From White Hat to Black 4: ATM Fraud and Point of Sale Hacks

Kevin Poulsen highlights the new crime areas Max Vision and his partner got into: ATM fraud exploiting a CVV system vulnerability, restaurant point-of-sale hacks, and running a carder forum of their own.

Large-scale 'Citibank cashouts' scam

So things changed – I almost forgot this. At the same time that Max was doing this, one of the people who were infected with a “free AmEx” hack was involved in another major scam that was very, very big in the computer underground around 2004, which very few people are familiar with outside the computer underground. They called this the “Citibank cashouts”, because Citibank was the most high-profile target; about half of the U.S. banks were apparently vulnerable to this.

The problem was that it turned out that whole CVV system – the secret code on the back of the magstripe that keeps you from being able to forge a credit card with just a credit card number – that wasn’t being checked on ATM transactions. The code was there, but about half the banks just weren’t checking it. I’ve never been clear on why, but I think it had to do with the migration from classic ATM cards that were only good for withdrawing cash, to debit cards that were also credit cards. But it was a huge vulnerability and, basically, the way this was exploited was there were phishing attacks targeting the major banks, particularly Citibank; very good phishing attacks – they would ask you for your ATM number.

And to the casual observer this was very puzzling, because the ATM card number – you shouldn’t be able to do anything with it. You can’t make a fake card with it because of the CVV. But they weren’t checking CVVs. So they would phish ATM numbers; they would program them; they would give them out to crews, cashiers who would then put them on the back of blank cards, put them in ATMs and withdraw cash. Max had hacked a cashier who was working for a big Eastern European cybercriminal who was a major player in all of this. He started stealing the ATM numbers, pulling the scam himself, going to ATMs. Ultimately he contacted this cashier’s upstream provider in Eastern Europe, told them what he’d done, said: “I hacked your cashier; he’s not taking security seriously, as you can see – I’ve been using your dumps for a long time.” So the Eastern European guy cut off the cashier and started giving his business to Max.
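The flaw Poulsen describes is an issuer that reads the magstripe but never compares the CVV with its own derivation. The following is an added illustration, not code from the talk or from any bank: a simulated issuer authorization with the CVV check switchable on and off. The CVV derivation is a simplified HMAC stand-in for the real DES-based scheme, and the key, PAN and expiry are constructed values.

```python
import hmac
import hashlib

ISSUER_KEY = b"example-cvk-not-a-real-key"  # constructed issuer key, never leaves the bank

def derive_cvv(pan: str, expiry: str, service_code: str) -> str:
    """Issuer derives the 3-digit magstripe CVV from PAN, expiry (YYMM) and service code.
    Simplified HMAC stand-in for the DES-based algorithm; only the issuer holds the key."""
    msg = f"{pan}={expiry}{service_code}".encode()
    digest = hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{int(digest, 16) % 1000:03d}"

def build_track2(pan: str, expiry: str, service_code: str, cvv: str) -> str:
    """Track 2 layout: PAN '=' YYMM service-code discretionary-data (CVV first)."""
    return f"{pan}={expiry}{service_code}{cvv}"

def parse_track2(track2: str) -> dict:
    pan, rest = track2.split("=", 1)
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7], "cvv": rest[7:10]}

def authorize(track2: str, pin_ok: bool, check_cvv: bool) -> bool:
    """Issuer decision for an ATM withdrawal. check_cvv=False models the banks
    that read the magstripe but never compared the CVV against their own derivation."""
    if not pin_ok:
        return False
    f = parse_track2(track2)
    expected = derive_cvv(f["pan"], f["expiry"], f["service_code"])
    if check_cvv and not hmac.compare_digest(f["cvv"], expected):
        return False
    return True

def demo() -> tuple:
    """Genuine card vs. a card re-encoded from a phished number (PAN and expiry only)."""
    pan, expiry, sc = "4000001234567899", "0812", "101"  # constructed test values
    genuine = build_track2(pan, expiry, sc, derive_cvv(pan, expiry, sc))
    # The phisher never sees the magstripe CVV, so the re-encoded track carries a guess.
    guess = "000" if derive_cvv(pan, expiry, sc) != "000" else "001"
    forged = build_track2(pan, expiry, sc, guess)
    return (
        authorize(genuine, True, True),   # legitimate card: approved
        authorize(forged, True, False),   # bank skips the CVV check: approved (the flaw)
        authorize(forged, True, True),    # bank checks the CVV: declined
    )
```

`demo()` returns `(True, True, False)`: the same re-encoded card is approved by an issuer that skips the check and declined by one that performs it.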

The Black Hat Hacker

So Max started hitting ATMs, basically doing straightforward business now just as a criminal mule for this guy in Eastern Europe. In the course of a few months of doing this he wound up making a quarter of a million dollars.

'Operation Firewall' - a major knockdown for the carding industry

So things changed; they got more intense after “Operation Firewall” in October 2004. By this time the first big carder forum in Eastern Europe had gone down; the biggest one now was called ShadowCrew, and this was based in the U.S. The Secret Service compromised one of the administrators after he was busted doing a cashout in New York, turned him, and they busted all the leaders of ShadowCrew. It was a huge move against the carding underground. And it left everybody kind of scattered and confused – the people hadn’t been charged, there were thousands of them still, but a lot of the leaders had been taken down and it showed that you can’t trust anybody. Basically, it left everybody very disoriented. It was about a year before they started to recover, and what happened then was a lot of competing forums came up, but they were smaller now. There was no supermarket like ShadowCrew was. So the whole underground was very disorganized: you’d have a couple thousand people on one site, a couple thousand people on another; they’d be using different names on one site, so it was kind of confused.

Carders Market became a new big player in the carding underground

Max entered into this a year after Operation Firewall, and with Chris he started his own forum, which he called Carders Market. Being Max, he wanted to call it Sherwood Forest. He still thought of himself as kind of a Robin Hood guy, but Chris Aragon was more of an experienced marketer, and he thought Carders Market would appeal more to the other criminals.

So Max started Carders Market with Chris. He took on two identities at this point: he called himself Iceman for running Carders Market. So Iceman was the king of Carders Market. Another identity, Digits, was a vendor who was selling dumps. His theory was that nobody could come after him for running this site if he wasn’t also known to be selling stolen data. He figured he had, like, a First Amendment argument: we can talk about crime as long as we’re not committing it.

By this point he was no longer stealing from other criminals, but he had his own source of dumps. This was a result of a very cool vulnerability in RealVNC, where basically you could turn any VNC client with a very small tweak into a skeleton key that would get you into any RealVNC server.

When Max saw this vulnerability pop up, he basically swept the entire IPv4 address base looking for vulnerable systems. He got into a lot of cool stuff, but what interested him most were these point-of-sale systems which were then used at restaurants around the country. The point-of-sale systems were responsible for checking you out when you’re done eating your meal: they swipe your credit card and it charges you, and it gets stored on a server in the back office. But he was getting into those servers, where he found that a lot of them were actually storing the dumps even after they’d gotten an authorization for the transaction.

Technical details of the restaurant hacks

So he would go in and he would pop them. He wound up being in hundreds of restaurants around the country. His first one was the Pizza Schmizza in Vancouver, Washington. He was in everything from high-end restaurants to Burger King in Texas. So you order food, you swipe your credit card, and Max has it and Chris Aragon has it, and now, as Max is vending as Digits, other people in the underground are buying it as well.

So he wound up getting about 1.1 million credit card numbers from restaurant point-of-sale terminals, and he’d gotten another million by stealing from other hackers before that. That wound up not being enough.
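What made the restaurant servers worth breaking into was that they kept full magstripe track data after the authorization had already been obtained. As an added example that is not from the talk or from any point-of-sale vendor, here is a defender-side scan that looks for stored track 1 and track 2 records in back-office files and reports them with the PAN masked; the log lines are constructed and use public test card numbers.

```python
import re

# Magstripe track formats: track 1 starts with '%B', track 2 with ';', both end with '?'.
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")

def luhn_ok(pan: str) -> bool:
    """Filter out random digit runs: a real PAN passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Report only the first six and last four digits, the most a finding should log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(lines) -> list:
    """Return (line_no, track_kind, masked_pan) for every stored track record found."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                if luhn_ok(m.group(1)):
                    findings.append((n, kind, mask(m.group(1))))
    return findings

# Constructed sample of a back-office transaction log; the PANs are public test numbers.
# Lines 1 and 2 keep full track data after a successful authorization, which is the
# retention problem; line 3 keeps only a truncated PAN; line 4 fails the Luhn filter.
SAMPLE_LOG = [
    "2006-05-03 19:42:10 AUTH OK tbl=12 amt=48.20 raw=;4111111111111111=0812101123456789?",
    "2006-05-03 19:45:51 AUTH OK tbl=07 amt=19.95 raw=%B5555555555554444^DOE/JANE^0812101000000000?",
    "2006-05-03 19:47:02 AUTH OK tbl=03 amt=12.00 pan=411111******1111",
    "2006-05-03 19:50:33 DEBUG parse ;4111111111111112=0812101? checksum failure",
]

def scan_sample() -> list:
    return find_track_data(SAMPLE_LOG)
```

Any hit from a file written after authorization means the terminal is retaining exactly the data a dump vendor wants; the fix is to purge track data once the authorization response is stored.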


One comment

  1. Todor says:

    Super, it’s uploaded. I’ve been waiting for the fourth part for the last 2 days. I thought the author would have uploaded it yesterday, since the first/second/third parts were out on the 26th/27th/28th respectively.

    Nonetheless, can’t wait to see what happens next. Thanks for providing such an interesting story.
