Important! Have you been directed to this webpage after opening a document seemingly sent to you by the Internet Crime Complaint Center? If so, beware! You could have been targeted by some fraudsters using the lure of a million dollars' worth of compensation.
The US Federal Bureau of Investigation announced today the arrest of 24 individuals and charges against 4 more who remain at large, resulting from a two-year-long investigation into credit card and ID theft conducted through internet forums.
Criminals who steal credit cards and trade them online are known as "carders" to those of us in the information security space. The FBI set up a carder message forum in 2010 in an attempt to get the inside track on who was involved, and from whom they had stolen the information.
Over the last 24 months they were able to obtain enough evidence to press charges against these 28 individuals, including 13 from the USA, 6 from the UK, 2 from Bosnia, 1 from Bulgaria, 1 from Norway, 1 from Germany and 2 others from undisclosed locations.
The FBI estimates it has prevented more than $205 million in fraudulent transactions and alerted card issuers to over 411,000 compromised credit and debit cards. Through the intelligence gained during its investigation, it also notified 47 companies, government organizations and educational institutions that they had been compromised.
Charges against a few of the defendants shed some light on the specialization practiced in this underground ecosystem.
Michael Hogue (21), a/k/a "xVisceral", allegedly specialized in creating remote access Trojans (RATs) that enable attackers to take full control of victim PCs, including accessing webcams and keystrokes. He sold his RATs for $50 apiece on average. Hogue, from Tucson, Arizona, faces up to 20 years in prison for his crimes if convicted.
Ali Hassan (22), a/k/a "Badoo", sold what are referred to as "fulls", meaning that he had not only credit card numbers but also names, addresses, Social Security Numbers, birth dates, mother's maiden names, expiration dates and CVV codes. He bragged that he had obtained some of these details from a compromised online hotel booking site. Hassan faces 27 years in prison if convicted.
Mark Caparelli (20), a/k/a "Cubby", was a specialist in defrauding Apple product warranties. He obtained stolen credit cards and serial numbers from Apple products to defraud Apple by having them ship advance replacements for supposedly broken Apple products he didn't own. He would use the stolen cards to "secure" the advance shipments, which he sold and traded. Caparelli faces 30 years if convicted.
Joshua Hicks (19), a/k/a "OxideDix", sold credit card dumps to an FBI agent for $250 and a DSLR camera. Agents met Hicks in person in New York City to provide him the camera, according to Hicks' indictment. Hicks faces up to 10 years in prison if convicted.
Mir Islam (18), a/k/a "JoshTheGod", is the most interesting of the arrests. In addition to being in possession of more than 50,000 stolen card details, he was also a member of the hacking group UGNazi and founder of a competitive card trading forum, carders.org.
After arresting Islam, the FBI also shut down the websites of both UGNazi and carders.org. UGNazi has been in the news recently, claiming attacks against high-profile web businesses including Twitter. Islam faces 25 years in prison if convicted on all charges.
This isn't the first time the Feds have intervened and disrupted carder activities. They also shut down another carder ring, called Dark Market, in September 2008 after a long-term undercover sting.
It is a good day when I can honestly say that crime doesn't pay. The FBI did a fantastic job, working with federal police from around the world to shut down these fraudsters. It's nice to see the FBI taking the initiative by creating a honey pot to snag these guys.

Follow @chetwisniewski