How to steal a million?

    0x00 Foreword

    As kids, we watched Hackers, Swordfish and the other Hollywood takes on the subject. Despite our young age, inspired by them, we hunted for anything we could find on hacking and phreaking. I still remember the CDs with collections of digests from various echo conferences. We learned to program, figured out how IP networks, operating systems and all sorts of hardware worked. Games of industrial espionage and the other delights of childhood. The dream of stealing a million, preferably in dollars, with the help of computers was firmly lodged in our heads. But ... childhood passes, school ends, then come attempts at a business of one's own, jobs at various telecom companies, and the desire to steal turned into the desire to build an honest high-tech business, which proved to be harder and therefore more interesting. However, no wonder they say


    0x01 Which IT guys live well, or how it all began.

    In our business, the best reputation is having none. (c)

    Back in 2008 there was a payment system (PS), not big but not small either, and it had an admin who knew a thing or two about information security, and programmers who wrote code not perfectly, but quickly. The PS management came up with the idea of introducing automated workstations (AWPs) from which accounts could be topped up. No sooner said than done. The AWP was written and delivered. The trouble was that the management, either in a rush or out of sheer naivety, forgot to change the passwords on the test accounts. And so, quietly, a new "business" was born for the admin: topping up anything at half price. It so happened that, after some nonsense in the IT department, layoffs began, and the admin fell under them too. Having quit, he didn't worry much; he kept topping up mobile and Internet accounts for himself and his friends. It was possible not to work and live fairly freely. A burner SIM card and a mobile modem kept him anonymous. Naturally this could not go on forever, and one fine spring day in 2009 the interface was shut off: either the password was changed or the IP range was blocked. But the admin was already used to getting money out of thin air with minimal risk. And he started thinking.

    0x02 Knowledge is power.

    "If you're scheming, scheme quietly. If you don't know the number, don't pick up the phone." (c)

    Since the administrator had built the entire infrastructure of the payment system himself, he naturally knew both its weak spots and the internal layout of the network. Getting inside took about two weeks. After getting onto the gateway, nc was quickly brought up with a forward to RemoteAdmin on the on-duty administrator's machine. And one dark night, at half past twelve, three blocks from the payment system's office, in a small cramped room, three people were hunched over a monitor. PgAdmin is open on the screen; to stay out of the sharp-eyed insert log, the SQL queries are typed by hand, recalling from memory the fields of the table responsible for posting payments. Nerves are shot, but the trio manages to push through a few rows. Then the mouse on the screen starts twitching: apparently on the other side they noticed that something not at all good was happening on the monitor =). And instead of calling Department K, the on-duty administrator could think of nothing better than to close RemoteAdmin, although he could in fact have seen where the "hackers" were coming from and traced them. The connection is dropped. You cannot step into the same river twice. The people behind the monitor smoke nervously. Calls from the PS to their mobiles add to the nerves. Apparently the PS had decided that only former employees could have done this. In general, they were not far from the truth.

    0x03 Freebie.

    "Here it's like at the market: you grab it, and it's good if the root is genuine." (c)

    A month and a half passed after that unlucky night. The idea of snatching a piece of the pie, however, sat firmly in the head of the payment system's former administrator, and all of this was discussed with certain personalities who might come up with something. Following long tradition, the discussions took place in kitchens over a certain amount of alcohol. And on one of those evenings, luck let itself be caught by the tail. There were two in the kitchen at the time. The third, a technician who serviced the payment system's terminals, had been invited to "have a beer", and came straight from work with the beer. And a work laptop. How long his laptop was in play, and what was being tested on it with the mobile modems, the story remains dead silent about. All that is known is that at one fine moment, when he stepped out for a smoke together with the host (aka the former admin) and left the cramped kitchenette, another shady character quickly found the folder with the terminal software and copied it onto a USB stick. The beer was finished, the technician left. The admin spent the whole following week getting hold of a CashCode bill acceptor, a thermal printer and an old computer to plug it all into. Once all of that was found, the assembly was switched on and connected. A pair of VDS servers in Belgium with logging completely disabled, for anonymity, paid for with WebMoney from the initial accounts, plus a VPN. Orders from acquaintances; at night, forwarding of the money while emulating terminals from different parts of the city; in the morning, handing out the PIN codes for activation. Then some acquaintances who were "in the know" began collecting orders and buying in bulk. It came to about 30-40 thousand a month, but even that began to seem too little, and then one friend suggested introducing him to the owner of an electronic money exchanger. The first order came to 150 thousand. Then more.
    Those were probably the most miserable days for the payment system, since everything was done through burner mobile modems with burner SIM cards and numbers that were used once and then thrown away. Along the way, a side business in trading burner SIM cards was mastered as well. Sales staff at nearly all the mobile operators happily ran through fake passport data for small rewards.

    0x04 Cache.

    "I stole a lot when I was little. But I never stole one candy, I stole the whole box. I also liked to break into people's houses and wander around them. I found it quite comfortable to be in someone's empty house." (c)

    It would seem the business was up and running; what more could one want? But the administrator's mind wanted to play big. The preparation matched the ambition. Fake notarized copies of passports for submission to WebMoney and Yandex.Money. The time at which the maximum amount could be pushed through was worked out. Having connected all the necessary devices to the computer, and having plugged a line from a well-known provider into it, armed with a 5000-ruble note, he began. First, breaking into the payment system's database once again, he switched off the restriction on manual payments, for which it was enough to change one Boolean field in the payment settings table; then, holding down the "shutter" of the bill acceptor, he began pushing money into several accounts. Having pushed through more than 1 million rubles, he turned everything off and went to bed.
    The dream had come true: on the accounts lay more than a million in virtual money, and the whole thing could be pulled off more than once.

    0x05 Instead of an epilogue.

    Even if they hand it to you, don't steal. (c)

    But the dreams of repeating the process were not destined to come true. At about 6 in the morning, officers of Department K entered the apartment. It turned out that the officers had been reading the payment system's logs like a bedtime novel for 3 months straight. Until then they had been unable to determine who was making these brazen raids, or from where. This time something went wrong. Either the SIM card refused to work, or the modem. And our hero went through his Belgian VPN tunnels directly from his home provider's line. Stupid? Probably yes. Having exposed his real IP for about 2 nights, an hour later Department K knew which address to visit. Then arrest. Pre-trial detention (SIZO). 9 long months waiting for the court's decision. Then a 4.5-year suspended sentence. One vague question remains: what if the "conditionally anonymous" channel had been used again? Would they have caught him at cash-out? Or did the forwarding through RBK Money do its job? :)

    PS: Answers to questions that are likely to appear after reading or during it:

    All the events described are real and took place in 2009.

    Well, I'll say right away that I am the author of the post, not the hero of this story; I simply had the chance to see all of this with my own eyes and know some of the details quite well. So I thought the Habr community might find it interesting.
