Chapter 19. Hack, Pump And Dump

NADIA BRANNON

Anatoliy Serov was intensely staring at his computer monitor. "Yes, there it is; place a sell order now. Sell order complete!" Anatoliy was jubilant, and he immediately called his girlfriend, "Lenchik, be ready by six — we are going to Onegin to celebrate." Onegin was a fashionable, high-end restaurant in St. Petersburg, Russia, and Anatoliy's girlfriend was understandably confused.

"Celebrate what? Tolik, are you crazy? Do you know how expensive Onegin is?" she asked.

"Yes, baby, I know. We are finally rich! I made 30,000 bucks today on the financial market, and this is just the beginning."

Anatoliy could have been mistaken for a successful investor, financial broker or lucky day trader, but in fact he was none of the above. He was a talented computer programmer working for a small development firm in St. Petersburg. And Anatoliy (along with a few of his work colleagues) had just successfully executed a pump and dump scheme with a new, high-tech twist. The Securities and Exchange Commission (SEC) defined these schemes as follows:

"Pump and dump" schemes, also known as "hype and dump manipulation," involve the touting of a company's stock (typically microcap companies) through false and misleading statements to the marketplace. After pumping the stock, fraudsters make huge profits by selling their cheap stock into the market. Pump and dump schemes often occur on the Internet where it is common to see messages posted that urge readers to buy a stock quickly or to sell before the price goes down.

The SEC did not mention a more recent improvement on the scheme by my creative and computer-savvy compatriots, Anatoliy and his friends, which added the term hack to pump and dump.

The Perfect Storm

With unemployment rates reaching 40 percent in certain regions, former Soviet states were replete with characters like Anatoliy who had a good technical education, were extremely hungry to make it big in the new capitalist society but were unemployed or severely underemployed. It was the perfect storm for the development of some of the best hackers the Internet has seen. When a fraudster's command of English was limited to a profound knowledge of Perl, Java and C++ syntax and a familiarity with computer-geek speak, it was a bit of a challenge to create a persuasive media campaign to convince investors to buy penny stocks — a necessary step in a traditional pump and dump campaign. Anatoliy found himself in that position and decided, why not just hack into investors' accounts and make the trades on their behalf?

China Gold

Jeffrey Scott was strongly attached to his Saturday morning routine: coffee, newspaper and then the deeply despised yet necessary process of going through the pile of weekly mail. "Ah, there it is; my monthly statement from my brokerage account. Straight to the filing cabinet for you."

Jeff did not closely follow the market — the morning Bloomberg broadcast did not go down well with his leisurely cup of coffee. He was a conservative investor who had learned early in business school that investors cannot beat the market. Therefore, he developed an investment strategy that was plainer than vanilla: buy and hold, at regular intervals.

With a well-practiced gesture, Jeff stripped the statement of its envelope and shoved it into the designated pile, but then something caught his eye. "CGDC — China Gold Corporation." Jeff thought, "Chinese gold, that's interesting. When did I buy that? It must be part of some international growth fund that I hold. Let's see how it is doing — must be faring really well." He thought that because at the time China was the darling of the investment world. The Chinese economy was experiencing explosive growth and many were rushing to invest or outsource their operations to China. Jeff scanned the statement for a moment and then his face became virtually indistinguishable in color from the paper he was holding. "This has got to be a mistake. Is this even my statement? A balance of $1,932.54? That can't be. I should have at least $120,000 in there."

Empty Nest Egg

Jeff ran to his computer and logged into his Internet brokerage account hoping to see that indeed it was a big mistake and his $120,000 was safe and growing daily. But no, $1,932.54 was starkly staring at him from the screen. What happened? How could that be? Jeff feverishly dialed his broker.

The broker promptly transferred Jeff to the fraud prevention department, where a representative informed him that he was a victim of a hack, pump and dump scheme. His online brokerage account had been compromised by hackers who held stock of China Gold Corporation, at the time trading at about $0.005 per share, in their own accounts in Latvia and St. Petersburg. The hackers broke into Jeff's account, sold his holdings (the retirement savings he had proudly and painstakingly built up over the years) and bought China Gold on his behalf, driving the share price to previously unseen highs. Shortly afterward, they sold their own CGDC holdings, reaping thousands of dollars in profit. The customer service representative told Jeff the crime was virtually untraceable.

A Fad or a Ring?

Jeff Scott was not the only victim of the China Gold hackers — far from it. Not only were the accounts of other customers at his brokerage firm well stocked with China Gold, but those of many other firms across the United States and Canada were also victims of the same scheme. When the first few incidents of the hack, pump and dump scheme were reported, the financial community believed they were separate, unrelated incidents not worth worrying about.

But when a flood of similar Internet transactions suddenly rushed through the regulators' gates, my firm was brought in to investigate. Were these unrelated, copycat events that had become a new fad for the online criminal community or were they representative of a centrally orchestrated campaign on a massive scale?

Timing Is Everything

I was working for the private firm that was hired to investigate this case, and I was assigned to the team. We had a lot of questions to answer: How did they do it? What means did they use to hack into the systems? What vulnerabilities, if any, were exploited? Who was behind the attacks? And the ultimate question: How could we stop them?

We began by examining the server logs associated with access to the compromised accounts, including the Internet protocol (IP) addresses and thousands of connections stemming from them. What we immediately noticed was that most of the logins were coming from many, but consistently repeating, IP addresses in the United States — not what we were expecting to see. If this was a crime ring operating from the former Soviet Union — which was our working theory — we expected to see logins from IP addresses registered in Russia, Ukraine, Latvia and perhaps several proxy servers. However, the IP addresses that were used to illegally access the online brokerage accounts were registered to large U.S. corporations, the U.S. government or U.S.-based Internet service providers (ISPs).

After looking into the suspect computers and IP addresses more closely, we discovered that the addresses used were part of various botnets. A botnet is a group of computers (bots) that are controlled by a different, usually remote, computer to perform specific coordinated tasks. The computer that controls the bots is known as the herder. In this case, groups of computers had been infected with the same spyware program and were used by a herder to perform a number of tasks: log in to the Internet brokerage site, guess account numbers, crack passwords, confirm that accounts were active and transfer funds.

When we analyzed server logs over a longer period of time, we noticed a peculiar pattern: The suspicious activity started with multiple logins from IPs in the United States (often coming from the same network) and ended with a single login from somewhere in Russia, Estonia, Latvia or Ukraine that executed the illegal trades. Even stranger, some of the initial attempts to access accounts occurred at regular time intervals — a clear signature of an automated process. Therefore, we concluded that botnets were being used to break into online accounts and, once they were compromised, the criminals themselves placed trading orders.
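The pattern described above (many repeating source IPs probing an account at regular intervals, then one login from another country that places the trade) can be checked mechanically over access logs. The following script is an added example, not code from the investigation or the chapter; the log format, IP addresses, country codes, account IDs and thresholds are all constructed for the demonstration.

```python
# Added example (not from the chapter): offline detection of the hack-then-trade
# login pattern the investigators describe. Log lines, IPs, countries, account IDs
# and thresholds below are constructed for the demo.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: "timestamp ip country account action [details...]"
CONSTRUCTED_LOG = """\
2006-11-03T02:00:00 198.51.100.10 US acct-4711 LOGIN_FAIL
2006-11-03T02:05:00 198.51.100.23 US acct-4711 LOGIN_FAIL
2006-11-03T02:10:00 203.0.113.7 US acct-4711 LOGIN_FAIL
2006-11-03T02:15:00 198.51.100.10 US acct-4711 LOGIN_FAIL
2006-11-03T02:20:00 203.0.113.9 US acct-4711 LOGIN_FAIL
2006-11-03T02:25:00 198.51.100.23 US acct-4711 LOGIN_OK
2006-11-03T09:41:12 192.0.2.77 LV acct-4711 LOGIN_OK
2006-11-03T09:43:50 192.0.2.77 LV acct-4711 TRADE BUY CGDC
2006-11-03T08:12:03 198.51.100.50 US acct-9001 LOGIN_FAIL
2006-11-03T14:37:44 198.51.100.50 US acct-9001 LOGIN_OK
2006-11-03T14:40:01 198.51.100.50 US acct-9001 TRADE BUY SPY
"""


def parse(log_text):
    """Parse the constructed log lines into per-account, time-ordered event lists."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, country, acct, action, *rest = line.split()
        events[acct].append({"ts": datetime.fromisoformat(ts), "ip": ip,
                             "country": country, "action": action, "rest": rest})
    for acct in events:
        events[acct].sort(key=lambda e: e["ts"])
    return events


def looks_automated(timestamps, min_attempts=4, max_cv=0.1):
    """Near-constant inter-arrival times (low coefficient of variation) signal a script."""
    if len(timestamps) < min_attempts:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv


def flag_accounts(log_text, min_probe_ips=3):
    """Return {account: [reasons]} for accounts matching at least two of the three signals:
    many distinct probing IPs, regular-interval failures, and a trade placed from a
    country that never appeared among the probing IPs."""
    flagged = {}
    for acct, evs in parse(log_text).items():
        reasons = []
        fails = [e for e in evs if e["action"] == "LOGIN_FAIL"]
        probe_ips = {e["ip"] for e in fails}
        probe_countries = {e["country"] for e in fails}
        if len(probe_ips) >= min_probe_ips:
            reasons.append(f"{len(probe_ips)} distinct IPs failed login")
        if looks_automated([e["ts"] for e in fails]):
            reasons.append("failed logins at regular intervals")
        for t in (e for e in evs if e["action"] == "TRADE"):
            if probe_countries and t["country"] not in probe_countries:
                reasons.append(f"trade from {t['country']} after probing from "
                               f"{sorted(probe_countries)}")
                break
        if len(reasons) >= 2:
            flagged[acct] = reasons
    return flagged


if __name__ == "__main__":
    for acct, why in flag_accounts(CONSTRUCTED_LOG).items():
        print(acct, "->", "; ".join(why))
```

Requiring two of the three signals keeps a single mistyped password or a genuine customer logging in while travelling from tripping the rule on its own; in practice the thresholds would be tuned against the institution's own login baseline.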

The Monster Strikes Back

One of the standard procedures that our investigative team performed was to remotely scan the suspicious computers. Following this protocol, the team selected a few IP addresses at random and started monitoring the activity coming from them. However, within a few hours of our scanning, the targets went silent. The bad guys turned out to be extremely smart; they realized they were being scanned. As a result, we did not collect much evidence by that method. Then the next day, the team chose another set of IP addresses to monitor in the hope of collecting more information but suddenly the unexpected happened. Our computer lab was attacked by the hackers. It was their way of saying, "We know who you are. Do not mess with us." That made us realize the fraudsters were extremely sophisticated and well organized. It also confirmed our theory that most of the fraudulent activity was related and committed by an organized group.

A Multi-Headed Hydra

The onslaught of hack, pump and dump schemes not only reached major financial institutions in the United States but a number of brokerage firms in Canada were also targeted. In response to these incidents, every victim institution introduced its own security measures, among them:

  • Blocking the known suspicious IP addresses

  • Continuously updating the list of known suspicious IP addresses

  • Locking the online accounts after a certain number (10 or fewer) of unsuccessful login attempts

  • Notifying customers after numerous unsuccessful login attempts

  • Blocking online trades in known penny stock targets

  • Generating alerts when orders for certain thinly traded securities were placed

  • Using multifactor authentication methods, such as SecurID tokens, smart cards, and other similar technologies (physical devices the individual customers install on their computers to provide security protection)

  • Automatically referring accounts to customer service when suspicious activity was detected
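Several of the measures in the list above (IP blocking, lockout after a bounded number of failures, customer notification, rejecting orders in known targets, alerting on thinly traded securities and referral to customer service) are simple enough to express as a small policy engine. The code below is an added example, not the controls of any firm named in the chapter; the thresholds, blocked IP, target symbol list and average daily volumes are constructed values.

```python
# Added example (not from the chapter): brokerage-side controls from the list above
# written as a small stateful policy engine. All thresholds, IPs, symbols and
# volume figures are constructed for the demonstration.
from dataclasses import dataclass, field

MAX_FAILED_LOGINS = 10             # lock after this many consecutive failures
NOTIFY_AFTER_FAILURES = 5          # notify the customer of repeated failures
THIN_VOLUME_SHARES = 50_000        # average daily volume (ADV) below this is "thinly traded"
MAX_ORDER_FRACTION_OF_ADV = 0.05   # an order above this share of ADV raises an alert

BLOCKED_IPS = {"203.0.113.7"}                                  # constructed
KNOWN_TARGET_SYMBOLS = {"CGDC"}                                # constructed
AVERAGE_DAILY_VOLUME = {"CGDC": 12_000, "SPY": 80_000_000,    # constructed
                        "XYZQ": 40_000}


@dataclass
class AccountState:
    failed_logins: int = 0            # consecutive failures, reset on success
    failures_before_login: int = 0    # failures that preceded the last successful login
    locked: bool = False
    notices: list = field(default_factory=list)


class BrokerageControls:
    def __init__(self):
        self.accounts = {}

    def _state(self, acct):
        return self.accounts.setdefault(acct, AccountState())

    def login(self, acct, ip, password_ok):
        """Return 'blocked', 'locked', 'ok' or 'fail' and update the account state."""
        st = self._state(acct)
        if ip in BLOCKED_IPS:
            return "blocked"
        if st.locked:
            return "locked"
        if password_ok:
            st.failures_before_login = st.failed_logins
            st.failed_logins = 0
            return "ok"
        st.failed_logins += 1
        if st.failed_logins == NOTIFY_AFTER_FAILURES:
            st.notices.append("repeated failed logins")
        if st.failed_logins >= MAX_FAILED_LOGINS:
            st.locked = True
            st.notices.append("account locked")
            return "locked"
        return "fail"

    def order(self, acct, symbol, quantity):
        """Return (decision, reasons) where decision is 'reject', 'review' or 'accept'."""
        st = self._state(acct)
        if st.locked:
            return "reject", ["account locked"]
        if symbol in KNOWN_TARGET_SYMBOLS:
            return "reject", ["known penny-stock target"]
        reasons = []
        adv = AVERAGE_DAILY_VOLUME.get(symbol, 0)
        if adv < THIN_VOLUME_SHARES:
            reasons.append("thinly traded security")
        if adv and quantity / adv > MAX_ORDER_FRACTION_OF_ADV:
            reasons.append("order large relative to daily volume")
        if st.failures_before_login >= NOTIFY_AFTER_FAILURES:
            reasons.append("recent failed logins on account")
        if reasons:
            st.notices.append("order referred to customer service")
            return "review", reasons
        return "accept", reasons


if __name__ == "__main__":
    c = BrokerageControls()
    for _ in range(6):
        c.login("acct-9001", "198.51.100.50", False)
    print(c.login("acct-9001", "198.51.100.50", True))
    print(c.order("acct-9001", "XYZQ", 5_000))
    print(c.accounts["acct-9001"].notices)
```

The order check deliberately keeps a memory of the failures that preceded the last successful login, because in the pattern the investigators saw the trade was placed from a session that was opened successfully after the guessing had finished; a lockout counter that resets on success would not see it.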

A large number of financial institutions joined forces and created an industry group to coordinate anti-fraud activities in real time. The group notifies participants of the recent attacks and modes of operation used by the fraudsters, IP addresses involved, securities traded and other pertinent information. The FBI and other law enforcement agencies have begun to dedicate significant resources to the investigation of these types of Internet securities frauds. As a result of these measures, several of the perpetrators have been apprehended and prosecuted.

However, fraudsters have become more sophisticated in response to increased preventive measures; their techniques and methods have evolved. They stopped logging in to computers that could allow law enforcement agencies to detect their physical location and began using proxy servers, which masked their location. Their trading activity also changed. As many financial institutions began to monitor trading in penny stocks, fraudsters moved to other securities that do not exactly fit the definition of penny stocks but whose prices can still be easily manipulated. These modes of attack are much harder to proactively detect because they cause a significant — but not unusual — fluctuation in the price of the stock, and thus are unlikely to raise a red flag.

Where Is the Head?

Why is the fraudulent activity that started several years ago and caused the largest fraud-related monetary losses to the industry still occurring? Why aren't the criminals behind bars? Though some small fry — like Alexei Kamardin, a 21-year-old Russian student living in Tampa, Florida — have been caught, the really big fish — the Anatoliy Serovs — are still at large. This is due to several factors:

  • Fraudsters' use of technologically sophisticated methods that prevent detection and identification

  • Difficulty linking illegal trading activity in compromised accounts to the financial gains reaped by account holders in other financial institutions absent direct computer forensic evidence

  • The international nature of the fraud

  • Lack of cooperation of the Russian government and other foreign law enforcement agencies

  • Corruption in the former Soviet countries

Many believe that the Russian Business Network (RBN), a cybercrime organization that originated in St. Petersburg, was behind most of the hack, pump and dump activity, but there is not enough evidence to prove it. RBN first started as an ISP that provided hosting to many shady and illegal businesses that distributed child pornography, phishing, spam and malware. It developed partner and affiliate marketing programs in different countries to provide a method for organized crime to target victims internationally. It is also believed that in response to law enforcement actions, RBN moved much of its operation to China. It presumably operates several botnets and is also known for distribution of fake antispyware and antimalware applications for the purposes of PC hijacking and personal identity theft.

The hack, pump and dump fraudsters used any number of the available cyber means of collecting personal identity information — phishing, malware, spyware and password-cracking algorithms to name a few — to access the online brokerage accounts of unsuspecting victims like Jeff Scott.

Note

Lessons Learned

What are the key lessons learned here?

  • The Internet is making our world much more efficient and connected, but it also creates exposures of a global nature.

  • Computer technologies allow criminals to commit fraud that is large in scale (target multiple institutions and accounts) and that crosses national borders.

  • The Internet also creates opportunities for the formation and growth of online criminal rings and communities.

  • Criminals are increasingly using technologies and fraud schemes that make detection and prosecution extremely difficult.

About the Author

Nadia Brannon is a Principal with LECG, a global expert services and consulting firm. Ms. Brannon is an expert in database forensics, complex data analytics and data mining. Her clients include Fortune Global 500 corporations and major law firms worldwide.
