Future Crimes

by Marc Goodman


  Organized cyber criminals have very much embraced Chris Anderson’s “long tail” strategy and see the future of the crime business as stealing less from more. While criminals of yesteryear were always on the lookout for the single heist of a lifetime (think Ocean’s Eleven or the Pink Panther diamond), today’s cyber hoodlums have learned that they can reap massive profits by simply executing smaller operations over and over again against the masses. As we will see in the next chapter, much of this micro-thievery can be automated, leading to a steady stream of repeatable income, with lower risk of apprehension.

  To motivate a diverse criminal workforce, the executives at Crime, Inc. have devised a number of encouragement schemes to keep business booming. For many hackers, cash isn’t the only incentive; many enjoy the thrill of breaking the law, the challenge of cracking a sophisticated security system, or the bragging rights they gain when foiling such a system. Members of the cyber underground have established Web sites where fellow hackers can peer-review and rank their digital break-ins. RankMyHack.com awards points to the best of the best and uses leaderboards to separate the wannabes from the hacker elite.

  Cyber-crime bosses are well aware of these trends and have found a variety of ways to tap into employees’ needs for recognition, challenge, and belonging by incorporating elements of gamification into their criminal activities. In Montenegro, the KlikVIP scareware gang threw a party for its most productive malware installers and offered a large briefcase full of euros to the affiliate who infected the greatest number of machines. In early 2014, in an effort to drive innovation and create new lines of nefarious business, an eastern European executive at Crime, Inc. offered a brand-new Ferrari for the hacker who invented the best new scam. The news of the prize was unveiled in a dark corner of the digital underground in a professionally produced video that featured several glamorous female “assistants” on the floor of the dealer’s showroom. The boss’s gamification strategy paid off and received widespread attention among his workers, with the Ferrari reserved for the chosen “employee of the month.”

  From Crowdsourcing to Crime Sourcing

  Of all the business innovation techniques utilized by Crime, Inc., perhaps none has been as widely adopted as crowdsourcing. Crowdsourcing began as a legitimate tool to leverage the wisdom of crowds to solve complex business and scientific challenges. The concept of crowdsourcing first gained widespread attention in an article written in 2006 by Jeff Howe for Wired. Howe defined crowdsourcing as the act of “outsourcing a task to a large, undefined group of people through an open call.” While hundreds of examples of crowdsourcing have been documented with great results, these very same techniques can be harnessed for criminal purposes as well.

  YouTube is replete with great examples of apparent strangers suddenly breaking out into song, whether at Heathrow Airport or Times Square. But these flash mobs can rapidly devolve into “flash robs,” wherein less charitably inclined strangers gather not for art’s sake but for crime’s. Though flash robs are mostly a tool of low-end thugs, they are highly successful. In Washington, D.C., thirty young adults, all coordinating on social media and via SMS, simultaneously rushed into the G-Star Raw store and ran out with $20,000 worth of clothing, easily overpowering shopkeepers. If any of the participants involved are arrested, they are unlikely to be able to “rat” on their co-conspirators, whom they met for the first time at the scene of the crime. Similar incidents have taken place in Chicago, Philadelphia, and Los Angeles.

  Some crowdsourcing techniques are meant to give potential lawbreakers a leg up on the police. In the United States, mobile apps such as DUI Dodger, Buzzed, and Checkpoint Wingman allow those who have had too much to drink to crowdsource the location of DUI checkpoints, view them on an interactive map on the iPhone or Android device, and receive alerts when checkpoints are moved or newly established. When the 2011 London riots against government spending cuts turned violent, protesters created an app called Sukey, which allowed them to photograph police and upload their geo-tagged images to a crowdsourced interactive map. When other protest participants launched Sukey on their mobiles, they knew which areas contained riot police and were shown interactive compasses advising them how to avoid the cops (green pointed to safe areas, red to police danger zones).

  Hacktivists too have taken good advantage of crowdsourcing techniques. At the height of its dispute with Sony and News Corp, LulzSec brazenly established a crime-request telephone hotline asking whom the hacktivists should target next. The group established a phone number in Ohio and recorded a greeting message with a French accent advising callers, “We are not available right now as we are busy raping the Internet,” and asking callers to leave their hacking requests after the beep. This new modus operandi in crime sourcing allowed the public to vote, American Idol–style, on who shall be the next victim of a crime. The group later released a statement noting that it had successfully launched DDoS attacks against eight sites suggested by callers. Crime sourcing can be defined as taking the whole or part of a criminal act and outsourcing it to a crowd of either witting or unwitting individuals. By aggressively adopting crowdsourcing techniques, Crime, Inc. is able to build largely anonymous distributed criminal networks that can self-organize and assemble with amazing rapidity. To put these capabilities into perspective, in 2013 Crime, Inc. bosses in Russia and Ukraine were able to unleash a hundred money mules on a hospital in Washington State that they had hacked. As a result, more than $1 million was stolen from the hospital’s payroll system and laundered through ninety-six separate accounts in just a few days. As noted previously, many of these mules might have unknowingly been coopted by organized crime, believing they were “working from home” as “regional accounts receivable representatives.”

  Technology makes it easier than ever for Crime, Inc. to crowdsource its work to unwitting co-conspirators who have no idea they are taking part in an illicit plot. For example, criminals need a constant stream of new e-mail accounts by which to send their spam and phishing attacks, but CAPTCHAs can slow them down. As a work-around, criminals created a software system that automatically took the CAPTCHA image they were shown on Yahoo! or Hotmail and provided it to random strangers to solve for them. But why would any stranger do this? Simple. They were properly incentivized, with pornography. To crowdsource its problem, Crime, Inc. just created dozens of free porn sites and told visitors they would have to solve a CAPTCHA to prove they were over eighteen to gain access. The riddle the horny public was solving, however, was actually the CAPTCHA the criminals needed to create their spam e-mail accounts, cut, pasted, and switched in real time. A win-win situation, free high-quality porn in exchange for unwitting crowdsourced participation in a phishing scam.

  Though the CAPTCHA scheme was clever, it pales in comparison with a criminal casting call posted in an online ad. In Seattle, Washington, a bank robber had carefully plotted out the day and time an armored truck was scheduled to deliver a large haul of cash to the local Bank of America. On the Tuesday in question, at precisely 11:00 a.m., the robber, wearing a yellow safety vest, goggles, a blue shirt, a tool belt, a hard hat, and a respiratory mask, walked up to the armored car guard as he was carrying several large bags of cash into the bank and squirted him in the face with pepper spray. The guard was disabled and dropped the bags of money, which the crook shoved into a large duffel bag he was carrying before making his escape with what Monroe police called “a great amount of money.” When the guard regained his composure, he put out a help call on his radio and described the bank robber to a T. Soon half a dozen police cars were en route with lights and sirens to the scene of the crime on the lookout for the construction worker who had just pulled off the heist.

  The first police car on the scene noticed the construction worker, and the cops drew their guns on him, ordering him to put his hands up and drop to his knees. Then another police car spotted the construction worker culprit and then another and another. In fact, there were dozens of construction workers at the scene matching the description provided by the armored car guard. What authorities did not realize is that the actual bank robber had carefully crowdsourced his escape well in advance. A few days prior to the robbery, the true bandit placed an ad on Craigslist in the help wanted section purportedly looking for construction workers to participate in a road maintenance crew. The pay was great at nearly $30 per hour and interested parties were told to appear on Tuesday at 11:00 a.m. at the intersection where the Bank of America was located. Oh, they were also told to bring their own equipment—in particular a yellow safety vest, goggles, a blue work shirt, a tool belt, a hard hat, and a respiratory mask. Dozens looking for work showed up at the appointed place and time, having no idea they were unwittingly suckered into a crowdsourced bank robbery. In the world of “in screen we trust,” the public is easy to deceive. Only when all the construction workers were rounded up and detained did police realize what had transpired; of course by then, the actual bank robber was long gone.

  Not only is Crime, Inc. rapidly adopting witting and unwitting forms of crime sourcing, but it is also using another white-hot trend in the start-up community: crowdfunding. Crowdfunding is a process by which money is collected from a crowd of backers who agree to support either a new start-up company or a nonprofit project, usually described in great depth on a Web site. The most popular of these sites are Kickstarter and Indiegogo, and tens of thousands of projects have successfully been funded, raising in excess of $1 billion from the crowd. Criminals are of course happy to hack anybody raking in that much money and have already successfully compromised the Kickstarter Web site. That said, criminal hackers have much bigger and more nefarious crowdfunding plans in mind, such as hacking the iPhone in your pocket. When Apple released its iPhone 5s mobile phone, it included a feature known as Touch ID, a fingerprint-recognition scanner touted as a “convenient and highly secure way to access your phone.” Though Apple probably spent years and millions of dollars developing its patented biometric technology, by introducing the feature, Apple was in effect throwing down a gauntlet challenging hackers to defeat its “highly secure system.”

  Around the world, security professionals and hackers alike wondered, who would be the first to crack the uncrackable, and how long would it take? The answer was the Chaos Computer Club in Germany, and it took a day. Using elements of both crowdfunding and gamification, hackers set up a Web site called IsTouchIDHackedYet.com, offered a $20,000 bounty, which was contributed by fellow hackers, and used a leaderboard to show progress toward the $20K goal. In the end, the prize went to a hacker known as Starbug of the Chaos Computer Club who cleverly figured out how to subvert Apple’s multimillion-dollar investment. Starbug took a high-resolution twenty-four-hundred-DPI photograph of the fingerprint oils left behind on the Touch ID screen by the device’s legitimate owner. He then imported the picture to Photoshop, cleaned it up, inverted it, and printed it on a transparency film using a thick toner setting. Finally, white wood glue was smeared onto the pattern and, when dry, could be held over the Touch ID sensor to unlock the phone. Mission accomplished.

  As if crowdfunding hackers weren’t serious enough, recently yet another crowdsourced enterprise surfaced in the digital underground: the Assassination Market. Regrettably, the service is not some sort of deeply disturbing joke. Rather, it is the work of a dedicated anarchist who goes by the pseudonym Kuwabatake Sanjuro. As of late 2014, eight U.S. government officials have been selected via crowdsourced voting for assassination, with the former Federal Reserve chairman Ben Bernanke receiving the greatest number of votes. Donations have been made via encrypted and untraceable online currencies, and Sanjuro has crowdfunded $75,000 for the murder of the former Fed chairman to be paid to any hit man who comes forward upon completing the act.

  Though the $75,000 raised is profoundly alarming, it is not even close to the most successful criminal crowdfunding exercise ever to take place, one in which neither the victims nor the crowd funded the activity willingly. In what was perhaps the most masterful single heist ever carried out by Crime, Inc., thieves around the world crowdsourced a robbery in twenty-seven separate countries, carried out simultaneously. The massive larceny occurred in early 2013 when coders, engineers, and the R&D team at Crime, Inc. in eastern Europe broke into the network of two credit card processors in India and one in the United Arab Emirates. Crime, Inc. stole prepaid MasterCard and Visa debit card numbers and then hacked the processors’ internal computer systems to remove any and all account withdrawal limits on the cards they had pilfered. As a result, the master hacker-criminals had hundreds of debit cards, each capable of withdrawing unlimited funds from the global ATM network.

  Crime, Inc. then sent encrypted messages via the digital underground to crime associates in more than two dozen countries. Those receiving the stolen data used their own criminal professional-grade credit card printers to print the debit cards and encode the card numbers on the magnetic strips on the reverse. What happened next is perhaps one of the greatest feats in crime sourcing, or even crowdsourcing, history. The cards were distributed to hundreds of teams of worker-bee criminals around the world. When Crime, Inc. gave the signal, the race was on, and the infantry of outlaws went on a synchronized withdrawal spree, hitting as many ATMs as humanly possible. In the ten-hour time span that Crime, Inc.’s crowdsourced operation ran, thieves carried out thirty-six thousand ATM transactions in twenty-seven countries and walked away with over $45 million in cash. Because Crime, Inc. had already hijacked the banks’ computers and had the debit card numbers they had assigned, they could watch exactly how much was being taken out and, importantly, how much each criminal worker bee had to kick back prior to taking his “service fee.” Though a small handful of low-level thugs were caught by police, the Crime, Inc. masterminds behind the plot remain unidentified and at large, probably organizing their next massive crowdsourced caper. Ten hours, thirty-six thousand transactions, twenty-seven countries: an amazing logistical feat that few corporations or governments could actually execute. Welcome to the world of network-distributed criminality.

  Crime, Inc. is a business and a highly profitable one. Unencumbered by moral considerations, it is free to profit without limit and use the very latest business practices to do so. Crime, Inc. uses freemium pricing, gamification, crowdsourcing, crowdfunding, reputation engines, just-in-time manufacturing, online training, swarms for distributed project management in pursuit of the long tail of crime victims around the world. Global criminal syndicates such as Innovative Marketing in Kiev have earned upward of half a billion dollars (tax-free of course) in just three years. These outlaws, Moore’s outlaws, are fully networked and capable of leveraging and subverting any technology at will. They do so with near impunity, and their actions imperil a world that is both increasingly connected and profoundly dependent on technology to function. The result is an ever more powerful criminal underworld, one that is growing exponentially in its capabilities. This thriving criminal superorganism lives, breathes, and is controlled from within the deepest, darkest recesses of the Internet—the Dark Web, the inner sanctum of the digital underground and the nerve center of Crime, Inc.

  CHAPTER 11

  Inside the Digital Underground

  Our representation of the standard criminal might be based on the properties of those less intelligent ones who were caught.

  NASSIM NICHOLAS TALEB, THE BLACK SWAN

  Dread Pirate Roberts (DPR) was the most wanted man in the digital underground. From within the darkest reaches of cyberspace, the mysterious outlaw ran a vast empire of covert criminality. He was the subject of a global manhunt, actively pursued by special agents from the FBI, Drug Enforcement Agency (DEA), ATF, Homeland Security, the Royal Canadian Mounted Police, Scotland Yard, and Interpol. Precious little was known about Dread Pirate Roberts, save for the fact that his alias was taken from a character in the cult classic film The Princess Bride. DPR was the mastermind behind Silk Road, a massive online criminal marketplace painstakingly hidden from public view where any and all manner of illicit goods were for sale in a secret Web: “If you can smoke it, inject it, or snort it, there’s a good chance Silk Road has it.”

  Named after the ancient Asian trading route, Silk Road was a place where buyer and seller could anonymously come together to exchange goods and services in a dizzyingly large emporium of contraband. Known as the “eBay of drugs and vice,” Silk Road offered every possible illicit product imaginable, neatly organized by category such as drugs or weapons, each with accompanying photographs and descriptions. Other items on offer included stolen bank accounts, counterfeit currency, AK-47s, armor-piercing ammunition, stolen credit cards, computer viruses, keystroke loggers, compromised Facebook accounts, tutorials on hacking ATMs, child pornography, and even hit men for hire. Under the category of forgeries, there were more than two hundred listings for fake driver’s licenses, passports, Social Security cards, utility bills, credit card statements, diplomas, and other identity documents.

  At its core, however, Silk Road was all about the drugs, with more than thirteen thousand postings for controlled substances for sale listed. The “narcocopia” of merchandise included heroin, Oxycontin, powder and crack cocaine, morphine, LSD, ecstasy, Molly, marijuana, crystal meth, ’shrooms, syringes, precursors, steroids, stimulants, and a panoply of prescription pills, from Adderall to Xanax. Narcotics were sold both in individual quantities and in bulk, including multi-kilo offers for heroin, cocaine, and methamphetamines. Clicking on any particular link brought up a picture of the product in question as well as descriptive ad copy such as “Nod’s Black Tar HEROIN—ships sweetness express to the veins—or to the lungs if you prefer to smoke it and chase the dragon.”

 
