Automated Identity Theft

89 otherwise shed light on their underground activities. In one recent case, honeynet intruders exposed the existence of automated tools that support and facilitate identity theft and credit-card fraud. Members of a community who call themselves carders use these tools to defraud Internet merchants and consumers of potentially large financial sums. The preceding installment of this department 1 described an attack on a Microsoft Windows 2000 honeypot that was subsequently incorporated into a large IRC botnet consisting of at least 15,164 distinct hosts. Human intruders later entered the honeypot by means of the same attack vector— capitalizing on a null administrator account password—used in an earlier attack. Because the honeypot was not instrumented for data capture , researchers could observe the new intruders' activities via packet captures of network traffic obtained with the Snort intrusion-detection system (IDS). After entering the honeypot, the new intruders downloaded and installed Cygwin (www.cygwin.com), a dynamic link library (DLL), and a collection of tools that provide a Linux-like environment under Windows. The intruders used Cyg-win to compile and run PsyBNC (www.psychoid.net), an IRC proxy popular in the black hat community. Black hats frequently use PsyBNC to conceal their online identities when using IRC and to maintain continuous contact with one or more IRC servers. They refer to PsyBNC and similar proxies as bouncers. The intruders configured Psy-BNC to access several channels of the DALnet IRC network (www. dal.net) including #cc and #mas-terccs. Because the honeynet's Snort IDS logs network traffic and because IRC is a plain-text protocol, the honeynet's operators could monitor traffic on the channels ac-cessed by the intruder's PsyBNC. The operators monitored IRC traffic from its inception on 2 April 2003 to 13 May 2003, the date on which DALnet began successfully enforcing a ban against the channels, as explained in the " DALnet acceptable use policy " sidebar. The honeynet operators immediately noticed instances of credit-card and other identity-related information being illicitly shared and traded on the monitored channels. They also saw instances of highly specialized communication, which was indicative of communication with software programs rather than humans, such as the following: (Any identifying information in the example is obfuscated to avoid disclosing personal information.) The strings TH3-RELO4D and busàre names by which two IRC users are known. Based on subsequent observation, the observers determined that TH3-RELO4D is a human and busìs a bot—a software program that communicates with humans and other …