Posts Tagged: Nicholas Weaver


2
Oct 14

Silk Road Lawyers Poke Holes in FBI’s Story

New court documents released this week by the U.S. government in its case against the alleged ringleader of the Silk Road online black market and drug bazaar suggest that the feds may have some ‘splaining to do.

The login prompt and CAPTCHA from the Silk Road home page.

The login prompt and CAPTCHA from the Silk Road home page.

Prior to its disconnection last year, the Silk Road was reachable only via Tor, software that protects users’ anonymity by bouncing their traffic between different servers and encrypting the traffic at every step of the way. Tor also lets anyone run a Web server without revealing the server’s true Internet address to the site’s users, and this was the very technology that the Silk road used to obscure its location.

Last month, the U.S. government released court records claiming that FBI investigators were able to divine the location of the hidden Silk Road servers because the community’s login page employed an anti-abuse CAPTCHA service that pulled content from the open Internet — thus leaking the site’s true Internet address.

But lawyers for alleged Silk Road captain Ross W. Ulbricht (a.k.a. the “Dread Pirate Roberts”) asked the court to compel prosecutors to prove their version of events.  And indeed, discovery documents reluctantly released by the government this week appear to poke serious holes in the FBI’s story.

Continue reading →


3
Sep 14

Data: Nearly All U.S. Home Depot Stores Hit

New data gathered from the cybercrime underground suggests that the apparent credit and debit card breach at Home Depot involves nearly all of the company’s stores across the nation.

Evidence that a major U.S. retailer had been hacked and was leaking card data first surfaced Tuesday on the cybercrime store rescator[dot]cc, the shop that was principally responsible for selling cards stolen in the Target, Sally Beauty, P.F. Chang’s and Harbor Freight credit card breaches.

As with cards put up for sale in the wake of those breaches, Rescator’s shop lists each card according to the city, state and ZIP code of the store from which each card was stolen. See this story for examples of this dynamic in the case of Sally Beauty, and this piece that features the same analysis on the stolen card data from the Target breach.

Stolen credit cards for sale on Rescator's site index each card by the city, state and ZIP of the retail store from which each card was stolen.

Stolen credit cards for sale on Rescator’s site index each card by the city, state and ZIP of the retail store from which each card was stolen.

The ZIP code data allows crooks who buy these cards to create counterfeit copies of the credit and debit cards, and use them to buy gift cards and high-priced merchandise from big box retail stores. This information is extremely valuable to the crooks who are purchasing the stolen cards, for one simple reason: Banks will often block in-store card transactions on purchases that occur outside of the legitimate cardholder’s geographic region (particularly in the wake of a major breach).

Thus, experienced crooks prefer to purchase cards that were stolen from stores near them, because they know that using the cards for fraudulent purchases in the same geographic area as the legitimate cardholder is less likely to trigger alerts about suspicious transactions — alerts that could render the stolen card data worthless for the thieves.

This morning, KrebsOnSecurity pulled down all of the unique ZIP codes in the card data currently for sale from the two batches of cards that at least four banks have now mapped back to previous transactions at Home Depot. KrebsOnSecurity also obtained a commercial marketing list showing the location and ZIP code of every Home Depot store across the country.

Here’s the kicker: A comparison of the ZIP code data between the unique ZIPs represented on Rescator’s site, and those of the Home Depot stores shows a staggering 99.4 percent overlap.

Home Depot has not yet said for certain whether it has in fact experienced a store-wide card breach; rather, the most that the company is saying so far is that it is investigating “unusual activity” and that it is working with law enforcement on an investigation. Here is the page that Home Depot has set up for further notices about this investigation.

I double checked the data with several sources, including with Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University California, Berkeley. Weaver said the data suggests a very strong correlation.

“A 99+ percent overlap in ZIP codes strongly suggests that this source is from Home Depot,” Weaver said. Continue reading →


25
Jul 14

Service Drains Competitors’ Online Ad Budget

The longer one lurks in the Internet underground, the more difficult it becomes to ignore the harsh reality that for nearly every legitimate online business there is a cybercrime-oriented anti-business. Case in point: Today’s post looks at a popular service that helps crooked online marketers exhaust the Google AdWords budgets of their competitors.

Youtube ads from "GoodGoogle" pitching his AdWords click fraud service.

Youtube ads from “GoodGoogle” pitching his AdWords click fraud service.

AdWords is Google’s paid advertising product, displaying ads on the top or the right side of your screen in search results. Advertisers bid on specific keywords, and those who bid the highest will have their ads show up first when Internet users search for those terms. In turn, advertisers pay Google a small amount each time a user clicks on one of their ads.

One of the more well-known forms of online ad fraud (a.k.a. “click fraud“) involves Google AdSense publishers that automate the clicking of ads appearing on their own Web sites in order to inflate ad revenue. But fraudsters also engage in an opposite scam involving AdWords, in which advertisers try to attack competitors by raising their costs or exhausting their ad budgets early in the day.

Enter “GoodGoogle,” the nickname chosen by one of the more established AdWords fraudsters operating on the Russian-language crime forums.  Using a combination of custom software and hands-on customer service, GoodGoogle promises clients the ability to block the appearance of competitors’ ads.

“Are you tired of the competition in Google AdWords that take your first position and quality traffic,?” reads GoodGoogle’s pitch. “I will help you get rid once and for all competitors in Google Adwords.”

The service, which appears to have been in the offering since at least January 2012, provides customers both a la carte and subscription rates. The prices range from $100 to block between three to ten ad units for 24 hours to $80 for 15 to 30 ad units. For a flat fee of $1,000, small businesses can use GoodGoogle’s software and service to sideline a handful of competitors’s ads indefinitely. Fees are paid up-front and in virtual currencies (WebMoney, e.g.), and the seller offers support and a warranty for his work for the first three weeks. Continue reading →


7
Feb 14

Florida Targets High-Dollar Bitcoin Exchangers

State authorities in Florida on Thursday announced criminal charges targeting three men who allegedly ran illegal businesses moving large amounts of cash in and out of the Bitcoin virtual currency. Experts say this is likely the first case in which Bitcoin vendors have been prosecuted under state anti-money laundering laws, and that prosecutions like these could shut down one of the last remaining avenues for purchasing Bitcoins anonymously.

michaelhackfeedbackWorking in conjunction with the Miami Beach Police Department and the Miami-Dade State Attorney’s office, undercover officers and agents from the U.S. Secret Service’s Miami Electronic Crimes Task Force contacted several individuals who were facilitating high-dollar transactions via localbitcoins.com, a site that helps match buyers and sellers of the virtual currency so that transactions can be completed face-to-face.

One of those contacted was a localbitcoins.com user nicknamed “Michelhack.” According to this user’s profile, Michelhack has at least 100 confirmed trades in the past six months involving more than 150 Bitcoins (more than $110,000 in today’s value), and a 99 percent positive “feedback” score on the marketplace. The undercover agent and Michelhack allegedly arranged a face-to-face meeting and exchanged a single Bitcoin for $1,000, a price that investigators say included an almost 17 percent conversion fee.

According to court documents, the agent told Michelhack that he wanted to use the Bitcoins to purchase stolen credit cards online. After that trust-building transaction, Michelhack allegedly agreed to handle a much larger deal: Converting $30,000 in cash into Bitcoins.

Investigators had little trouble tying that Michelhack identity to 30-year-old Michell Abner Espinoza of Miami Beach. Espinoza was arrested yesterday when he met with undercover investigators to finalize the transaction. Espinoza is charged with felony violations of Florida’s law against unlicensed money transmitters — which prohibits “currency or payment instruments exceeding $300 but less than $20,000 in any 12-month period” — and Florida’s anti-money laundering statutes, which prohibit the trade or business in currency of more than $10,000.

Police also conducted a search warrant on his residence with an order to seize computer systems and digital media. Also arrested Thursday and charged with violating both Florida laws is Pascal Reid, 29, a Canadian citizen who was living in Miramar, Fla. Allegedly operating as proy33 on localbitcoins.com, Reid was arrested while meeting with an undercover agent to finalize a deal to sell $30,000 worth of Bitcoins.

Documents obtained from the Florida state court system show that investigators believe Reid had 403 Bitcoins in his on-phone Bitcoin wallet alone — which at the time was the equivalent of approximately USD $316,000. Those same documents show that the undercover agent told Reid he wanted to use the Bitcoins to buy credit cards stolen in the Target breach.

Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley and keen follower of Bitcoin-related news, said he is unaware of another case in which state law has been used against a Bitcoin vendor. According to Weaver, the Florida case is significant because localbitcoins.com is among the last remaining places that Americans can use to purchase Bitcoins anonymously.

“The biggest problem that Bitcoin faces is actually self-imposed, because it’s always hard to buy Bitcoins,” Weaver said. “The reason is that Bitcoin transactions are irreversible, and therefore any purchase of Bitcoins must be made with something irreversible — namely cash. And that means you either have to wait several days for the wire transfer or bank transfer to go through, or if you want to buy them quickly you pay with cash through a site like localbitcoins.com.” Continue reading →


21
Nov 13

No Bail for Alleged Silk Road Mastermind

A federal judge has denied bail for Ross Ulbricht, the 29-year-old man arrested last month on suspicion of running the Silk Road, an online black market that offered everything from drugs and guns to computer hackers and hitmen for hire.

The decision came after federal prosecutors in New York dumped a virtual truckload of additional incriminating evidence supporting charges that Ulbricht was the infamous Silk Road administrator known as the “Dread Pirate Roberts” (DPR), and that he was indeed a strong flight risk. To top it off, the government also now alleges that Ulbricht orchestrated and paid for murder-for-hire schemes targeting six individuals (until today, Ulbricht was accused of plotting just two of these executions).

Fraudulent identity documents allegedly ordered by Ulbricht.

Fraudulent identity documents allegedly ordered by Ulbricht.

The documents released today indicate that Ulbricht was a likely flight risk; they allege that prior to his arrest, Ulbricht had researched how to buy a citizenship in Dominica. The government said that the laptop seized from Ulbricht contained reference guides for obtaining “economic citizenship” in other countries. “In particular, the computer contained an application completed by Ulbricht for citizenship in Dominica, along with reference materials explaining that Dominica’s ‘economic citizenship’ program offers ‘instant’ citizenship in exchange for a one-time ‘$75,000 donation’ to the country’s government,'”, the government’s bail submission (PDF) notes. A copy of the application for citizenship in Dominica allegedly found on Ulbricht’s laptop is here (PDF).

In addition, prosecutors unveiled a photo showing the assortment of fake IDs that Ulbricht had allegedly ordered off the Silk Road (see image above), which included identity documents bearing his picture and various pseudonyms in Australia, Canada, and the United Kingdom, among other places.

According to the Justice Department, evidence from Ulbricht’s computer also shows that he had contemplated and prepared for a life on the run.

“For example, one file found on the computer, labeled ’emergency,’ contains a list of apparent to-do items in the event that Ulbricht learned that law enforcement was closing in on him. It reads as follows:

encrypt and backup important files on laptop to memory stick:
destroy laptop hard drive and hide/dispose
destroy phone and hide/dispose
Hide memory stick
get new laptop
go to end of train
find place to live on craigslist for cash
create new identity (name, backstory)”

The prosecution also released several screenshots of Ulbricht’s computer as it was found when he was arrested at a San Francisco public library. According to investigators, Ulbricht was logged in to the Silk Road and was administering the site when he was apprehended, as indicated by this screenshot, which shows a Silk Road page titled “mastermind.” The government says this page provided an overview of transactions and money moving through the site:

DPR-mastermind

Another screen shot shows the Silk Road “support” page as found logged in on the computer seized from Ulbricht:

DPR-support

Continue reading →


7
Oct 13

Feds Arrest Alleged Top Silk Road Drug Seller

Federal authorities last week arrested a Washington state man accused of being one of the most active and sought-after drug dealers on the online black market known as the “Silk Road.” Meanwhile, new details about the recent coordinated takedown of the Silk Road became public, as other former buyers and sellers on the fraud bazaar pondered who might be next and whether competing online drug markets will move in to fill the void.

NOD's feedback from Silk Road buyers, according to the government.

NOD’s feedback from Silk Road buyers, according to the government.

A complaint unsealed Oct. 2 by the U.S. District Court for the Western District of Washington at Seattle alleges that Steven Lloyd Sadler, 40, of Bellevue, Wash., used the nickname “NOD” on the Silk Road, and was among the “top one percent of sellers” on the Silk Road, selling high-quality cocaine, heroin and methamphetamine in small, individual-use amounts to hundreds of buyers around the world.

Investigators with the FBI and U.S. Post Office inspectors say they tracked dozens of packages containing drugs allegedly shipped by Sadler and a woman who was living with him at the time of his arrest. Authorities tied Sadler to the Silk Road after intercepting a package of cocaine and heroin destined for an Alaskan resident. That resident agreed to cooperate with authorities in the hopes of reducing his own sentence, and said he’d purchased the drugs from NOD via the Silk Road.

Agents in Seattle sought and were granted permission to place GPS tracking devices on Sadler’s car and that of his roommate, Jenna White, also charged in this case. Investigators allege that the tracking showed the two traveled to at least 38 post offices in the Seattle area during the surveillance period.

Interestingly, the investigators used the feedback on NOD’s Silk Road seller profile to get a sense of the volume of drugs he sold. Much like eBay sellers, merchants on the Silk Road are evaluated by previous buyers, who are encouraged to leave feedback about the quality of the seller’s goods and services. According to the government, NOD had 1,400 reviews for individual sales/purchases of small amounts of drugs, including: 2,269.5 grams of cocaine, 593 grams of heroin and 105 grams of meth. The complaint notes that these amounts don’t count sales going back more than five months prior to the investigation, when NOD first created his Silk Road vendor account.

Cryptome has published a copy of the complaint (PDF) against Sadler. A copy of Sadler’s case docket is here. NOD’s reputation on the Silk Road also was discussed for several months on this Reddit thread.

Many readers of last week’s story on the Silk Road takedown have been asking what is known about the locations of the Silk Road servers that were copied by the FBI. It’s still unclear how agents gained access to those servers, but a civil forfeiture complaint released by the Justice Department shows that they were aware of five, geographically dispersed servers that were supporting the Silk Road, either by directly hosting the site and/or hosting the Bitcoin wallets that the Silk Road maintains for buyers and sellers.

geomap2
Two of those servers were located in Iceland, one in Latvia, another in Romania, and apparently one in the United States. See the map above.

Continue reading →


2
Oct 13

Feds Take Down Online Fraud Bazaar ‘Silk Road’, Arrest Alleged Mastermind

Defendant Charged With Drug Trafficking, Hacking, Money Laundering

Prosecutors in New York today said that federal agencies have taken over the Silk Road, a sprawling underground Web site that has earned infamy as the “eBay of drugs.” On Tuesday, federal agents in San Francisco arrested the Silk Road’s alleged mastermind. Prosecutors say 29-year-old Ross William Ulbricht, a.k.a “Dread Pirate Roberts” (DPR), will be charged with a range of criminal violations, including conspiracy to commit drug trafficking, and money laundering.

A screen shot of the Silk Road Web site, taken Oct. 23, 2013.

A screen shot of the Silk Road Web site, taken Oct. 2, 2013.

The Silk Road is an online black market that as late as last month was hosting nearly 13,000 sales listings for controlled substances, including marijuana, LSD, heroin, cocaine, methamphetamine and ecstasy. Much like eBay sellers, merchants on the Silk Road are evaluated by previous buyers, who are encouraged to leave feedback about the quality of the seller’s goods and services.

The Silk Road is not available via the regular Internet. Rather, it is only reachable via the Tor network, an anonymity network that bounces its users communications across a distributed network of relays run by volunteers all around the world.

That is, it was until this week, when FBI agents arrested its alleged proprietor and seized the Web servers running the site. The feds also replaced the Silk Road’s home page with a message saying that the site had been seized by the FBI, Homeland Security Department and the Drug Enforcement Administration.

According to a complaint unsealed this week, Ulbricht alone controlled the massive profits generated from the operation of the business. The government alleges that Ulbricht also controlled and oversaw all aspects of the Silk Road, including: the maintenance of the computer infrastructure and programming code underlying the Silk Road Web site; the determination of vendor and customer policies; decisions about what could be sold on the site; and managing a small staff of online administrators who assisted with the day-to-day operations.

The Silk Road didn’t just sell drugs. For example, the complaint identifies 801 for-sale listings under “digital goods,” which included banking Trojans, pirated content, and hacked accounts at Netflix and Amazon. The “forgeries” section of the Silk Road featured 169 ads from vendors of fake driver’s licenses, passports, Social Security cards, utility bills, credit card statements, car insurance records, and other forms of identity documents.

An ad for heroin on the Silk Road. Notice this seller has 97 feedback points.

An ad for heroin on the Silk Road. Notice this seller has 97 feedback points.

Another popular section of the Silk Road included 159 listings for generic “Services,” mostly those listed by computer hackers offering such services as hijacking Twitter and Facebook accounts of the customer’s choosing. Other classified ads promised the sale of anonymous bank accounts, counterfeit bills, firearms and ammunition, and even hitmen for hire.

FBI investigators said that on or about March 29, 2013, Ulbricht contacted a Silk Road seller “Redandwhite” to see about hiring him to to take out another Silk Road user — someone going by the nickname “FriendlyChemist” — who was threatening to release the identities of thousands of users of the site.

From the government’s complaint: “Asked what sort of problem FriendlyChemist was causing him, DPR responded in a message dated March 30, 2013, ‘[H]e is threatening to expose the identities of thousands of my clients that he was able to acquire….[T]his kind of behavior is unforgivable to me. Especially here on Silk Road, anonymity is sacrosanct.'” As to the murder-for-hire job he was soliciting, DPR commented that “[i]t doesn’t have to be clean.”

Later that same day, redandwhite sent DPR a message quoting him a price of $150,000 to $300,000, “depending on how you want it done, ‘clean’ or ‘non-clean’.

On March 31, DPR began haggling over the price, responding: “Don’t want to be a pain here, but the price seems high. Not long ago, I had a clean hit done for $80k. Are the prices you quoted the best you can do? I would like this done asap as he is talking about releasing the info on Monday.”

DPR, allegedly using the nickname "altoid" seeks to hire a tech expert for the Silk Road via bitcointalk.org

DPR, allegedly using the nickname “altoid” seeks to hire a tech expert for the Silk Road via bitcointalk.org

According to investigators, the two ultimately settle on a price of $150,000, and that Ulbricht paid for the transaction using Bitcoins — an anonymous virtual currency — sending the would-be hit man 1,670 bitcoins for the arranged hit. Bitcoin currency rates fluctuate quite a bit from day to day, but historic sites that track Bitcoin rates show that one bitcoin around that date in late March 2013 was worth about USD $90, meaning investigators believe Ulbricht paid approximately $150,300 for the hit.

The government’s complaint states that the hit wasn’t carried out, but it also doesn’t seem that FriendlyChemist was the source of investigators’ break in this case. That would come on July 23, 2013, when investigators gained access to a Silk Road server and made a complete copy of the data on the machine.

Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at University of California San Diego, said the information contained on the server seized by investigators indicates that Ulbricht/Dread Pirate Roberts routinely failed to heed his own advice to fellow Silk Road users: Prominent on the Silk Road site were links to tutorials DPR penned which laid out the technologies and techniques that users should adopt if they want to keep off the radar of federal investigators.

“This shows me that the head of the Silk Road wasn’t using [encryption] for all his communications, because [the government] wouldn’t have all of this information otherwise, unless of course he stored his encryption key on the server that was seized,” Weaver said. “Either [the government] got his encryption key off of this server or another server that they were able to access, or he wasn’t using encryption at all.”

The complaint also suggests that in June 2013, Ulbricht accessed a server used to control the Silk Road site from an Internet cafe that was 500 feet from the hotel he was staying at in San Francisco.

Continue reading →