Daily diaries show how computer criminals earn their living By Bob Sullivan MSNBC March 27 -- Claims of six figure "salaries" earned without ever leaving the bedroom. A hearty supply of "free" computer hardware and a never-ending e-mail inbox full of victims. Credit card accounts "phished" from fake porn sites, or clever e-mails promising "You've got Pictures" that ask for AOL user names and passwords. What do computer criminals do all day? Work the system -- and reap the rewards. In this MSNBC.com exclusive, you'll get a chance to peek inside the daily life of two computer criminals, and see how the system works to their advantage. SECURITY EXPERTS WILL tell you most of the computer attacks they see every day are initiated by clever teen-agers, so called "script kiddies." Many of these never get much past the stage of simply altering Web page content a few times, a temporal, harmless instance of graffiti in the virtual world. In fact, some argue these curious computer kids are hardly criminals at all. But there's no mistaking the other side of the computer underground, the so-called "carders." To them, anonymous e-mail addresses, credit card numbers, and uninformed Net users are all the basic ingredients for crime. Some claim to earn thousands each day just by working various scams. Understanding who these criminals are and what they're up to is part of the job of a computer security professional. Dan Clements, president of AdCops.com, has taken this "know your enemy" credo to a new level. Clements started AdCops.com two years ago to help Internet merchants fight credit card fraud. "No one else was really helping," Clement said. He wanted to form a community where merchants could swap horror stories and have frank conversations about theft at their sites. Hacks, Attacks & Scams o Curador pleads guilty to hacking o IE bug exposes e-mail and files o Internet company settles pyramid scheme claim o Microsoft digital certificate stolen o Associated Press Web site hacked o No genius needed to hack bad system o A tale of government 'panic' Since then, fraud and credit card theft have run rampant on the Internet, and Clement has collected so many horror stories that he's changed his site into a virtual museum -- the "Fraud Museum." Inside are AOL password-stealing schemes, fake Web pages designed to steal Internet access accounts -- even a free e-mail inbox full of hundreds of notes from fraud victims who willingly submitted their credit card account numbers to a con artist. In part to promote the site's work, and also to help merchants understand their minds of their enemies, Clements recently paid two criminals to keep a log of their daily lives. "We pay them to get front-line current fraud information," Clement said. "Until you see it, you don't completely understand it. It's shocking." Below, in excerpted form, are some of their entries. Editor's notes are in italics. Note that computer criminals are apt to exaggerate their successes. CRIMINAL NO. 1 11:00 a.m. Damn it's early I just woke up. My carded (purchased with a stolen credit card) laptops in bed with me. Hell, I don't even have to get out of bed to go to work. OK, some guy on Efnet (an Internet chat area) told me last night he would Western Union me $250 if I wrote a diary of one of my typical days and e-mailed it to him in .doc format. He was too stupid to be a Fed. Hell I don't care if he is, he can't track me. Now as soon as members sign on they get warnings all over the place about online frauds. Screw AOL. I'll still make six figures this year. They are always a step behind. 11:01 a.m. Well, I just checked www.westernion.com and he wasn't lying, he sent the funds. I got the tracking number and he paid by cash so I can pick up the money without an ID. Secret question/answer was "what's your mother's maiden name?" Answer was "tu madre." All I gotta do is tell the guy at the Western Union "tu madre" and he'll hand over the money. I make sure I rotate Western Union offices and go to the gas station ones. They usually don't have cameras. Let me check what I racked in on e-mail accounts from the lamers (potential victims). Damn, my Yahoo box is dead. Freak, I had to make another one. I got a script that will make me 10 yahoo e-mail accounts in 30 seconds, so this didn't put me back too much. I make 10 boxes and I'll have them for the whole week. Two weeks if I'm lucky. 11:03 a.m. Open up one of my new Yahoo accounts through an untraceable NetZero account. I use www.anonymizer.com to go to the Yahoo account because I'm paranoid. Hell if anyone's going to get my IP (Internet address). Screw the Feds, they are lazy they won't trace me back that far. Plus I got *67 on, they'll need subpoenas to, and a ton of tracing to even get close to me. By then I'll have a new number. Hell, I go through telephone lines about one every 2-3 months. If I'm super paranoid, I skip Anonymizer and hack me a Wingate. Then the Feds will trace back to one of the lamers' home computers not mine ;) LOL! Basically if I use a Wingate they can't track me at all! I should use gates more often ;( Hell I'm getting almost as lazy as a Fed. Ha! 11:08 a.m. Ahhhh, good old MaLad0ck from .ru promised me 50 phish (sets of stolen e-mail and account information, potential victims). I'll give him $100. I won't pay him cash. Too traceable. I don't even trust him. Met him about a year ago on efnet. Could be a Fed. He'll get paid with Paypal money. He's sending first. Don't ever trust a Russian :) I mail out something saying "You've got pics...click here." Of course it goes straight to my free site scam page and tells them to enter in their l/p -- login/password for the clueless. 11:18 a.m. Ahh. Nice. My "You've got pics" scam page up on my free host (name removed) hasn't been termed (taken down as a terms of service violation). This will save me some work. God I love (name removed) they are almost begging to get spammed. LOL. Their admins let my scam pages stay up for weeks sometimes. Most free sites, first thing they do in the morning is check abuse@theirsite.com to see who's been spaming. Not these guys. BTW actually (name removed) does. I'm not going to tell you what freesite never terms ... don't want the word to get out. I do like to use west coast free servers they are 3 hours behind the east coast. So their admins don't check till 12 noon east coast time. That gives me some time so all the 9-5 lamers can check their email and fall into my trap. WOW! We just got 30 fresh cc's. Now we gotta go call the 800 number on back to find a good cc with lots of cash :) 11:38 a.m. Freak! I forgot to start grabbing AOL e-mail addresses from member directory. Dammit, I ought to eat breakfast. It's almost noon time. What is that, brunch? I haven't left the house in three days, too much stuff going on. I'll get food delivered. I'll call on my cell -- not like I pay for service. LOL. Gotta love phreaked (stolen) cells. 11:40 a.m. OK, pizza's on the way. Just set up computer two on my network to start collecting some AOL members' e-mail addresses so I can spam. You gotta love AOL. Well, at least their members. I make bank on their stupidity. 12:41 p.m. OK, I got 12,000 AOL members. Time to go phishingggg!!!!! (spamming). I mail out something saying "You've got pics...click here." Of course it goes straight to my free site scam page and tells them to enter in their l/p -- login/password for the clueless. 3:30 p.m. Check yahoo account -- 22 more phish show up. AOL members are slow today. Damn, I should have about 50 by now. AOL is tightening up. They got ripped so bad last year on carders and all that stuff. Now as soon as members sign on they get warnings all over the place about online frauds. Screw AOL. I'll still make six figures this year. They are always a step behind. Actually about five steps ;) lol ok..... 3:54 p.m. Set up Yahoo mail account to dump credit card info into. 4:30 p.m. Put up phony adult site on free host, complete with front end and a back-end credit card submission page. I'm going to get me some "members" LOL. Going to be the most expensive site these members have ever joined..rofl (rolling on the floor laughing). That's what they get for buying porn. 4:50 p.m. Mail to AOL members about a hot new adult site, it's really my fake site on the free host so I can get their credit card numbers and card some stuff. ooooooooops! 5:30 p.m. I'm going to go meet my girlfriend. Take her out to dinner, go back to her place. Enough of this diary stuff. 7:50 p.m. OK, I'm back. Checked Yahoo mail account, 15 credit card forms are sitting in the account. All while I was at my girlfriend's. ;) Tommorow's going to be a nice day. I'll get me about 5 laptops with these cards. 8:30 p.m. Click on adult banners to create a clicks/sales ratio with a click generation program. I make about $2,000 a month on fake hits. Not much but it adds up :) My old box actually runs dedicated doing that stuff 24/7. Gotta love it :) 8:50 p.m. Sign up 2 adult sales. Making $100. Don't want to do too much, it will look suspicious. But think about it like this: $100 a day. times 30 days is ... $3,000 a month. Crime doesn't pay? :) 9:13 p.m. Click on Amazon banner and create an affiliate sale. Sent books anywhere. Net is $20.17 to advertising account. Lame money but I'm bored, watching TV so I do this when I don't have anything to do. I might make $1,000 a month doing this if I'm not lazy. 9:23 p.m. I better kill these cards. I need them to get worn out. More people that use them, the harder it will be for the Feds to narrow it down to me. Ill trade the 30 credit card numbers and ccv2 (number on the back of credit cards used for added security) for maybe $100. Not much but better than delete them. 10:30 p.m. I'm going to Efnet. I gotta find me a good site that will send lappies (laptops) w/o too much hassle. dIrkSTIR (not his real name) says (site removed) caught on and isn't sending stuff out any more. I'll find a good merchant. Maybe trade some shells (access to remote computers) or phish to find a virgin site. 11:00 p.m. OK I'm out. Time to go drinkkkkk away some of my $250 I got for writing a diary LOL. CRIMINAL NO. 2 DAY 1 11:00 p.m. Relax get on the computer, check e-mail account for some fresh credit card numbers. 11:04 p.m. Realize that I already used all my cc's, not fresh anymore :( gotta collect fresh cc's I do like to use west coast free servers they are 3 hours behind the east coast. So their admins don't check till 12 noon east coast time. That gives me some time so all the 9-5 lamers can check their email and fall into my trap. 11:05 p.m. Go open a new email@LA.com free e-mail account using a untraceable ISP account `shared among friends.' 11:15 p.m. Put the AOL billing scam page up on a free host 11:20 p.m. Start collecting AOL e-mail address from member directory with screen name collector program. 11:45 p.m. Load up `Bulk I-Mailing Program' to mail AOL billing scam 12:00 a.m. All mail sent now. We just wait and talk to friends until more cc's come. 12:30 a.m. WOW! We just got 30 fresh cc's. Now we gotta go call the 800 number on back to find a good cc with lots of cash :) 1:20 a.m. Now that we got 2 Credit Cards with $5,000 limits on them, let's go have some fun 1:25 a.m. Scan around Amazon.com, looking for something to buy -- PlayStation 2 1:35 a.m. Call and wake up my buddies to make sure it's still cool to use his house to use as a drop site. 1:45 a.m. Stop BSing with friend, and now about to order 2 PlayStations and lots of games 2:00 a.m. Now that I can use my friend's house to drop off the toys, filling out order info 2:05 a.m. Checking e-mail account, making sure order went through fine 2:15 a.m. Go back to IRC room and BS around and trade some CC's for some Paypal Accounts. 2:30 a.m. Got someone to hook me up with 2 verified Paypal accounts now Most free sites, first thing they do in the morning is check abuse@theirsite.com to see who's been spaming. Not these guys. 2:35 a.m. Going to www.ebay.com and find something to buy -- two new laptops 2:45 a.m. Log on to Paypal accounts and send off payments 2:50 a.m. E-mail the owners of the laptop that I just won and tell him I already sent payment from the Paypal account, and please ship to this address overnight mail. I added the extra $25-$50 for shipping charges. 3:00 a.m. Time to get some sleep [lnk_bbs.gif] What do you think about the hacker diaries? [dotblack.gif] Day 2 9:00 p.m. Time to get back online and check e-mail account and see if PlayStations and laptops are on their way 9:05 p.m. Just found out they both got shipped; everything went as planed 9:10 p.m. Going to http://www.usps.com/tracking.cgi and checking when it will get to my friend's house 9:15 p.m. Everything has been taken care of and in less then 24 hours I have ordered two laptops and two PlayStations with about 10 different game's total of about $4,000 not to bad of a day of work.