Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security United States Your Rights Online

Massive Online ID Fraud Ring Busted 353

Iphtashu Fitz writes "CNet News is reporting that the US Secret Service in conjunction with authorities in six foreign countries have arrested 28 people in the last 48 hours on charges of identity theft, computer fraud, credit card fraud and conspiracy. Dubbed Operation Firewall, the Secret Service identified a group of people who stole over 1.7 million credit card numbers as well as a passport-forging facility in Bulgaria. The investigation started in July 2003 when the Secret Service began investigating an unspecified financial crime. They identified the website Shadowcrew.com whose members traded tutorials and information about identity theft and forgery and exchanged sensitive personal and financial information. The Shadowcrew website has since undergone a makeover thanks to the Secret Service. A press release about the operation can also be found on their website."
This discussion has been archived. No new comments can be posted.

Massive Online ID Fraud Ring Busted

Comments Filter:
  • This is pretty big! (Score:3, Informative)

    by Seventh Magpie ( 826312 ) on Friday October 29, 2004 @03:46AM (#10661293)
    Hey this is the kind of case law enforcement needs. Take down the big boys. As much as some of you like to flame the USSS, you gotta give them credit for this one!
    • Wait (Score:2, Funny)

      by essreenim ( 647659 )
      Now where am I going to get my passports?

      oBet, oBkov, Vrat Vseki, zoV Gora, moDa, aDski, DZHob,

    • No way this is a scare tactic... Youi think they are hunting down all 4000 members? Bo they are trying to get they em ot lay low... which works in s situation like this... when someone goes down im sure that thy all go scattering like cochroaces.
      • Possbily, but since the USSS now seems to be in control of the shadowcrew website you can bet that they have all the server logs, posting histories, etc. from that site. By analyzing all that data they could very well identify other people to investigate. And if they managed to infiltrate this website then it means they can locate & infiltrate others.
    • by waterbear ( 190559 ) on Friday October 29, 2004 @05:01AM (#10661529)
      Absolutely this is the kind of case the law enforcers need to investigate and crack down on it hard.

      I'll wait with bated breath to see if they really did get the 'Mr Big's and can nail them.

      Unfortunately, it has occasionally turned out, with big organised crime operations, that the big guys really got away, and the criminal evidence against the others had crucial flaws, so that in the end, after years of delays and millions of taxpayers money in investigation costs and lawyers fees, even the smaller guys got off too.

      I really hope this isn't going to be another one of those. For the time being, we can hope that the cybercops have earned their credit here.

      -wb-
    • by Anonymous Coward
      USSS?

      United Soviet Socialist States? I didn't know Bush had gone that far just yet.

      oh, United States Secret Service. Still, you have to wonder about a secret government organization using 'SS' as its designation...
    • by Anonymous Coward
      I just sent a complaint email to the abuse team responsible for Net access at a particular USA educational institution that is now hosting, at time of writing, a fake eBay 'phish' site. Presumably, it's just a compromised system cracked by outsiders--if not, then somebody there at said institution has got some 'splaning [imdb.com] to do!

      The Feds may pay lip service to the spam email problem with Band-Aid [bandaid.com] approaches like the CAN-SPAM Act, [legalarchiver.org] but fvck with the USA money supply (via ID theft in this case) and they will ta
  • by mind21_98 ( 18647 ) on Friday October 29, 2004 @03:47AM (#10661298) Homepage Journal
    Identity theft can destroy people, literally. Not to mention the years it could take to clean up the damage. This is excellent, and hopefully more busts will follow. :)
    • by kentmartin ( 244833 ) * on Friday October 29, 2004 @04:28AM (#10661440) Homepage
      Identity theft can destroy people, literally.

      Identity theft, the worlds leading cause of spontaneous human combustion. Four out of five leading physicists agree.
    • Been There -- I've had to deal with identity theft. Trying to clean up the mess is like having a part time job. Your are victimized twice for each instance, once by the dirtbag who did it, and once by the "creditor". The collection agency will also try a number of illegal tactics also, don't give them any bank account information. These people need to get some real prison time, 10+ years, so the word gets out.
      • Identity theft should be a capital offense. Life sentences should be the minimum punishment.
        • by Proteus ( 1926 ) on Friday October 29, 2004 @09:28AM (#10662805) Homepage Journal
          Identity theft should be a capital offense. Life sentences should be the minimum punishment.
          Your so-called "Identity Theft" is actually something that's been around for a long time: fraud. In this case, financial fraud by impersonating another person.

          Fraud already carries some serious penalties -- the new wave of fraud has more to do with the difficulty of tracing someone who obtains personal information for the purposes of fraud using the Internet. We now have people capable of defrauding others from distant countries. I think we're much better off spending time and money on improving forensic abilities, requiring creditors and vendors accepting credit to implement better security measures, and educating consumers about how they can protect themselves.

          The punishment for identity fraud should be:
          • Restitution of funds gaind by fraud, by 200% (defraud me of $6000, pay me $12000 back)
          • Required to contact defrauded creditors, with a monitoring justice agent, and clear the accounts
          • Denied credit for a term of 20 years
          • For "grand" fraud (over $20000), some prison time
          • Fines constituting 20% of funds defrauded, the majority of which enforcment agencies can keep.


          Those might help agencies develop better security and forensics, which leads to more criminals being caught. When people are actually getting caught, then the penalties are actually effective deterrents.
  • by evenprime ( 324363 ) on Friday October 29, 2004 @03:48AM (#10661301) Homepage Journal
    The fed-version of their website is priceless. I especially like the music and the picture of hands reaching through the bars of a jail cell.
    • What makes that picture especially scary for the members when they visit it is that there is no computer in that jail cell. No computer for 10 years?!? That's worse than a death sentance to some of them!
    • Yeah, but some of it is scary --

      Proxies, VPNs, IP Spoofing, Encryption, etc....You Are No Longer Anonymous!!

      Yup, that's always good when it's the bad guys who're being affected, despite all this.

      But pray, what about the good citizens? Or maybe the argument goes that if I'm a good citizen, I've no business wanting all this?

      Hmmm....
    • by metlin ( 258108 ) * on Friday October 29, 2004 @04:02AM (#10661353) Journal
      LOL!

      From the source-code of the site --
      <meta http-equiv="Content-Language" content="en-us">
      <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
      <meta name="ProgId" content="FrontPage.Editor.Document">
      No wonder -- the word ShadowCrew does not render properly in Firefox =)

      Come on you guys at Secret Service!!! Use a good browser guys ;-)
    • Just what exactly is a Slashdotter doing using Internet Explorer?
    • But do you really think the secret service changed the website? Very unprofessional of them in that case... IMHO a more appropriate action would have been to just take it down.
      • by Seventh Magpie ( 826312 ) on Friday October 29, 2004 @04:15AM (#10661393)
        well lets think about this. 1) Take it down: 3972 members thinking "oh the site's just down temporarily" 2) Put up the cool USSS site: 3972 members scared for their lives so that they stop their illegal activities and turn themselves in to USSS. (Not to mention have a mental breakdown next time they see Mission Impossible!) Hmm..I think it's a damn good decision.
    • by balster neb ( 645686 ) on Friday October 29, 2004 @04:26AM (#10661433)
      The site seems to be slashdotted or something (doesn't load). Mirrordot to the rescue:
      http://www.mirrordot.com/stories/837e41d1433a26838 15e933bda4b46bd/index.html [mirrordot.com].

      And as for the background sound, the site uses the nonstandard bgsound tag, which will work in IE. It's the theme from Mission: Impossible.

      Classic stuff.
  • Yes, but... (Score:5, Funny)

    by IceFreak2000 ( 564869 ) <`ku.oc.yanetruocde' `ta' `de'> on Friday October 29, 2004 @03:51AM (#10661310) Homepage

    ... how long before the US Secret Service gets served a writ by the RIAA for damages related to the use of the Mission Impossible theme tune? ;)

    • Re:Yes, but... (Score:3, Insightful)

      by Viceice ( 462967 )
      I hope they do. Then the USSS will get pissed at em and raid them under Organised Crime charges. If the RIAA isn't an extortion racket, i don't know what is.

  • by Eudial ( 590661 ) on Friday October 29, 2004 @03:51AM (#10661312)
    Morons. If you want to conspire, wouldn't it be smart to do it somewhere with a wee bit less conspicuous name than shadow crew?
    • Never fear, I have it on good authority that the next US Secret Service targets are the massive online drug smuggling ring American Geneaology , another two identity theft conspiracies that go by the name Worcestor Collector's Society and The Royal Canon Assn then finally what will be their biggest bust yet, child pornographers at Teapot Cosy Appreciators of Georgia .
  • by upside ( 574799 ) on Friday October 29, 2004 @03:52AM (#10661315) Journal
    "...a group of people who stole ... a passport-forging facility in Bulgaria."

    Sorry, just had to nitpick. ;)
    • Glad I'm not the only one who spotted that. It's also interesting to note that according to the summary, the USSS has been renamed:
      Dubbed Operation Firewall, the Secret Service...
  • On the site: Proxies, VPNs, IP Spoofing, Encryption, etc....You Are No Longer Anonymous!!

    Well, aren't we glad? There's the proof that lifting anonimity is only for your own good </sarcasm>
  • Hey, attrition, did you make a note on that?
  • by marc252 ( 658303 ) on Friday October 29, 2004 @03:54AM (#10661324) Homepage
    I like the phrase:
    "CONTACT YOUR LOCAL UNITED STATES SECRET SERVICE FIELD OFFICE....BEFORE WE CONTACT YOU!!"
    Yeah! like I know where the local offices are :-) Aren't they supposed to be secret?
    Is it like a franchise? You get macdonalds and right next to it "your local us secret service office"!
    Great!
  • by account_deleted ( 4530225 ) on Friday October 29, 2004 @03:54AM (#10661326)
    Comment removed based on user account deletion
  • Too funny... (Score:3, Interesting)

    by Omniscientist ( 806841 ) <matt@badech[ ]om ['o.c' in gap]> on Friday October 29, 2004 @03:54AM (#10661328) Homepage
    I am no friend of identity theft, and I'm glad to see this happen.

    I find the website hilarious, especially the bottom line:

    "RECENT NEWS REPORTS SHOULD INFORM YOU THAT THE SECRET SERVICE IS INVESTIGATING YOUR CRIMINAL ACTIVITY. CONTACT YOUR LOCAL UNITED STATES SECRET SERVICE FIELD OFFICE....BEFORE WE CONTACT YOU!!"

    That is a hilarious signature they have left, but this seems so funny that I'm actually surpised that the Secret Service is having this much of a ball on the website, not something I expect, but like to see!

  • by Dancin_Santa ( 265275 ) <DancinSanta@gmail.com> on Friday October 29, 2004 @03:55AM (#10661329) Journal
    What I would really like, more than the arrest of identity thieves, is the entire identification system become more immune to this kind of theft. By simply eliminating the suspects, the actual threats posed by them have only been reduced in number, not in level of threat. All those identity insecurities still exist in the system waiting to be taken advantage of the next time some palooka decides it's worth it to skim off a few credit card numbers.

    I surely don't have the solution to fix the identity theft problem. In fact, I would leave it to my colleagues here at Slashdot who are much more knowledgable about security issues than I am to hammer out the fine details of a more secure system.

    As we become more dependent upon our identification numbers, credit card numbers, social security numbers, and every other number which identifies and tracks us, we open ourselves up to this kind of identity theft threat. The solution is not simply to lock up the perpetrators, it must be a technical solution which makes it difficult or impossible to steal an identity.
    • First of all, no system is 100% secure. There is no system that can't be hacked by people determined enough hack it, and exploited by those determined enough to exploit it.

      Second, the system you're proposing sounds overly draconian, and would raise a lot of flags with a lot of the slashdot crowd, the EFF, and liberals everywhere. Things like implanted RFID chips, finger print/retinal scan identification built in to your computer, hardware based ID chips. All a step up in security, and all circu

    • The trouble is that if you want your identity to be provably you, then you also have all the issues concerning privacy.

      See, even if you had a identity card, with a private key on it, issued by the government after you've proven who you are (the tax man definitely knows who you are :) ), and all your online dealings were logged with this key, (so that, to steal your identity, you'd have to steal the key and the passphrase used to activate it, and several biometric checks, etc), then everything you did onlin
    • by LoadWB ( 592248 ) * on Friday October 29, 2004 @05:33AM (#10661627) Journal
      Something which really irks me is how many of my accounts require that I provide my SSAN over the phone as proof of my identity. My SSAN appears on countless documents throughout my life, most of which have passed through insecure hands, and some probably misplaced or lost so others can read them. Primarily this includes my military medical documentation (as my sponsor, my father's information is more prominent on these, though my SSAN is used in documents from my early 20's,) and my college documentation.

      I deal with a number of companies which use my SSAN as the "key" to my account, some which (supposedly) supplant it with a passphrase -- though a representative of one company told me that if I couldn't remember my passphrase she would accept my SSAN! This completely goes against my reason for having a passphrase on the account in the first place! I will not go into detail about with which companies I have accounts covered by this policity, but suffice to say that just about every service I am provided suffers in this way.

      Like the parent, I cannot myself come up with a feasible system for replacement. I even had one company rep ask me what I would prefer to use, I answered "I don't care, just not my [SSAN]." Not necessarily true, since some companies ask for information which can be read directly off a stolen or misdirected envelope.

      None-the-less, the current system IS broken and IS too easy to subvert. I find that too many entities look to the end user for solutions to their problems, as illustrated by the above question posed to me. I am sorry, but it is not the customer's responsibility to provide a fix to a company's broken procedures; the company itself should invest whatever it takes to ensure its customer/client safety, regardless of the cost.

      Personally, I would opt to pay more for a service which made it more difficult to access my account information. If more companies provided a service like this, eventually it would become the norm and the price of such secure service would settle back down due to competition.

      I do feel the need to address something I provided in my introduction: college documentation. Something as simple as classroom roll sheets is a problem. In more than one class I have attended a sheet of paper was passed around the class (proof of attendance, clarification of class enrollment, or whatever) on which a student was to print his or her name, SSAN, and then sign. Need I say more? Put all of these elements together and think about our personal security. Even I wrote my SSAN on such documents until later in my college life when I thought better of this practice. Only once did my refusal cause a problem, and I ultimately won the argument in front of college administration.
    • it must be a technical solution which makes it difficult or impossible to steal an identity.

      The solution is low tech. It's when your grandparents knew their grandparents.
    • I've said it before [slashdot.org].

      ID theft is only a problem because we place so much importance on our identities. One person can get a home loan. The other can't. One persan can get health insurance. The other can't.

      The simple example is insurance. Insurance rates should not depend on the individual. The whole point of insurance is to spread the risk and cost of rare catastrophic events. Each should pay an equal share. When you get a system like today which is so perfect as to analyse each person's risk and ch
  • by dbCooper0 ( 398528 ) <dbc@@@triton...net> on Friday October 29, 2004 @03:55AM (#10661331) Journal
    I clicked on the link...twice even...now I'm earmarked for Federal Investigation, like I need that in my humble, growing-something-in-the-basement life I try to live.

    Shame on you, Slashdot!.

    My life is in despair because of you!

  • by alanw ( 1822 ) * <alan@wylie.me.uk> on Friday October 29, 2004 @03:56AM (#10661333) Homepage
    Shadowcrew has its very own entry in the Snopes [snopes.com] Urban legends page, after being the subject of "Joe-Job" [wikipedia.org] e-mails claiming that "your credit card has been charged $149.95 for child pornography"

    One can only wonder who was responsible. A rival group of fraudsters perhaps, or someone trying to bring them into further disrepute?

  • The Music (Score:2, Funny)

    by LordHatrus ( 763508 )
    ... makes me want to commit some crimes of my own lol *hangs over desk, typing this message*
  • Gov't HTML (Score:5, Funny)

    by nadaou ( 535365 ) on Friday October 29, 2004 @04:02AM (#10661350) Homepage
    The Secret Service has not yet learnt how to decode the untold mysteries of the <BR> apparently.

  • by koi88 ( 640490 )

    Secret Service can't afford a web designer?
    "GENERATOR" content="Microsoft FrontPage 5.0"

    I consider the design of this website also a crime.
    I'll send in Homeland Security. They seem to have nothing to do now, anyway (see previous story on slashdot).
  • Slashdotted! (Score:3, Insightful)

    by z1d0v ( 789072 ) on Friday October 29, 2004 @04:05AM (#10661364)
    How long will the will they take to check on all Slashdotters that clicked on the link? I think we just made their job just grew up a bit! :)
  • by bani ( 467531 ) on Friday October 29, 2004 @04:05AM (#10661366)
    now watch the RIAA prosecute the secret service under the DMCA for illegally distributing copyrighted music through a website operated by the secret service...
  • by yo303 ( 558777 ) on Friday October 29, 2004 @04:09AM (#10661372)
    During the course of the investigation, computer underground criminal groups were identified as Shadowcrew, Carderplanet and Darkprofits.
    I must remember to make my criminal activity website a little more innocent-sounding the next time.

    Darkprofits and Shadowcrew.com? Come on.... they should have gone with shinyfunplace.com or fluffylegitimateactivity.com...

    What do you expect to happen if you run imgoingtokillthepresident.com? Happy fun time?

    yo.

    • Comment removed based on user account deletion
    • Re:Note to self (Score:2, Informative)

      by Celvin ( 601177 )
      What do you expect to happen if you run imgoingtokillthepresident.com?

      Well, actually the Norwegian rap-group "Gatas Parlament" [gatasp.no] (The parliament of the streets) recently put up this [killhim.nu] page. It's in norwegian, but I really don't think anyone needs a translation.

      I doubt these guys will ever be going to the US...

      (For the reccord: I don't think this is a good joke)
  • Topics like "How To Replace a Photo on a Passport".

    I bet 'thebestofbc' will be happy to know the Secret Service can get his info from the Shadowcrew server after he's made a post like

    "...on the old canada PP, we used to cut out the pic, lam and all, replace the pic with a new one, then a thin overlam over the whole thing. looked pretty good, but this would not work with any of the new PP's."
  • We'd all take the Secret Service a lot more seriously if they updated their name. Back in 1865 [secretservice.gov] it may have been way cool to call your treasury cops a "secret service", but now it alternates between quaintness [du.edu] and confusion [fact-index.com] Since they're now part of DHS [dhs.gov], how about "Homeland Enforcement"? Make a great TV show [xmission.com]!
  • Does it strike anyone else as worrying that these people are dim enough to use a computer security related codeword to label a computer security related investigation?

    They probably have Password as their password too.

  • by Frogbert ( 589961 ) <frogbert@gma[ ]com ['il.' in gap]> on Friday October 29, 2004 @04:25AM (#10661426)
    the Secret Service identified a group of people who stole over 1.7 million credit card numbers as well as a passport-forging facility in Bulgaria.

    They stole an entire facility? I'm not even mad, I'm impressed. wow.
  • by Foresto ( 127767 ) on Friday October 29, 2004 @04:43AM (#10661479) Homepage
    I think the site is now slashdotted, but the wayback machine reveals [archive.org] a bit [archive.org] of what it used to look like.
  • by will_die ( 586523 ) on Friday October 29, 2004 @04:43AM (#10661480) Homepage
    The title of this should be Department of Homeland Security busts computer users.
    Then the 90% of the messages will consist of what is homeland security doing busting innocent computer users and how President Bush had a direct involvment.

  • By going undercover on the Shadowcrew.com Web site, investigators were able to find out which of the site's 4,000 members were actively taking part in criminal conduct, according to a Secret Service statement. The investigation led to two other Web sites--Cardplanet and Darkprofits--that the Secret Service alleges are the online portals to other financial-crimes organizations.
    You'd think by now these underground websites would learn that you can't just let anyone in to your trusted network. I've actually
  • I know I'd end up stealing the identity of Dwayne Dibley.
  • Boss: Agent Jones, I have a special assignment for you
    AJ: Sir! Yes Sir!
    Boss: I want you to go deep undercover, join this identity theft organisation and bring them to justice.
    AJ: Sir! Yes Sir!

    .. months later ..

    Boss: Agent Jones.
    AJ: what. I'm busy, just one more compile, k.
    Boss: Well done Agent Jones, the thieves are locked up and the world's a safer place.
    AJ: yo! right on! My l33t undercover hax0r sk1lls roxs!
    Boss: hmm. Let me have your mission report.
    AJ: yeah yeah, mission documentation is for

  • that there needs to be a huge increase in ways to combat identify theft, ways to make it more difficult to steal identies of people. realistically there is no bulletproof way but the more difficult it gets the better it is as less people will have the means to commit the crime and less people would hopefully be affected.
  • by SamMichaels ( 213605 ) on Friday October 29, 2004 @07:01AM (#10661844)
    I was recently brought on to an e-commerce project...day 1 was stopping the fraudulent orders being sent to Malaysia or to the drop sites in the US. All it takes is a 30 second call to the card company to get the issuing bank's number...99% of the bad cards were verified as stolen from the bank. One card wasn't reported as stolen yet...yay for me.

    If Paypal, IIS, etc can figure out key encryption, why can't we?

    1) Credit card company creates keys and issues it to the customer...the card number is replaced by a number identifying the key.
    2) Payment request certificates are sent to the customer who either signs it or doesn't sign it.
    3) Transactions are encrypted using keys....you, your bank, the merchant and the card company can decrypt the info, no one else.

    Didn't I just describe SSL/GPG? Oh wait..I did.

    It boils down to this: if you can't handle the technology (aka keep spyware off your machine, keep it updated, and keep your card number safe), DON'T USE THE TECHNOLOGY. Write a check...but of course, that's digitized now thanks to Check 21 [federalreserve.gov]...that old technology will be deprecated very soon in favor of direct debit.
  • by BenEnglishAtHome ( 449670 ) on Friday October 29, 2004 @07:34AM (#10661995)

    Shadowcrew. I knew I recognized that name.

    These guys did some weird stuff. For example, they spammed our internal email addresses at the IRS with offers to host child porn sites. For example, here's one of the emails they sent to an IRS employee, namely me.

    From: ipadmin@eng.xo.com

    [mailto:ipadmin@eng.xo.com]

    Sent: Saturday, January 24, 2004 4:48 AM

    To: b*******.b.o****@irs.gov

    Subject: Need to host child porn, illegal content, Spam advert site

    Need to host child porn, illegal content, Spam advert site? Try www.hopone.net you will be able to host anything you desire.

    You can get fresh stolen dumps here:

    http://www.shadowcrew.com/phpBB2/viewtopic.php?t =636

    Credit cards with cvv2 information are available here:

    http://www.shadowcrew.com/phpBB2/viewtopic.php?t =409

    Our site will be usefull for the those who want to wash their money also :) (If you don't want to pay taxes or you need to buy something illegal like weapons or drugs).

    Fresh paypal accounts here:

    http://www.shadowcrew.com/phpBB2/viewtopic.php?t =553

    Only using our site you can get every detail of any US citizen including SSN number:

    http://www.shadowcrew.com/phpBB2/viewtopic.php?t =701

    Fresh eBay accounts for a low price available as well:

    http://www.shadowcrew.com/phpBB2/viewtopic.php?t =290

    You can order by phone: : +1-703-547-2000.

    Best regards, www.shadowcrew.com

    But here's where I run out of expertise in how these things work. What on earth were they hoping to accomplish by sending out these spams? Are people actually dumb enough to dial up a phone number sent to them in spam and say "I'd like to host a child porn site. Please set it up for me. Here's my credit card info."?

    Or is that phone number one of those things that charges you outrageous sums just for calling it? I wouldn't know; I certainly didn't ring 'em up out of curiosity.

    These shadowcrew folks just strike me as weird. I wish I understood their "business model." OTOH, I'm just glad I won't be getting any more emails from them that I have to forward to our investigators.

Adding features does not necessarily increase functionality -- it just makes the manuals thicker.

Working...