A Look at Romanian ‘Hackerville’ Reveals Human Element of Cybercrime

“Editor’s Note: Welcome to my weekly column, Virtual Case Notes, in which I interview industry experts for their take on the latest cybersecurity situation. Each week I will take a look at a new case from the evolving realm of digital crime and digital forensics. For previous editions, please type “Virtual Case Notes” into the search bar at the top of the site.

Cybercrime is often thought of as something that only happens within the generalized, invisible space of the internet. It is seen as virtual rather than physical, and those who commit cybercrime are thought of as anonymous individuals whose activities are all within the confines of the web. Run an image search for “hacker” or “cybercriminal” and you will see plenty of pictures of people with their faces hidden by hoods or masks, sitting alone in a dark room in front of a computer. But what if, instead of a hooded loner, the universal image of cybercrime was that of a group of neighbors in an impoverished part of the world, gathered together at a local cafe?

The latter is a new picture of cybercrime that researchers Jonathan Lusthaus and Federico Varese hope to make more people aware of in their recent paper “Offline and Local: The Hidden Face of Cybercrime.” The co-authors, working on the Human Cybercriminal Project out of the sociology department of the University of Oxford, traveled to Romania in 2014 and 2015 to study the oft-ignored real-world aspect of cybercrime in an area known to be a hub for one specific form of this crime—cyber fraud.

“Hackerville”

The town of Râmnicu Vâlcea, which has a population of around 100,000, has faced some economic setbacks in the last decade, including the loss of a major employer, a chemical plant; in addition, the average monthly salary in Romania as a whole (in 2014) was only €398 compared to €1,489 across the European Union. However, upon arriving in town, Lusthaus and Varese found themselves surrounded by luxury cars, “trendy” eateries, and shopping malls stocked with designer clothes and electronics. Though Râmnicu Vâlcea is poor “on paper,” the town seemed to be thriving, and interviews with Romanian law enforcement agents, prosecutors, cybersecurity professionals, a journalist, a hacker, and a former cybercriminal would soon give the researchers a clue as to why that might be.

“It was rumored that some 1,000 people (in Râmnicu Vâlcea) are involved almost full-time in internet fraud,” Varese told me, explaining why the town sometimes nicknamed “Hackerville” became a key target of their research (although the authors point out, in their paper, that the more accurate term would be “Fraudville,” as scams are focused more on the sale of fake goods than hacking or the spread of malware).

Varese said major findings from their interviews in Râmnicu Vâlcea as well as the Romanian cities of Bucharest and Alexandria were that cybercriminals knew each other and interacted with each other at local meeting spots offline, such as bars and cafes; that they operated in an organized fashion with different people filling different roles; that many in the town were aware of the organized crime but either didn’t say anything or sought to become involved themselves; and that there have been several cases throughout the years of corrupt officials, including police officers, who accepted bribes from the fraudsters and allowed them to perpetuate their schemes without interference.

“These are almost gangs,” Varese said. “They are not the individual, lonely, geeky guy in his bedroom that does the activities, but it’s a more organized operation that involves some people with technical skills and some people who are just basically thugs.”

The paper describes a culture of local complacency, often under threat of violence by a network of seasoned cybercriminals. This picture is far from that of the anonymous, faceless hacker many have come to envision, and instead reveals how internet crime can become embedded in specific populations.

“Most people think of cybercrime as being a global, international sort of liquid problem that could be anywhere and could come at you from anywhere,” Varese said. “In fact, the attacks—the cybercrime attacks or the cyber fraud—really come from very few places disproportionately. So cybercrime is not randomly distributed in the world. It’s located in hubs.”

Cultural and Human Factors

I asked Varese two major questions—why Romania and why cybercrime, as opposed to other forms of profitable crime? He responded that a look at the country’s history reveals why, instead of weapons or drugs, criminals in Romania might turn instead to their computers.

“Romania is a very special place. Mainly because, during the dictatorship of Nicolae Ceaușescu—that was the communist dictator that ruled Romania from the 60s to the 90s—he emphasized the importance of technical education, and especially IT,” Varese explained. “There was a very good technical basis among people. When the internet arrived, a lot of Romanians built up their own micro-networks. And so it turns out that when the regime fell, Romania turned out to be a country which was very, very well-connected.”

The high level of technical education, combined with a high level of poverty and a high level of corruption—as shown in the paper, which points out that Romania’s score on Transparency International’s 2016 Corruption Perceptions Index is only 48 out of a possible 100—created a perfect storm for a culture of cybercrime to grow, Varese said.

But Romania is not the only place where cybercrime is highly concentrated and where online activities are strongly tied to offline factors. Varese identifies Vietnam in Asia, Nigeria in Africa and Brazil in the Americas as three other cybercrime hubs. Varese and his coauthor also plan to take their future research to Eastern Europe, where “corruption and the technical and economic legacy of communism” have created “a highly conducive environment for cybercrime,” their paper states.

Varese hopes this sociological research will help authorities recognize and manage the human element of cybercrime that is often ignored in the fight against online threats.”

GLOBAL POLICE SPRING A TRAP ON THOUSANDS OF DARK WEB USERS

“WHEN ALPHABAY, THE world’s largest dark web bazaar, went offline two weeks ago, it threw the darknet into chaos as its buyers and sellers scrambled to find new venues. What those dark web users didn’t—and couldn’t—know: That chaos was planned. Dutch authorities had already seized Hansa, another major dark web market, the previous month.

For weeks, they operated it as usual, quietly logging the user names, passwords, and activities of its visitors–including a massive influx of Alphabay refugees.

On Thursday, Europol and the US Department of Justice jointly announced the fruits of the largest-ever sting operation against the dark web’s black markets, including the seizure of AlphaBay, a market Europol estimates generated more than a billion dollars in sales of drugs, stolen data, and other illegal goods over its three years online. While AlphaBay’s closure had previously been reported as an FBI operation, the agency has now confirmed that takedown, while Europol also revealed details of its tightly coordinated Hansa takeover.

With Hansa also shuttered as of Thursday, the dark web looks substantially diminished from just a few short weeks ago—and its denizens shaken by law enforcement’s deep intrusion into their underground economy.

“This is likely one of the most important criminal cases of the year,” attorney general Jeff Sessions said in a press conference Thursday morning. “Make no mistake, the forces of law and justice face a new challenge from the criminals and transnational criminal organizations who think they can commit their crimes with impunity by ‘going dark.’ This case, pursued by dedicated agents and prosecutors, says you are not safe. You cannot hide. We will find you, dismantle your organization and network. And we will prosecute you.”

The Sting

So far, neither Europol nor the Department of Justice has named any of the administrators, sellers, or customers from either Hansa or AlphaBay that they plan to indict. The FBI and DEA had sought the extradition from Thailand of one AlphaBay administrator, Canadian Alexandre Cazes, after identifying him in an operation they called Bayonet. But Cazes was found hanged in a Bangkok jail cell last week in an apparent suicide.

Still, expect plenty of prosecutions to emerge from the double-takedown of Hansa and AlphaBay, given the amount of information Dutch police could have swept up in the period after Alphabay’s closure.

“They flocked to Hansa in their droves,” said Interpol director Rob Wainwright. “We recorded an eight-times increase in the number of new users on Hansa immediately following the takedown of Alphabay.” The influx was so large, in fact, that Hansa put up a notice just last week that it was no longer accepting new registrations, a mysterious development given that Dutch police controlled it at the time.

That surveillance means that law enforcement likely now has identifying details on an untold number of dark web sellers—and particularly buyers. Europol claims that it gathered 10,000 postal addresses of Hansa customers, and tens of thousands of their messages, from the operation, at least some of which were likely AlphaBay customers who had migrated to the site in recent weeks.

Though customers on dark web sites are advised to encrypt their addresses so that only the seller of the purchased contraband can read it, many don’t, creating a short trail of breadcrumbs to their homes for law enforcement when they seize the sites’ servers.”

Foot Surveillance: Keeping Your Cover

Vehicular surveillance and foot surveillance each have their challenges, but they share a common objective: to be invisible by hiding in plain sight. I’ve done plenty of both and tend to enjoy foot surveillance the most—mainly because I like the freedom of not being confined to a car.

The success of any surveillance operation relies heavily on preparation. And a good surveillance operative should be ready to go from mobile vehicular to foot surveillance at a moment’s notice. You might be riding along with another investigator as a passenger, ready to jump out and follow on foot. Or you might be following a subject by public transport—which means that surveillance on foot is your only option.

If you suspect that you’ll be on foot for all or part of the job, plan accordingly. Choose clothing that blends well into the places you’re likely to go (and is weather-appropriate), carry lightweight recording equipment that won’t attract attention (including your smartphone), and review the local transport system thoroughly.

Once you arrive at the initial assignment location, canvass the area for surveillance cameras, security guards, or anyone who might notice your activities (such as a doorman). Check for all possible exits from the location under surveillance, and choose the best possible observation post.

From there, don’t just watch the exit(s); keep assessing the whole area, and planning how you might follow your subject(s) once they appear. Is the area busy enough with foot traffic for you to follow closely on the same side of the street, or should you stay further back, or even cross the street to follow? You may be in a busy area, but if there aren’t many pedestrians, you’ll have to maintain your distance. You don’t want to be too close, as illustrated in figure 1, without any cover.

How To Know Which NIST Framework To Use

“One of the most important aspects of the recent cybersecurity executive order is also the aspect causing the most confusion.

When President Donald Trump signed the executive order in May, it included the requirement federal agencies use the NIST Cybersecurity Framework to manage their cybersecurity risk. However, some have confused the NIST CSF with the NIST Risk Management Framework, which all federal agencies have been required to follow since its 2010 introduction.

To put it succinctly, they are two different frameworks. As industry and government work together to execute this order, it is very important for everyone to fully understand the two frameworks, and how they differ.

NIST CSF Overview

The NIST CSF was released in February 2014 in response to a 2013 executive order that called for a voluntary framework of industry standards and best practices to help organizations manage cybersecurity risk.

The CSF was created as a result of collaboration between government and the private sector. It “uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses.”

The heart of the NIST CSF is the Framework Core, which consists of five functions: identify, protect, detect, respond and recover. The functions and their components aren’t a checklist of actions to be performed in order. Rather, they are concurrent and continuous activities that “provide a high-level, strategic view of the life cycle of an organization’s management of cybersecurity risk.”

Corporate Sector Special Operations: Myths & Realities

“It was still dark outside when the first undercover operative arrived at the Palace Hotel in San Francisco. A thick layer of fog swirled through the streets as the operative made his way into the lobby. He sat down to wait for his partner, and for the man who had hired them for the job. The hotel was to be the site of a large tech conference that day, and the two operatives had to be in position fast. Conference attendees would soon be streaming in for registration, and before long, the guest speakers would begin to arrive—including one specific Silicon Valley billionaire they would be watching for.

As the hubbub in the lobby built to a crescendo, the operatives slid into the background. It was imperative for their mission that no one knew who they were or what they were doing there.

While this might sound like a nefarious plot in some Hollywood movie, this was actually a covert protective operation, and part of a whole undercover world that very few people know exists—an invisible world I call the “surveillance zone.”

Introducing the “Surveillance Zone”

Let me offer you a peek behind the curtain—and into the “zone.” That first undercover operative mentioned above? That was actually me, and the man who had hired us was the senior security director for a well-known Silicon Valley corporation. We’d been hired to covertly protect the billionaire founder and CEO, whose company—despite some dramatic downswings and falling stock prices—was about to unveil a new venture. The mix of angry stockholders, excited techies, and nervous investors had company execs feeling skittish and us on our guard, and made for a tricky and interesting assignment.

On top of all that, the CEO had been receiving increasingly violent threats from a dedicated stalker who had demonstrated the will and ability to take things to the next level. Having surveilled the CEO’s home and workplace, and even physically confronted the CEO, there was ample reason to take the stalker’s intentions seriously.

When the threat to harm the CEO at the convention had come in (just a day before the event), the company decided to take action. At ten pm, I received a call from the security director, requesting our presence at the hotel at six am the following morning.”

Texas school police to use drones to keep campuses safe

“School district police officers here completed a months-long drone training program at Sanchez Elementary on Friday.

This spring, Drone Pilot Inc., a Central Texas training firm, taught four officers from the McAllen Independent School District Police Department on the usage of drones. The 100-hour training, which began in February, went through various real-life scenarios.

Friday, the officers had their final exam on completing would-be scenarios of search and rescue. Their drone skills were tested on finding a missing child/endangered adult and identifying an unknown object, a skill that could help defuse a bomb scare. Another mission was going through hazardous materials like an ammonia leak from a car.

Gene Robinson, vice president, co-founder and flight team director of Drone Pilot, said the officers learned to problem solve and jointly worked together in their missions.

“They (officers) will use the skills that we taught them, go out and try to solve,” Robinson said.

The drones will be used for faster response times and be used for investigative purposes to hold aerial views of parking lots, reconstruct collisions, look for evidence/crime scenes, and assess structural damage to buildings after a natural disaster or arson and most commonly, locate intruders in and around campuses.

“This training will be good for the public to keep them safe,” McAllen ISD Police Sgt. Charles Eric Treviño said. “When you look at it at ground level, it doesn’t look the same when you take it at aerial photographs. It’s different.”

“It’ll take minutes versus possible hours bringing an agency to check it out,” Treviño added about response times.

The drone training was divided into three phases. The introductory section covered legal issues and copyright information. Section two covered the proper usage of equipment and regulations with recording and documenting the missions on logbooks. The final section was team cooperation and following proper procedures before beginning a mission.

Government use of aerial drones became much easier when the Federal Aviation Administration flipped the switch on new regulations last year, prompting some law enforcement agencies to adopt the technology.

The San Marcos Police Department has purchased a drone that will be used for investigations into vehicle crashes involving serious injury or death.

Before the FAA created new regulations last summer, the Austin Fire Department had already been operating drones to monitor and respond to wildfires for more than a year under a rare exemption that made it one of the first public safety agencies in the country allowed to use drones.”

Barona Casino Security Points Deputies to International Counterfeiting Ring

“Barona Resort and Casino security guards alerted San Diego County Sheriff’s Department deputies to an international counterfeiting operation.
Deputies arrested Lien Do, Hao Nguyen, and Ben Ven Pham on Christmas Day last year.
They found $300,000 worth of counterfeit chips in the suspects’ car.
“It appears that what they were seeking to do was convert those chips into cash and to walk out the casino with the cash,” said Prosecutor Daniel Shim.
The defendants were charged with multiple felonies, including grand theft, burglary, forgery and possession of counterfeit marks.
“When the sheriff’s department searched their home in Garden Grove, they found about $2 million in casino labels,” Shim said. “During Mr. Pham’s interview, he indicated he received those chips from Vietnam.”
Two of the defendants pleaded guilty to lesser charges and are serving one-year jail terms. Charges against a third defendant were dropped and he returned to Vietnam.
“The Sheriff’s department did a great job in investigating this case. They did a very thorough investigation,” Shim said.
The criminal investigation expanded to at least six other casinos in Southern California, several of which are located in San Diego.
It remains unclear if any of the fake chips were actually used in any of those casinos.
“It is still unknown if the operation had any ties to organized crimes,” Shim said.”

Facebook post leads to arrest of alleged Macy’s shoplifter

PARAMUS – An alert security guard who spotted a Facebook user selling designer watches told police the man resembled a shoplifter who stole merchandise from Macy’s, authorities said Thursday.

The man, Alfredo “Freddy Vega,” 49, was arrested Wednesday and now faces shoplifting and other charges, according to Paramus Police Chief Kenneth R. Ehrenberg.

The theft of several Tommy Hilfiger watches occurred April 7 at the Westfield Garden State Plaza, Ehrenberg said in a statement.

“The security manager at Macy’s found an Internet posting that the stolen watches were being sold online by a male with a Facebook profile identified as ‘Freddy Vega,’” Ehrenberg said.

“The Facebook picture resembled the suspect in the theft,” the chief said.

Paramus Police Det. Mark sent out an all-points bulletin that included surveillance photos and the Facebook photo of Vega, Ehrenberg said.

After receiving the bulletin, Lt. Michael Cumiskey of the Bergen County Sheriff’s Office recognized Vega from previous times Vega had been jailed, Ehrenberg said.

“Based upon this information a warrant was issued for Mr. Vega,” Ehrenberg said.

About 6 p.m. on April 27, a suspect later identified as Vega shoplifted several pairs of men’s shoes from J. Crew in the Bergen Towne Center, police said.

The suspect ran from the scene before police arrived.

On May 3, Paramus Police Officer David Betancourt was flagged down by a security officer at Westfield Garden State Plaza. The security officer told Betancourt that a man who had shoplifted from Sunglasses Hut the day before was again at the mall.

Plane loaded with drugs makes emergency landing at Ohio University

Columbus OH April 1 2017 Pilot Sylvain Desjardins and passenger David Ayotte were the only two aboard the twin-engine turboprop that left Grand Bahama Island on Wednesday, bound for Windsor, Canada. But they were not alone.

About 2,400 miles to the west, in Riverside, California, the Piper Navajo was being watched, like many closing in on U.S. borders, especially from the Caribbean.

When the plane experienced mechanical problems and diverted from its flight path toward Athens, Ohio, the U.S. Customs and Border Protection Air and Marine Operations Center and other federal and local agencies went into action.

The Department of Homeland Security notified the Athens County sheriff’s office and OU police that the pilot planned to land at Gordon K. Bush Ohio University Airport. The airport is not a port of entry with a customs station. Officials told the locals to hold the plane for federal authorities.

Homeland Securities investigation agents and Customs and Border Protection agents based in Columbus hurried southeast to Athens. Homeland Security said a database search revealed that both men had prior drug convictions in Canada.

The plane landed about 2:30 p.m. and the pilot told OU police and Athens County deputies who met the plane that mechanical problems necessitated the emergency landing. The California center notified Desjardins that his plane was going to be searched. Desjardins consented to the search, according to an affidavit filed in federal court in Columbus.

Agents found more than 290 pounds of cocaine hidden aboard the plane’s tail section. The amount likely is the largest cocaine seizure in southern Ohio, said U.S. Attorney Benjamin Glassman in Columbus.

76 fake $100 bills discovered in Walmart store safe

DELTONA, Fla. – A Walmart employee in Volusia County was arrested Monday night after a fellow employee noticed counterfeit bills in the Deltona store’s safe over the weekend.

On Sunday, an employee noticed the fake bills in the safe’s $10,000 cash bundle were counterfeit and told a manager who took a closer look at the bills, officials said.

The 76 bills totaling $7,600 were blue in appearance, each having a different thickness, texture with “FOR MOTION PICTURE USE ONLY” printed on them, officials said.

Officials said the manager told them the bills were wrapped in a bundle marked “DO NOT USE.”

When a loss prevention officer went back to the safe on Monday to take another look at the counterfeit money, the bundle marked was still there, but the fake bills inside were missing, officials said.

After a review of the surveillance footage, officials said that Walmart employee Xiomara Matias-Cruz, 32, was on the footage.

Matias-Cruz, who worked in the cash office, went into the office on Monday at 6 a.m. to count and verify the money in the safe, which was a part of her normal shift duties.

“Then she found the white “DO NOT USE” package, opened it, made a phone call and appeared to take something from the bundle,” the release said.

Officials said she then left the store and drove off in her vehicle only 15 minutes into her work shift.

Further surveillance video review found that Matias-Cruz opened the safe in the cash office on Friday morning.
