People call me a lot of things. Nobody would ever call
me a CIO, but after reading CIO magazine a little bit, I guess
that’s basically what I am. Maybe I’m a little
younger than you. A little more techy. I know my routers and
Most of the guys I work with, they don’t like
computers. They get frustrated. Lots of times they want to
shoot their computers, like that guy in Colorado did. I printed
out that story and gave it to one of my guys. He loved it,
especially the part where the guy hung the dead computer on the
wall of his bar. “I love this Colorado guy,” he
said. And he passed it around to all the guys. “You have
to read this story MIT gave me.” Yeah, they call me MIT,
like, “Let’s ask MIT if we can set up an online
account” or “Maybe MIT can make a website for
that.” A website for what? For making money, what else?
Isn’t that why anyone sets up a website?
Yeah, I deal with the same stuff you do. Same headaches.
I’m constantly fixing stuff and trying to do whatever
helps the bosses grow the business, as you call it.
Bosses. I mean, bosses are the worst, right?
The Penny Stock Scam
We’re in a real boom right now. Credit cards. Gambling.
You heard about that stock deal? The one that uses that new
kind of spam? Image spam? This is an old-fashioned
pump-and-dump scam but with a cool techno twist.
This wasn’t mine, but I know a guy who knows the guy
who set it up. Here’s how he worked it.
First, he rented a botnet. That was for e-mail distribution.
He pays, I don’t know, say $50Gs for a month, turns
around and promises the bot-herder a taste in exchange for that
month’s usage and some guaranteed uptime. You know, he
says, deliver me 10 million e-mail messages and I’ll
guarantee you some back-end cash.
So the bot-herder knows a kid who wrote this absolutely
killer image spam application that creates the e-mail messages.
Pays him a flat fee. I mean, the kid could’ve asked for a
lot more, but a lot of these programmers are pretty young and
dumb. You wave some cash and they think, “Flat-screen
TV!” Anyway, he tells the kid to make the program create
advertisements for pink-slip stocks, those unlisted ones that
trade for pennies. It all gets done in like 15 minutes after
they get some of the basic wording down.
So then this guy sets up offshore accounts online (in
Brazil, I think) to collect the investments. His guys all buy
something like 10,000 shares at 30 cents per. Then the botnet
goes to work. Starts mass mailing the ads for the stocks. And
the beauty part is those little messages get by all the spam
filters because the filters are looking for text, but with the
image spam all the filters see is a million different images,
each one unique, even though they all say the same thing: Buy
this stock. (For more about this technique, read The Scourge of
Genius.) Finally, enough people invest to drive up the price.
Eighty cents a share. A buck. Two. Eventually, our guys sell,
make a nice chunk of change, the stock tanks and the suckers
who got in on the e-mail tip lose their shirts. Like I said, a
classic pump-and-dump, but back in the day it was a lot harder
to do. It required a lot of legwork, relationships with
reporters and brokers. Compared to that, this is, like,
I know what you’re thinking: Who believes an anonymous
e-mail that says such-and-such company you’ve never heard
of is at a quarter a share now but is heading to five bucks?
Hey, I don’t know, but you send out 10 million messages,
you get 1,000 to invest, that’s only, what? A hundredth
of a percent? I’d say the sucker population is a lot
bigger than that.
It was a great little business. One of those stocks hit six
bucks! But then the feds sniffed it out and suspended trading
on those penny stocks in March. Maybe when things cool off,
it’ll pick up again. By that time, the spam filters will
probably have adjusted and we’ll have to go back to the
programmers for their latest bots.
Everyone Wants IDs, Just Not Their Own
The big money is in credentials.
Look, the world runs on credit, and what you need to get
credit are personal credentials. That’s what everyone is
after right now. And that’s where a lot of our
investments are: credentials for lines of credit.
That TJX thing last January? No, not me. But let’s say
I had beers with someone who might have worked on that job. It
sounds like the heist of the century, right? What, 40 million
personal records? But really it’s pretty basic stuff. If
you want to get into the credentials market, you do three
things: One, get inside access to someone who stores lots of
personal data. Retail is great for that. Think about how many
cards are swiped every second at those places. Two, invest in
antiforensics, because once you’re in, you want to stay
invisible until you’re done. (For more on antiforensics,
see How Online Criminals Make
Themselves Tough to Find, Near Impossible to Nab.) Three,
after you got the credentials, behave. I’ll explain that
one in a minute.
The papers say the wiseguys got into TJX, they got employee
IDs, by intercepting wireless data flowing between cash
registers, handheld price-checking devices and such. Maybe. But
this is how I’d do it. Inside access. That’s easy.
You spread some USB keys around. People see them and go, Cool,
free dongle! Only when they plug them in, a little program
installs some bots or keyloggers onto their machine. From
there, you root around until you get deeper into the network.
(There are other ways too. Dumpster diving for paper records
and credit card statements. Paying off the custodial staff.
This stuff is as old as time; computers just make it
After gaining access, it’s time to invest in
antiforensics. Look, I don’t care if they can see what I
did as long as they can’t see it was me that done it. We
have this saying here about antiforensics: Make it hard for
them to find you and impossible for them to prove they found
you. We’ve got a whole bunch of software that allows us
to cover our tracks and keep us basically invisible while
we’re inside someone’s system. What’s great
is a lot of antiforensic tools are free. They’re all over
the Internet. We buy others, like encryption programs and data
wipers like Evidence Eliminator. This guy I had beers with says
a few guys are even experimenting with ways to make other guys
look guilty. You know, set someone up, send the cops down the
At that point, you install a little program that collects
the credentials. Sometimes we use ’em; most of the time
we sell ’em. We’ve been working on a subscription
service. You pay for access to credentials for a certain period
of time. We can get $1,000 a month or more for a subscription
pretty easy. That adds up.
But what we’ve run into—a big problem—is
that lots of guys get their hands on this information and just
start buying stupid stuff. They have no discipline. Look at
TJX. Those guys got busted for using the credentials they
lifted to buy gift cards for, what, like $20Gs or something? I
mean, you buy a $20,000 gift card, someone’s going to
notice. So don’t do Visa’s job for them. All it
takes is one jerk who gets some credit and buys a Bentley to
take down an entire business. Find guys who can wait to use the
credentials and then, when they do, use them in a way that
Other People Gamble; We Don’t
Right now, we’re setting up a service out of Costa Rica.
It’s a—how do I put it?—it’s a
high-risk, high-return investment service for sports fans. So
how do I set up something like that? Like any project, with a
lot of legwork. I’ve got to get my guy in Costa Rica to
set up the back-end servers. Costa Rica’s great because
everything’s available right in one building. I call my
guy and say, “It’s MIT. I need some stuff.”
He just walks down the hall to the ISP, gets servers and
backups, and then goes upstairs to the Web developers.
It’s out-of-the-box, like calling up IBM Global Services
or something. There’s even a little online payment
service outfit down there. We like it better than the big ones
up here because those guys, they’re better with
international currency and security.
After we get all that going, we’ve got to do all the
testing. I’m telling you, it’s really not much
different than those e-commerce projects I read about in CIO.
We do the same due diligence. Same troubleshooting. Same thing
with bosses yelling, “MIT, you got that site up yet?
Super Bowl’s in a few weeks. Site’s gotta be up for
They ask for some ROI up front, by the way. It’s a
little more informal than the way most of your readers do it.
They’ll ask, “Ballpark, what do we gotta
spend?” I give them a number. They say, “What can
we clear in an average month?” I give them another
number. I’m not making these up either. I ask around. I
mean, that’s cost-benefit analysis right there,
Anyway, once that site’s up and running it’ll be
a nice little business…for the overseas market, of
Even Crooks Need Security
I invest in top-notch security because, believe me, gaming
sites are constantly dealing with extortion. Criminals. Not a
day goes by when a site doesn’t have some Russian hacker
launching a DDoS attack, asking for cash to call it off. We
encrypt everything, and we’ve got pretty severe
authentication for access. We don’t outsource or contract
the security. We keep it in-house. I pay my security guy well.
I’d say about 25 to 30 percent above what you’d
pay. Met him at the Black Hat conference in Vegas a couple of
years ago. I liked him right away because he wasn’t
presenting or bragging about what a hotshot he was. He was in
the back, taking notes, trying to learn. Quiet. I knew right
away he’d fit in.
I’ve also tasked him (that’s how you say it,
right?) with internal security. Basically, his job is chief
privacy officer for a bunch of guys who really value privacy.
All this technology—phones, the Internet—it’s
all great for making money, but the problem is, everything gets
logged. My security guy has written and used lots of
antiforensic tools to erase those logs, and I’m
comfortable telling my boss we have better privacy than the big
banks. My security guy knows how to disable the GPS in our cell
phones. He’s building some routing programs, sort of like
that Onion Router project that, like it says on their website,
“prevents the transport medium from knowing who is
communicating with whom” so that anything we send over
the Internet is scrambled through different routes and hops all
over the world, completely anonymous and untraceable. And
everything, I mean everything, is encrypted. Say someone stole
the servers we keep here at the home office. My guy designed it
so that really only two people can access the data: me and him.
We have the private keys and no one else does. Not even the
My Kind of Guys
The guys I keep, or keep on a kind of retainer, are the ones
that show me something extra. We had one guy who came to us
selling a great new way to set up temporary international cell
phone accounts, using credentials bought in the identity
market. Guys will pay a lot for a disposable international cell
phone. We bought some and were so impressed we decided to get
into business with him. He set up the phones; we handled
distribution. I asked the guy what else he was working on. He
flips his laptop around and shows me his own website where
he’s auctioning off credit credentials to the highest
bidder. Slick. I said to him, “You could be our
R&D.” He said, “Cool.” And that was
Compared to you guys, I’m pretty lucky with talent. My
guys are way ahead on the technology. They work hard.
They’re innovative and entrepreneurial. I think
they’re some of the most talented IT staff around.
Business-Technology Alignment Among
Actually, there is one way you and I are different. I read all
those stories in CIO about how hard you have to work to align
technology with the business’s goals. That’s one
problem I don’t have. My bosses don’t let me spend
a dime on anything that’s not going to make them money.
Why should they? And I wouldn’t even think about
investing in a huge project that might fail to live up to
expectations. I don’t get play money to buy technology
that doesn’t work. I don’t have vendors paying the
freight to conferences at swank resorts to convince me to
invest in something that’s half-developed and overhyped.
I never use jargon. I spend zero time doing PowerPoints.
Speculation? That’s not part of our business model. So
maybe I don’t get the newest gadgets all the time but,
man, I am aligned. With the business. With the bosses.
There’s really no other choice, you know?
CSO Executive Editor Scott Berinato can be reached at