BLACK HAT USA Conference. "How the feds caught the Russian mega-carder Roman Seleznev"

Original author: Norman Barbosa, Harold Chen
A year ago this topic was actively discussed on Geektimes:

Russian carder Roman Seleznev, the son of a deputy, sentenced to 27 years in prison in the US


Carder Roman Seleznev, the son of a deputy, said that since 2008 he had been working under the protection of the FSB.

In today's translation we present the details of how the feds caught the Russian mega-carder Roman Seleznev.

Good afternoon, my name is Norman Barbosa, I'm a prosecutor for computer crime investigations at the U.S. Attorney's Office in Seattle. My co-presenter is here, Harold Chen, a former prosecutor from the Washington DC Attorney General's Office, now at Google. He received a lot of money after we won this case, and now he is happy to be here with me.

I want to thank our friend here for lending me a laptop. Yesterday, when I came here, my computer began to "squeak" and immediately threw a critical error. I thought it could be "these" guys or the FSB. I'm not sure, but I know that many of you play the game "Spot the Fed." When we were dealing with the Seleznev case, among other things, we also played the game "find the FSB agent," so if you see him, let us know.



Our presentation is not meant to help you pick a password for your hacking empire, because that does not work anyway. It is simply a real opportunity for us, for the Justice Department, to talk in detail about how we investigate computer crimes so that our charges sound convincing to a jury. We must prove to the 12 jurors that this man was sitting at the computer, and present detailed evidence, which is why he was put on trial.

In this case we were forced to present all our evidence in far more detail than is usually made public. Then there are the cases that are resolved when the accused pleads guilty or simply does not appear in court.

We were very lucky to get this case: Harold, me and another prosecutor from my office, Seth Wilkinson. It was a long investigation, and we were involved in it from the very beginning; another assistant U.S. attorney, who retired before Roman was arrested, also worked on this matter. Her name was Katherine Worman; she was my mentor in management and was well versed in computer crimes. She worked on this case with agent David Dunn, who also left government service before Seleznev's arrest.

I am sure many of you have heard about him here this week; he is a wonderful investigator who returned to the service specifically to take part in the court hearings.
So, today I'm going to tell you about the progress of the investigation, and then Harold will talk about the evidence we obtained as a result of Roman's arrest, the difficulties in the trial caused by the results of the forensic examination and how we had to deal with them.

Here is a brief profile of Roman Seleznev: he was one of the largest credit card thieves in the world, was charged in three federal courts in different states, a Russian with real estate in Vladivostok and in Bali, Indonesia.



He had been involved in stealing bank card information from about 2005 until we were able to arrest him and bring him to court in 2014. From 2011 to 2014, we made several attempts to arrest him, which were unsuccessful.

The position of his father in the Russian government was of great importance, which the court could not ignore (Valery Seleznev is a State Duma deputy from the LDPR party). There was tension between our government and the Russian government after Roman was detained in the Maldives in 2014, which resulted in me and other participants being put on a Russian government blacklist and banned from entering Russia. Fortunately, this tension subsided, and I can again go to Moscow, where I studied Russian. But at that moment none of us could go there.

Thanks to his criminal scheme, Seleznev stole a lot of money, and he hoped to use it to defeat the prosecution. He had a well-funded "support team" that provided him with protection.

Seleznev ran his carding business under three different "nicknames": nCux, Track2 and 2Pac, corresponding to three periods of his hacking activity.



The first, nCux, he used on carder forums, where he had been selling stolen card data since 2002; then he started using the "nickname" Track2, and before his arrest he used the "nickname" 2Pac.

nCux was identified at the beginning of 2009, when he "appeared" on many carder forums. On this slide you see his message about the sale of cards: "Dear customers, don't miss your chance - all AMEX cards are $1 apiece, VISA, MC, DISCOVER - $5 apiece." The "great sale" was due to the fact that in May 2009 Roman announced that he was retiring and ceasing his hacking activity. His activity in this field had been monitored since 2002, when he started selling cards with full data, including name, password, date of birth and social security number. In 2005 he realized that stolen credit card data was in great demand and had real purchasing power, and ramped up his activity. Because of this he came to the attention of the Washington-based Cyber Intelligence Section (CIS) of the Secret Service. They began to monitor his activity on the Internet, realized that he was a "big player" and began trying to find out exactly who was hiding behind the "nickname" nCux. In fact, this "nickname" read in Russian means "crazy" - friends nicknamed Roman that for his "explosive" character.

During the surveillance from 2005 to 2009, the Secret Service CIS obtained a lot of information by "digging" through open Internet sources - good "old-fashioned" investigative work.



In May 2009, they and the FBI met in Moscow with the FSB and reached an agreement on the exchange of information; literally a month later, Seleznev disappeared from the Internet, destroying all the accounts known to the FBI. He posted this post in May and disappeared in June.

This was a setback for the Secret Service and made it rethink how to conduct an international investigation and exchange information in this particular case.



Naturally, Seleznev was not going to retire - he just changed his nickname, and during 2009-2012 he used the nicknames Track2 and Bulba. This slide shows a new post by Seleznev, who began to rebuild his empire on carder.su, the most authoritative carder resource, where Roman already had a reputation as a reliable seller. This is indicated by the note in the upper left part of the message under the "nickname". This told the Secret Service that this was not just some new hacker with a few stolen cards from his "stash"; he had weight and fame among the users of this resource. The site's administration even granted him a monopoly, throwing out Seleznev's smaller competitors who offered similar products.

CIS concluded that this really was a major player, immediately put him on their "radar" and in May 2010 began an investigation. Around the same time, David Dunn, a local agent in our district, took part in an operation in Coeur d'Alene, Idaho, at a restaurant of the well-known Schlotzsky's Deli fast food chain, concerning a leak of visitors' credit card data. He examined the computer equipment there and captured the RAM, where he unexpectedly discovered that the Schlotzsky's Deli computer was connected to a Russian IP address. David took note of this fact, and a few weeks or a month later a lot of stolen credit cards surfaced on the network, which they managed to trace back to the place of the data leak: the computer of the Schlotzsky's restaurant.

Detective Dunn examined the suspect's computer, seized at the restaurant, and found that the guy had been browsing two sites, Track2.name and Bulba.cc, and chatting with a person named Track2.



Track2 told him that his website Track2.name had been shut down, but the restaurant employee could sell card numbers on another website, Bulba.cc. The detective began to investigate both sites to find out whether one hacker was hiding behind these two nicknames. He examined the domain registrations and found the e-mail box from which the registration was made, and examined other mailboxes located in the USA that were also associated with these accounts. The Eastern District of Virginia supported the investigation of this case together with CIS, and in October 2010 they began obtaining warrants for the information. Detective Dunn waited for the information for several weeks, because this is not something that can be done overnight. In addition, some orders came back empty, as there were cases when e-mail providers refused to provide information.

And while he was waiting, on October 21, 2010, a second hack took place - this time at one of the oldest restaurants on Capitol Hill in Seattle, the Broadway Grill.



Detective Dunn arrived in Washington and, with a local detective, began to study the point-of-sale computers. They found that the computers were configured very poorly with regard to the security of customers' information: they stored 32 thousand bank card numbers in plain-text files. And this information went to the same IP address that had been used on the Schlotzsky's Deli computers in Idaho. Here the detective managed to get a little further, as he found that someone had placed malicious software on the Broadway Grill computers that redirected data to a malicious server whose address had been entered manually, and it was the same IP address as in the Schlotzsky's Deli case.
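The 32 thousand card numbers sitting in plain-text files are exactly what a periodic scan of a POS host's disk for card data would catch, and it is the kind of check PCI assessors and DLP tools run. The following is an added example, not code from the talk or from the investigation: a small Python scanner that finds Luhn-valid card numbers and full track 2 magnetic-stripe records in text and reports them masked, so the report itself does not become another plain-text copy. The sample log lines are constructed, and the card numbers in them are industry test numbers, not real cards.

```python
import re

# Card numbers written as 13-19 digits, optionally separated by single spaces
# or dashes, and not embedded in a longer digit run (order ids, timestamps).
PAN_RE = re.compile(r"(?<!\d)(\d(?:[ -]?\d){12,18})(?!\d)")
# Track 2 layout: start sentinel ';', PAN, '=' separator, YYMM expiry, then
# service code / discretionary data and an optional '?' end sentinel.
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})\d*\??")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod-10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first 6 and last 4 digits (the usual PCI-style masking)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str):
    """Return (line_number, kind, masked_pan) for every Luhn-valid card number
    found in plain text. kind is 'track2' for full magnetic-stripe track data
    (far more valuable to a carder than a bare number) and 'pan' otherwise."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for m in TRACK2_RE.finditer(line):
            pan = m.group(1)
            if luhn_ok(pan):
                seen.add(pan)
                findings.append((lineno, "track2", mask(pan)))
        for m in PAN_RE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group(1))
            if pan in seen or not luhn_ok(pan):
                continue
            seen.add(pan)
            findings.append((lineno, "pan", mask(pan)))
    return findings


# Constructed sample: what a badly configured POS application's debug log
# might look like. The card numbers are industry test numbers, not real cards.
SAMPLE_LOG = """\
2010-10-21 19:02:11 TXN 0001 auth ok ref=ABC123
2010-10-21 19:02:11 swipe ;4111111111111111=25121015432112345678?
2010-10-21 19:05:40 manual entry card 5500 0000 0000 0004 exp 12/25 amount 42.10
2010-10-21 19:07:03 order 1234567890123456 (order id, fails Luhn, not a card)
2010-10-21 19:09:55 callback phone +1 206 555 0100
"""

if __name__ == "__main__":
    for lineno, kind, pan in scan_text(SAMPLE_LOG):
        print(f"line {lineno}: {kind} {pan}")
```

Run against a directory of POS logs and spool files, a non-empty result is a finding in its own right: the Luhn check filters out most order numbers and phone numbers, and a track 2 hit means the application is persisting the full stripe, which the card brands forbid storing at all.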

Detective Dunn realized that he now had the opportunity to investigate the crime at home, so there was no longer any need to travel to Virginia or Idaho and proceedings could be initiated here in the Western District of Washington.

From here, things began to move quickly. Between November 2010 and February 2011, the detective found out who had registered the carding sites. He found Yahoo mailboxes that led to a HopOne server in McLean, Virginia. There he found that from the IP addresses of the "Schlotzsky's" computers, card numbers were being forwarded to a server in Russia.



While researching the Yahoo accounts, he found out who had bought the HopOne server in McLean. To do this, he obtained a court-authorized pen register on the server to record incoming and outgoing connections. This did not allow us to examine the content, but gave him the IP addresses of incoming and outgoing connections, some port numbers, and the amount of data transferred. In addition, he saw that this server was connected to hundreds of computers throughout the United States, many of which were installed in restaurants. When he started checking their IP addresses, he found that almost all of these computers connected to the HopOne server, and he found dozens of victims throughout the country who used points of sale in these restaurants.

The next slide shows evidence of malicious interference with computers that processed credit card payments at many restaurants and cafes.



It shows the IP addresses of the devices that this malware connected to and from which it sent card data to the same HopOne server.

Next is the infrastructure of this criminal scheme. There is nothing special here - it is an ordinary botnet that uses several tiers of data transfer.



Roman's computer is shown in the upper left. Detective Dunn discovered many hacking tools on the HopOne server, which allowed him to reconstruct Seleznev's scheme. The Russian hacker scanned victims' payment terminals for open RDP ports. As soon as he found one, he cracked it with a brute-force attack on the password and pumped the card data out to a server registered under the nicknames Shmak / Smaus with IP address 188.120.255.66, to the HopOne server with IP 66.36.240.69 and to a Ukrainian server with IP 188.95.159.20. From there, the data went to the carder sites of the sellers under the "nicknames" Track2 and Bulba.

On the left you see the Yahoo mailbox that was used to register the Shmak / Smaus server, on the right the Yahoo mailboxes for Track2 and Bulba. At the same time, the middle mailbox, associated with Track2, was also connected to the HopOne server. A study of the HopOne server led to the discovery of hundreds of files in which almost 400 thousand credit card numbers were stored. All of them were stored very conveniently for us, as they included the IP addresses of the victims. This allowed us to quickly identify all the victims and collect more evidence.

As for the e-mail addresses, they allowed us to identify Seleznev. He used one of the Yahoo addresses to receive various notifications. In the mailbox rubensamvelich@yahoo.com we found a letter about the successful registration of Roman Seleznev in the PayPal payment system on September 19, 2009. This was one of the strongest pieces of evidence against Roman that Detective Dunn discovered. The previous slide shows that the rubensamvelich account led to the sites selling stolen cards, so using this mailbox for the PayPal registration was Roman's biggest mistake.



He did not consider that American payment systems routinely keep copies of such user registration messages, which contain all of his identifying data. Here is his registration address in Vladivostok, which served to identify him during the passport check at the time of his arrest.

The second account we found, boookscafe@yahoo.com, was used by Roman for many years. This was another of Seleznev's mistakes, since he had been using this mailbox since 2006.


The boookscafe mailbox did not help in investigating the modern infrastructure of Seleznev's hacker network, but it helped establish his connection with the user known by the nickname nCux. We traced many things through it, including an order for a bouquet of flowers for his wife. A card was attached with the words "you are the most beautiful, but Eve is still more beautiful than you"! Eve is the name of his daughter, who was also listed in his passport, and this served as further evidence of identification during the arrest. We also found his order from a Russian online store, placed using this mailbox, with a home address in Vladivostok.
In the end, we found the most significant evidence on the HopOne server, where he kept all his hacking tools and the stolen credit card numbers. Seleznev used this server to book a ticket for an Indonesia-Singapore flight, and his personal data and Russian passport number were entered in the reservation form. The match between the data in this booking and the passport data served as further evidence at the time of his arrest. His second home was in Indonesia.



The Secret Service put all this evidence together and, with Detective Dunn, began to look for possible evidence of Seleznev's involvement in other carding frauds. The next slide shows evidence that all such cases are connected with each other in some way: carders have been working with each other for a long time and are linked by common interests.

This 2007 chat is from an investigation by the Eastern District of New York. If you remember, that investigation began back in 2002-2003. It concerned the Carder Planet hacker community and was very successful for the New York office. Mr. Carranza was one of those detained in that case, and on his computer a chat was found between him and a certain nCux 111, who gave him his real data - name, surname, home address in Vladivostok, two mailboxes, including boookscafe@yahoo.com. Carranza needed these data for a deal with Seleznev.



Having collected all this evidence, Detective Dunn and a representative of the prosecutor's office went to the grand jury in 2011 and obtained an indictment charging Seleznev, under his hacker nicknames, with computer crimes, bank card fraud, trafficking in unauthorized access devices and so on.



Unfortunately, shortly afterwards Roman, while in Morocco, was seriously injured in a cafe bombing in Mogadishu on April 28, 2011, during a terrorist attack. He and his wife were sitting on the 2nd floor of the restaurant, which was badly damaged by the bomb. He was taken to Moscow, where he spent several months in a coma and underwent several operations. Detective Dunn visited the bulba.cc website several times to check the activity of its administrator; however, the seller-administrator account was not used, there were only messages from users who knew that the boss had had an accident and wished him a speedy recovery. Finally, in January 2012, this stolen card store was closed.

Detective Dunn continued to study Roman's past and present movements around the world throughout 2011-2013, looking for evidence of his criminal activity and related notes. He found out that Seleznev often flew to his home in Indonesia via Korea, and arranged with the Korean authorities to obtain a warrant for Roman's arrest there, so that he could be sent to America from Korea. Unfortunately, direct flights from Russia were soon introduced and this opportunity was gone.

There was a mistake in Germany, when they almost detained a guy with a similar name and Interpol realized at the last moment that it was not him. There were attempts to detain him in Australia, if he used that country on his way to Indonesia, but none of these attempts were successful.

You may ask why we did not contact the Russian authorities directly and demand his extradition, but the fact is that Russia does not extradite its citizens to other countries. As we saw earlier, our hope for good-natured cooperation failed.

Meanwhile, Roman founded a new empire - the site 2pac.cc, which existed from 2013 until his arrest in 2014. There he positioned his site as a collection of the best sellers of stolen data in the world, promised round-the-clock customer support and daily updates of the assortment of a wide variety of bank cards. The largest amount of data was sold on this site, and it again fell onto the radar of the Secret Service CIS. Seleznev did not only sell his own malicious tools and the data of the cards he had stolen himself; he was so famous worldwide that the biggest hacker-carders, those behind the Home Depot, Neiman Marcus and Target breaches, approached him about reselling their cards. A whole crowd of hackers rushed to his forum, because he gave the best prices for their goods.

He lived luxuriously, vacationed in beautiful places, had excellent cars - the following slides show photos from his personal archive stored on his computer. He traveled to the Maldives, lived in Indonesia and in China, using the proceeds from his hacker empire. Now he has exchanged his luxurious apartment for a cell in a prison on the island of Guam.

Now I'll tell you how we finally managed to detain him - in the Maldives. I joined this case in early July 2014, when Katherine Worman invited me to assist in the proceedings, but at that time I did not know all the circumstances of the case. I got a call from Harold's office when I was in my car and was told: "We found Roman Seleznev in the Maldives!", to which I replied: "Where are these Maldives and who is Roman Seleznev?"

About 20 people from the State Department, the DOJ and the Secret Service were involved in this case, and our embassies in Moscow and Sri Lanka were in contact. It was a unique operation by the US Secret Service - two days of continuous monitoring, no extradition process and smooth interaction between many agencies.



A typical extradition takes from 6 months to 4 years, depending on the country we are dealing with. We learned about Seleznev's vacation in the Maldives on July 1, agents arrived there on July 3 and 5, and with the assistance of the local authorities detained Roman for 3 hours when he arrived at the airport at the end of his holiday. They immediately put him on a private plane, and 3 hours later he was already on the island of Guam. This operation is the finest example of cooperation between the US government and the Maldives.

Harold will now continue our talk and describe the progress of the trial.



We were lucky not only with the arrest, but also in that we obtained a lot of evidence that was with him - a laptop, an iPhone, his passport, travel documents. We were able to connect the data in them with the evidence collected over the years, find his letters on the servers, and establish an irrefutable connection with the nicknames nCux, Smaus, Ochko123. There was the same template he used in e-mails - the same usernames and passwords smaus, shmac, ochko. Guess what the password to his laptop was. Ochko123! I'll tell you why you should not use the word "ochko" as the password for your hacking empire - in Russian it means "hole in the ass" (butthole in English).



It was a big mistake to use the same technology and the same passwords when building the infrastructure of your hacker empire. About 1.7 million credit card numbers were found on his computer, and there is nothing more to say when there are more than 1.7 million stolen cards on your laptop during your vacation.

On his laptop we found web pages proving that he, like many in this room, was a marketer who tried to teach people how to use stolen card numbers. He created a whole manual explaining how to buy goods in a store using such numbers, although he did note that this was illegal. He wrote that you can buy an MSR 206 magnetic card encoder and re-encode your own cards to use them in stores, and taught how to write stolen data bought on his website onto plastic cards, etc. This is how he built his empire.

Do you know what else was on his laptop? PACER - public access to electronic court records, which lets a user look up cases in the US federal district, appellate and bankruptcy courts. Roman was cunning - before setting off to travel, he checked whether information about him or his "nicknames", including old aliases such as Bulba, appeared in any criminal case.

You may ask why, with so much irrefutable evidence, did he even agree to the trial, instead of immediately admitting his guilt and hoping for a mitigation of the sentence?

The fact is that Roman had 2 strategies of behavior in court. He hoped that his father would be able to capitalize on his political position and negotiate with influential people in the United States. They could think of nothing better than bribing the prosecutor, and openly discussed this in their telephone conversations. His father told him: "We can pay them all, and that's the end!" To which Roman replied: "That's what I'm talking about, offer them this." His father said: "Yes, I am studying this issue ... I think this is an option."



Later we learned that the size of the bribe reached 10 million dollars. I don't know who he took the people working on this case for, but no one would have given the money back to him.
Then there were calls from prison using code phrases such as "Uncle Andrey", "trip to the hospital", "magic potion", "fishing trip" and so on. It was probably a discussion of escape options, and Uncle Andrey meant someone able to get him out of prison. Here is a photo of Uncle Andrey on the slide, so if someone sees him here at the Black Hat conference, let them notify security.



His defense chose a well-known tactic: that someone framed Seleznev, whether the US government or another hacker. His lawyers said in court that someone, either a hacker or the government, had planted evidence on his laptop after agents took it at the airport. They stated that after the laptop was returned, the dates of several thousand files had been modified, and that this was confirmed by their expert examination. He had a Windows 8 laptop, a hybrid tablet computer that was never turned off and was constantly in standby.

In standby mode this OS really does carry out its housekeeping: it checks data and overwrites some information, so it is natural that the timestamps of system files changed. Therefore, we turned to computer forensics specialists, who conducted an exhaustive analysis of the data on the laptop and answered the key questions about network, user and system activity, that is, they determined who last used this laptop.



They examined such Windows "traces" as registry keys, the event log, the System Resource Usage Monitor, the USN journal and the volume shadow copies. The first question they addressed was about network connections. According to the records, the computer first connected to the network on Saturday, June 21 and disconnected from it on July 3, and the profile was called KANIFUSHI. "Kanifushi" was the name of the hotel where Seleznev stayed while relaxing in the Maldives. So a hacker who wanted to plant evidence against Roman on the computer there would have had to pay more than $20,000 to stay at this hotel. There was also a SIM card in this computer, which showed that the last connection had been to the network of the Russian mobile operator Megafon. Network activity logs also showed

So, a solid evidentiary base was presented at the trial. Next, we used the Windows security event records to track who the last user of this computer was, to prove that it could not have been controlled remotely via remote access software and that a physical user was working at it. And there we found the familiar login smaus, which meant that it was this person who used the computer last.
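Two points in the talk come down to reading the Windows Security event log: the RDP brute-force attacks on the restaurants' point-of-sale systems described earlier, and proving here who was last at the keyboard and that nobody was connected remotely. The block below is an added example, not the investigators' tooling or the talk's own code: it runs both checks over constructed event records that carry only the fields needed (time, event ID, logon type, account, source IP). Event IDs 4624/4625 and the logon type codes are the real Windows values; the sample records, the source IP (from the documentation range) and the "posclerk" account are invented, while "smaus" is the login mentioned in the talk.

```python
from collections import deque
from datetime import datetime, timedelta

# Windows Security log logon types relevant to "who was at the keyboard":
# 2 = console, 7 = unlock, 10 = RemoteInteractive (RDP), 11 = cached console logon.
# Types 3 (network), 4 (batch) and 5 (service) are not a person at the machine.
LOGON_TYPE = {2: "console", 7: "unlock", 10: "remote-interactive (RDP)", 11: "cached-console"}
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def _ts(ev):
    return datetime.strptime(ev["time"], TIME_FMT)


def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Sources whose failed RDP logons (event 4625, logon type 10) reach
    `threshold` within any `window`. Returns {source_ip: peak failure count}."""
    recent, peak = {}, {}
    for ev in sorted(events, key=_ts):
        if ev["id"] != 4625 or ev["logon_type"] != 10:
            continue
        q = recent.setdefault(ev["src"], deque())
        t = _ts(ev)
        q.append(t)
        while t - q[0] > window:            # drop failures older than the window
            q.popleft()
        peak[ev["src"]] = max(peak.get(ev["src"], 0), len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


def compromised_rdp_logons(events, threshold=5):
    """Successful RDP logons (4624, type 10) from a source that was flagged for
    brute forcing: the signal that a guessed password actually worked."""
    flagged = rdp_bruteforce_sources(events, threshold)
    return [(ev["src"], ev["user"], ev["time"]) for ev in sorted(events, key=_ts)
            if ev["id"] == 4624 and ev["logon_type"] == 10 and ev["src"] in flagged]


def interactive_logons(events):
    """(time, user, kind) for every successful logon by a person, oldest first."""
    return [(ev["time"], ev["user"], LOGON_TYPE[ev["logon_type"]])
            for ev in sorted(events, key=_ts)
            if ev["id"] == 4624 and ev["logon_type"] in LOGON_TYPE]


def last_interactive_user(events):
    """(user, kind) of the most recent interactive logon, or None."""
    sessions = interactive_logons(events)
    if not sessions:
        return None
    _, user, kind = sessions[-1]
    return user, kind


def has_remote_interactive(events):
    """True if any RDP session was ever opened on the machine."""
    return any(kind.startswith("remote") for _, _, kind in interactive_logons(events))


# Constructed sample 1: a POS back-office host being brute-forced over RDP
# (source IP from the documentation range, not a real attacker address).
POS_EVENTS = [
    {"time": f"2010-10-21 03:00:0{s}", "id": 4625, "logon_type": 10, "user": "administrator", "src": "198.51.100.7"}
    for s in range(1, 7)
] + [
    {"time": "2010-10-21 03:00:09", "id": 4624, "logon_type": 10, "user": "administrator", "src": "198.51.100.7"},
    {"time": "2010-10-21 08:30:00", "id": 4624, "logon_type": 2, "user": "posclerk", "src": "-"},
]

# Constructed sample 2: a laptop used only at the console by one account;
# the final SYSTEM service logon is the OS, not a person, and is ignored.
LAPTOP_EVENTS = [
    {"time": "2014-06-21 10:02:00", "id": 4624, "logon_type": 2, "user": "smaus", "src": "-"},
    {"time": "2014-06-25 22:40:11", "id": 4624, "logon_type": 7, "user": "smaus", "src": "-"},
    {"time": "2014-07-03 08:12:45", "id": 4624, "logon_type": 2, "user": "smaus", "src": "-"},
    {"time": "2014-07-03 09:00:00", "id": 4624, "logon_type": 5, "user": "SYSTEM", "src": "-"},
]

if __name__ == "__main__":
    print("brute-force sources:", rdp_bruteforce_sources(POS_EVENTS))
    print("successful logons from them:", compromised_rdp_logons(POS_EVENTS))
    print("laptop last user:", last_interactive_user(LAPTOP_EVENTS),
          "remote sessions:", has_remote_interactive(LAPTOP_EVENTS))
```

On a real machine the records would come from an export of the Security log (wevtutil or Get-WinEvent) mapped onto the same five fields. The threshold and window are the knobs worth tuning: six failures in a few seconds from one address is a password-guessing tool, and a type 10 success from that same address right afterwards is the moment a defender needs an alert, which is exactly the sequence the restaurants' RDP-exposed terminals went through.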



The System Resource Usage Monitor (SRUM) showed that the last program launched by the user was the Tor browser. Further on in this log there were records of the operating system's automatic activity, which proved that no one else had interfered with the computer.

We also examined hidden evidence such as deleted files and slack space in the hard drive's clusters, and archived records in the form of shadow copies. We extracted a whole shadow copy, which showed all the data present on the computer before Seleznev's arrest. We also used preserved evidence in the form of cell phone records stored in the "cloud", photos on the computer, his passport and so on. The evidence we presented proved convincing at the trial, which lasted 8 days. As a result, a federal judge convicted Seleznev on 38 counts and sentenced him to 27 years in prison.



And now I am ready to answer your questions.

Norman Barbosa answers the question:

- Indeed, we did not have an agreement with the Maldives authorities on the extradition of criminals; on their part it was not extradition, but expulsion from the country. We settled the legal side of this issue, and we were told that if we had a warrant for his arrest in hand, then when the Maldivian security service agents sent Seleznev out to Indonesia, we could indict him and arrest him.

Question:

- Were there any encrypted files on your computer that you had to decrypt?

Harold Chen's answer:

- No, he did not use any encryption at all.

Question:

- Have you learned any positive lessons from the fact that several operations to detain Roman were unsuccessful?

Harold Chen's answer:

- Yes, the security services are starting to work better and better, and if your equipment fails you or you make some mistakes, the security services will be able to track what the error led to and unleash the whole tangle.

Question:

- In your opinion, how difficult would it have been to convict Roman if you had not been able to obtain the password to his computer and collect all the evidence on it?

Norman Barbosa answers the question:

- I think that the evidence we collected would have been enough for the trial even before Seleznev's arrest. It might have taken more time, but we had very strong evidence of his guilt long before we managed to detain him.

Question:

- Was there a reason to wait after Seleznev’s wound in 2011 right up to 2014?

Answer:

- We simply did not have any opportunity to detain him before the circumstances were so successful for us, and we could only hope that he would appear in the country with which we had an agreement on the extradition of criminals.

Question:

- I met here in the USA with a well-known Russian lawyer who was offered to act as Seleznev’s lawyer and he refused, calling him a “stubborn idiot.” So, have your principles of cooperation with the FSB changed since then, and do you hope for interaction with them?

Answer:

- You know, I can’t discuss issues related to the political course of the government, I can only say that our experience has influenced the relationship strategy in such matters.

Question:

- Do you think that Seleznev was given a sufficient sentence?

Answer:

- As you know, based on the totality of the charges, the judge sentenced him to a 27-year prison term, which took into account a number of circumstances, including the amount of damage caused by Seleznev, which was estimated at 169 million dollars. And this was based solely on the card data found in his possession; many things could not be estimated exactly, for example, what damage the rest of his activities did. Another important circumstance for the judge was that Seleznev tried to deceive the court during the trial and persisted in his lies. There are many things that cannot be calculated from a manual; here you need to be guided by the meaning of life and its values. We had more than 400 victims, and most of them were not large financial corporations; these were ordinary moms and dads visiting cafes and restaurants with their children,

Question:

- Why didn’t you contact directly the authorities of Indonesia, where Seleznyov lived?

Answer:

- I can not comment on this decision, because such a decision was made within the department, and we were connected only at the stage of completion of the operation to seize Seleznev.

Question:

- How did you use Seleznev’s iPhone?

Answer:

- We served Apple with a warrant and they helped us gain access to the phone, but there was no significant evidence on it, mostly personal photos.

Question:

- How many banks did you have to interview during the investigation?

Answer:

- We had to deal with approximately 3,700 banks around the world.

Question:

- Can you say what was the topic of the meeting between our and Russian special services in 2009?

Answer:

- No, I can’t.

Question:

- How were the businesses punished whose security failures allowed customers' personal data to be stolen, by storing card data in plain text on POS terminals?

Answer:

- I do not think that they were brought to criminal responsibility, information in such an open form was available only in one restaurant, where 32,000 cards were stored, but they were probably seriously fined.

