Ken Dunham, you could say, spends his life peeking at the bowels of the Internet.
As director of the Rapid Response Team at VeriSign-owned iDefense, of Dulles, Va., Dunham and his team of malware hunters infiltrate black hat hacker forums, chat rooms and newsgroups, posing as online criminals to gather intelligence on the dramatic rise in rootkits, Trojans and botnets.
Based on all the evidence gathered over the last two years, Dunham is convinced that groups of well-organized mobsters have taken control of a global billion-dollar crime network powered by skillful hackers and money mules targeting known software security weaknesses.
"There's a well-developed criminal underground market that's connected to the mafia in Russia and Web gangs and loosely affiliated mob groups around the world. They're all involved in this explosion of phishing and online crime activity," Dunham said in an interview with eWEEK.
Just two years after the Secret Service claimed a major success with "Operation Firewall," an undercover investigation that led to the arrest of 28 suspects accused of identity theft, computer fraud, credit card fraud and money laundering, security researchers say the mobsters are back, with a level of sophistication and brazenness that is "frightening and surreal."
"They never really went away," Dunham said. "They scurried away for a few months and tightened their security controls. It became harder to get on their lists and into their chat rooms."
Not these days. A law enforcement official familiar with several ongoing investigations showed eWEEK screenshots of active Web sites hawking credit card numbers, Social Security numbers, PayPal and eBay credentials and bank login data by the bulk.
"They're very public about all this, especially on the Russian sites. It's almost comical how open and barefaced they are," said the official, who requested anonymity because of the sensitive nature of the ongoing probe.
Black hat hackers have set up e-commerce sites offering private exploits capable of evading anti-virus scanners. An e-mail advertisement intercepted by researchers contained an offer to infect computers for use in botnets at $25 per 10,000 hijacked PCs.
Skilled hackers in Eastern Europe, Asia and Latin America are selling zero-day exploits on Internet forums where moderators even test the validity of the code against anti-virus software.
"I saw one case where an undetectable Trojan was offered for sale and the buyers were debating whether it was worth the price. They were doing competitive testing to ensure it actually worked as advertised," said Jim Melnick, a member of Dunham's team.
"We even have proof of actual job listings on Russian-language sites offering lucrative pay for coders who can create exploits and launch denial-of-service attacks. We've seen evidence of skilled hackers stealing corporate data on behalf of competitors. This isn't just about credit card and bank information. It has all the elements of traditional mafia-type crime," Melnick said.
Roger Thompson, a computer security pioneer who created the first Australian anti-virus company in the late 1980s, is convinced the secretive Russian mafia is masterminding the use of sophisticated rootkits in botnet-seeding Trojans.
"They are paying to recruit bright young hackers and using teenage kids around the world to move money around. They're into everything: spyware installations, denial-of-service shakedowns, you name it. It's the traditional mafia finding it easy to make money on the Internet," said Thompson, who now runs Exploit Prevention Labs in Atlanta.
Yury Mashevsky, a virus analyst at Kaspersky Lab, said there is even evidence of turf wars in the criminal underworld.
"They use malicious programs that destroy the software developed by rival groups and include threats directed at each other, anti-virus vendors, police and law enforcement agencies in their creations," Mashevsky said, in Woburn, Mass.
He has also seen fierce online confrontation in the battle to control the resources of infected computers. In November 2005, Mashevsky discovered an attempt to hijack a botnet.
"[The] network of infected computers changed hands three times in one day. Criminals have realized that it is much simpler to obtain already-infected resources than to maintain their own botnets, or to spend money on buying parts of botnets which are already in use," he said.
On message boards and newsgroups where malicious code is put up for sale, Mashevsky said flame wars and attacks against each other to steal virtual property amounts to normal everyday activity.
Dunham, who frequently briefs upper levels of federal cyber-security authorities on emerging threats, said there have been cases in Russia where mafia-style physical torture has been used to recruit hackers.
"If you become a known hacker and you start to cut into their profits, they'll come to your house, take you away and beat you to a pulp until you back off or join them. There have been documented cases of this," Dunham said.
One key aspect of Web mob activity that flies under the radar is use of "money mules," or individuals who help to launder and transfer money from hijacked online bank accounts.
On career Web sites such as Monster.com, a job listing for a "private financial receiver," "shipping manager," or "country representative" invariably is an active attempt to recruit people around the world to withdraw funds and deliver it to crime bosses, according to a detailed research report by iDefense on the so-called money mules.
Money is transferred into the mule's account, withdrawn as cash and then wired to an offshore account.
"We've only scratched the surface of what's going on in the underworld. It's like the iceberg that took down the Titanic. No one knew how big and dangerous it was," Dunham said.
He cited the recent discovery of MetaFisher, also known as SpyAgent, a Trojan connected to a Web-based command and control interface that highlighted just how advanced the attackers have become.
"In just a few weeks, MetaFisher spread to thousands of computers. We found conclusively that these attacks were going on undetected for more than a year. Can you imagine the amount of data that has already been stolen? It's unimaginable," Dunham said.
Eric Sites, vice president of R&D Sunbelt Software, in Clearwater, Fla., showed eWEEK screenshots of the Web interface that showed specific targeted phishing attacks against European banks and keeps detailed statistics on actual bot infections around the world.
The interface also can be used to add exploits, keep track of anti-virus signature definitions and keep track of callback from injected machines.
"This isn't the work of the guy in the basement. This is organized and simplified to make it super easy to control all those bot drones," Sites said.
Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.
Copyright © 2006 Ziff Davis Media Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Media Inc. is prohibited.