DarkMarket: How Hackers Became the New Mafia
By Misha Glenny
About this ebook
The benefits of living in a digital, globalized society are enormous; so too are the dangers. The world has become a law enforcer’s nightmare and every criminal’s dream. We bank online; shop online; date, learn, work and live online. But have the institutions that keep us safe on the streets learned to protect us in the burgeoning digital world? Have we become complacent about our personal security—sharing our thoughts, beliefs and the details of our daily lives with anyone who might care to relieve us of them?
In this fascinating and compelling book, Misha Glenny, author of the international best seller McMafia, explores the three fundamental threats facing us in the twenty-first century: cybercrime, cyberwarfare and cyberindustrial espionage. Governments and the private sector are losing billions of dollars each year fighting an ever-morphing, often invisible and often supersmart new breed of criminal: the hacker.
Glenny has traveled and trawled the world. By exploring the rise and fall of the criminal website DarkMarket he has uncovered the most vivid, alarming and illuminating stories. Whether JiLsi or Matrix, Iceman, Master Splynter or Lord Cyric; whether Detective Sergeant Chris Dawson in Scunthorpe, England, or Agent Keith Mularski in Pittsburgh, Pennsylvania, Glenny has tracked down and interviewed all the players—the criminals, the geeks, the police, the security experts and the victims—and he places everyone and everything in a rich brew of politics, economics and history.
The result is simply unputdownable. DarkMarket is authoritative and completely engrossing. It’s a must-read for everyone who uses a computer: the essential crime book for our times.
Part I
1
AN INSPECTOR CALLS
Yorkshire, England, March 2008
The Reverend Andrew Arun John was in a minor state of shock one morning in early March 2008. Hard to blame him. Not only had he just survived the long journey from Delhi in cattle class, but it was two weeks before the opening of Heathrow’s new Terminal 5, and the world’s busiest international airport was exploring new standards in passenger misery. His flight had left India around three o’clock in the morning and, after negotiating passport control and the baggage mayhem, he still had to face a four-hour drive north to Yorkshire.
Switching on his mobile phone, Reverend John saw he had an inordinate number of missed calls from his wife. And before he’d had time to call back to ask her what the fuss was about, she was ringing again. She told him that the police had telephoned several times and were desperate to get in touch with him.
Taken aback and confused, the Reverend replied sharply to his wife, saying that she was talking nonsense – though he regretted his tone almost immediately.
His wife, happily, chose to ignore his grumpiness. Clearly and calmly, she explained that the police had wanted to alert him to the fact that somebody had broken into his bank account, that this was a matter of urgency and that he should ring the number she had for the officer in charge as soon as possible.
His wife’s call unsettled the Reverend still further and his weary brain went into overdrive. ‘Who has broken into my account?’ he wondered. ‘What account? My Barclays here?’ he speculated. ‘My Standard Bank account in South Africa? Or my ICICI one in India? Or maybe all three?’ Even more puzzling: what did she actually mean? ‘How have they broken into my account?’
Coming so soon after his exhausting flight, the whole affair made the Reverend anxious and edgy. ‘I’ll deal with this later when I get to Bradford and after I’ve rested,’ he muttered to himself.
Bradford is 200 miles north of Heathrow Airport. Sixty miles due east of the city lies Scunthorpe, where Detective Sergeant Chris Dawson’s small team was nervously awaiting the Reverend John’s phone call. The officer began to feel he was sinking in the quicksand of a case that he suspected was very big, and which presented him with one seemingly insuperable problem – he couldn’t get his head round it. The evidence gathered so far included hundreds of thousands of computer files, some of which were large enough to hold the complete works of Shakespeare 350 times over. Inside these documents lay a planetary library of numbers and messages in a language that was effectively indecipherable to all but a tiny elite around the world who are trained in the arcane terminology of cybercrime.
DS Dawson may have known nothing about that novel and particularly rarefied branch of criminal investigation, but he was a first-class homicide officer with many years of service behind him. He could detect among the endless lists and number strings an agglomeration of sensitive data, which should not be in the possession of a single individual.
Yet as police officers in many parts of the world were discovering in the first decade of the twenty-first century, it was one thing to stumble across an information trove like this. It was quite another attempting to link it to a specific crime.
If DS Dawson were to persuade a magistrate in the sleepy town of Scunthorpe on the Humber estuary to place his suspect on remand, then he needed to show crystal-clear evidence of a specific crime. Furthermore, there was always a fair chance that he would be presenting said evidence to a doddery old circuit judge who might have difficulty using a TV remote, let alone accessing email. Convincing wasn’t sufficient – the case had to be watertight and simple enough for anyone to understand.
Time was dribbling away. The suspect could only be held for three days and two of those had already passed. Among the files, figures, weblogs, chatlogs and who-knows-what-else, Dawson had only one tiny scrap of evidence.
He stared at the fifty words on a sheet of A4. These included an account number, 75377983; the date the account was opened, 24/02/2006, along with the account balance, £4,022.81. But there was also a name on it: Mr A A John; an email address: [email protected]; a physical address: 63 St Paul’s Road, Manningham, Bradford; a corporate sign-on ID and, crucially, a corporate sign-on password: 252931.
If he could just confirm the account holder’s identity, and if that man were to state that he had never knowingly divulged his password, then Dawson would probably be able to persuade the judge to send the accused for trial and refuse bail. And that might just buy enough time for the Detective Sergeant to comprehend exactly what he was dealing with.
When Dawson had tried to contact Mr A.A. John he had learned that he was a minister of the Church of England who was taking a group of underprivileged children on holiday around India. He was also told that he would not be contactable until his return from Delhi. The Reverend was scheduled to arrive a few hours before the suspect had to be released. If he failed to come through, then the quicksand of this case would swallow up the ocean of data upon which Dawson had stumbled. Along with the data, the suspect would doubtless fade back into the anonymity of his virtual alter ego.
It was Dawson’s misfortune that the Reverend John was sufficiently unsettled by the telephone conversation with his wife that he resolved to deal with the matter only once he had arrived in his parish, Manningham. Indeed, he had turned off his mobile phone and concentrated instead on his long drive from the airport.
So why was he so upset?
Short and compact, the Reverend John was by temperament a jovial man. Born on the edge of the Thar Desert in Rajasthan, his slightly hexagonal face was usually all sunshine, radiating from behind his professorial glasses. He was born into the minority-faith community of India’s Christians and joined the priesthood to work for the Anglican Church of India in Delhi for fifteen years.
But in 1996 he was approached by the Church of the Province of South Africa to take charge of a parish in the Indian township of Lenasia, three miles south of Soweto, during the transition from apartheid to multi-party rule.
It was a challenging move for anybody, as these were testing times for his new home. The joy that greeted the end of the racist regime was tempered by the knowledge of how deep the resentments ran that had accumulated over the previous 200 years. Outsiders like the Reverend John required sophisticated political and social skills to understand the meaning of those tensions and how he might help to reduce them.
His successful work in South Africa was noticed further up the Anglican Church’s hierarchy and, after eight years, the Bishop of Bradford in the English county of West Yorkshire urged him to consider an equally challenging post in Manningham, a residential district on the edge of Bradford city centre. The Reverend John was reluctant – England had always struck him as a rather gloomy place, with its miserable weather and urban sprawl.
Equally, he knew that Manningham was no bed of roses. Many Britons regarded Bradford, and Manningham in particular, as a symbol of their country’s failing attempts to integrate its many ethnic and confessional groups. More malignant types saw in Manningham an opportunity to ratchet up the mistrust between those communities.
In July 2001 this district exploded into brief but violent riots that reflected a deepening division between the city’s large Asian constituency and its white population. Even earlier, Manningham had experienced the phenomenon of white flight and, by the time the Reverend John arrived, three years after the riots, 75 per cent of the population were Muslims whose origins lay largely in the rural districts of north-eastern Pakistan. ‘The remaining twenty-five per cent are Christians, although only about five per cent of those are church-going. The white community here looks and feels like the minority it is,’ said the Reverend John. Although its climate, architecture and culture bore no resemblance to the townships of Jo’burg, in other ways Manningham felt uncannily like South Africa.
This was a hardship posting. When the clouds gathered or the snow fell, there was little that appealed in streets lined by sombre neo-Gothic buildings. Yet a little more than a century ago Manningham had been a most desirable area in which to live. This was during the period, now forgotten to the outside world, when Bradford was hailed as ‘the wool capital of the world’, acting as a mighty engine of Britain’s Industrial Revolution.
By the beginning of the twenty-first century, however, Manningham had been in a state of decay for many years. Employment and prosperity, once flourishing, had moved away long before. Drug abuse, domestic violence, property crime and prostitution had taken their place. The Reverend John cared for more people in his drop-in centre, all trying to escape the traps of poverty and criminality, than attended his church on Sundays.
With the ever-present threat that latent violence could break through the surface, the Reverend John’s work was on the front line of Britain’s class, cultural and social wars. Not easily scared, he maintained a readiness to chuckle in most circumstances. Given the challenges of his daily work, he wondered why the news of his compromised bank account unsettled him to such a degree. Above all, he wanted to talk to his sons, who understood about computer things. And then he decided that he needed to talk to the police quickly, to find out exactly what was going on. ‘Above all,’ he resolved, ‘I want this thing to be sorted out and put to bed as soon as possible.’
The Reverend’s nervous reaction is not uncommon. The psychological response on learning that one has become a victim of cybercrime is similar to that experienced on being burgled. Even though the act is confined to cyberspace, a world of accumulated tiny electronic impulses, it still feels like a physical violation. For if one’s bank account has been hacked into, what else might the thieves have discovered in the privacy of your computer?
Have they, perhaps, stolen your passport details, which some criminal or intelligence agent is now using as a fake travel document? Could they even, as you read this, be examining your emails, with confidential information about a colleague or employee? Might they have stumbled across some dangerously flirtatious emails or other indiscretion that you wrote or received? Is there any part of your life they could not explore, with access to your computer?
Now quite determined, the Reverend John called the police officer in the neighbouring county of Lincolnshire as soon as he arrived at the pleasant little cottage next to the imposing spire of his church in Manningham.
That this case should fall into the lap of Chris Dawson, a Scunthorpe-based policeman in early middle age, was especially unusual. Most cases of cybercrime in Britain are picked up by specialist units allied to three forces – the Metropolitan Police, the City of London Police and the Serious Organised Crime Agency (SOCA), also based in the capital. Untrained officers would mostly miss such cases because of their esoteric nature. But Dawson was unusual: he was an instinctive copper with a sharp eye. He also possessed a quiet charm, but was frank in a typical northern English fashion that contributed to his methodical and precise approach to policing. This attention to detail would serve him well in the coming months.
If Manningham was associated with ethnic tension and precipitous economic decline, nearby Scunthorpe (population 75,000), lying south of the Humber estuary, was more often regarded either as an English nowheresville or as the butt of jokes provoked both by its name and the perennially poor performances of its soccer team. (In fairness, one should add that at least it did not inherit its original Scandinavian name, Skumtorp, and until its relegation in May 2011 Scunthorpe United FC had been punching above its weight in the second tier of English football.) As far as one can establish, the town has never been cited in connection with large-scale organised criminal activity.
A mere four days before the Reverend John’s return from his charitable work in India, DS Dawson had been working happily at Scunthorpe’s central police station. He was watching the Command and Control log, a computer screen that relays information and crime reports phoned in by the public. The standard fare would include drunken fracas, the occasional domestic, and a kitten getting stuck up a tree. But on that Wednesday afternoon at 1.30 p.m. a message ran across the log that aroused the Detective Sergeant’s curiosity. It was very much out of the ordinary. He turned to his colleague and in his lilting Lincolnshire brogue said gently, ‘Come on then. We’d best go take a look. Seems like there’s something rather fishy going on at Grimley Smith.’
2
MIRANDA SPEAKS OF A BRAVE NEW WORLD
Grimley Smith Associates’ website displays a sepia photograph of their head office in Edwardian times when it functioned as one of Scunthorpe’s first ever car showrooms. Bizarrely the business proudly advertises the Belsize, an early symbol of vehicular chic in Britain whose manufacturer went into liquidation soon after the First World War. But this venerable antecedent and Grimley Smith’s Dickensian name deceive. For GSA, as it is also known, was established as recently as 1992 by a Mr Grimley and a Mr Smith.
The company offers far more complex technical services than the sale and repair of old jalopies. It specialises in chemical-engineering applications for the energy and pharmaceutical industries, and is recognised as one of Scunthorpe’s most successful young companies that now boasts a worldwide presence.
GSA’s two founders comprised the total original workforce, which has since expanded to include several dozen highly skilled engineers. Like all businesses where success drives expansion, GSA grew in an exciting but haphazard fashion. Its engineers would be contracted to mammoth projects in places as far apart as Iran, China and Venezuela. The specialist nature of their work and the zero room for error in their calculations required some powerful computer programs. In particular, they ran so-called CAD (Computer-Aided Design) software that offered intricate 2D and 3D simulation of projects.
By the middle of 2007 the company had reached a stage where it desperately needed to manage its computer infrastructure. Outsourcing its maintenance and security was proving an expensive option, and the company found the management of all its various cyber needs ever more taxing. The directors decided they would commission a fresh approach to the whole system.
In Darryl Leaning, an easygoing local lad, they found just the right person to take on the job. Apart from his technical competence, he was young, scrupulously honest, but perhaps most importantly his relaxed, friendly manner disguised an unusually sharp wit. For it is a little-appreciated fact that the very best computer managers are as talented in managing social and psychological expectations as they are in fixing widgets.
The minute he walked into the office for the first time, Darryl realised that Grimley Smith’s computers needed urgent attention. His overriding concern was that all staff members had ‘administrator rights’ at their workstations. They could install any program they wanted and use any online services they selected (except for pornographic material, which the previous IT regime had centrally blocked).
On a family computer, a single individual (usually a parent) will act as ‘administrator’. He or she can choose, for example, to limit electronically the amount of time other family members spend on the computer, or can restrict the type of website that the rest of the family is permitted to visit.
One of the most important ‘privileges’ that family PCs will confer upon the administrator concerns the installation of new software programs. In this way, parents can prevent children playing games that they consider unsuitable. But they may also exercise this privilege to stop software of dubious origin being downloaded, because the program could contain a virus or other malicious material that would leave the family’s entire digital world vulnerable to attack.
The same principles obtain in a business environment, except usually on a larger and more complicated scale. The first problem Darryl identified when he started work at Grimley Smith was the absence of a central administrator. It was insupportable in a modern business, he argued to the directors, that the staff could upload, download or install anything they desired.
He told them that central control was essential to prevent people from unwittingly allowing viruses to breach the network’s defences. He explained that the employees were, in all likelihood, entirely trustworthy – you don’t put anti-virus software on your system because you suspect your colleagues of wanting to infect it, because on the whole they don’t. The same applied, he continued, to the issue of software installation – and everything else, for that matter. The value of data in a highly specialised company like GSA is effectively incalculable. If it fell into the wrong hands, it might destroy the company.
Certain problems confronted Darryl in his crusade to purge Grimley Smith’s computer system of harmful vulnerabilities: those invisible digital holes through which worms, trojans and viruses could slip unnoticed. First, he understood that people resist surrendering privileges they already enjoy – and, apart from viewing writhing naked bodies, the GSA staff enjoyed a lot. For a young techie, Darryl demonstrated a firm grasp of the psychology associated with computer use. Somehow he had to wean staff off their local administrator rights. He decided the best way to do this was incrementally. He knew that people don’t like losing things they already have, but he further reasoned that equally they like receiving new toys.
So he used the next computer upgrade as an opportunity to introduce the first restrictions. Thrilled with their sparkly and ever more powerful new machines, the GSA employees were prepared to accept that they could no longer download their favourite games or pastimes whenever they chose.
Again demonstrating an innate grasp of psychology, Darryl avoided overtly draconian methods. Facebook was a problem. A lot of employees were draining resources, using the social networking site when they should have been working. But increasingly this was also what the security industry calls an attack ‘vector’, an instrument that virus-makers can hijack in order to spread their wares.
Darryl figured that banning Facebook altogether might lead to rebellion in the workplace, so instead he allowed access to the site between 12 and 2 p.m., when most people took their lunch. By setting the Facebook time himself, he was also able to increase his monitoring of malware and hacking attempts, to ensure that the site did not compromise company security.
Gently he introduced a system of relatively powerful central control, without alienating any of the computer users at Grimley Smith. At the heart of the new order was a complex program called Virtual Network Computing or VNC. This was Grimley Smith’s very own version of Big Brother. If Darryl identified any unusual or threatening behaviour on the network, he could release the VNC from its virtual hibernation to swoop down and investigate in detail what was happening on any of the dozens of computers he now managed.
One morning, when staff logged onto their computers, Darryl sent a message warning everyone from the Managing Director downwards that henceforth anyone might be subject to screening by the Computer Manager. Unbeknownst to most, Darryl’s newly installed VNC was humming away merrily in the background. If he received an alert that somebody had downloaded a virus or was trying to install some unrecognised software, the VNC would be activated.
The VNC is a mighty powerful tool. To some, its use will appear like a straightforward business practice, but in the global Internet, deployment of VNC software is fiercely contested. In much of continental Europe, governments and companies are strictly forbidden from accessing any information on their employees’ computers that is not related to work (and even that is not easy). The monitoring of emails is strictly illegal.
Crime detection and civil liberties have always been uneasy bedfellows, but their coexistence has become significantly more troubled since the spread of the Internet, and this will continue in the future. In Germany, if a police officer is tracking a suspect anonymously over the Internet, he or she is legally bound to identify themselves as belonging to law enforcement, if asked by an online interlocutor. This makes very difficult the practice widespread in Britain and the United States of officers posing as underage girls and boys in order to entrap paedophiles who appear to be grooming children online. The deployment of a VNC is politically charged and circumscribed by important data-protection laws. So Darryl Leaning had to handle his pet with great care.
One day in early February 2008 an alert that warned of suspect software flashed up on Darryl’s screen. Unauthorised Application: Messenger. Darryl’s systems were looking out for several different types of unauthorised application. The word ‘Messenger’ suggested that someone was trying to install or operate some form of communications package like Skype. Within minutes Darryl had traced its origin to one of the chemical engineers who represent the backbone of GSA’s business. Walking over to the workstation in question, Darryl decided simply to ask him outright whether he was running any new instant messenger on his machine.
‘And he turned to me quite cooly and said “No!” He flatly denied it. So I replied, “Oh, okay. That’s weird, though, because I just had a warning saying that this computer was running an unauthorised messenger application.”’
Darryl shrugged his shoulders. He wasn’t unduly surprised by the engineer’s reply, because security systems are sensitive devices and, by his own admission, he was running various scanning tools, which look like hacking devices to his own anti-malware software. In any event, Darryl figured, even if the engineer was running the program, he was probably just chatting to his mates in company time. Now at least he would realise that it was the wrong thing to do and that, if he did use it again, Darryl would be watching. So he just forgot about it.
Two weeks later, however, the same thing happened. This time, Darryl decided, he would wake the mighty VNC beast. Diving into the engineer’s computer, he started to search for the communications program – which he quickly identified as Miranda Instant Messaging. Many people now use instant messaging, which enables them to talk in real time to friends by sending a few words or sentences in little text boxes. In most cases Windows Instant Messenger (IM) can only talk to someone else who has the same software. Miranda’s advantage lies in the fact that you can communicate with a variety of different IM programs. It is especially beloved of some obsessional computer users.
Before unleashing the VNC, Darryl checked the engineer’s hard drive to see if he could spot anything peculiar, but the search proved fruitless. It was about 12.15, lunchtime. Just the time, Darryl thought, to run a little VNC session on his machine to ascertain once and for all whether this unauthorised program really was running on the engineer’s computer.
Miranda IM was as nothing compared to what Darryl saw when the VNC began to explore the secrets of the employee’s computer. The engineer had opened ten text documents at the same time and was scrolling through them at unnatural speed. Darryl was open-mouthed. Never had he come across anyone able to work with documents so quickly. All he could see as he watched the engineer’s screen was a blur of numbers, symbols and words. Slowly he realised that the engineer was copying parts of the document and then pasting them into a separate wordpad file.
He could not yet grasp what was happening, or from where all these documents were coming, but as far as he could establish, this did not resemble anything like company work. The name of the file into which he was pasting the text was confusing. It was called ‘Sierra Leone’. The engineer was indeed working on an oil-refinery project in Sierra Leone. Darryl breathed a sigh of relief – perhaps it was legitimate business after all. It was later on that it dawned on Darryl why the engineer had chosen this name. If anyone walked past his computer, he would just minimise the file and all they would see on the task bar was a tab named ‘Sierra Leone’: the very project he was working on.
It would have fooled Darryl, too, had the VNC not then spotted an unregistered drive – F: – which indicated that the engineer was using a portable disk of some type. Darryl sent the VNC into the mystery drive and ordered it to copy the tens of thousands of documents that he found