In an empty Japanese restaurant on the northeast outskirts of Moscow, Nikita Kislitsin, a 28-year-old Russian with blond hair, blue eyes and translucent skin, is showing me how to pull off a multimillion-dollar cyberheist on his MacBook Air. The ace hacker is methodical; his slim fingers click quickly through a series of applications to activate a virtual private network that will blur our real location from prying eyes.
“Which IP address should we use?” Kislitsin asks. Kislitsin was the editor in chief of Russia’s Hacker magazine for six years before taking a job with Group-IB, a private Russian internet-security firm. We peruse a list of half a dozen international locales like a pair of newlyweds picking through possible honeymoon destinations. “Chicago,” I decide—and with one click we’ve transported ourselves from Russia’s capital to America’s heartland. Now, with our location cloaked, we can operate on the fringes of the law with impunity.
While pulling off online larceny requires strategy, the tools to do it are readily available for a reasonable fee. Kislitsin logs on to several hidden forums and scans the Russian-language conversation threads. We’re looking for a good deal on a Trojan: a program that infects computers and forces them to perform unauthorized actions, extracting all manner of personal data and transmitting it back to the program’s command-and-control server, like a droid seeking out the mother ship. The computer then becomes part of a vast botnet, a network of infected computers whose information—such as account balances and passwords—shows up on the hacker’s dashboard. Armed with this info, criminals can filter out victims to rob and begin to drain their accounts. Kislitsin shows me one dashboard Group-IB hacked into on which a cyber-criminal had made his own handy notes. Next to infected computers he’d listed account balances, “password incorrect,” “missing login” and several notes of bomj (Russian for “homeless”), a reference to someone too poor to be worth robbing.
Once a computer is compromised, the next step of the heist is taking money out of an account. A favorite lifting method is autozaliv (Russian computer slang for “autotheft”), which requires a separate program that can be bought on the same forum. When you log on to your banking profile, the hacker can see that you’re online. Through the autozaliv program, the hacker directs your computer to automatically wire your money into another account. In some cases the hacker even obtains control of your laptop’s online banking screen so that when you look at your account, you see the balance you were expecting—but the money is already gone. It’s only when you try to pay a bill or go to an ATM that the bank will notify you that you have insufficient funds. Your money is long gone.
The stolen funds are now snaking their way across the world through a network of people known as money mules, whose services can also be bought on the forum. It is a separate criminal network that specializes in illicit courier services, organizing all the stops—and there are quite a few—the money will make before it lands in the hands of the cyber-criminal. From the victim’s account the lucre is sent to another American bank account. Sometimes the mules are Eastern Europeans studying in America who are in on the scam; other times the mules are down-on-their-luck Americans who responded to online ads about making money from home. Typically the ad claims a foreign company working in the U.S. needs an American business partner to help it collect its money. For a percentage, the American uses his or her own bank account to collect wire payments for “services rendered” and then sends the money through Western Union to the “company” on the other side of the Atlantic.
The recipient across the ocean is possibly as clueless or as desperate as the American on U.S. soil. He or she picks up the wire transfer and sends the cash onward to the actual hacker. Kislitsin tells me the Western Union collector could be a poor grandmother in Ukraine who collects the funds with her real passport, packs a television set with bundles of cash, perhaps for a salary of about $200 a week, and physically sends it on its way to the original hacker. One way, he noted, is to cross borders on a train. The train attendant charged with moving the package probably doesn’t know he’s delivering a hollow television set stuffed with cash. The money-mule network takes 50 percent of the stolen funds as its cut.
From desktops to laptops to mobile phones and tablets, the reach of cybercrime is growing at an alarming rate. On forums like the ones Kislitsin is showing me, anyone can buy hundreds of stolen credit card numbers, malware (programs that clandestinely enter a computer and damage or hijack its operations—a Trojan is a kind of malware), viruses, space on bulletproof hosting servers (online domains maintained by dubious companies that will not shut them down despite nefarious activities such as child porn and drug scores), money-mule services and much more.
There are many ways to pull off cyberheists that don’t involve hacking into victims’ bank accounts via their computers. From producing fake debit cards to drain ATMs to stealing credit card numbers and shopping online, the opportunities for cybercrime are as ubiquitous as the technology that has crept into our daily routine.
At a private cybersecurity conference in New York last August, then FBI director Robert S. Mueller cautioned, “In the future, the cyberthreat will equal or even eclipse the terrorist threat.” The more connected the world becomes, the greater the risk we all run of getting hit. The websites we visit every day—Chase, Visa, Amazon, eBay—can be infected with malware that will establish dominion over our password-“protected” data. Those with the know-how can pilfer a single mom’s life savings, gut a local gym owner’s capital, hit small businesses or go after bigger fish such as Sony or Home Depot.
One hit can have massive ramifications. As Target customers learned this past Christmas, even if your own machine is as secure as possible, your information can be compromised anyway. Between November and December last year, thieves hacked into Target’s system and stole up to 40 million credit and debit card numbers, as well as addresses and phone numbers of about 70 million customers. The hackers probably got in through Fazio Mechanical Services, a small business in Pittsburgh that provided refrigeration to the stores. According to analysts, the hackers appear to have used malware to infect Fazio’s computers and then moved into Target stores’ point-of-sale systems—the computers where customers physically swipe their cards—and transmitted that information back to the mother ship. Typically criminals will wait months to use their loot, long after the media firestorm has died down and customers have dropped their guard and stopped monitoring their accounts. Hackers can also sell the data on the forums I saw with Kislitsin. Credit card numbers can be bought for about a dollar, which adds up when you sell data by the thousands or millions.
According to Symantec, an American security-research firm, cybercrime cost $113 billion globally in 2013. The United States was hit hardest, losing $38 billion. Every day more than 1 million people are victims of cybercrime—or 12 victims per second, nearly three times the global birthrate. That includes people whose private data you’d expect to be protected to the gills. Last spring Michelle Obama, Joe Biden, Jay Z, Hillary Clinton, Ashton Kutcher, even then FBI director Mueller (among many other high-profile victims) saw their credit card information, Social Security numbers and previous addresses posted online in one massive dump for the entire world to see. The website was registered to a .su (short for Soviet Union) domain, leading experts to point to Russian handiwork.
This was no surprise: Russia is ground zero for cybercrime. Of the FBI’s 10 most-wanted cybercriminals, four are Slavs, one is a Swede and two are Pakistani. China has its fair share of cybercriminals too. The more we try to fortify our security systems, the quicker these hackers evolve to outwit us.
Since I’m new to cybercrime, Kislitsin is setting me up to pull off a heist as easily as possible. We’re looking for prewritten malware (the most skilled cybercriminals design their own, Kislitsin explains). Within 10 minutes we’ve found three kinds of Trojans for sale: SmokeBot, Andromeda and Citadel. Of the three, Kislitsin makes the strongest case for Citadel—at $350, it’s inexpensive and perfect for pilfering from U.S. bank websites. (A quick tally yields that it would cost a newbie about $3,300 to buy the necessary components to launch a cyberheist. “It is a business, so you have to put up some money to start,” Kislitsin explains.)
“In Russia we have a saying: cheap and reliable,” Kislitsin says with a grin. He clicks over to his anonymous chat service and fires off a buying inquiry.
Then we wait.