Case Analysis: Shadowcrew Carding Gang
The mainstream and IT trade press is replete with references to 'organized crime' getting into cybercrime. Is this designation correct? And how significant are the successes of law enforcement in this area?
U.S. prosecutors pulled a major ring of online ID thieves, the Shadowcrew, out of the shadows of the web and into the spotlight of an American court, securing guilty pleas in November 2005. The roundup of the leaders of the Shadowcrew, which trafficked more than 1.7 million credit cards online, is a sign that authorities are cracking Internet fraud. But experts believe that the police are mostly missing the culprits.
It could be because there is no clear stereotype of who tends to trade in stolen cards online. Geoff Fellows, head of The LG Training Partnership, said: "The type of people behind this sort of crime is a mixture." Graeme Burnett, a security architecture engineer at Enhyper, said that the perpetrators are not who you would expect. The description would be "14-30, middle class, good education, predominately white," he said.
The Shadowcrew were indeed a mixed bunch of people and would not represent organized crime in the conventional sense. Most of the members had day jobs. Neither of the founders - Andrew Mantovani and David Appleyard - would immediately appear to have the credentials to create such a monster. Mantovani, nicknamed "ThnkYouPleaseDie," was a business student, while Appleyard, known as "Black Ops," was once a mortgage broker.
Nevertheless, they brought 4,000 Shadowcrew members together under one web site - shadowcrew.com - to deal in credit card wares, giving police a focal point for tracing them. The web site was a big giveaway. Fellows says: "The web is in someone's jurisdiction - an IP address comes with a server which is a major drawback for these kinds of criminals."
A member of the gang co-operated with law enforcement, providing the evidence needed to force Shadowcrew into a corner. The 'turncoat' opened up a door in the web site for the US Secret Service to spy through. The Secret Service waited and watched the web site as members of the gang came and sold credit card numbers, passports, bank account numbers, and social security cards. As a result of the evidence, six men, including the co-founder Andrew Mantovani, who ran Shadowcrew.com, pleaded guilty in November. The yearlong investigation by the Secret Service also led to the arrests of 21 individuals in the US. So far, the investigation has resulted in 12 guilty pleas and several arrests outside the US.
Dario Forte, a computer forensic practitioner at DFLabs, comments that "it was a complex case because of the large amount of stolen data, and bank cards involved. I work in similar cases and only a skilled and international investigative team can react in the proper fashion. Investigations of this type usually involve disk analysis on attacked end users when available, log correlation and, finally, complete forensic analysis on the criminal's workstations if possible."
But Fellows believes that far too few investigations are launched in the first place. "There is a necessity for proactive investigation - of which there is very little going on. It is almost impossible for law enforcement to find time to go out and look for criminality." He warned that stolen credit cards are up for sale through more anonymous avenues than websites like Shadowcrew.com. "A lot of stolen credit cards are available for sale on newsgroups and peer-2-peer networks."
Shadowcrew's centralized marketplace for carding activities was the brainchild of Andrew Mantovani (23). The gang had a strict chain of command led by Mantovani, who comes from Arizona. He, along with David Appleyard of New Jersey and Anatoly Tyukanov of Moscow, acted as administrators who were in charge of the group. They handled the technical running and security of Shadowcrew.com. They also dictated who could become a member and set the strategy. The hierarchy also consisted of moderators and vendors. Moderators hosted forums to share hacking tips online, and vendors sold stolen data to other members.
Everyone communicated using nicknames to protect their identities. Mantovani had five different handles. The safeguarding of real names was of paramount importance to the group's effective running. Appleyard, as an administrator, once punished a member, known as CCSupplier, by posting his real name, address and phone number. CCSupplier had failed to refund money owed to other gang members.
The gang's activities lasted from August 2002 to October 2004. Their crimes are estimated to have cost more than $4 million. They stole money using spamming and phishing to capture credit card numbers that were used to purchase wares. The merchandise was then sent to an address specifically arranged to receive the goods. The gang sent and received payments for goods using Western Union money transfers and digital money including E-Gold and Web Money.
Mantovani's dream that persuaded 4,000 individuals around the world to spend other people's plastic has evaporated. But potential criminals will keep on dreaming, said Fellows. "It is up to the fraudster to dream up what to do next." Law enforcement doesn't have time to think of what swindlers will do next, so they are always on the back foot, he said.
This article has been provided exclusively to BankInfoSecurity by Infosecurity Today Magazine.
By Sarah Hilley