Hacking the hackers

An interview with Brian Krebs, recipient of the ACFE Guardian Award

By Dick Carozza, CFE; Photos by John Spaulding/AP Images

Investigative journalist Brian Krebs, the author of the blog KrebsOnSecurity.com, has exposed — at personal risk — data breaches at Target, Home Depot, P.F. Chang's and many others. His reporting has cut short cybercrime schemes, saving consumers thousands of dollars and helping victims recover stolen identities. And he's just getting started.

Brian Krebs was hacked! Back in 2001, he was fooling around with an old computer and decided it would be fun to learn Linux and build websites. "But I didn't keep up with the operating system updates, and one day woke up to find the system I was using as my network firewall was compromised by a network worm," he says in an interview with Fraud Magazine. "After that, I became intensely interested in learning everything I could to ensure that such a thing would never happen to me again, and it's an obsession that hasn't released its grip on me yet."

Krebs, 42, the author of the blog, KrebsOnSecurity.com — with monthly readership of more than 1 million — pursues his obsession every day in his home office as he ferrets out secrets from the denizens of the dark Internet and sheds light on cybercrimes that affect all citizens. During a workday (or night), he'll receive emails and calls from Russian criminals — who want to spill the beans on rival thieves — and bank administrators who want his help in investigating some suspicious credit card dumps.

Krebs' diligence pays off. On Dec. 18, 2013, he broke the story that credit and debit card accounts stolen in a massive data breach at Target had been flooding underground black markets. The next day, Target confirmed to him that cybercriminals had stolen more than 40 million debit and credit card numbers from the retailer's stores throughout the U.S.

Krebs soon discovered breaches at Neiman Marcus; Michaels, the arts and crafts retailer; and White Lodging, which manages franchises for major hotel chains, though it was unclear if those breaches were connected with the Target debacle.

Krebs eventually identified a Ukrainian man who was selling the stolen Target data. The man offered Krebs $10,000 not to report him, but Krebs posted the information on his blog.

He also was the first to break the news of major data breaches at other retailers, including Sally Beauty, P.F. Chang's, Dairy Queen, Jimmy John's, Goodwill, Home Depot and Kmart.

Krebs began collecting his contacts and learning his investigative techniques as a reporter at The Washington Post. He began working in the newspaper's circulation department in 1995, became a copy aide in the newsroom and eventually a staff writer for Newsbytes.com, owned by the Post.

When the Post sold Newsbytes in 2002, Krebs began work for Washingtonpost.com as a writer. He launched the Post's Security Fix blog and authored more than 1,300 blog posts. Krebs wrote hundreds of stories for the Post's website and its newspapers, including eight front-page stories in the "dead-tree" edition and a Post Magazine cover piece on botnet operators.

Before exposing the Target hack, Krebs was possibly best known for his Post investigative articles that eventually resulted in the demise of several Internet service providers that probably catered primarily to cybercriminals. In December of 2009, he and the Post parted ways, and he began his KrebsOnSecurity.com blog Jan. 1, 2010. That year he was credited as being the first journalist to report on the malware that would later become known as Stuxnet.

Krebs' business is to take the pulse of cybercrime. Now that spam is beginning to dwindle, Krebs says we're likely to see an increase in extortion and destructive attacks. "Attacks on health care providers — typically not terribly well protected from a network-security standpoint, even given the regulations and the data at stake — are the next big breach wave that's coming," he says. "Destroy and/or leak that data, and some very serious, and potentially deadly, consequences arise."

His insights haven't gone unrecognized. When the National Press Foundation announced that Krebs would receive the Chairman's Citation, Heather Dahl, the foundation's chairman, said, "Brian Krebs … has shown that one journalist can have an incredible impact across an entire industry by upholding the highest standards of reporting. He is a pioneer in covering crime and conflict in cyberspace — while facing frightening physical threats and relentless digital assault as a result of his ground-breaking coverage."

For example, in March of 2013, within just 24 hours, spammers allegedly targeted Krebs' website with a massive denial of service attack and sent a letter purportedly from the FBI that said his site was hosting illegal content. A SWAT team stormed his home and handcuffed him after the local police received a text message supposedly from him that said Russians had broken into his house and shot his wife. On top of that, his identity has been stolen half a dozen times. He's found fecal matter and heroin on his doorstep.

Why does he keep investigating cybercriminals? "I don't know how to do anything else, and I can't imagine doing anything else," he says. "The work is just too rewarding and interesting."

Krebs has written the 2014 bestseller, Spam Nation: The Inside Story of Organized Cybercrime—from Global Epidemic to Your Front Door.

He'll be a keynote speaker and will receive the ACFE's Guardian Award at the 26th Annual ACFE Global Fraud Conference June 14-19 in Baltimore, Maryland. The award is presented to a journalist whose determination, perseverance and commitment to the truth has contributed significantly to the fight against fraud.

FM: You wrote in your book, "Spam Nation," that "Bad press on these [cybercrime] companies from major media would force more law-enforcement agencies into taking action against them and thus reducing the threat they posed both to Americans and people all over the globe." Is this what motivates you to continue investigating for your blog?
BK: To some degree, yes. The Internet has brought tremendous societal benefits, but it also has made it insanely easy for thieves and scoundrels to profit by hurting other people. The more light we can shine on these ne'er-do-wells, the harder it becomes for them to get away with it.

FM: Most of us don't seem fazed by spam these days. We now see little of it because of improved email filters. But it's surprising to learn from your book that spam is alive and well and greatly supported by online prescription drug purchases. What do you think spammers would move to if this source dried up? What are the factors for this?
BK: I think the connection between spam and the fly-by-night Internet pharmacy programs I detail in the book is less strong than it once was, but it's still fairly prevalent. Spam remains one of the most useful and prevalent vectors for launching cyberattacks. Many of the largest breaches and attacks over the past several years have begun with a booby-trapped email or phishing scam. This also is spam, and as I wrote about in "Spam Nation," many of the individuals who once sent Viagra spam for a living are now getting paid to pump out malware-laced emails by the millions each day.

FM: Even though you have a map of the U.S. on the cover of your book, the true spam nation appears to be Russia. Why is there so much illegal cyber activity in that part of the world? Is the geographical source of these crimes shifting?
BK: The map on the cover is a nod to the reality that the spam problem has typically been driven by a near-constant demand for the things advertised in junk email — be it porn, knockoff designer goods or prescription drugs that can be bought off these sites for a fraction of what Americans pay for the same drugs. And the vast majority of that demand comes from Americans.

Many of those engaged in cybercrime hail from Russia and the former Soviet states because these regions for a very long time placed a heavy emphasis on science, logic and math in their education systems. Turns out, such skills are the building blocks of programming and computing. As a result, these countries have churned out millions of people who are quite good at coding — and finding logical flaws in coding — but who lack any sort of real pipeline for parlaying those skills into high-paying jobs.

Many of the guys I tracked down and interviewed for the book had day jobs, and got into hacking and cybercrime because they viewed that activity as a way to supplement their income and to live a certain lifestyle that they could not enjoy otherwise. Also, there is little deterrent for choosing this lifestyle because so few of these folks get busted for their crimes.

FM: It's remarkable that you've been able to identify and profile so many Russian cybercrime bosses. How have you been able to do that?
BK: In the case of those profiled in "Spam Nation," it helped a great deal that two guys who ran competing cybercrime and spam empires paid hackers to break into each other's operations and leak to me several years worth of emails, chat records and banking documents for these organizations. When you have that much detail about a criminal organization, it makes it pretty easy to follow the money and connect the dots — if you have the time and resources to do this sort of work, which I did.

FM: You include a chapter in your book, "Meet the Spammers." What do you think are some common denominators for these cybercriminals?
BK: They mostly live in countries that do not currently have great relations with the United States, including Russia, Belarus and the Ukraine, so they have little to fear from being prosecuted for their crimes unless they leave those countries or start attacking their own people. Most of them view cybercrime as a victimless crime — that consumers will get reimbursed for fraudulent activity and that the only ones who really get hurt are the banks, and nobody likes the banks so who cares. Some of them have a direct and intense animosity for the West and see this as a way to project Russia's power and influence abroad.

FM: You write that the spam business had taken a huge hit the last few years. Briefly, what are some of the reasons for that? 
BK: Much of it has to do with the legwork by a ragtag bunch of academic researchers who took it upon themselves to learn which banks were helping to facilitate the processing of credit cards for the things that were most commonly being advertised in spam, such as pirated software and knockoff prescription drugs. It's very expensive and time-consuming for these spam partnerships to arrange new credit card processing agreements, and these researchers figured out a way to do undercover "buys" from spam in a methodical way and then map that back to the banks in Eastern Europe and the Caribbean that were processing the payments for these transactions. Then, they worked with rights and brand holders to file official complaints through Visa and MasterCard, which threatened to rain down significant fines on banks that were enabling this activity.

FM: You write that not long ago, if a spammer or hacker wanted to launch a massive Internet attack, he had to assemble a huge botnet that included legions of hacked PCs. Now they can do that with just a few hundred bot-infected PCs, according to one of your sources. How is this possible?
BK: This is not a new development. What's new is that more people understand how to launch these attacks, and there are more resources than ever online that can be abused to launch these attacks. Without getting too far into the weeds here, what's going on is that there are tens of millions of devices, such as older DSL routers online that are poorly configured, and that configuration opens them up to abuse by third parties. For example, many older DSL routers will happily run DNS lookups for anyone on the Internet who asks — not just for their local, legitimate users. This creates a problem because DNS — the basic Internet technology that helps direct traffic on the Web — does not require any sort of authentication or validation that the machine or person making the request for information is allowed to do so, nor does it validate that the request for said information actually came from where it says it was sent from. Worse still, DNS supports a feature whereby the response can be made to be much larger than the actual request.

In short, this allows attackers to spoof a request from an Internet address that they want to attack, and when the DNS server replies, it will answer with a much larger reply than the request, and it will send the answer to the spoofed — target — address. Send these requests from a few hundred machines to tens of thousands of misconfigured servers and routers, and all of a sudden you have a huge traffic flow aimed at the spoofed address.
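
The two properties Krebs leans on here, an unauthenticated source address and a reply far larger than the request, can be shown concretely by building DNS messages byte for byte. The Python below is an illustration added for this page, not Krebs' code and not taken from any attack tool; the domain name, record contents and sizes are constructed, and nothing is sent on the network. It builds a small query, with and without the EDNS0 option that invites a resolver to answer with a large UDP reply, builds the kind of oversized response an open resolver would return, and computes the amplification factor. The spoofing half of the attack lives in the IP header, which a DNS server never verifies, so the reply goes to whatever address the attacker wrote there.

```python
"""DNS reflection/amplification on the wire: build the query and the oversized reply (constructed data)."""
import struct
from typing import List, Optional, Tuple

QTYPE_TXT, QTYPE_ANY, QTYPE_OPT = 16, 255, 41
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """'example.com' -> length-prefixed labels (0x07 'example' 0x03 'com') plus a 0x00 root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, edns_udp_size: Optional[int] = None, txid: int = 0x1234) -> bytes:
    """Standard recursive query. With edns_udp_size, an EDNS0 OPT record (RFC 6891) tells the
    server we accept replies up to that many bytes over UDP, which is what makes a multi-kilobyte
    answer to a 40-byte question possible. Nothing in the message identifies the sender; the
    server answers whatever source address the IP header carries."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    msg = header + question
    if edns_udp_size:
        # OPT pseudo-RR: root name, TYPE 41, CLASS = requestor's UDP payload size, TTL = extended flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_udp_size, 0, 0)
    return msg


def txt_rdata(text: str) -> bytes:
    """TXT RDATA is one or more <length><chars> strings; a single string of up to 255 bytes here."""
    raw = text.encode("ascii")
    if len(raw) > 255:
        raise ValueError("TXT string longer than 255 bytes")
    return struct.pack("!B", len(raw)) + raw


def build_response(query: bytes, answers: List[Tuple[int, bytes]]) -> bytes:
    """Answer as a resolver would: echo the ID and question, then append one RR per answer.
    Each RR NAME is the compression pointer 0xC00C (offset 12, i.e. the question name)."""
    txid, _flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = 12
    while query[pos] != 0:          # walk the labels to the root terminator
        pos += 1 + query[pos]
    pos += 1 + 4                    # terminator + QTYPE + QCLASS
    question = query[12:pos]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR=1, RD=1, RA=1
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", rtype, QCLASS_IN, 300, len(rdata)) + rdata
                    for rtype, rdata in answers)
    return header + question + body


def parse_counts(msg: bytes) -> Tuple[int, int, int, int]:
    """(QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) from the 12-byte header."""
    return struct.unpack("!HHHH", msg[4:12])


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes delivered to the spoofed victim per byte the attacker had to send."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com", QTYPE_ANY, edns_udp_size=4096)
    # Constructed zone: ten fat TXT records, typical of a name chosen for amplification
    r = build_response(q, [(QTYPE_TXT, txt_rdata("v=spf1 " + "x" * 240))] * 10)
    print(len(q), "byte query ->", len(r), "byte reply, x%.1f" % amplification_factor(q, r))
```

A resolver that will answer such a query for any source address on the Internet is an open resolver; the fix on the reflector side is to answer only for its own clients (and many resolvers now refuse or minimize ANY), and on the network side to drop packets whose source address could not legitimately originate there (BCP 38 ingress filtering), which removes the spoofing the attack depends on.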

FM: You've broken news on recent major credit card breaches before the mainstream media reported on the cases. You seem to have developed some helpful contacts at financial institutions who clue you into these possible crimes. Can you describe some of your methods for cracking these cases? How do you cultivate new contacts and sources? Can you describe how you discovered the Target case?
BK: Usually, it is me contacting banks and telling them their cards are for sale somewhere, and then they go and acquire a handful of cards and see if they can determine whether all of those cards were used at the same place during the same time frame. Most of my banking sources have reached out to me and asked me to alert them if their cards show up in a huge new batch of stolen cards. They're more than happy to help with this research and share what they found because the sooner a breached merchant owns up to a breach, the sooner the fraud on their customers' cards can be stopped.
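
The bank-side check Krebs describes, buying back a handful of cards from the dump and looking for a merchant and time window they all share, is what card issuers call common point of purchase analysis. The Python below is an illustration added for this page with constructed card identifiers, merchant names, dates and a control group; it is not Krebs' code or any bank's. It collapses store numbers into one merchant family, measures what share of the compromised cards transacted with each merchant inside the window, and names a breach point only when that share is high and the merchant is over-represented compared with cards that were not in the dump, so that a coffee chain every cardholder visits is not blamed for the breach.

```python
"""Common point of purchase analysis over constructed card transaction data."""
from collections import defaultdict
from datetime import date
from typing import Dict, Iterable, List, Optional, Set, Tuple

Transaction = Tuple[str, str, date]   # (card_id, merchant, transaction_date)

# Constructed: five of the bank's cards turned up in one batch of stolen cards ...
COMPROMISED: Set[str] = {"c1", "c2", "c3", "c4", "c5"}
# ... and five comparable cards from the same bank did not (the control group)
CONTROL: Set[str] = {"k1", "k2", "k3", "k4", "k5"}
# Constructed window in which the dump's cards were believed to have been skimmed
WINDOW_START, WINDOW_END = date(2013, 11, 27), date(2013, 12, 15)

# Constructed transaction history for the cards above
TRANSACTIONS: List[Transaction] = [
    ("c1", "RetailCo #114", date(2013, 11, 29)), ("c1", "CoffeeHut", date(2013, 12, 2)),
    ("c2", "RetailCo #114", date(2013, 11, 30)), ("c2", "GasMart", date(2013, 12, 3)),
    ("c3", "RetailCo #337", date(2013, 12, 1)),  ("c3", "CoffeeHut", date(2013, 12, 1)),
    ("c4", "RetailCo #114", date(2013, 12, 5)),
    ("c5", "RetailCo #337", date(2013, 12, 6)),  ("c5", "GasMart", date(2013, 10, 1)),  # outside the window
    ("k1", "CoffeeHut", date(2013, 12, 2)), ("k2", "CoffeeHut", date(2013, 12, 4)),
    ("k3", "CoffeeHut", date(2013, 12, 9)), ("k4", "RetailCo #114", date(2013, 12, 3)),
    ("k5", "GasMart", date(2013, 12, 8)),
]


def merchant_family(merchant: str) -> str:
    """Collapse store numbers so that 'RetailCo #114' and 'RetailCo #337' count as one merchant."""
    return merchant.split(" #", 1)[0]


def coverage(transactions: Iterable[Transaction], cards: Set[str], start: date, end: date) -> Dict[str, float]:
    """Share of `cards` that transacted with each merchant family inside [start, end]."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for card, merchant, day in transactions:
        if card in cards and start <= day <= end:
            seen[merchant_family(merchant)].add(card)
    return {m: len(s) / len(cards) for m, s in seen.items()}


def rank_merchants(transactions: Iterable[Transaction], compromised: Set[str], control: Set[str],
                   start: date, end: date) -> List[Tuple[str, float, float]]:
    """(merchant, share of compromised cards, share of control cards), most-covered merchant first."""
    transactions = list(transactions)
    comp = coverage(transactions, compromised, start, end)
    ctrl = coverage(transactions, control, start, end)
    rows = [(m, share, ctrl.get(m, 0.0)) for m, share in comp.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def likely_breach_point(transactions: Iterable[Transaction], compromised: Set[str], control: Set[str],
                        start: date, end: date, min_coverage: float = 0.8,
                        min_lift: float = 2.0) -> Optional[str]:
    """Name a merchant only if most compromised cards went there AND it is over-represented
    relative to the control group; a chain everyone visits scores high on coverage alone."""
    for merchant, comp_share, ctrl_share in rank_merchants(transactions, compromised, control, start, end):
        lift = comp_share / ctrl_share if ctrl_share else float("inf")
        if comp_share >= min_coverage and lift >= min_lift:
            return merchant
    return None


if __name__ == "__main__":
    for name, comp_share, ctrl_share in rank_merchants(TRANSACTIONS, COMPROMISED, CONTROL, WINDOW_START, WINDOW_END):
        print("%-10s compromised %3.0f%%  control %3.0f%%" % (name, 100 * comp_share, 100 * ctrl_share))
    print("likely breach point:", likely_breach_point(TRANSACTIONS, COMPROMISED, CONTROL, WINDOW_START, WINDOW_END))
```

In practice the window comes from the dump itself (the sale date and the "valid from" dates the seller advertises), and the control group should be drawn from the same card portfolio and geography so that an ordinary local merchant does not look suspicious simply because everyone in town shops there.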

FM: You also wrote in your book that "[T]he editors at the Washington Post said they were still deeply concerned about my focus on Internet bad guys. The Post higher-ups were nervous about my reporting on a crime-heavy subject in which the standard forms of documentary evidence don't typically exist. Also, they took the position that my focus on cybercrime — as opposed to a broader beat such as consumer technology or technology policy — was too narrow, and that I was getting too close to my sources to remain objective." How do you contrast your investigative methods at the Post with the ways you conduct business now?
BK: Not terribly different, except that I don't have people telling me what to write about and what not to write about anymore. I do, however, have a very good media lawyer with whom I consult from time to time when necessary.

FM: What are some of the processes you employ when you first get a lead on a fishy ISP, shady character or emerging cybercrime?
BK: Just building a mind map of all the information and data points that I have on this actor or organization. Often, just having all of the information in one place makes it easy to see where my gaps in knowledge and data are and to see correlations between and among data points. I do a lot of mind-mapping and white-boarding.

FM: How do you learn about cybercriminals? Who they are, where they work, what they do in their free time, who they're attacking?
BK: Few of them start out their lives thinking they will be cybercrooks. Most get into it gradually, and so they almost all have a side of their identities that are online going back several years, and a lot of that stuff is pretty hard to erase. The Internet has a tendency to index and remember things, so when these guys fail to fully air gap their online and offline selves, they run into problems. Very few of these crooks do that well, and most make stupid mistakes that make it fairly easy to connect the dots once you have a few details to go on.

FM: Have you considered what motivates cybercriminals to commit these infractions that are often connected to more serious crimes such as child pornography and murder? Are they motivated by simple greed, or is their reasoning much more complex?
BK: A surprising number of the guys I profile in "Spam Nation" got their starts in cybercrime by promoting pornography of one kind or another. The two kingpins in the book got their start by teaming up to create a processing platform for extreme pornography that few banks wanted to be associated with (rape, bestiality porn, for example), and so they quickly became an attractive place for people pushing even more offensive and repulsive content.

FM: A Dec. 23, 2014, article in The New York Times reported that the JPMorgan Chase computer breach last summer (resulting in compromised account information for 83 million households and small businesses) could have been prevented if the company had just upgraded one of its network servers with two-factor authentication, which requires users to enter a second one-time password to gain access. The article reports that JPMorgan spends $250 million annually to guard against attacks. How do cybercriminals find minor flaws like this, and how can organizations make sure small mistakes don't become major problems?
BK: Stolen credentials and passwords, in particular, are some of the most intractable problems in cybersecurity today. It's bad enough that many banks do not even offer their customers the ability to authenticate themselves with anything more than a user name and password which, when phished, lost or stolen, can be used to impersonate that person. However, the lack of two-factor authentication within organizations for employees with access to sensitive customer and employer data is a recipe for disaster.

I wrote about this recently after receiving a letter from my ISP informing me that my Social Security number, address, phone number and other information were stolen after a customer service representative was tricked into giving away her network credentials to someone impersonating an information technology technician at the ISP. Had my ISP required that employee to authenticate using a second factor — such as a mobile phone — this breach very likely would never have occurred. The same goes for JPMorgan. [See Krebs' blog entry.]

FM: What are some ideal anti-breach systems that any organization can build?
BK: What you're asking about doesn't exist. Security is a moving target, and staying secure means adapting your defense to the latest attacks. But more importantly, it means finding creative but meaningful ways to get your board of directors and C-level executives intensely involved and invested in making security a priority. The core question that security-savvy execs and board members should be asking on a regular basis is, "How much of our scarce security budget are we spending trying to keep the bad guys out, versus trying to detect as quickly as possible when (not if) they get in, and stopping the bleeding as soon as possible."

FM: Corporations often employ external security services for their cybersecurity needs. Do they need to employ internal staffers who are dedicated just to protecting systems?
BK: Yes. Most companies spend ridiculous percentages of their security budget on security stuff — namely, hardware, software and services designed to alert them when suspicious activity happens on their network that might indicate a breach. Unfortunately, these systems generate so much noise and false alarms that it becomes a challenge whittling down the alerts to a few that you really need to read and act on. This is a constant struggle because organizations are producing lots more data each day, and more devices are being added that generate alerts.

Somehow, companies need to invest more in boots on the ground to help them effectively man all this security weaponry. We saw this in the wake of Target. Analysts said, well, Target spent more than any other retailer on security, and yet they still got hacked. These are both true statements, but they didn't have the approach and/or talent needed to make sense of what all these security services and hardware were trying to tell them about the state of their networks.

FM: You write in your book that those who were once just content to steal banking information and blast out unsolicited commercial emails increasingly are using their skills to hold data for ransom via ransomware malware. They're becoming better at "situational awareness" — gaining a better understanding of their victims and the value of their assets. What can organizations do as the fraudsters ramp up their attacks?
BK: Get better at identifying and then placing extra strong monitoring and access protections around the "crown jewels" within any organization — the stuff that if lost or stolen could have a material impact on the company's bottom line and/or reputation and relationship with customers and partners.

FM: We're all familiar with cybercriminals who download malware when an unsuspecting victim opens an attachment or clicks on a suspect website. But how are spammers now hacking into email accounts, collecting personally identifiable information and selling it on the black market?
BK: The easiest way is by taking data stolen in one corporate data breach and leveraging it in another. For example, Company A gets hacked — its customer database of usernames and passwords stolen. Hackers take those hashed passwords and crack about 60 percent of them over a few days using specialized tools. The hackers then take the email addresses and corresponding passwords that they've cracked and divide those up by email provider — Yahoo, Gmail, Apple, etc. Then they try those same credential pairs at those providers to see if any of them work there. They will in all likelihood have great success with this approach because a non-trivial number of people reuse their email passwords at other sites. But when those other sites get hacked, you can bet it won't be long before your email account is hijacked if you've recycled that password elsewhere.
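
The reuse chain Krebs lays out, credentials cracked from Company A's dump, sorted by email provider and replayed elsewhere, is also something a defender can test for before the replay happens. The Python below is an illustration added for this page, not Krebs' code; the cracked pairs and the user accounts are constructed. It groups a cracked dump by provider the way the attacker does, then checks a properly built user table (per-user salt, PBKDF2) for accounts whose current password equals the one leaked for that same email address, so those users can be forced to reset. The check works only because the dump supplies plaintext passwords; two different sites' hashes cannot be compared against each other when each uses its own salt, which is the point of salting.

```python
"""Checking our own user base against a cracked credential dump (constructed data)."""
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

ITERATIONS = 50_000  # PBKDF2 work factor; a constructed value for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: what a site should store, unlike the quickly cracked hashes Krebs describes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_db(accounts: Iterable[Tuple[str, str]]) -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed stand-in for our own user table: email -> (salt, hash)."""
    db: Dict[str, Tuple[bytes, bytes]] = {}
    for email, password in accounts:
        salt = os.urandom(16)
        db[email.lower()] = (salt, hash_password(password, salt))
    return db


def group_by_provider(cracked: Iterable[Tuple[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """The attacker's sorting step: bucket cracked pairs by email provider (gmail.com, yahoo.com, ...)."""
    buckets: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for email, password in cracked:
        buckets[email.rsplit("@", 1)[-1].lower()].append((email, password))
    return dict(buckets)


def find_reused(cracked: Iterable[Tuple[str, str]], user_db: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Defender's check: which of our users currently use the password leaked for them at Company A?"""
    hits = []
    for email, password in cracked:
        entry = user_db.get(email.lower())
        if entry is None:
            continue                      # no account here under that address
        salt, stored = entry
        if hmac.compare_digest(hash_password(password, salt), stored):
            hits.append(email.lower())
    return sorted(hits)


# Constructed: pairs the attackers cracked from Company A's dump
CRACKED = [("alice@gmail.com", "Summer2014!"), ("bob@yahoo.com", "hunter2"),
           ("carol@gmail.com", "letmein"), ("Dave@Example.org", "correct horse")]
# Constructed: accounts on our own service; alice and dave reused their password, bob did not, carol has no account
USER_DB = make_user_db([("alice@gmail.com", "Summer2014!"), ("bob@yahoo.com", "totally-different"),
                        ("dave@example.org", "correct horse")])

if __name__ == "__main__":
    for provider, pairs in group_by_provider(CRACKED).items():
        print(provider, len(pairs), "cracked accounts")
    print("force password reset for:", find_reused(CRACKED, USER_DB))
```

Matching on email address alone misses users who reuse a password under a different address, so the practical complement is the advice Krebs gives below: a second factor on the account, which turns a replayed password into a failed login rather than a hijack.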

FM: What are some steps that users can take to protect themselves beyond the usual precautions?
BK: Enable two-factor or two-step authentication on all services where it's available. Twofactorauth.org is a good start for that. Update your software — not just the operating system patches from Microsoft and Apple, but particularly the browser plugins like Flash, Reader, Silverlight, etc. as soon as updates are available. This is usually once a month. Remove any software or plugins that you don't absolutely need (e.g., Java, Flash, Reader, etc.). I offer a ton more tips in the final chapter of my new book, "Spam Nation."

FM: Why can't credit card companies shut down spammers by refusing to process their transactions?
BK: They can, but the way their contracts work, the brand holders (pharma, handbag makers, et al.) need to file disputes with the banks, which in turn have to alert Visa and MasterCard. When that process starts, the card associations can then turn to the acquiring bank for the dodgy merchant and give them the choice between continuing to violate the terms of their contract with the card associations or face steep fines. But none of this happens without careful reporting, and few brand holders have been willing or able to do this on their own for some reason.

FM: I'll mention some of the Russian cybercrime bosses. Can you give me one-sentence descriptions of these men?

  • Pavel Vrublevsky, cofounder of ChronoPay, a high-risk card processor and payment service provider.
    BK: Well-connected, spontaneous, spendthrift, very entertaining and ambitious guy.
  • Igor Gusev, cofounder of ChronoPay and co-owner of the pharmacy partnerships Spamit and GlavMed.
    BK: Reserved, private, careful, shrewd businessman.
  • Dimitry Stupin, co-owner of Spamit and GlavMed.
    BK: The technical brains behind these pharmacy operations.
  • Dmitry Nechvolod, one of Spamit and Rx-Promotion's most successful spammers.
    BK: Typical spammer. Focused on his business and on spending cash earned from it on fast living.

FM: I've always believed that excellent investigative journalists often can be a helpful extension of fraud examiners and law enforcement. How do you feel about that?
BK: I'd agree, of course. It also works both ways.

FM: Is Sony developing a movie based on your life and work?
BK: I spoke with some producers from Sony about this, roughly a year ago. They hadn't even talked to the creative people at the time, so I told them to call me back once they did that. They haven't called back. And that's just fine with me.

FM: Without giving away too much, what are some things that you'll be telling attendees at the 26th Annual ACFE Global Fraud Conference?
BK: You give me way too much credit for being that organized this early. Sorry. You'll just have to wait and see.

Dick Carozza, CFE, is editor-in-chief of Fraud Magazine.


The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or www.ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be emailed to FraudMagazine@ACFE.com.