Black Hat: Uncle Sam's lawyers have revealed the catalog of operational security mistakes that led to the cuffing of one of the world’s most prolific credit-card crooks.
Last year, Roman V Seleznev, 32, was found guilty of multiple counts of fraud and hacking by a jury in Washington, USA. He was later thrown in the cooler for 27 years. Seleznev – the son of ultra-nationalist Russian politician Valery Seleznev – also faces other charges.
This week, US Department of Justice prosecutors who worked on the case told the Black Hat security conference how the fraudster was brought down.
Seleznev first came to the American authorities’ attention in the early 2000s as a dabbler in identity theft using the screen name nCux – which sounds phonetically like the Russian word for psycho. By 2005 he had moved into the lucrative world of credit card theft.
By amassing online logs of his time on underground forums, the US Secret Service thought they had enough evidence that nCux was Seleznev and was working out of Vladivostok, Russia. They held a meeting with the Russian Federal Security Service to discuss the case and how to proceed.
Less than a month later, all activity by nCux stopped dead, and the name was never seen on forums again. The last forum post explained that nCux was going out of business permanently.
But shortly afterwards, another big-name credit card seller showed up on the Carder.SU criminal forum and the Feds immediately knew that something was up, because Track2 – who was supposed to be new to the site – had been marked by the admins as a trusted and verified credit card dealer.
Eventually the person set up the websites Track2.name and Bulba.cc, which were very similar in design. These started selling large numbers of credit card details and had user guides available telling people how to exploit them.
Around this time, a police computer specialist in Washington State was investigating a malware attack against a branch of the Schlotzsky's Deli chain. The store had been flagged up as having an unusually large number of credit card fraud cases, and the investigators found that sales terminals were infected with malware that was siphoning victims' personal information to Russia – in particular to the servers behind the Track2.name and Bulba.cc websites.
The investigator got a warrant to search the email accounts used to register the domains, and found lots of interesting evidence. One of the email accounts, hosted by Yahoo!, had been used to open a PayPal account for a man in Vladivostok and had also been used to order flowers for a woman identified as Seleznev’s wife.
The Yahoo! account was also used to purchase a server from HopOne Internet in McLean, Virginia. The Secret Service got a dialed number recorder (DNR) order against the server, which allowed them to monitor network connections to and from the device and told them which IP ports were used, but not the content of any communications.
The DNR order showed that the machine was contacting hundreds of computers in the US, almost all of them restaurants running very similar point-of-sale software. Investigators worked out that the server was scanning for misconfigured Remote Desktop Protocol (RDP) connections, pumping malware into vulnerable sales terminals, and then harvesting data back – presumably stealing credit card numbers of paying customers.
That breakthrough allowed law enforcement to get a warrant to search the server, where they found over 400,000 credit card numbers. They also found evidence that Seleznev had been using the server for his personal web browsing, leaving behind a trail of identifying documentation. For example, he had booked travel tickets that had his passport details on them, and there was evidence of numerous aliases that he was using online. That was enough to file an indictment against Seleznev in March 2011.
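The DNR order described above yielded connection metadata only (which hosts and ports, no content), yet that was enough to expose the scanning pattern. As an added illustration that is not from the article or the investigation, this sketch profiles one server from such records; the record layout, the `summarize` helper, the threshold and all addresses and timestamps are constructed assumptions.

```python
from collections import defaultdict

RDP_PORT = 3389  # default Remote Desktop Protocol port

def summarize(flows, server, min_targets=3):
    """Profile one server from (timestamp, src, dst, dst_port) records only."""
    first_probe = {}               # target -> time of first RDP contact
    probe_days = defaultdict(set)  # target -> distinct days with RDP contact
    for ts, src, dst, port in sorted(flows):
        if src == server and port == RDP_PORT:
            first_probe.setdefault(dst, ts)
            probe_days[dst].add(ts[:10])  # ISO date prefix, e.g. 2024-01-01
    # Assumption: a probed host that later opens a connection to the server
    # deserves a closer look, since data may be flowing back.
    called_back = {src for ts, src, dst, _ in flows
                   if dst == server and src in first_probe
                   and ts > first_probe[src]}
    return {
        "probed": set(first_probe),
        "revisited": {t for t, d in probe_days.items() if len(d) > 1},
        "called_back": called_back,
        "scanner_like": len(first_probe) >= min_targets,
    }

# Constructed sample records using documentation address ranges (RFC 5737).
SERVER = "198.51.100.10"
FLOWS = [
    ("2024-01-01T02:00:01", SERVER, "203.0.113.5", 3389),
    ("2024-01-01T02:00:02", SERVER, "203.0.113.6", 3389),
    ("2024-01-01T02:00:03", SERVER, "203.0.113.7", 3389),
    ("2024-01-01T02:00:04", SERVER, "203.0.113.8", 3389),
    ("2024-01-01T09:15:00", SERVER, "192.0.2.80", 443),    # ordinary web traffic
    ("2024-01-02T03:10:00", SERVER, "203.0.113.6", 3389),  # return visit
    ("2024-01-02T03:40:00", "203.0.113.6", SERVER, 80),    # probed host calls back
    ("2024-01-02T04:00:00", "192.0.2.99", SERVER, 22),     # never probed: ignored
]

if __name__ == "__main__":
    for key, value in summarize(FLOWS, SERVER).items():
        print(key, sorted(value) if isinstance(value, set) else value)
```

The same fan-out signal works from the victim side: a point-of-sale network that sees inbound RDP from an unfamiliar internet host, followed by outbound connections to it, matches this profile.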