DarkMarket_ Cyberthieves, Cybercops and You - Misha Glenny [41]
Sometimes it seemed as though the banks had left their ATMs open to him and his friends on purpose. It was so easy, he thought, it was as if we were the chosen ones. He particularly enjoyed siphoning funds from Citibank. Of all the banks, Citi deserved it. First of all, they were the most immoral of all those bastard bankers. Second, their security sucked.
Phishing was, from an early stage, critical to all manner of cybercrime. Even if a company’s digital defences were sealed tight, a relatively inexperienced hacker could breach them with a phishing attack. This is the mass dispatch of emails to addresses that are sometimes targeted as belonging to a specific company – a bank, for example – and sometimes chosen at random. Many spam messages contain either an infected attachment or a link which, if pressed, would direct a browser to a site that can automatically download malware. If a hacker sends out several million spam emails, he does not need a high response rate in order for it to be worthwhile – each compromised computer promises access to bank accounts and other personal or financial information.
Banks have always been faced with one overwhelming security headache: their customers (although this did not excuse the banks’ appallingly weak security systems during the first fifteen years of Internet banking). The best networked system was only as good as it weakest element – and we, their hundreds of millions of customers, were as vulnerable as it gets.
So if a bank is unbreachable, the cyber thief would ask its clients for help. Send out millions of emails to account holders, which look as if they have been sent from their bank, and then wait for the replies: the account numbers and passwords arrived like an avalanche.
Phishing Citibank customers was a breeze:
Buy bulk freshly hacked emails. Check.
Buy Dark Mailer, the spammer’s wet dream. Check.
Buy proxies. Check.
Buy hosting. Check.
Design new Citibank page. Check.
Put in pop-up box that never goes away until a card number and pin are entered. Check.
Set up email address for the account numbers and passwords to roll into. Check.
Every day RedBrigade would go phish. He looked at the account details of one Dr H.M. Hebeurt from upstate New York. ‘Hmmm … she lives close by. Fuck me, she’s making 50k a month and her fucking husband is pulling in more than 72k!’ Looking closer, he saw the target worked on Wall Street. Maybe if he had made better choices, he pondered, he could be stealing legally like this guy … But he could not allow himself to indulge in fantasies like that – instead he just started calculating. Okay: two checking accs, two saving accs, one overdraft acc and one credit card … $2,000 from each. Total $12,000 from a single phish.
And everyday fifty of these little phishies swam into his account.
The spree in New York’s Washington Mutual lasted just over a fortnight, netting him almost $300,000. Just as well, because his average weekly outgoings were in the region of $70,000. Every two or three months he would buy a new top-of-the-range Merc or BMW. First-class travel was axiomatic. He thought as much about purchasing a $10,000 Breitling watch as we might before buying a newspaper. He had a beautiful apartment on the Upper East Side, but only slept there two or three nights a week because he enjoyed the city’s luxury hotels. RedBrigade was earning more money than a Premiership footballer in England, but without the 50 per cent tax rate.
Nothing was out of his reach. He’d peel off the fifty-dollar bills and would see that look on the face of the cashier, meaning, ‘Who the fuck is this guy?’ He figured they thought he must be either a Trustafarian or a dope dealer. But in the Age of Plastic the super-rich were as likely to dress in T-shirt and jeans as in a Savile Row suit. Either way, the merchants always took the money – the jewellers,