<p>Meet the hackers who want to attack Target and other U.S. companies. Who are they? What do they want? The answers will scare you.</p>
In an empty Japanese restaurant on the northeast outskirts of Moscow, Nikita Kislitsin, a 28-year-old Russian with blond hair, blue eyes and translucent skin, is showing me how to pull off a multimillion-dollar cyberheist on his MacBook Air. The ace hacker is methodical; his slim fingers click quickly through a series of applications to activate a virtual private network that will blur our real location from prying eyes.
“Which IP address shoubmold we use?” Kislitsin asks. Kislitsin was the editor in chief of Russia’s Hacker magazine for six years before taking a job with Group-IB, a private Russian internet-security firm. We peruse a list of half a dozen international locales like a pair of newlyweds picking through possible honeymoon destinations. “Chicago,” I decide—and with one click we’ve transported ourselves from Russia’s capital to America’s heartland. Now, with our location cloaked, we can operate on the fringes of the law with impunity.
While pulling off online larceny requires strategy, the tools to do it are readily available for a reasonable fee. Kislitsin logs on to several hidden forums and scans the Russian-language conversation threads. We’re looking for a good deal on a Trojan: a program that infects computers and forces them to perform unauthorized actions, extracting all manner of personal data and transmitting it back to the program’s command-and-control server, like a droid seeking out the mother ship. The computer then becomes part of a vast botnet, a network of infected computers whose information—such as account balances and passwords—shows up on the hacker’s dashboard. Armed with this info, criminals can filter out victims to rob and begin to drain their accounts. Kislitsin shows me one dashboard Group-IB hacked into on which a cyber-criminal had made his own handy notes. Next to infected computers he’d listed account balances, “password incorrect,” “missing login” and several notes of bomj (Russian for “homeless”), a reference to someone too poor to be worth robbing.
Once a computer is compromised, the next step of the heist is taking money out of an account. A favorite lifting method is autozaliv (Russian computer slang for “autotheft”), which requires a separate program that can be bought on the same forum. When you log on to your banking profile, the hacker can see that you’re online. Through the autozaliv program, the hacker directs your computer to automatically wire your money into another account. In some cases the hacker even obtains control of your laptop’s online banking screen so that when you look at your account, you see the balance you were expecting—but the money is already gone. It’s only when you try to pay a bill or go to an ATM that the bank will notify you that you have insufficient funds. Your money is long gone.
The stolen funds are now snaking their way across the world through a network of people known as money mules, whose services can also be bought on the forum. It is a separate criminal network that specializes in illicit courier services, organizing all the stops—and there are quite a few—the money will make before it lands in the hands of the cyber-criminal. From the victim’s account the lucre is sent to another American bank account. Sometimes the mules are Eastern Europeans studying in America who are in on the scam; other times the mules are down-on-their-luck Americans who responded to online ads about making money from home. Typically the ad claims a foreign company working in the U.S. needs an American business partner to help it collect its money. For a percentage, the American uses his or her own bank account to collect wire payments for “services rendered” and then sends the money through Western Union to the “company” on the other side of the Atlantic.
The recipient across the ocean is possibly as clueless or as desperate as the American on U.S. soil. He or she picks up the wire transfer and sends the cash onward to the actual hacker. Kislitsin tells me the Western Union collector could be a poor grandmother in Ukraine who collects the funds with her real passport, packs a television set with bundles of cash, perhaps for a salary of about $200 a week, and physically sends it on its way to the original hacker. One way, he noted, is to cross borders on a train. The train attendant charged with moving the package probably doesn’t know he’s delivering a hollow television set stuffed with cash. The money-mule network takes 50 percent of the stolen funds as its cut.
From desktops to laptops to mobile phones and tablets, the reach of cybercrime is growing at an alarming rate. On forums like the ones Kislitsin is showing me, anyone can buy hundreds of stolen credit card numbers, malware (programs that clandestinely enter a computer and damage or hijack its operations—a Trojan is a kind of malware), viruses, space on bulletproof hosting servers (online domains maintained by dubious companies that will not shut them down despite nefarious activities such as child porn and drug scores), money-mule services and much more.
There are many ways to pull off cyberheists that don’t involve hacking into victims’ bank accounts via their computers. From producing fake debit cards to drain ATMs to stealing credit card numbers and shopping online, the opportunities for cybercrime are as ubiquitous as the technology that has crept into our daily routine.
At a private cybersecurity conference in New York last August, then FBI director Robert S. Mueller cautioned, “In the future, the cyberthreat will equal or even eclipse the terrorist threat.” The more connected the world becomes, the greater the risk we all run of getting hit. The websites we visit every day—Chase, Visa, Amazon, eBay—can be infected with malware that will establish dominion over our password-“protected” data. Those with the know-how can pilfer a single mom’s life savings, gut a local gym owner’s capital, hit small businesses or go after bigger fish such as Sony or Home Depot.
One hit can have massive ramifications. As Target customers learned this past Christmas, even if your own machine is as secure as possible, your information can be compromised anyway. Between November and December last year, thieves hacked into Target’s system and stole up to 40 million credit and debit card numbers, as well as addresses and phone numbers of about 70 million customers. The hackers probably got in through Fazio Mechanical Services, a small business in Pittsburgh that provided refrigeration to the stores. According to analysts, the hackers appear to have used malware to infect Fazio’s computers and then moved into Target stores’ point-of-sale systems—the computers where customers physically swipe their cards—and transmitted that information back to the mother ship. Typically criminals will wait months to use their loot, long after the media firestorm has died down and customers have dropped their guard and stopped monitoring their accounts. Hackers can also sell the data on the forums I saw with Kislitsin. Credit card numbers can be bought for about a dollar, which adds up when you sell data by the thousands or millions.
According to Symantec, an American security-research firm, cybercrime cost $113 billion globally in 2013. The United States was hit hardest, losing $38 billion. Every day more than 1 million people are victims of cybercrime—or 12 victims per second, nearly three times the global birthrate. That includes people whose private data you’d expect to be protected to the gills. Last spring Michelle Obama, Joe Biden, Jay Z, Hillary Clinton, Ashton Kutcher, even then FBI director Mueller (among many other high-profile victims) saw their credit card information, Social Security numbers and previous addresses posted online in one massive dump for the entire world to see. The website was registered to a .su (short for Soviet Union) domain, leading experts to point to Russian handiwork.
This was no surprise: Russia is ground zero for cybercrime. Of the FBI’s 10 most-wanted cybercriminals, four are Slavs, one is a Swede and two are Pakistani. China has its fair share of cybercriminals too. The more we try to fortify our security systems, the quicker these hackers evolve to outwit us.
Since I’m new to cybercrime, Kislitsin is setting me up to pull off a heist as easily as possible. We’re looking for prewritten malware (the most skilled cybercriminals design their own, Kislitsin explains). Within 10 minutes we’ve found three kinds of Trojans for sale: SmokeBot, Andromeda and Citadel. Of the three, Kislitsin makes the strongest case for Citadel—at $350, it’s inexpensive and perfect for pilfering from U.S. bank websites. (A quick tally yields that it would cost a newbie about $3,300 to buy the necessary components to launch a cyberheist. “It is a business, so you have to put up some money to start,” Kislitsin explains.)
“In Russia we have a saying: cheap and reliable,” Kislitsin says with a grin. He clicks over to his anonymous chat service and fires off a buying inquiry.
Then we wait.
In February 2013, three days after reporting $1.1 million in fraudulent wire transactions, Daniel Crenshaw—the now 37-year-old founder and owner of Efficient Services Escrow Group in Huntington Beach, California—got served. Police officers stormed Efficient Services’ office, brandishing badges. They confiscated Crenshaw’s computers, kicked out his employees and changed the locks on the office doors. In December 2012 Crenshaw had worked with his bank to recover a mysterious wire that had sent $432,215 to a bank in Moscow; then, over one week in late January 2013, two more wires totaling $1.1 million were sent to a northern region of China near the Russian border. Efficient reported the fraud in accordance with state regulations. The California Department of Corporations gave the company three days to come up with the money. It couldn’t. The money was gone, so the police came in. (When an escrow company reports a fraudulent wire transfer in California, the law gives it three days to recover the funds, whereupon the state is mandated to take possession of the company.)
The firm that Crenshaw and his older brother, Rob, 39, had started in 2009 had been on its way to becoming one of the biggest escrow outfits in southern California. They’d just opened a second office and were hiring new employees. Suddenly everything was gone—the Crenshaws went from getting a cushy salary to no paycheck. They laid off their staff, and they owed money to their clients that they couldn’t return.
The reputational damage from a cyberattack alone is jarring—money has mysteriously disappeared from a company. The Crenshaws’ competitors were beginning to whisper, saying they’d always known the brothers were shady. Although criminal charges were never filed, that didn’t make it better. “We were getting threats from our clients, from the Department of Corporations, from the bank,” Daniel recalls. “You don’t know how to defend yourself. You didn’t do anything wrong. Overnight you’ve lost a company that you spent five years building.” He says he is being forced to walk away from the real estate industry. “Even when all the dust settles, it still doesn’t go away. Now they want to blackball us from the industry.” His brother’s membership in the California Escrow Association has already been revoked. Daniel’s hearing with the association is pending. “Until the public knows that we had no doing in this matter, our names will not be cleared,” he says.
Online bank theft often targets American small businesses. They are more lucrative than individual accounts because they tend to have fatter balances, and they are checked less often. Small businesses also have laxer online security than big firms do. (That’s why hackers could get into Target through Fazio Mechanical Services in Pittsburgh.) And although the U.S. government insures personal accounts, small businesses with commercial accounts have no government guarantees to recover stolen funds—as the Crenshaws learned, if a business gets hit, the cost is its to bear.
Losses from cybercrime can be staggering. The U.S. Internet Crime Complaint Center (IC3), a government initiative for victims of cybercrime, received 289,874 complaints in 2012, an 8.3 percent increase from 2011. And that includes only individuals who reported some kind of loss. Many people who get hacked never go public. They are frequently targeted while looking at porn: A common scam involves infecting a victim’s computer with malware that installs another program, called Ransomware, which locks the computer and flashes a warning that the owner has violated U.S. federal law. The scam goes further, declaring that the user’s IP address was used to visit child-pornography sites. It then instructs victims to pay a fine to the U.S. Department of Justice through prepaid money card services in order to regain control of their machine. Most people pay.
“The first trap that many infected users fall into is thinking that this is personal in some way,” says Brian Krebs, a journalist specializing in cybercrime investigations who blogs at KrebsOnSecurity.com. “You’re not some unique snowflake that the bad guys want to attack. Unless you’re some big juicy target, most of these attacks are opportunistic. Your machine can be monetized a hundred ways from Sunday.”
It took Mark Patterson more than three years to recover from the hit. Over a six-day period in 2009, a ZeuS Trojan snared $588,000 from his Maine-based company, Patco Construction, by infecting the business’s work computers. The hackers tapped into both the company’s account and its line of credit. “We’re going to get our money back, right?” Patterson said when he called the bank. But the bank rep was stumped: “We don’t even know what’s going on.” Within 24 hours the bank managed to halt about $200,000 of the money, recovering funds that had been moved to the first money-mule account. But the rest was gone.
Patterson sued the bank—and lost. All the while, the bank continued to charge Patterson interest, which would total about another $100,000 over the course of his legal ordeal. In 2012 an appeals court overturned the decision; the bank settled, but the damage had been done. By then Patterson had spent hundreds of thousands in legal fees—none of which was reimbursed. He had been so focused on the case that new business opportunities had slipped away. “I guess you can feel good about winning, but not really winning,” Patterson says. “There are still people losing hundreds of thousands of dollars, continually.”
Much of that money is winding up in Russia, the birthplace of cybercrime. With the collapse of the USSR, well-educated Russian programmers, lacking job opportunities, began to look for ways to monetize the internet. They excelled at spamming and developing networks of infected computers under the control of one command center, which would drive internet traffic to paid porn sites. That in turn spawned the fake credit card industry. Soon Russian hackers had developed all the moving parts they needed to graduate to bank heists. Since the early 2000s Russians have produced the most effective banking Trojans, specifically targeting America and Western Europe. Today Russia is home to the best hackers and the most banking hits.
Russia’s refusal to cooperate with the U.S. government to arrest its own citizens has created a cybercrime safe haven. Usually only hackers who attack Russian banks serve time. The only way to stop the others is to arrest them if they step on European or American soil. Last July the FBI indicted four Russians and a Ukrainian for stealing more than 160 million credit card numbers from major U.S. companies, including Visa, Discover, NASDAQ, 7-Eleven and JetBlue. They stole $300 million in total—one of the largest cyberheists in history. Two of the culprits were arrested in the Netherlands and one of them was extradited to the U.S., but three of the masterminds are still at large.
Since the government isn’t cracking down on them, Russians can do pretty much anything with the money they make. And when money comes easy, it’s no surprise that those with gaudy streaks flaunt it. Group-IB showed me a profile on vKonnect, the Russian version of Facebook, of a 19-year-old kid who had stolen millions from U.S. point-of-sale registers—the same kind of heist that hit Target. His photos feature him wearing thick bedazzled chains and making gang signs with his friends.
Invincibility on Russian soil led one hacker, VorVZakone, to make a video of his life as a well-to-do cybercriminal and upload it to YouTube. “I decided to meet you, let’s say remotely,” the brick of a man in a black trench coat and wraparound shades boasts to the camera. “Now you will see how I live.” He calls himself Seroga and takes viewers on a tour of his gated community. Seroga and Oleg, a younger guy with an aquiline nose and highlighted blond hair pulled back with a headband, act like guests on a bootleg episode of MTV Cribs. After a drive through their hood, the two jump out and examine Seroga’s second car, a white Hyundai Solaris, as birds chirp placidly in the background. The camera follows him to his house and into a redbrick foyer, where he shows off a walkie-talkie by calling his cleaning lady on the other end. The residence itself is a typical nouveau riche affair. “This is my setup,” Seroga says, pointing to an open laptop and a desktop facing two white leather couches along the walls. “You don’t need anything more,” Oleg chimes in. At the end of the video, Seroga sits down alone in his kitchen to a plate of caviar sandwiches his housekeeper has prepared.
The video caused a stir on underground forums. Hackers mocked Seroga, defaming him as a phony, a police plant or just an idiot who wasn’t taking his security seriously. In September 2012, VorVZakone posted a battle summons called Project Blitzkrieg, trying to recruit other hackers to coordinate mass attacks on 30 U.S. banks before they upped security measures, claiming he had been developing the Trojan since 2008 and had already successfully stolen $5 million. The announcement prompted security companies to issue warnings of an impending attack. McAfee Labs found that VorVZakone’s touted pilot Trojan had already infected more than 80 victims across the United States. He was never caught.
While the FBI has made headway in busting cybercrime rings in recent years, U.S. banks and businesses are deeply resistant to admitting they’ve been hit for fear of damaging their reputations. They increasingly rely on private companies such as Group-IB that work under nondisclosure agreements to track down their stolen funds.
Founded in 2003 by several college kids at Russia’s equivalent of MIT, Group-IB is housed in a gated business compound on the northeast edge of central Moscow. Inside the squat, grimly utilitarian building is a labyrinth of corridors divided by key-coded doors. In this hushed atmosphere, young employees peer fixedly at their double flatscreen monitors, sipping from steaming mugs. They work on behalf of various banks and internet empires, including Microsoft, tracking down cybercriminals and trying to hack into the companies’ servers to test their security systems.
I’m sitting behind Dmitry Volkov’s desk. Tall and taciturn with wavy brown hair, the 29-year-old head of Group-IB’s cybercrime-investigation team flicks through the files of criminals it has tracked down. We pause on Ivan. On his vKonnect profile, Ivan (Volkov asked that I withhold Ivan’s real name), who lists his age as 24, has the kind of blond bowl cut, button nose and wide-set blue eyes found on Soviet-era propaganda posters beseeching comrades to fell hay for the motherland. He’s married to a buxom, blue-eyed blonde with a round face and pouty lips. She’s 23. They have a young son.
A few years ago, Volkov says, Ivan began to visit Russian-language hacking forums. He started to write injects—software programs that transfer money from a specific bank—which he advertised and sold in the online netherworld for between $200 and $500. Soon hackers began posting endorsements: Ivan delivered what he promised. Then, around 2011, Ivan decided to perpetrate his own heist. He bought prewritten malware called SpyEye to hit Bank of America. He and a partner used Ivan’s own injects and contracted someone to hack a server to spread the Trojan. They then transferred the cash and hired a money-mule service to pull it out of the accounts. In 2012 they hit Italian and German banks. Last year Ivan hit a Russian bank and grabbed at least $2 million. “If he wants to make a million, he needs to steal two,” Volkov explains, “because he gives 50 percent of the money to mules.”
Ivan lives in a provincial city hours outside Moscow. Russia’s provinces are notoriously poor, their capitals filled with concrete-slab apartment blocks. Jobs are scarce, and drug and alcohol abuse runs rampant. Volkov hails from a similarly neglected far-flung city in Petropavlovsk-Kamchatsky, an underpopulated peninsula in Russia’s far east where tundra winds beat down on the city. When Volkov was a kid, his parents enrolled him in programming classes where he and his friends would send one another computer viruses as practical jokes. He ended up at the best technical university in Moscow, where programmers make three times as much as those in the provinces.
For those who remain behind, it’s not hard to understand the temptation to go rogue. The guys at Group-IB could easily have been on the other side of the coin. There’s a universal appeal to hacking, finding errors in codes and gaps in security and proving your worth.
Group-IB knows Ivan is working on a new project, trying to write his own malware, but whom he intends to target, they can’t tell. For now, Volkov tells me, Ivan is still at large. Volkov isn’t sure Ivan will actually serve time if he’s caught. There are many ways to avoid sentencing in Russia’s corrupt legal system—even if you steal from Russians. For crimes that target the U.S., the arrest rate is nonexistent. U.S. and Russian authorities rarely work together on cybersecurity cases, and officials from Russia’s Federal Security Service, the Russian FBI, tend to look the other way when the victims are abroad. Moscow’s decision to grant Edward Snowden temporary asylum when he is wanted by the U.S. for leaking National Security Agency surveillance programs is unlikely to make cooperation smoother.
Kislitsin published his first article in Hacker at the age of 15. It was about how to get multiple uses off a single internet credit scratch card, which back then was used to top up credit and log in to the internet. (He admits he used it a few times before notifying the company of the security glitch. “It was just to make sure it worked,” he tells me coyly.) “There are lots of poor people in Russia, and some of these poor people still have access to a good education. If a smart student sees that he can write software and each copy would cost $50,000, wouldn’t he do this?” Kislitsin says.
“This well-educated guy might grow up in an intelligent family in which his parents taught him it is bad to steal money or things. Psychologically, he’s not ready for stealing money,” Kislitsin continues, “but on the other hand, he can see that many people in Russia steal from their own country, from the government budget, and feel great. So he might think, Okay, what if I write this piece of malware? I’m not even stealing anything. I’m just a software developer, and psychologically it’s okay.” That’s exactly how Ivan started. But the more money they make, the more sophisticated the heists get.
Unlike his colleague, Volkov has no sympathy for the hackers he’s employed to catch. He refers to them with unmasked disdain as the “golden youth.” “These people are for some reason convinced they are not stealing from actual people but from bad people or from the government, like Robin Hood,” Volkov says, shaking his head. “I’ve never seen anyone on comments say, ‘This is a small business. Let’s not steal from it.’ If there’s money, they’ll take it.”
On a Thursday morning in March 2010, Ken Hollomon, 49, an IT consultant in Los Angeles, got the call. His longtime friend Michelle Marsico was frantic—the bank account of her recently founded escrow company was missing $450,000. Over three days, 26 wire transfers had gone out across the U.S. Hollomon rushed to the office. “It was like the beginning of a nightmare, when you know it’s going to be a nightmare and you’re trying to stop it,” he says.
The bank was unresponsive, telling Marsico it could no longer communicate with her without a lawyer present. The police department gave her a receipt with a case number. “I’m so sorry,” was all the officer said. Eventually, the Secret Service called Marsico. After discussing the situation, she asked for her case number so she could follow up.
“This happens so much we would run out of numbers, so there’s no case number,” the agent told her.
Marsico was incredulous. She had never expected anything like this to happen to her; she had barely heard of cases like this. Someone had been through her accounts and taken everything—she didn’t have the money to keep running the business. It took all her strength just to get out of bed every day. “It feels like you’ve been raped; you don’t want to broadcast how that feels. You feel like you’ve done something wrong, like you’re a bad person, like you weren’t responsible enough. All this stuff goes through your head, like I shouldn’t own my own business if I can’t handle this. I totally ripped myself a new one,” she says. “My whole livelihood was taken away, and I had nobody to help me. All the government agencies were just.… I felt like nobody cared. Here I am, a taxpayer, an American citizen, working my butt off to make it, and there was nobody on my side. I was alone, and that was the most alone I’ve felt in my life.”
Marsico and Hollomon decided to take matters into their own hands. From the names on the fraudulent wire statements the bank provided, they began to track down the mules, plugging the names into Facebook and LinkedIn. Most of the people they found were Americans who’d responded to employment ads online. Most didn’t realize they were acting as money mules in a global mafia heist; they thought they had gotten a good deal doing honest work for a company overseas. “A lot of them were decent people,” Hollomon says. “Some of them got out of college and didn’t have any money. Some of them had just lost their jobs. They were Americans hurting for money.”
On their own, Hollomon and Marsico were able to track down $78,000 of the money. Then things got weirder. When Marsico was talking to her bank’s IT expert, he asked her whether she had ever tried to access her bank account remotely. “From home?” she asked. “No, from Glendale,” the rep said. Hollomon knew Marsico would never have logged on from Glendale, California—she didn’t even log on from her house. So Hollomon started hunting in online forums and soon learned that Glendale was a well-known hacker haven, right in their own backyard. He says he walked into a Glendale bar and ran into a kid who told him, “Yeah, I work for these people.” Oh my God, Hollomon thought, I have to get out of here real quick.
“I just wanted to see if the addresses of the people we’d found were true, and they were,” he explains. “These hackers aren’t scary. They aren’t thugs. They’re just kids.” In 2012 Marsico settled with her bank. It was a big payout that brought her company back from the abyss. Her settlement was a precedent for the industry: Since the wire transfers were unusual—to foreign countries Marsico had never sent money to before, in sums she didn’t normally transfer—the bank took responsibility for allowing the funds to go through without sending up a red flag. But Marsico had lost two years of her life just fighting to survive. Since then, Hollomon has been contacted by other small businesses with the same problem. “They’re trying to protect themselves, but they’re trying to conduct business with these tiny IT budgets. It’s really difficult,” he says.
One of the most daring ATM heists happened last February. Two coordinated strikes involving people in 27 countries netted $45 million from thousands of ATMs around the world. Hackers targeted two Middle Eastern banks, raising the withdrawal limits and increasing the balances on prepaid MasterCard debit cards issued by Bank of Muscat of Oman and National Bank of Ras Al Khaimah PSC of the United Arab Emirates. Money mules then strolled through cities across the world, simultaneously draining ATMs.
In New York City alone, the thieves hit 2,904 ATMs over 10 hours using a single Bank of Muscat account number. Sauntering around Manhattan, hitting ATMs and stuffing the money into backpacks, they withdrew $2.4 million. In May prosecutors indicted eight men of Dominican origin living in Yonkers, New York. But they were just the cogs of the operation; their job was to withdraw stolen funds and transfer them to the mastermind’s account for a commission. (This was the riskiest part of the heist because it happened on U.S. soil and ATMs are under camera surveillance.) While money mules are frequently caught, the real kingpins remain free. The brains behind the Yonkers crew operation remain unknown, but according to prosecutors, one of the arrested men sent an e-mail to “firstname.lastname@example.org,” an address “associated with an organization based in St. Petersburg, Russia that specializes in laundering the proceeds of criminal activity.”
The Yonkers crew seemed as if they couldn’t believe their own luck. After the heist, the perpetrators took a selfie: Sitting in a car, two men in their early 20s in black jackets pull the universal boo-yah face, dimpling their still-baby-fat cheeks while pointing to four thick stacks of cash between them. They purchased Rolex Oyster Perpetual Datejust watches, a Mercedes SUV and a Porsche Panamera. They stacked cash on top of Coors Light cans and took pictures—remorse seemed lacking. At one point they deposited nearly $150,000, in the form of 7,491 $20 bills, at a bank branch in Miami. One of the two in the selfie had listed Domino’s as his place of employment on his passport application. Then they got busted—surveillance footage from the heist shows one of the mules wearing a Domino’s hat.
A week after our attempts to buy the Trojan in the Japanese restaurant, Kislitsin e-mails me that he has heard back from two of the three sellers. The guy offering the Citadel Trojan upped his price for technical reasons—now, for about a grand, he’s selling a whole kit that includes multiple components for a cyber-heist that would allow users to manage and control their own botnet. Kislitsin bargains the price down 200 bucks and they have a deal. The seller gives Kislitsin his number for WebMoney, a service that doesn’t require bank accounts—you can deposit funds by using money orders, wire transfers or exchange offices and prepaid cards. “I was supposed to pay him and never did,” Kislitsin writes me. We could have made a fortune.
Even while online banking struggles to keep up, new banking methods—from smartphones to tablet apps—are creating new battlegrounds for the same war. Symantec estimates half of smartphone users sleep with their phones within arm’s reach. Half of them also use no security precautions on their phone—no passwords, no security software, no backup files. Forty percent of smartphone and tablet users have experienced mobile cybercrime in the past year, and nearly 60 percent of users don’t even know security for smartphones and tablets exists.
Yet even the most secure are vulnerable. In March 2012 NASA disclosed it had been hacked 13 times. In one go, hackers had stolen 150 user credentials that could be used to gain unauthorized access to NASA systems. That same month the Department of Homeland Security warned of a cyber-intrusion campaign on American gas pipelines that had been in the works since 2011. In July 2012 the NSA director said there had been a 17-fold increase in cyber incidents at U.S. infrastructure companies in the previous three years. In January of last year, The New York Times, The Wall Street Journal, the Washington Post and Bloomberg News revealed they had been the victims of persistent cyberattacks, possibly originating in China. The following month the Department of Energy was hit; 14 computer servers and 20 workstations were penetrated, affecting hundreds of employees and compromising their personal information. In May 2013 the U.S. government revealed that the country’s electrical grid is under near constant attack from multiple unknown entities.
As I look over copies of the logs Kislitsin sent of our attempts to buy malware and Ivan’s cyberforum postings that Volkov shared with me in Moscow, I realize the user name is the same on all of them. Ivan is not just somewhere out there in Russia’s vast hinterlands, working on a new plan: He’s selling all the components for others to do it too. One of them could be me. One of them could be your Domino’s delivery guy. And you’ll never see us coming.