement capabilities in the US, they presumably wouldn't need money mules.


The mules are never in possession of "all of the money" - they handle a couple of payments, after that they get the next ones. Sure, some of them might "keep" the money (they can't keep it, the victims have a claim on that money and the mules aren't anonymous or protected) and not forward it, so the scammers need to recruit new mules.


The "money mules" may not realize that what they are doing is illegal. If they are people looking for part-time work and have already done weeks of menial tasks before being asked to transfer funds, they probably just think that it's part of their gig.


They probably do some of the time.

To the hackers, it's likely a cost of business.


The name Evil Corp is a reference to the show Mr. Robot right?


Yes, obviously it was added later on. They've been doing this for at least a decade well before the show existed.


I would assume it's a parody of James Bond or a reference to any of the numerous parodies of it over the years, notably Austin Powers' Dr. Evil.


Is Brian Krebs the beneficiary of this $5 million bounty through this investigation?


It's f######g 2019! Why isn't Krebs's website mobile friendly, ffs?


It's 2019, why are you using a mobile browser without a Reader View button? (Hint: Firefox)


Name Flyman.

Arrest Flyman.


It's true, distributing Evil Corp information is prohibited and will be punished to the fullest extent of the law -- it didn't specify who would be in legal trouble, though.

I actually enjoy the hackers' questionable taste and extravagant lifestyle -- it's like Russian hackers are becoming self aware and having fun with it. They seem like they'd be cool to hang out with if you were interested in also defrauding millions from innocent people (which, alas, I am not).

