ICS Knowledge Base
A Breach a Month – Or More
MARCH 7, 2007 | If your company has suffered fewer than three breaches of sensitive data in the last year, congratulations -- you are in the top 10 percent of security organizations in the U.S.
That's the conclusion of a new study that will be unveiled tomorrow by the IT Policy Compliance Group, a consortium of security organizations backed by Symantec. The study, conducted between August and October of last year, surveyed 201 companies of varying sizes about their experiences with data breaches, and their practices for preventing them.
The study found that the vast majority of companies -- about 70 percent -- had suffered between three and 22 breaches of sensitive data in the past year. A whopping 20 percent have experienced 22 or more. "Breach" was defined as unauthorized access of data, which includes loss, theft, and inadvertent viewing.
"What this says is that most companies haven't put all the pieces together yet," says Jim Hurley, managing director of the IT Policy Compliance Group and a former analyst at Aberdeen Group. "A lot of them are attacking the problem from one perspective and missing out on others."
So what's the difference between the top tenth percentile, which were hit by three or fewer breaches, and the other 90 percent of the survey base? Some of the answers may surprise you.
For one thing, there's a difference in the way organizations define their "sensitive data." The least successful organizations define it narrowly as financial and critical business information. The most successful organizations include IT security data and IT compliance data in their "sensitive" lists, according to the study.
"What we found throughout the study was that the organizations that did the best were the ones that paid the most attention to security data, compliance data, and security controls and policies," Hurley says. For example, the most successful organizations are those that not only have gained regulatory compliance, but who monitor and check that compliance as frequently as once a week, he says.
"What we saw is that there is a real benefit to establishing strong controls and policies and maintaining them," Hurley says. "If you think you can protect your data by just encrypting everything, you're mistaken."
How do the breaches occur? The top three causes are user error, violations of the corporate security policy, and Internet hacks and attacks, the study says. "But it was interesting, because we found a whole range of other causes that are less frequent, but still have an impact," Hurley says. "Most companies focus mostly on just the top three." Employee malfeasance, insufficient auditing, and insufficient controls are among the areas that many companies overlook, he says.
The origins of data breaches were no great surprise. The most frequently cited losses emanated from PCs, laptops, and mobile devices, followed by leakage via email or instant messaging. Many companies also reported breaches through applications and databases, the report says.
The ITPCG also offered a preview of data it will be releasing in its next study, which focuses on the financial impact of publicly disclosed data breaches. According to that study, companies that suffer a public breach lose an average of 8 percent of their customer base, and show a corresponding decline in revenue. In addition, those companies incur costs of approximately $100 per lost record due to the time and effort required to notify customers of the breach and restore customer data, Hurley says.
Aside from focusing greater attention on policies and controls -- such as monitoring security and usage logs -- companies should take steps to reduce human errors, the report advises.
"It's more than just user training, it's making users accountable for their actions," Hurley says. One company Hurley interviewed has instituted a compensation plan that depends, in part, on maintaining security, he reports. "If there's a breach, the employees don't get their commissions," he says. "I think a lot of companies would be surprised at how much they could improve security with the right carrots and sticks."
An executive summary of the report can be found here. Users must register with the ITPCG to get a full copy of the 32-page study.
— Tim Wilson, Site Editor, Dark Reading
Kaspersky Report: Targeted Trojans Will Plague 2007
By Sharon Gaudin, InformationWeek
The Trojan's takeover of the malware world will extend well into 2007, as widespread worm epidemics continue to be replaced by targeted attacks on specific companies.
And the fate of Microsoft's new Vista operating system -- how widely it's adopted this year and how well hackers do probing its coding -- largely will determine the security landscape for this year.
These are just a few of the many findings from the Kaspersky Lab reports, which document last year's battle with worms, viruses, Trojans and spam, while also looking ahead to gauge what the coming security storm will entail for 2007. Last year's story, the rise of the targeted Trojan attack, also will be a large part of the story for this year, according to Shane Coursen, a senior technical consultant with Kaspersky, a security company based in Woburn, Mass.
"Absolutely. Yes, we'll be seeing a lot more of the Trojan," says Coursen. "There will be nothing like Slammer or Code Red for quite some time. It'll be all about the Trojan. They're easy to put together and then recompile at a moment's notice to produce a new type of executable. Or they can be repackaged to look different to scanners and make the anti-virus [programs'] job a bit more difficult."
A few years ago, major worldwide worm attacks, like the one caused by Mytob, were what IT managers had to worry about. Worms swept through the wild, infecting millions of computers and costing companies billions in cleanup. The threat has changed, though. Today, managers' worries are turning to pinpoint attacks. Just a few weeks ago, hackers used a zero-day flaw in Microsoft Word to launch targeted attacks against a specific company. Hackers used the then-unknown vulnerability to launch an attack against two employees at the same company earlier this month. The Trojan not only focused in on one company but also specifically targeted the two victims by what they do there.
IT managers need to be on the lookout for that kind of attack, Coursen says. "The last year hasn't been a year of innovation," he adds. "It's been more about putting together many different technologies or approaches. Malicious hackers are not resting. They are constantly on the move, looking for more and more ways to steal our information and our money."
If nothing else, 2006 turned out to be a busy year for malware writers -- and those fending them off. The Kaspersky report notes that the total number of malicious programs was up 41% from 2005. Last year saw the growth of Trojans in particular jump 46% from the previous year. That only seems like a big leap until you compare it to the 124% increase from 2004 to 2005, according to Kaspersky. Don't think, though, that this means Trojan writers are taking a hiatus. Kaspersky's analysts say there are thousands of new Trojans coming out every month.
What will they be focusing their attacks on this year? Banks and online banking customers will be heavily targeted, but so will online payment systems and online gamers, according to the report.
"Overall, epidemics and virus attacks will become defined in terms of geographical boundaries," writes Alexander Gostev, a senior virus analyst who wrote one of the four Kaspersky reports, which include Malware Evolution, Mobile Malware, Internet Attacks and Spam. "For example, in-game Trojans and worms with virus functionality are typically seen in Asia, while Europe and the U.S. tend to see Trojan spy programs and backdoors. South America is usually hit by a wide range of banking Trojans."
Microsoft Security Bulletin Minor Revisions
Issued: February 28, 2007
Summary
=======
The following bulletins have undergone a minor revision increment. Please see the appropriate bulletin for more details.
* MS07-015
* MS07-013
Bulletin Information:
=====================
* MS07-015
* MS07-013
Google Desktop Vulnerability Fixed
By Kevin McLaughlin, CRN
2:13 PM EST Wed. Feb. 21, 2007
Google has fixed a serious vulnerability in its popular Google Desktop software that could allow remote attackers to access confidential data and gain full control over affected PCs.
Google Desktop, which extends Google's Web search and indexing functions to local PC hard drives, is susceptible to a cross-site scripting attack (XSS) because of its failure to properly encode output data, according to researchers at security vendor Watchfire, which discovered the flaw in January.
Google mixes search results from a local desktop search with those from an online search, and the mixing of data creates the XSS vulnerability, said Mike Weider, CTO of Watchfire, Waltham, Mass.
"The connection between online and offline search results creates windows of attack that wouldn't otherwise exist," Weider said. Current malware detection applications don't look for such a vulnerability, he added.
Google issued a fix for the vulnerability soon after being notified by Watchfire, and users are being automatically updated with the patch, according to a Google spokesperson.
To exploit the flaw, hackers would have to trick a user into clicking on a specially crafted link in an e-mail or on a Web site, or they could infect RSS feeds with links that have an XSS payload embedded, Weider said.
After clicking the rigged link, the user's PC instantly would be infected by malicious code, allowing an attacker to access everything on the hard drive that Google indexes or even take control over the machine, Weider added.
Although Google has fixed this XSS vulnerability, the fact that the online and offline connection with Google Desktop still exists means that the software could still be vulnerable, according to Weider.
"To be totally safe, there should be an option to not mix online and offline search results," Weider said.
Google has added a layer of security checks to the latest version of Google Desktop to protect users from similar vulnerabilities in the future, the Google spokesperson said, adding that there have been no reports that the flaw has been exploited. Users are advised to make sure they're running the latest version of Google Desktop.
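The root cause named above, output data not being encoded when results from an untrusted online source are rendered next to local ones, is illustrated by this added example (not Google's or Watchfire's code): a results renderer in its pre-fix shape beside an encoded version. The function names, the result record layout and the sample results are all constructed for the example.

```javascript
// Added example, not code from Google Desktop. Two renderers for a mixed
// local/web result list: one concatenates fields into markup (the pattern
// behind the XSS described above), the other encodes every field for the
// context it lands in. escapeHtml, safeHref and the result shape are ours.

// Encode the characters that let text break out of an HTML text or
// attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Only http(s) links may become an href; javascript:, data: and the like
// collapse to an inert anchor. An unparsable URL is treated the same way.
function safeHref(url) {
  try {
    const parsed = new URL(String(url));
    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
      return escapeHtml(parsed.href);
    }
  } catch (e) {
    // fall through: not a URL we are willing to link to
  }
  return '#';
}

// Pre-fix pattern: title, URL and source class go straight into the markup,
// so a crafted web result can inject script into the page that also shows
// (and links to) local, indexed files.
function renderResultsUnsafe(results) {
  return results
    .map(r => `<li class="${r.source}"><a href="${r.url}">${r.title}</a></li>`)
    .join('\n');
}

// Encoded version: text is HTML-escaped, the link goes through safeHref, and
// the source class is taken from an allow-list rather than from the data.
function renderResultsSafe(results) {
  return results
    .map(r => {
      const source = r.source === 'local' ? 'local' : 'web';
      return `<li class="${source}"><a href="${safeHref(r.url)}">` +
        `${escapeHtml(r.title)}</a></li>`;
    })
    .join('\n');
}

// Constructed sample: one genuine local hit (placeholder URL) and one web
// result whose title and URL carry markup and a script URL, as a crafted page
// or feed entry would.
const SAMPLE_RESULTS = [
  { source: 'local', title: 'Q4 budget.xls',
    url: 'http://localhost/cache/Q4%20budget.xls' },
  { source: 'web', title: '<script>alert(1)</script>',
    url: 'javascript:alert(document.cookie)' },
];

const UNSAFE_HTML = renderResultsUnsafe(SAMPLE_RESULTS);
const SAFE_HTML = renderResultsSafe(SAMPLE_RESULTS);
```

Running the file and comparing UNSAFE_HTML with SAFE_HTML shows the script tag passed through verbatim in the first and rendered as inert text in the second, with the javascript: link reduced to "#".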
Giving Up Hope on Users
FEBRUARY 15, 2007 | End users are hopeless.
That's the message we've been hearing this week as security experts speak out about managing vulnerabilities. These are the voices of IT people who have seen users pull off one too many dumb moves, setting security back for the rest of the network.
"Everything we're doing right now as security people is trying to mitigate the fact that people are stupid," says Rob Enderle, principal analyst with the Enderle Group, an IT consultancy. (See Getting Users Fixed.)
Ira Winkler, a well-known security expert and author of Spies Among Us, suggests that there should be sanctions against those who are exceptionally dumb. "After they've clicked on that phishing link for the fifteenth time, maybe we should blame them and take their computer away. They are a danger to everyone else."
RSnake, founder of ha.ckers.org, suggests that the security function should be taken completely out of users' hands. "Just like you shouldn't be fixing gas mains, you don't want your employees to try to create their own secure environment. They will almost certainly get it wrong, and when they do, it will degrade the life of the equipment. Worse, it will cost IT resources to fix the issue, the employee will no longer be working productively, and you may actually lose confidential information in the process." (See Why User Education's a Bust.)
Even worse, IT organizations find themselves defending their networks against the malicious as well as the stupid. In some cases, IT people are encouraged to monitor employees to see whether they are about to defect or go postal. (See 10 Signs an Employee Is About to Go Bad.)
So are users hopeless? Are they inherently brainless and/or evil? I'm tempted to answer "yes," just to see what you'll say. But I'm actually afraid of how many IT people would agree with me. I'm not sure I want to know.
Truth be told, the vast majority of end users are reasonably intelligent, and they actually want to practice safe computing. These are the "silent majority" of the users we see every day.
In security, however, we aren't concerned with the majority. We're worried about that inevitable few who will make the same mistake a dozen times, the few who would sell a customer list for a few hundred bucks. Like cops, security people spend most of their time dealing not with the good citizens, but with the crazies on the fringes, the ones who break the rules on a regular basis.
So it's inevitable, I think, that security people have developed a cynical attitude about the average end user, because they've seen the boneheaded things that end users do. No effective security strategy can assume that users will know what to do, or do what they're supposed to.
From this perspective, then, it is safe (and not at all cynical) to say yes, users are hopeless. The best security strategies and technologies are those that take the issue out of the end-user's hands, and don't rely on the individual to do their own patching, update their antivirus software, or even follow the rules. End-user training may be helpful, but it will never filter through to everyone on the network. Some end users may help, but you can't rely on all of your users to do anything.
End users are hopeless. If you use that as your first premise, you've got a better chance of building a truly secure environment.
— Tim Wilson, Site Editor, Dark Reading
Hackers Use New Zero-Day Word Exploit In Targeted Attack
By Sharon Gaudin, InformationWeek
12:58 PM EST Thu. Feb. 15, 2007
Hackers have already used a new zero-day flaw in Microsoft Word to launch targeted attacks against a specific company.
The vulnerability, which is a buffer overflow problem, affects Office 2000 and Office XP, according to Dave Marcus, a security research manager for McAfee Avert Labs. McAfee received a copy of the exploit from one of its antivirus users, says Marcus. It sent it to Microsoft on Feb. 9, and Microsoft confirmed on Wednesday that it is a new zero-day vulnerability.
This makes about half a dozen zero-day vulnerabilities to plague Microsoft Word since the beginning of January, notes Marcus.
Hackers used the then-unknown vulnerability to launch an attack against two employees at the same company earlier this month. "It was used in an extremely targeted attack," says Marcus, who wouldn't name the company, the industry it's in, or the type of work the employees do. "The attack was based on the role of the people being targeted. It was that targeted, that surgical."
Marcus adds that the attack, which wasn't successful, was aimed at stealing both personal and corporate information. "This is the Holy Grail of exploits," he says.
In the advisory that Microsoft posted online Wednesday night, analysts explain that a user has to open a malicious Office file attachment, such as a Word document, in an e-mail. If the file is opened, a Trojan or bot is downloaded onto the victim's computer, leaving it open for remote access, according to Marcus. The infected machine then could be used as a zombie, or part of a botnet, to send out spam or launch denial-of-service attacks.
The vulnerability was discovered recently, and it wasn't fixed in Microsoft's Patch Tuesday release, which included 12 patches and covered 20 vulnerabilities. In its advisory, Microsoft stated that it's working on a patch for the vulnerability.
Marcus says McAfee analysts haven't seen the exploit for this vulnerability circulating in the wild.
"It comes down to the fact that this is, essentially, how the bad guys try to steal data," he says. "They take the application and continually pound it to try to find vulnerabilities, and then they work on exploiting it. It's another zero-day, and we'll have plenty more of them later this year. The bad guys have gotten very effective at analyzing the code, and they keep doing it."
'Storm' Trojan Hits 1.6 Million PCs; Vista May Be Vulnerable
By Gregg Keizer, InformationWeek
January 23, 2007 03:43 PM
The Trojan horse that began spreading Friday has attacked at least 1.6 million PCs, a security company said Tuesday.
In addition, it appears that Windows Vista, the new operating system Microsoft will launch next week, is vulnerable to the attack.
Originally dubbed the "Storm worm" because one of the subject heads used by its e-mail touted Europe's recent severe weather, the Trojan's author is now spreading it using subjects such as "Love birds" and "Touched by Love," said Finnish anti-virus vendor F-Secure. The Trojan, meanwhile, piggybacks on the spam as an executable file with names ranging from "postcard.exe" to "Flash Postcard.exe," more changes from the original wave as the attack mutates.
The first several spam blasts of the Trojan -- which was named "Peacomm" by Symantec -- came with current event subject heads, including ones claiming to include video of a Chinese missile attack or proof that Saddam Hussein lives, and bore attached files such as "video.exe."
"Peacomm has, not surprisingly, evolved. The attachments have new filenames, some files [dropped onto the PC] have changed, and the subject lines of the spam are also changing," noted Amado Hidalgo, a researcher with Symantec's security response group, in an entry on the team's blog.
By Symantec's reckoning, Peacomm is the most serious Internet threat in 20 months. Monday, it raised the alert level to "3" in its 1 through 5 scale; the last time the Cupertino, Calif., security software developer tagged a threat as "3" was for Sober.o in May 2005.
So far, Symantec has received 1.6 million detection reports from its sensor system. "This means Peacomm has hit 1.6 million systems in the past seven days," a company spokesman said in an e-mail. An accurate number of infected machines is not yet known.
The most recent variants of the Trojan include rootkit cloaking technologies to hide it from security software, said both F-Secure and Symantec. The latter, however, pointed out that flawed rootkit code voids some of the Trojan maker's plans. "The rootkit service can be stopped by running a simple command: net stop wincom32. All files, registry keys, and ports will appear again," said Hidalgo. A personal firewall also offers some protection from the rootkit, as it will warn you that the Windows process "services.exe" is trying to access the Internet using ports 4000 or 7871.
Peacomm's turn to rootkits brought out comparisons to Rustock, a year-old family of Trojan horses that has become a model of sorts for hackers. Rustock, as Symantec warned in December 2006, relies on rootkit technology, but adds an ability to quickly change form as another evasion tactic.
"It's similar to Rustock," acknowledges Dave Cole, director of Symantec's security response team, "but [Peacomm is] not nearly as technically sophisticated."
As with most large-scale Trojan attacks, the goal seems to be to acquire a large botnet, or collection of compromised PCs, that can be used to send traditional scam spams or for later identity mining.
Symantec's researchers said that PCs hijacked by Peacomm send "tons and tons of penny stock spam" in a typical pump 'n' dump scheme. "During our tests we saw an infected machine sending a burst of almost 1,800 emails in a five-minute period and then it just stopped," said Hidalgo. "We are speculating that the task of sending the junk e-mail is then passed on to another member of the botnet."
Windows 2000 and Windows XP are vulnerable to all the Peacomm variations, but Windows Server 2003 is not; the Trojan's creator specifically excluded that edition of Windows from the code. Symantec's Hidalgo took a guess why. "We presume the malware writers didn't have time to test it on this operating system."
Microsoft's soon-to-release-to-consumers Vista, however, does appear at risk, added Symantec Tuesday. "It appears most if not all variants could execute on Vista," the spokesman said. "The only way the Trojan would be unsuccessful is if somehow Vista is able to detect/prohibit the e-mail. This seems unlikely."
Anti-virus companies have updated their signature databases with fingerprints that identify and then delete (or quarantine) the Trojan as it arrives. Other defensive advice includes filtering traffic on UDP ports 4000 and 7871, updating anti-spam products, and configuring mail gateways to strip out all executable attachments.
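The two network signs the article gives, services.exe reaching the Internet and traffic on UDP ports 4000 and 7871, can be turned into a simple log check. This is an added example, not code from Symantec, F-Secure or the article; the log line layout, the host names and the addresses are constructed for it, and the private-address filter is our own addition to keep services.exe talking to internal servers out of the results.

```javascript
// Added example: scan host-firewall log lines for the Peacomm indicators the
// article names. Layout of each line (constructed for this example):
//   "<date> <time> <host> <in|out> <TCP|UDP> <src>:<sport> -> <dst>:<dport> proc=<image>"

const PEACOMM_UDP_PORTS = new Set([4000, 7871]);

const LINE_RE =
  /^(\S+ \S+) (\S+) (in|out) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+) proc=(\S+)$/;

// Parse one line into a record; null when the line does not match the layout.
function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return {
    when: m[1], host: m[2], dir: m[3], proto: m[4],
    src: m[5], sport: Number(m[6]), dst: m[7], dport: Number(m[8]),
    proc: m[9].toLowerCase(),
  };
}

// RFC 1918 and loopback destinations are not "the Internet"; services.exe
// legitimately talks to domain controllers and file servers on those ranges.
function isPrivateIPv4(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some(n => Number.isNaN(n))) return false;
  return o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168);
}

// Reasons one record looks like Peacomm traffic; empty array when it does not.
function peacommReasons(rec) {
  const reasons = [];
  if (rec.dir !== 'out') return reasons;
  if (rec.proto === 'UDP' && PEACOMM_UDP_PORTS.has(rec.dport)) {
    reasons.push(`outbound UDP to port ${rec.dport}`);
  }
  if (rec.proc === 'services.exe' && !isPrivateIPv4(rec.dst)) {
    reasons.push('services.exe connecting to the Internet');
  }
  return reasons;
}

// Scan a batch of lines; one finding per suspicious line, in log order.
// A hit on the UDP ports alone is a weaker signal (other software uses
// UDP/4000), so the reasons are kept so an analyst can weigh them.
function findPeacommIndicators(lines) {
  const findings = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const reasons = peacommReasons(rec);
    if (reasons.length) {
      findings.push({ host: rec.host, proc: rec.proc, dst: rec.dst,
                      dport: rec.dport, reasons });
    }
  }
  return findings;
}

// Constructed sample log: two hosts showing both signs, a benign browser
// session, a non-services.exe UDP/4000 client, services.exe on TCP to the
// Internet, and services.exe to an internal server (should not be flagged).
const SAMPLE_LOG = [
  '2007-01-23 10:02:11 WS01 out UDP 192.168.1.20:1034 -> 203.0.113.5:4000 proc=services.exe',
  '2007-01-23 10:02:15 WS01 out TCP 192.168.1.20:1035 -> 198.51.100.7:80 proc=iexplore.exe',
  '2007-01-23 10:03:40 WS02 out UDP 192.168.1.21:1040 -> 203.0.113.9:7871 proc=services.exe',
  '2007-01-23 10:04:02 WS03 out UDP 192.168.1.22:1041 -> 192.0.2.4:4000 proc=game.exe',
  '2007-01-23 10:05:00 WS04 out TCP 192.168.1.23:1042 -> 198.51.100.7:443 proc=services.exe',
  '2007-01-23 10:05:30 WS04 out TCP 192.168.1.23:1043 -> 192.168.1.1:445 proc=services.exe',
];

const SAMPLE_FINDINGS = findPeacommIndicators(SAMPLE_LOG);
```

Feeding real firewall export lines in requires only adapting LINE_RE and parseLine to that product's layout; the two indicator checks stay as they are.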
Spam Volume Jumps 35% In November
By Gregg Keizer, InformationWeek
December 21, 2006 04:11 PM
Spam volume soared another 35% in November, an e-mail security vendor said Thursday, and the month saw spam tactics that reduced the efficiency of traditional anti-spam filters.
"There's been a huge increase in spam volume," says David Mayer, a product manager at IronPort Systems, "from 31 billion spams a day on average in October 2005 to 63 billion in October 2006. But in November, we saw two surges that averaged 85 billion messages a day, one from Nov. 13 to 22, the other from Nov. 26 to 28.
"The October-to-November increase is higher than any other month we've measured," Mayer says.
Like other anti-spam vendors, IronPort puts the blame on a surge in botnet use, the increased use of image-based spam, and a rapid rise in the number of URLs registered by spammers. That combination, along with profit-driven innovation, has dramatically changed the spam landscape in 2006, said IronPort, which released its annual trend report earlier this week.
But other trends are at work, says Mayer, including spammers picking up hacker techniques and applying them to the junk mail business.
Spammers are using malware development tactics such as trying out new strains of spam in limited quantities to gauge how effective they are against filters, then sending out huge quantities only when they're sure a good number will slip through defenses.
"They're doing test runs to see what the returns are," says Mayer, "and to see how many messages bounce back from invalid addresses. Only then will they send out the [spam] blast."
Scammers have been able to turn up the spam volume because of the seemingly limitless number of systems vulnerable to hijack, using an individual bot for only hours to send out large quantities of spam, then discarding that PC to move on to another. The volume, along with the constant tweaking they give to their messages, means that at times traditional rule- or blacklist-based anti-spam defenses can be overwhelmed.
In mid-November, for instance, IronPort monitored a new, large-scale spam attack that dropped filter efficacy by more than 10 percentage points, letting millions of messages through to in-boxes.
"It's a reaction gap," says Mayer. "It takes time for vendors to respond and come up with appropriate rules, but with their distributed [botnet] networks, spammers can send a huge attack in a matter of hours. It takes time for anti-spam solutions to catch up with the attack."
IronPort's appliances, Mayer added, can close that gap: the company can update rules as often as 12 times an hour, and if necessary -- because of a completely unknown form of spam, for example -- update the core scanning engine remotely as well. "Anti-spam needs to be very responsive," he says.
Even though December spam volumes have stayed at November's numbers, Mayer expects that 2007 will be a tough one for anti-spam vendors and end users alike. "There's a realistic probability that volumes will increase," Mayer says. "It's a game of economics; there's a lot of money to be made and [thus] a lot of innovation on their part.
"It's going to be a long battle."
Cyber Crime By The Numbers Oct 2006
• $67.2 billion: FBI estimate of what U.S. businesses lose annually because of computer-related crimes.
• $8 billion: Consumer Reports estimate of what U.S. consumers lost the past two years because of viruses, spyware and Internet scams.
• 93.8 million: Privacy Rights Clearinghouse's count of personal records reported lost or stolen since February 2005.
• 26,150: The Anti-Phishing Working Group's count of unique variations of phishing scams reported in August 2006.
Typical costs of goods and services in forums:
• $1,000 to $5,000: Trojan program that can transfer funds between online accounts.
• $500: Credit card number with PIN.
• $80 to $300: Change of billing data, including account number, billing address, Social Security number, home address and birth date.
• $150: Driver's license.
• $150: Birth certificate.
• $100: Social Security card.
• $7 to $25: Credit card number with security code and expiration date.
• $7: PayPal account log-on and password.
• 4% to 8% of the deal price: Fee to have an escrow agent close a complex transaction.
• Free: Access to a service that gives details of the issuing bank for any credit card number.
1 -- Representative asking prices found recently on cybercrime forums
Source: USA TODAY research
Hacker stops business, uses server for SPAMMING
By Raj Mitta - Senior Programmer, ICS
September 10, 2006
ICS thwarted a hacker at an undisclosed company on 9-6-06. “We were called because a Windows Small Business Server 2003 was repeatedly crashing nightly. We investigated and found that a malicious hacker was using the system nightly to send SPAM,” said Robert Delgarbino, CTO of ICS. The customer was not running Exchange, so their mail was still flowing through an outsourced POP3 service.
ICS removed the data from the system, formatted the drives and reloaded the OS to eliminate any undiscovered hack tools or rootkits. ICS also performed a security lockdown of the server, ran a baseline security audit of the network and further secured it by implementing a Sonicwall Firewall. The network and server have been running without another security incident since September 2006.
“It would have saved the company a lot of money and downtime if they had installed the Sonicwall and done a basic security risk assessment before the trouble began,” said Robert. ICS is available for security risk assessments for all small and large clients. Contact Robert Delgarbino at 480-905-0024 for more information.
Cybercrime
flourishes in online hacker forums
By
Byron Acohido and Jon Swartz, USA TODAY
SEATTLE — Criminals covet your identity data like never before.
What's more, they've perfected more ways to access your bank accounts,
grab your Social Security number and manipulate your identity than
you can imagine.
Want proof? Just visit any of a dozen or so thriving cybercrime
forums, websites that mirror the services of Amazon.com and the
efficiencies of eBay. Criminal buyers and sellers convene at these
virtual emporiums to wheel and deal in all things related to cyberattacks
— and in the fruit of cyberintrusions: pilfered credit and
debit card numbers, hijacked bank accounts and stolen personal data.
The cybercrime forums gird a criminal economy that robs U.S. businesses
of $67.2 billion a year, according to an FBI projection. Over the
past two years, U.S. consumers lost more than $8 billion to viruses,
spyware and online fraud schemes, Consumer Reports says.
In 2004, a crackdown by the FBI and U.S. Secret Service briefly
disrupted growth of the forums. But they soon regrouped, more robust
than ever. Today, they are maturing — and consolidating —
just like any other fast-rising business sector, security experts
and law enforcement officials say. In fact, this summer a prominent
forum leader who calls himself Iceman staged a hostile takeover
of four top-tier rivals, creating a megaforum.
Security
firms CardCops, of Malibu, Calif., and RSA Security, a division
of Hopkinton, Mass.-based EMC, and volunteer watchdog group Shadowserver
observed the forced mergers, as well, and compiled dozens of takeover-related
screen shots. "It's like he created the Wal-Mart of the underground,"
says Dan Clements, CEO of CardCops, an identity-theft-prevention
company. "Anything you need to commit your crimes, you can
get in his forum."
The Secret Service and FBI declined to comment on Iceman or the
takeovers. Even so, the activities of this mystery figure illustrate
the rising threat that cybercrime's relentless expansion —
enabled in large part by the existence of forums — poses for
us all.
In the spy vs. spy world of cybercrime, where trust is ephemeral
and credibility hard won, CardersMarket's expansion represents the
latest advance of a criminal business segment that began to take
shape with the formation of the pioneering Shadowcrew forum.
Shadowcrew, which peaked at about 4,000 members in 2004, arose in
2002. It established the standard for cybercrime forums —
set up on well-designed, interactive Web pages and run much like
a well-organized co-op. Communication took place methodically, via
the exchange of messages posted in topic areas. Members could also
exchange private messages.
Shadowcrew gave hackers and online scammers a place to congregate,
collaborate and build their reputations, says Scott Christie, a
former assistant U.S. Attorney in New Jersey who helped prosecute
some of its members.
In the October 2004 dragnet, called Operation Firewall, federal
agents arrested 22 forum members in several states, including co-founder
Andrew Mantovani, 24, aka ThnkYouPleaseDie. At the time, Mantovani
was a community college student in Scottsdale, Ariz. In August,
he began serving a 32-month federal sentence for credit card fraud
and identification theft.
Shadowcrew
as catalyst
Shadowcrew's takedown became the catalyst for the emergence
of forums as they operate today. With billions to be made, new forums
have reformed like amoebas, splintering into 15 to 20 smaller-scale
co-ops. "They learned that it's best to disperse," says
Yohai Einav, director of RSA Security's Tel Aviv-based fraud intelligence
team.
Forum leaders have become increasingly selective about accepting
new members. "Vouching" for new members is now the norm,
requiring a member in good standing to extend an invitation to new
recruits. Some forums charge an initiation fee; others limit the
power to invite new members to the forum leaders.
Veteran vendors and buyers typically do business in multiple forums
simultaneously, in case any particular forum shuts down.
"If criminals get caught one way, they modify their behavior,"
says Kevin O'Dowd, an assistant U.S. Attorney in New Jersey who
prosecuted the Shadowcrew case.
Some forums have become known for their specialties, such as offering
free research tools to do things such as confirming the validity
of a stolen credit card number or learning about security weaknesses
at specific banks. A few offer escrow services, handling the details
of complex deals for a fee.
The better-run forums invest in tech-security measures that have
become the norm in the corporate world, such as use of encrypted
Web pages. All forums run aggressive campaigns to identify and sweep
out rippers — the con artists who gain membership and instigate
deals, only to renege on their part of the bargain.
From this post-Shadowcrew milieu, Iceman has emerged as a forum
leader to watch.
RSA
Security has tracked Iceman's postings on CardersMarket since October
2005; CardCops has compiled an archive of hundreds of postings on
several forums by someone using the nickname Iceman since January
2006.
In the boastful world of cybercrime, nicknames, or nics, are sacrosanct.
It's not unusual for a hacker or cyberthief to go by two or three
different nics, but unthinkable for two or three people to knowingly
share the same nic, says RSA Security's Einav. "I believe we're
talking about one guy and not a group hiding behind his name,"
he says.
Hostile takeover
Clearly enterprising and given to posting rambling messages explaining
his strategic thinking, Iceman grew CardersMarket's membership to
1,500. On Aug. 16, he hacked into four rival forums' databases,
electronically extracted their combined 4,500 members, and in one
stroke quadrupled CardersMarket's membership to 6,000, according
to security experts who monitored the takeovers.
The four hijacked forums — DarkMarket, TalkCash, ScandinavianCarding
and TheVouched — became inaccessible to their respective members.
Shortly thereafter, all of the historical postings from each of
those forums turned up integrated into the CardersMarket website.
To make that happen, Iceman had to gain access to each forum's underlying
database, tech-security experts say. Iceman boasted in online postings
that he took advantage of security flaws lazily left unpatched.
CardCops' Clements says he probably cracked weak database passwords.
"Somehow he got through to those servers to grab the historical
postings and move them to CardersMarket," he says.
Iceman lost no time touting his business rationale and hyping the
benefits. In a posting on CardersMarket shortly after completing
the takeovers he wrote: "basically, (sic) this was long overdue
... why (sic) have five different forums each with the same content,
splitting users and vendors, and a mish mash of poor security and
sometimes poor administration?"
He dispatched an upbeat e-mail to new members heralding CardersMarket's
superior security safeguards. The linchpin: a recent move of the
forum's host computer server to Iran, putting it far beyond the
reach of U.S. authorities. He described Iran as "possibly the
most politically distant country to the united states (sic) in the
world today."
At USA TODAY's request, CardCops traced CardersMarket's point of origin
and confirmed that it is registered to a computer server in Iran.
If Iceman succeeds in establishing CardersMarket as the Wal-Mart of
forums, its routing through an Iranian server will make an already
complex law enforcement challenge that much more difficult, security
experts say.
"Chasing these carding fraudsters is like chasing terrorists in Afghanistan,"
says RSA Security's Einav. "You know they are somewhere out
there, but finding their caves, their underground bunkers, is almost
impossible."
The U.S. Secret Service declined to answer questions about Iceman and
CardersMarket. It would not acknowledge whether they are under investigation
as part of Operation Rolling Stone, the most intensive federal probe
of cybercrime since Operation Firewall. This year, 35 suspects have
been arrested. No names were initially released, but a few have
surfaced after indictments were unsealed.
Suspects include Binyamin Schwartz, 28, of Oak Park, Mich., indicted
in July in Nashville for allegedly trafficking more than 100,000
Social Security numbers, and Paulius Kalpokas, 23, of Lithuania,
whose extradition to Nashville on charges of trafficking stolen
credit card data has been requested.
Schwartz "got caught up in something on the Internet but did
not profit from it," says Sanford Schulman, Schwartz's attorney.
"He inquired about acquiring information online without criminal
intent, nor was he involved in a sophisticated enterprise."
Secret Service spokesman Thomas Mazur says Operation Rolling Stone is designed
to "disrupt and dismantle any of these carding forums,"
but he declined to say which forums or how many are being investigated.
Security experts worry that CardersMarket's emergence as a model
for setting up hypersafe forums could translate into a spike of
activity by the best and brightest cybercrooks.
"It's called bulletproofing," says CardCops' Clements.
"Guys will now migrate to CardersMarket because they really
are untouchable there."
Trust a thief?
Iceman's masterstroke rattled his rivals and raised suspicions among
his peers.
In the tech industry, companies routinely spread what they call FUD
— fear, uncertainty and doubt — about a competitor's
business model. Shortly after Iceman swept up TalkCash's 2,600 members
onto CardersMarket's website, TalkCash's leader, nicknamed Unknown
Killer, e-mailed a shrill warning to TalkCash members: "I've
talked to a number of guys and all say that they didn't merge a
(expletive) with that site ... so please beware as they can be feds."
Speculation abounds on the Internet that the FBI helped install
Iceman as head of a dominant forum set up to lure kingpin cybercrooks
into capture.
In busting up Shadowcrew, law enforcement had used a high-ranking member
of Shadowcrew as an inside informant, beginning in August 2003,
according to court records. Security experts say it's possible,
though unlikely, Iceman could be an informant. While not commenting
directly about Iceman, FBI spokesman Paul Bresson says, "The
FBI is not in the business of exposing Americans to fraud."
Instead of being admired by his peers, Iceman found himself scrambling
to deal with an intensifying backlash. A forum member, nicknamed
Silo, posted this public comment on CardersMarket: "How Can
we TRUST you and this boards admin? You breached our community's
security. Stole the Databases of other forums ... you've breached
what little trust exist's (sic) in the community."
Ten days after the forced mergers, the deposed leaders of DarkMarket
and ScandinavianCarding managed to reconstitute forums under those
names. And CardersMarket appeared to be under assault, with some
of the features on its website functioning sporadically, according
to RSA Security's Einav.
Security experts expect the infighting to run its course. They say
Iceman's attack prompted forum leaders to beef up database passwords
and patch other security holes, making both hostile takeovers and
law enforcement investigations more difficult. Most experts expect
the activity level of the forums to rise, because many consumers
and businesses are uninformed or apathetic.
Consumers' lax attitudes
Consumers continue to exhibit lax attitudes, even as Internet intrusions
and scams rise in frequency and sophistication. John Thompson, CEO
of anti-virus giant Symantec, contends Internet users must adopt
the same "sixth sense about security" they use when they
get in their cars or leave home.
Meanwhile, the commercial sector has been slow to ask consumers to take other
steps, such as using a smartcard or fingerprint reader — along
with typing a log-on and password — to prove they are who
they say online.
Thomas Harkins spent two decades as operations director for MasterCard
International's fraud division, gaining an insider's view of cybercrime's
breakneck rise. Now COO of security firm Edentify, based in Bethlehem,
Pa., Harkins says identity theft is poised to increase by a factor
of 20 over the next two years.
"There's so many stolen identities in criminals' hands that
(identity theft) could easily rise 20 times," Harkins says.
"The criminals are still trying to figure out what to do with
all the data."
Meanwhile, stories such as Kevin Munro's will continue to pile up.
In late August, the name, Social Security number and other data
of the 51-year-old Warsaw, N.Y., building inspector turned up for
sale on a forum monitored by CardCops. Munro recalls changing checking
accounts after a thief tried to cash several bad checks in 2002.
Since then, his personal data have persisted in circulation.
Cybercrooks have used it online to order magazines, purchase three Dell computers
and attempt to take out a real estate loan. Recently, MasterCard
notified Munro that an account he's had for 20 years and uses infrequently
was being canceled.
"I work for a living," Munro says. "I do everything on the
up-and-up, and some lowlife comes by and takes it away."
Acohido reported from Seattle, Swartz from San Francisco.