05/17/14

Bitcoin 2.0 and the Segway Bike

Bitcoin 2.0 and the Segway Bike

gAtO Imagine - some of the business side applications we can build with future triggered events being executed by Autonomous Cyber Robots. All build on the basic Bitcoin 1.0 code but not using the coins but the blockchain – there be treasure in that blockchain but it’s all math ugh!!!.

segway_bike_Bitcoin

Ok first what is Bitcoin 2.0? Basically it’s a new way to have a cyber robot or a cyber drone that can do what you instruct them to do. It is a timestamp triggered event and you can now just add business rules to it that will work in cyberspace.

What do you do online today?

  • Shop for things and have them delivered
  • Online banking
  • Buy and sell stocks and bonds
  • Send donations to Charities or political organizations

So now you can build cyber-business rules to be execute on the web and put them into one of these cyber robot or a cyber drone. I use these 2 terms because when people hear drones they think attacks and such and yes you can now build digital FINANCIAL  warriors that can execute based on events, millions of them and they can be used for good and evil.

timeStamp- or -blockchain-trigger event – robots with business rules- example//

  • Send 100 Bitcoins to my family every 6 months after I die.
  • Buy or sell stocks ambiguously  – Digital Business Contracts – or Personalities
  • Any transaction that can be performed on the web!
  • Set up a corporation by an Ethereum digital actors
  • Any Business rule that can executed digitally 

gAtO lOvE Ethereum //= it is a platform and a programming language that makes it possible for any developer to build and publish next-generation distributed applications. https://www.ethereum.org/  Next Generation Smart Contracts and a Decentralize Application Platform. Non-geek cyber-business rules OK…

GAtO used to lug around an Osborne luggable computer… 1.0 laptops – but gAtO was cool aligning 10MB (yes 10 Mega Bytes) hard rives the size of a large home freezer. The good old computers days… Out of hardware back to Biz -mEoW

MasterCoin – The Master Protocol facilitates the creation and trading of smart properties and user currencies as well as other types of smart contracts. Mastercoins serve as the binding between bitcoins (BTC), smart properties and smart contracts created on top of the Mastercoin Protocol. Non-geek cyber-business rules OK…

Similar Alt-coins but both the same (going after the business side) in a way but these seem to be a new wave of Bitcoin 1.0 off shoots. Now NameCoin and Trusted coin are on a different course, since they are more into the digital Notary service that can be done with any blockchain type Bitcoin off shoot. And LiteCoin 84 Million -versus- 21 Million in Bitcoins another fight but of a different financial play on this alt-coin. LiteCoin is around $10 bucks Per so we have to keep an I on them too.

Once again these another development are being built on the shoulder of the great Satoshi Nakamoto work. GaTo as a technologist love all these new and exciting toys to play with. Then I think about the Segway Bike I alway wanted one but then again really, I’m I really ready to give up walking? Back in 2001 it was so cool, it was the evolution of the bicycle or was it???

13 years later this evolution the revolution of the bicycle is seem by most as the Mall Police ride by. Ok maybe in Seattle or San Francisco I can see that but really. Now Bicycle Cops are everywhere but real cops on a Serway Bike – you know maybe I don’t really want one anymore. But I wonder if I can buy one with Bitcoins? ummm

DogE-Coin is hot with the young bloods as a NEW digital currency that’s taking Reddit and other places by storm- I know gAtOCoin, maybe I’ll start one of my own, there only about 500 Alt-Coins around and growing all built on the Bitcoin core code. Bitcoin is only 5 Years Old -Wow- Imagine in another 3-5 years // world wide currencies all over doing different things creating the NEW Cyber-System D-(system) that no government can controls, of the people and by the people. Double -Wow

gAtO’s bet is on Bitcoin, simple it has payed it’s dues, from an underground play toy to International financial deals like flying to the Moon on Virgin Air, I wonder if I can buy that with Litecoins- you listening Richard Branson I’m mining Namecoin too Richard.

The new Bitcoin business Investors and Incubators are hopping with new Bitcoin 2.0 ideas, but is it different if it’s control by the users, not the sole players like the bankers and older financial players. But truth be told these will bring newer workable solutions that will trickle down to the normal person. We must be careful because these new worldwide cyber solution will have little government controls so the game is changing and the ability to jump on this but NOT to give up privacy with government toys like TPM – Trusted Computer Platform – yes July 2015 all Windows 8 devices will have TPM 2.0 in control of your devices. The US solution cyber Kill Switch.

AT least Apple has not added TPM into it’s hardware but they banned against Bitcoin -Steve told you to Innovate Apple- But that’s another battle.

You can trust your government spying on you IF you have nothing to hide RIGHT!!! - gAtO oUt

Digital System D-

System D is a slang phrase pirated from French-speaking Africa and the Caribbean. The French have a word that they often use to describe particularly effective and motivated people. They call them débrouillards. To say a man is a débrouillard is to tell people how resourceful and ingenious he is. The former French colonies have sculpted this word to their own social and economic reality. They say that inventive, self-starting, entrepreneurial merchants who are doing business on their own, without registering or being regulated by the bureaucracy and, for the most part, without paying taxes, are part of “l’economie de la débrouillardise.” Or, sweetened for street use, “Systeme D.” This essentially translates as the ingenuity economy, the economy of improvisation and self-reliance, the do-it-yourself, or DIY, economy.

 

10/30/12

What is Digital Currency:

What is fiat currency:  — Fiat money is money that derives its value from government regulation or law.  —

What is Currency: —  In economics, currency is a generally accepted medium of exchange. –

What is Digital Currency: – 

gAtO cOnFuSeD - with the above definition currency and fiat currency it’s a bit confusing were does Digital currency fit in. I think it’s how you look at it – Today we have Internet banks – that would be digital currency because it’s only in digital form – We also have PayPal one of the leaders in digital currency but both are tied to fiat currency- a government. 

Now when you add E-gold, Liberty Reserves, Pencunix or WebMoney these are a mix of traditional fiat and plain old fashion currency – But when you add BitCoin well that throws a shoe into the jet engine. You see unlike e-gold Bitcoin is not tied to real gold. Bitcoin is defined as a currency but not fiat and that’s the part that really hurts governments and bankers.

I know gAtO is lOcO but it seems that every time a digital currency like e-gold get’s close even when they try to do it right – the good guy’s (governments) come in and stomp on it till it’s a puddle of mud in the ground, next digital currency come on in– get in line, next… Ok e-gold made it too easy to get an account and the bad guy’s got hip to it and ruined it for everyone but the FBI was out to get e-gold from the start. We just can’t have joe-blow in a basement with a e-gold account and the IRS, TAX people not wanting a piece of that action.

Bitcoins are being blamed as EVIL – but Swiss Banks account, Bermuda Shell Games, Luxemboug Shelter, The Cayman Cash or IRA tax-free, tax-exempt, lower Tax rates- tax-free trust – there are all kinds of tricks for the bankers to shelter their money. To hide it they know all the tax codes, all the regulations…and they are very happy.

If we go to Bitcoin or a version of a digital currency that has no -governments, no bankers, and no printing press to go Bitcoin printing making Happy—/ every ounce of pressure will be put on every new digital currencies that do not tie to the BANKS…. they will not allow it.. Who are THEY…you know??? -next Digital Money Laundry -gAtO oUt

09/22/12

Hacking the Credit Card Code

gAtO wAs- surfing around and found this information targeted at future cyber gAtIcOs- These are the basic tricks that the bad guy’s are using to game the system. and they share this basic information to help other stupid wanna-bee bad guys. TRUST but VERIFY – be a critical reader and remember that this comes from bad guy’s always trying to trick you. I checked out most of the LINKS and deleted any ones I though may be bad. Some of this is a bullshit, some stupid  and some is real from what I can tell – enjoy–gATO oUt  

for educational PURPOSES ONLY. – how the Cyber Criminals are using the system for cyber-money laundering. 

Cracking The Credit Card Code

Credit Cards 2 BTC-Bitcoin – BTC-Bitcoin 2 Credit Cards

 

Wasn’t quite sure where to put this, but I decided I’d share some information on the actual code of a credit card.

In reading this you will be able to interpret credit card codes efficiently and actually be able to learn about the card itself. This is all simply by knowing the 16 digits on the front of a card.

The first digit of a card is called the Major Industry Identifier (MII). It designates the category of the entity which issued to card. This is useful in finding what exactly the card is for.

1 and 2 are Airlines,

3 is Travel and Entertainment

4 and 5 are Banking and Financial

6 is Merchandizing and Banking

7 is Petroleum

8 is Telecommunications

9 is a National assignment

The first 6 digits are the Issuer Identification Number (IIN). It will identify the institution that issued the card.

Visa: 4xxxxx

Mastercard: 51xxxx – 55xxxx

Discover: 6011xx, 644xxx, 65xxxx

Amex: 34xxxx, 37xxxx

Cards can be looked up by their IIN. A card that starts with 376211 is a Singapore Airlines Krisflyer American Express Gold Card. 529962 designates a pre-paid Much-Music MasterCard.
The 7th and following digits, excluding the final digit, are the person’s account number. This leaves a trillion possible combinations.

The final digit is the check digit or checksum. It is used to validate the credit card number using the Luhn algorithm

How to use this information to validate a credit card with your brain:

Take the below number (or any credit card number)

4417 1234 5678 9113

Now, double every other digit from the right

(4×2, 1×2, 1×2, 3×2, 5×2, 7×2, 9×2, 1×2)

Add these new digits to the undoubled ones (4, 7, 2, 4, 6, 8, 1, 3)

All double digit numbers are added as a sum of their digits, so 14 becomes 1+4.

8+4+2+7+2+2+6+4+1+0+6+1+4+8+1+8+1+2+3 = 70

If the final sum is divisible by 10, then the credit card number is valid.

If it’s not divisible by 10, the number is invalid or fake.

In this case, 70 is divisible by 10, so the credit card number is indeed valid. This works with every credit card and opens many ideas to the mind.

 

Credit Cards to BTC-Bitcoin

These are methods that have been discussed on HackBB for cashing CCs into bitcoins. Before I continue let me get this out of the way. No you can not cash your CVV directly into bitcoins. Exchangers know the risk involved in accepting reversible credit for non-reversible currency, and the few that have ever accepted direct CC payments were scammed out of business. There are ways around this issue..

CC -> SLL -> BTC

Editors Note:

VirWox wised up to this method and started forcing users to validate their SL avatars..

http://clsvtzwzdgzkjda7.onion/viewtopic.php?f=49&t=1836

Thought I’d tidy this up a bit with a noob-friendly tutorial on how to buy bitcoins with a CVV through VirWox.

What you will need.

  • Valid CVV (any country will do)
  • Clean Socks5 proxy as close as possible to cardholder’s address
  • Good DNS setup

Ok lets get started.

You’ll need an email account. Go create a new one at yahoo/gmail/whatever…..doesn’t matter which (i wouldn’t use tormail for this……too much of a flag).

Go to https://www.virwox.com/, and create a new account using the email you just set up and the name on the CVV. Just make up a fake SL avatar – you don’t need to validate it.

You will then have to confirm your new account by retrieving the temp password from your email.

First thing to do in Virwox is change your password in the “Change Settings” tab on the left.
Now we’re ready to do some carding. Click “deposit” and scroll down to the Skrill(moneybookers) option. Then enter the max amount for the currency of your card (currently $56 for USA cards) and click the moneybookers logo.

If you have NoScript installed you will have to temporarily allow all this page. Enter the details you have for the CVV and make up a fake date of birth if you dont have a genuine one.

If all goes well, you will then be taken back to the main page with your USD/EUR/GBP balance filled.

On the “exchange” menu left of screen choose USD/SLL to convert to Linden $s, then BTC/SLL to convert to bitcoin.

Now withdraw.

Easy Profit.

Note:

  • Typically Virwox hold funds for 48 hours before releasing.
  • You can process payments a total of 3 times with each card…..one transaction every 24hours.

CC -> Moneygram -> BTC

If you have fulls (ssn, dob, etc) you can try cashing out through moneygram. To do this just go to site and sign up for an account under the cardholders name. Be sure to chain a regional socks5 with your Tor connection so you appear to be from the same country that the cardholder is in [4]. Select Same Day service. It will prompt you for the card details, dob, and the last 4 digits of the ssn. I would suggest running this name through a background check (any background search site will do) in case you have to answer a security question to send the funds over. Don’t try to send over too much. If you accidentally go over the limit or try to send a suspicious amount you risk flagging the account. No more than $300 from each CC. If everything goes smoothly you can try exchanging through https://wm-center.com for bitcoins. You can find more information on WM-Center here: https://en.bitcoin.it/wiki/WM-Center

CC -> Forex -> BTC

The process is actually really simple. I was surprised to find the site. Kinda found it by accident actually.

Site: http://www.rationalfx.com

Using a foreign currency exchange site to change money on a credit card into a foreign currency and to wire transfer the money into a bank account.

In this case, the bank account is at https://mtgox.com

The process goes as follows:

  • Make an email account anywhere.
  • Make an account at MtGox.
  • Make an account at rationalfx.com. (all account info in the name of the cc holder).
  • In rationalfx, add account details, addy, card number, MtGox wire info.
  • Make a transfer.

Process takes 3-5 business days… It turns a cc transaction into a wire transfer so it takes a couple days… (Note: in the interest of speed and not getting the transaction reversed, Monday/Tuesday is the best day to start the transaction)

Once the money is in MtGox, turn it into bitcoins as quickly as possible and move it into your other bit wallets. Wash the coins if necessary…

Easy huh?

Already pulled it off once. 400GBP through a MC without any issues. rationalfx does not seem to have any real safeguards in place. Tor works fine there (though it is best to use an exit node wherever your card holder lives).

When I was testing it first with a visa, it told me 3 times in a row that the transfer failed. I lowered the amount each time and tried again. After the 3rd time it went through but I didn’t have the Verified by Visa password so I couldn’t continue. BOTH Visa AND MC , it seems, will pop up with a verification thingy if its enabled on the card. (Usually US/UK cards)

Make sure when you deposit to MtGox, you include the account identification info for that spacific account. You can find it on the ‘funding options’ -> ‘Bank wire’ page… If you forget that info you wont get your money..
So there you have it. Its simple as pie.. This is not 100% of the info but ya’ll can figure out the rest..

I know ya’ll prolly wont but if you are feeling generous…

Hope you enjoy..

Cashing Methods

This is a collection of cashing techniques that have been discussed on HackBB. Keep in mind before you get started you will need to know how to chain a socks5 with Tor to avoid tripping a fraud filter [1].

Easy PP/CVV cashout

I will preface this by admitting that I may have something to gain since I sell the tools needed to make this work. My mind played connect the dots when reading the forum and checking my messages, and I realized it’s easy to cash out with a little investment and work ahead of time.

I can’t guarantee this will work, I never tried it. But I do understand the systems involved so I’m as confidant as I can be.

Everybody wants to know how to cash out. Well, that is easy, the hard part is getting away with it. Any fuckin moron can rob a bank, but it takes a genius to do it time and time again while leaving the investigators in a state of mental confusion akin to drinking mercury and pithing their brains with an icepick.

This is not a step-by-step. Google is your friend (unless you’re signed in). I don’t hold hands, if you can’t figure it out on your own from here, it’s not in your scope.

Ingredients:

  • EU paypal account
  • Fresh email.
  • Anon debit card
  • CVV’s
  • Balls

Ok, Open an EU paypal account from one of the countries below. You can use fakenamegenerator.com or whatever you want. Just make sure is is a merchant and not personal. There are 3 levels, go with the middle. Get an Anonymous debit card, and link it to the paypal, using the CC and not the bank. I know for sure that the bank wont work for US accounts, as it is a deposit only bank account number. Depending on the country and the country’s banking regs, paypal may or may not try to take back the verification amount they sent. Forget that.

Once the paypal and debit card are connected successfully, it is time to get your free money. I don’t know what language you are using in the EU paypal, but it goes something like this: Merchant tools–>Generate Paypal button. Alternatively, you can google “paypal but it now button” in quotes. Figure it out.

I hope to god you got a CVV by now, because that’s whats next. Using the code you got for the BIN button, go to http://htmlpreview.richiebrownlee.com/ Paste the code, click the button, and now you are at a paypal purchase page. Depending on where you are, and I haven’t figured this out yet, you may have an option to pay with CC. It used to be that with USA, you could pay with CC but not sign up. So make sure you have a USA CC. If you registered a simple personal account, paypal will ask buyers to sign up first, and you might as well stop there.

If you see the option to either sign up or pay with CC, you are GOLD.

The amount will be immediately available on the paypal you created. Now, just withdraw funds to the debit card. 3-5 days, it will be there. Go shopping. See the girl with the big titties? Buy her a drink. You win.

I cannot account for moneybookers, as I’ve never used it, but I imagine it would work the same way. To test with moneybookers, I suggest linking to a greendot card with a throw away account, since you need to verify SSN. That can be your legit moneybookers anyway.

Here is a list of countries that SUPPOSEDLY don’t need a VBA, only a CC:

Bulgaria

Chile

Cyprus

Estonia

Gibraltar

Iceland

Indonesia

Latvia

Liechtenstein

Lithuania

Italy

Israel

Liechtenstein

Luxembourg

Malaysia

Malta

Philippines

Poland

Romania

San Marino

Slovakia

Slovenia

Turkey

UAE

Uruguay

 

I’ll share with you a cashout method

I’ve been using square on my android to cash out cards… All I did was register with jingit com and apply for their visa debit card… I do it this was cause I just watch some ads until I make $2.00 which is the fee for the card… once the card arrives you’ll get an account # and routing # as if it were a checkings account. (when you apply for the jingit card make sure you match FB’s DOB with jingit card on the application form)

now you register on squareup com and link it to the debit card acc. to verify the initial deposit they make don’t wait til you get the statement, call the # on the back of the card and you can get your transaction history over the phone. (I forgot you have to activate the card over the phone. this is why you need the SSN and DOB)

I only do this over open wifi and my android is not activated with any company. Also you must have location services enabled so don’t do it close to your home.

you don’t need the reader, you can charge cards manually entering the card info. you need at least the billing zipcode. transactions under $25 don’t require signature and you can skip the receipt.

I always get another prepaid card to swipe it when I use a new acc for the first time, I never start using an acc entering numbers manually… it’ll raise flags. don’t use your own card linked to your bank… that would be stupid

Beating the Online Casinos/Bookies (uk)
What you need

  • 2 machines, or an accomplice to play your dummy account.
  • UK non-3DS CVV
  • 50 GBP cash
  • Access to a William Hill shop

Create 1st account

Setup VM on system 1. I’m not going in to any great detail on how to do this as it’s covered elsewhere on the board. Use something like: Tor -> VM -> [UK]VPN / VPN1 -> VM -> [UK]VPN2.

Download the software and setup an account using either your genuine details, or some fictitious details from the local area of the shop you will be using. The deposit option you are interested in is “Quick Cash”

Off you go to a local William Hill shop to buy your Quick Cash voucher (say 50 GBP for this example). The shop prints 2 vouchers. One they keep which you will have to sign (in your fake name if you’ve used one), the other is given to you and contains the transaction code to enable you to deposit online.

Now either contact your accomplice who will play the other account or:

Create 2nd Account

Setup VM on system 2.

Download the software same as for Account 1, and this time setup the account using the details from your CVV. Deposit using CVV (eg 400 GBP).

Dumping Chips

Again, i’m not going into any great detail on this….if you don’t know how to play poker, then learn…fast. Become familiar with which hands tend to generate the largest pots (eg AA vs KK). 6-handed tables are a good choice (0.50/1 for these amounts).

Over the course of 1-2 hours, pass chips from Account 2 -> Account1, randomly losing some chips to the other players at the table. A reasonable target is for Account 1 to be +300.

Cashing out

Ok, you’re happy with your 300 profit. Click withdraw in the cashier, again choosing the “Quick Cash” option. Print off the voucher, then return to the shop where you were earlier in the day. Present the voucher, sign your name again to verify and walk out the shop 300 GBP richer for a few hours work.

Note: It’s probably not a great idea to use fictitious details if you use a shop in your own local area. No ID should be required for amount <500 GBP. If you’ve dumped chips with enough care, it’s almost impossible to prove you were involved in any fraudulent activity. You’ll have cash in your hand before anyone realizes any fraud has taken place, so no chance of freezing accounts.

Carding Online

Editors Note:

I edited out the “ATTAINING HIGHER LEVELS OF ANONYMITY” section due to it being

obviously wrong and changed the CC check link. Don’t add it in.

LEGAL TIDBITS

This FAQ is intended for educational PURPOSES ONLY.

THE BIG QUESTION: WHAT IS CARDING?

- Well, defined loosely, carding is the art of credit card manipulation to access goods or services by way of fraud. But dont let the “politically correct” definition of carding stop fool you, because carding is more than that. Much more.

Although different people card for different reasons, the motive is usually tied to money. Yea, handling a $9,000 plasma television in your hands and knowing that you didnt pay one red cent for it is definitely a rush.

But other factors contribute to your personal reason for carding. Many carders in the scene come from poor countries, such as Argentina, Pakistan, and Lebanon where $50 could mean a weeks pay, on a good day. Real carders (the one that have been in the scene the longest) seem to card for something more, however. The thrill of cc manipulation? The rush that the federalles could bust down your door at any minute? The defiance of knowing that everyday that you are walking among the public is another day that you have gotten away with a federal crime?

Whatever your persona reason for carding is, this tutorial should answer a few noobie questions and take the guessing out of the entire carding game. The resources and techniques mentioned in this tutorial are NOT, I repeat, NOT the only methods of carding. Experience in carding is key. You have to practice your own methods and try out new techniques in carding to really get a system that works for you. This tutorial is meant to get you on your way.

THE BASICS: WHAT DO I NEED AND WHERE DO I GET IT?

Credit Cards: Yes, CCZ.

“do you have any ccz” “where can I hack CCZ” “where can I get a list of valid CCZ?”

You need money to make money. Plain and simple. Which means that the only way your gonna be able to get ccs if you have ABSOLUTELY NO MONEY is if you successfully rip a noobie with 100 cards (but what noobie has 100 cards?), if you have any background in database hacking, if you trade for your shit, or if you know someone that’s willing to give you ccz all day.

I know thats a discouraging statement to all of you, but we have to keep shit realistic. The easiest way to get ccz is to purchase them.

“but I can’t get a job/I don’t wanna work!”

Having a regular 9 to 5 job is not a bad idea in the carding scene. Not only will you have some sort of alliby to why you have all this expensive shit in your house, but you can also use the money (who cant nowadays) to pay bills. You cant card forever, and you cant sustain yourself by carding alone.

If you are REALLY strapped for cash, you have to go through the alternative: trade for your resources. you have to be resourceful in carding, meaning you have to use what you got. Got a psybnc admin account? Offer psybnc user for a cc or two. Got shells? roots? Can you make verification phone calls? just ask yourself “what do I have that might be valuable to someone else?” and work with that. It dosnt have to be big, it just has to get you a few cc’s in your palms.

Once you’ve run your first successful cc scam, DONT SPEND ALL YOUR EARNINGS. Save $200 and re-invest back into the carding community. head to SC and get better cards. If you have level 2 cards, I suggest carding C2it/Paypal and using that $$ to buy ccs. (successful C2it/PP scamming techniques will not be discussed in this tut, sorry)

To other minor pointers on rippers and legit sellers, please scroll down to “SELLERS, TRADERS, AND RIPPERS, OH MY!”

“where can I check my CCZ?”

Knowing wether your cc is valid or not is really important for saving some time and energy. you can check them under http://www.soundcloud.com

The idea way for checking ccz is through an online merchant (authorize.net, linkpintcentral.) These merchants can verify cc amounts without charging your ccs. Good luck finding one. People on IRC want a ridiculous trade for These merchants (cvv lists, cash). So if you run accrosss a legit merc, dont give it out! even to your best buds! online mercs are gold in the world of carding.

Other methods for verifying cc amounts include registering your cc on an online bank. (You will need at least a level 2 card, level 3 for ATM cards). alot of online banks can give you limit, billing addy, ect ect but they require at least a level 2 cc (more info on ccz below)

CREDIT CARD FRAUD: INFORMATION IS KEY.

I want to make something clear right now. The secret to carding is not the number of cards you own, its what you can do with the cards. What do I mean by that? Simple.

Hypotherical situation: My name is Johnny and I have 3 ccs with SSN, DOB, CVV NUMBER, MMN, NAME, STREET ADDRESS, CITY, ZIP, AND BILLING TELEPHONE NUMBER. I have a friend named Billy. Billy has 300 CCCZ with CVV, MMN, NAME, STREET ADDRESS, CITY, ZIP, AND BILLING TEL. NUMBER. Whos more likely to successfully card something?

Simply put, I (Johnny) am. Why? Because I have more information that can prove that I am the person who owns this CC than Billy does with his 300 CCVZ. Does that mean Billy’s not gonna card anything? No, that just means Billy’s gonna have a hard time carding anything without verification.

So to sum up this lesson, you have to get information on your mark (the person that youre impersonating.) #1 rule in carding is: the more information you have on a person, the better chances you have for a successful transaction. Here is the information you’re looking for(note: the levels of a card is not a tehcnical carding term, I’ just used L1 L2 L3 to simplify shit throughout the tutorial.) :

NAME: ADDRESS: CITY: STATE: ZIP CODE: TEL. BILLING NUMBER: CARD NUMBER: CARD EXP DATE: CVV CODE:

(LEVEL 1: REGULAR CVV. If you have this much info, youve got yourself a regular cc. Nowadays you need this much info for carding ANYTHING worth mentioning. If you have any less than this information, you’re shit outta luck. :\)

Social Security Number (SSN): Date Of Birth (DOB): Mothers Maiden Name (MMN):

(LEVEL 2: (PARTIAL FULL-INFO) If you have this much info, your ccz are on another level. With this info, you should be able to card PayPal, C2IT, and other sites without too much of a hassle.)

BANK ACCOUNT NUMBER: ROUTING NUMBER: BANK NAME: BANK NUMBER: DRIVERS LICENSE NUMBER: PIN NUMBER (For CC or ATM card)

(LEVEL 3: (true full-info) If you have this info, youre cc is ready to card anything your heart desires)

Now if all you have is a regular cc, dont discourage. Just do some research and build your cards as much as possible:

First, go to whitepages.com and try to lookup your marks street address and phone number. Make sure it matches the info you have on your cc..

Last, but not least, take a quick look in ancestry.com. Ancestry.com is a bit of a pain, but you can lookup DOB and MMN (ie, if your marks name is anthony hawkins, his father is david hawkins and his mothers name is bella donna, Donna is the MMN)

So size up your cards and move on to the next lesson:

DROPS AND VERIFICATION TECHNIQUES:

The right drop is essential to your scamming needs. Finding legitamite drops inside and outside of the US is hard. Many people keep your shit and don’t send, or some people dont pick up the package at all! (theres nothing worse than watching your hard-earned laptop going back to the store because it was refused by the recepient)

If you live inside (or even outside) the USA, you’re better off scoping a drop out on your own. A drop is basically an empty home that looks to be inhabited. This is the shipping address you use for your carding needs. Your items should only picked up at night. As awlays, be sure to have a cover-story in case someone asks why youre snooping around an empty home. “I’m picking up a package for the person that used to live here” is a legit excuse. Or even “my father is the real-estate agent.” is good. Just keep in mind that if you order anything over $500, it will USUALLY need to be signed for, (this statement is based upon FEDEX/UPS policies. I’ve gotten feedback from people that state they have gotten their local UPS employee to drop merchandise worth 1k at thir doorstop using a note, but these are uncomfirmed rumours.) Wether youre willing to sit and wait all day on the doorsteps of your drop, or you rather leave the postman a note that says you’ll pick it up at the nearest postal station, its up to you. (Dont panic if you have to pick up a package at the station. When you walk in, you need to be calm so it dosent arise suspicion. If the clerk asks you to wait more than 3 minutes, PLEASE dont stand there waiting to get busted, tell him/her you have a prior engagement and quickly exit stage left. )

If you live outside the USA, youre just gonna have to trust someone. The easiest way to get a legit drop in the USA is to ask around for people that have had successful experiences with a drop. Most drops hold a 50/50 or “you card something you card me sommething” policy. If you’re talking so someone thats trying to cut themselves in to the deal “Ie yes, I know someone but you have to card me something too” just move on, they’re wasting your time.

Just a quick note, if you’re carding something like a plasma television, you’ll have better luck using a drop from the same state, changing the billing addy (you can change a billing addy with a level 2 card, youll need a L2 card for carding a plasma tv neways) and acting like you just moved. (have that mindset when you call in: I am (name of cardholder) and I just moved from (city a) to (city b)) Once you have the item in your possession, you SHOULD GUESS THAT YOUR DROP HAS BEEN FLAGGED. What does this mean? YOU SHOULD NOT – I REPEAT SHOULD NOT RETURN TO A DROP ONCE YOU’VE CARDED EXPENSIVE SHIT TO IT. Regardless of wether your drop is flagged or not, do you really want to take the chances?

The cellular phone: The anonymous cell phone is the carders sword. With it, you will make several calls to several companies using several names. You should keep this cellular phone for carding ONLY. (just in case you become confused and forget who youre talking to.) If you have a phone phreaking connection, youre a lucky SOB. For the rest of us, we gotta go out and get a pre-paid cellular phone. (a phone which dosent require much info to purchase and use.)

THE SITES: WHATS CARDABLE AND WHATS NOT?

Ok, so you got your ccs, your drop and youre as anonymous as you can make yourself. Now what sites are cardable? This is the easiest question I have to answer on this FAQ.

-ANY AND ALL SITES ARE CARDABLE- (THX CIA AND `Q_)

Why do I say that? because it’s true. Like I said in chapter two of this little tutorial, its not about how many cards you have, its what you can do with them. Alot of this has to do with your mindset as well.

If you have a card from Johnny Knoxville from Texas, you must be Johnny Knoxville from texas. Depending on the information that you have acquired from Johnny Knoxvile, you must convince merchants and I-stores that you A R E Johnny Knoxville.

When approaching these I-stores, you want to scope things out first. Ask yourself a few questions:

-whats their policy on different shipping address than billing addess?

If they have a “must call” policy, make sure to give them an anonymous number where you can be reached (have your anon cell phone ready for this.)

-do they accept other payments besides credit?

If they accept other payment methods, sometimes its easier to card with a different payment method. (Ive had more luck on Dell.com with online checks that I have with credit cards.)

Whatever you card, make sure that you have all your info prepped before carding it. If youre carding something over 1k, get on your anonymous celly and call up the banking institution of the person’s card youre holding. Make sure to let them know that youre making a purchase of a large limit, so they dont deny your card.

Know Thy Enemy: What the CC Payment Gateways Check for Fraud

These are the measures taken by CardPay which is a payment gateway to rate fraud. It wouldn’t be really hard to imagine that other gateways take the same measures. Although we all know the rules of thumbs, I thought it would be interesting to see what they *actually* measure to evaluate high risk of fraud. The amount of information that they actually collect is mind blowing.

Fraud Screening system of CardPay Inc. Payment gateway performs comprehensive analysis of transaction data, using several techniques simultaneously. Data from external systems used during screening process, also as internal transactions history and various lists.

Transaction passes through so called “pipeline”, consisting of following steps:

  • Rules system
  • Card and cardholder’s data analysis using automated fraud screening service
  • Multivariate regression analysis of in-house transactions database.
  • The above mentioned subsystems are described in more details in the following section.

Rules system: Fraud rules logic implemented in stored procedures by Oracle DBMS, which enables adding and modifying rules without service downtime. Before passing order through rules chain, additional information retrieved from MaxMind credit card fraud prevention service. MaxMind returns to gateway following data:

  • Cardholder located in high-risk country. At a moment following countries recognized as high risk: Egypt, Ghana, Indonesia, Lebanon, Macedonia, Morocco, Nigeria, Pakistan, Romania, Serbia and Montenegro, Ukraine, or Vietnam.
  • Whether country of IP address matches billing address country (mismatch = higher risk)
  • Country Code of the IP address
  • Distance from IP address to Billing Location in kilometers (large distance = higher risk)
  • Estimated State/Region of the IP address
  • Estimated City of the IP address
  • Estimated Latitude of the IP address
  • Estimated Longitude of the IP address
  • ISP of the IP address
  • Organization of the IP address
  • Whether IP address is behind an anonymous proxy(anonymous proxy = very high risk)
  • Likelihood of IP Address being an open proxy(transparent)
  • Whether e-mail is from free e-mail provider
  • Whether e-mail is in database of high risk e-mails
  • Whether usernameMD5 input is in database of high risk usernames.
  • Whether passwordMD5 input is in database of high risk passwords.
  • Whether country of issuing bank based on BIN number matches billing address country
  • Country Code of the bank which issued the credit card based on BIN number
  • Whether name of issuing bank matches entered BIN name. A return value of Yes provides a positive indication that cardholder is in possession of credit card
  • Name of the bank which issued the credit card based on BIN number
  • Whether customer service phone number matches BIN phone. A return value of Yes provides a positive indication that cardholder is in possession of credit card.
  • Customer service phone number listed on back of credit card.
  • Whether the customer phone number is in the billing zip code.
  • Whether shipping address is in database of known mail drops.
  • Whether billing city and state match ZIP code.
  • Whether shipping city and state match ZIP code.

After gathering of all data, rules in chain applies to order data sequentially, increasing or decreasing total fraud score.

Rules chain consists of following rules:

  • Cardholder country rating(global list)
  • Cardholder country rating(as set up by merchant)
  • Cardholders IP found in black lists
  • Cardholders IP range found in black list
  • Cardholders email found in merchants black list
  • Cardholders email found in global black list
  • Cardholders email found in forbidden email providers list
  • Card PAN doesnt present in global black list
  • Card PAN doesnt present in merchants black list
  • Cardholders address not in global black list
  • Cardholders address not in merchants black list
  • Order amount doesnt exceeds global purchase limit
  • Order amount doesnt exceeds local(merchant) purchase limit
  • Single PAN daily turnover doesnt exceeds global daily limit
  • Single PAN daily turnover doesnt exceeds local(merchant) daily limit
  • Billing address daily turnover doesnt exceeds global daily limit
  • Billing address daily turnover doesnt exceeds local(merchant) daily limit
  • PAN number brute force check
  • Expiry date brute force check
  • CVV brute force check

This is base rules set. Our fraud officer constantly monitors transaction flow and modifies existing rules and implements new ones to gain maximum fraud prevention efficiency.

Transaction history analysis(in-house service): After successful rules checking, transaction data verified against pool of existing transactions, enabling most accurate results and fraud decisions possible. If this routine detects no reasons to block further processing.

Transaction history analysis(external service): If in-house transaction history doesn’t shows signs of fraud, external database enters into business.

Online Verification Procedures
Over the years, I’ve come across dozens of procedure lists for top-tier merchants regarding online transations and fraud reduction. I’ll detail several companies verification procedures below.

While most virtual carders are aware of the various procedures in place to verify orders placed online, few actually understand the implementation of fraud scoring, and the order in which these verification methods are used.
The Risk Management Toolkit

  • AVS
  • CVV
  • IP/GEO/BIN
  • Cardholder Authentication (VbV/MSC)
  • Phone Verifications
  • Manual Order Reviews
  • Chargebacks & Representments
  • PCI Compliance & Data Security

 

AVS – Address Verification Service

How It Works

  • Provides a Match or Non-Match Result for only the Billing Street # and Billing Zip Code… not the actual address. (i.e. “1234 Test Street” is parsed into “1234” just the same as “1234 Wrong Way” would be).

Implementation

  • Available on any Internet merchant account and virtually any Payment Gateway.
  • Most gateways provide an AVS configuration area where you can specify whether you want to automatically“decline” (i.e. do not settle) an authorization that has an AVS mis-match or non-match.

Benefits

  • Easy to implement Limitations
  • Works only for U.S., CND, U.K. cardholders so this does not help you scrub most international transactions.
  • A growing % of compromised credit cards – especially those obtained through inside jobs or hacked databases– will also contain the necessary information to provide a valid AVS match result.

Recommendation

  • If you handle a mix of int’l and U.S. sales, you will want consider scrubbing with AVS on the U.S. transactions but do NOT scrub via AVS for any international transactions as they will always fail. AVS should not beconsidered a primary means of verifying the validity of a transaction. Nearly 20% of the fraud can potentially be eliminated by scrubbing “Non-Matched” AVS match results.

CVV – Card Verification Value

How It Works

  • A service with many names – CVV2, CVC2, CID – but the premise is the same for all.
  • Provides a Match or Non-Match Result for the 3-digit or 4-digit number embossed on the back of the cardholder’s card. The CVV is NOT generally encoded on the magnetic stripe and therefore is less likely to be captured as part of a card skimming tactic.

Implementation

  • Available on any Internet merchant account and virtually any Payment Gateway.
  • Most gateways provide an CVV configuration area where you can specify whether you want to automatically “decline” (i.e. do notsettle) an authorization that has an CVV non-match or non-entry.

Benefits

  • Works for virtually ALL cardholder accounts – both U.S. and international.
  • There is no valid reason why a legitimate cardholder, in possession of the card, would not be able to enter a 100% matching numberfor this.
  • Merchants are not allowed to store CVV and as such the CVV # is less vulnerable than the data used for AVS.

Limitations

  • CVV data can only be used for a real-time transaction. CVV data can not be stored and therefore can not be utilized for Recurring Transactions.

Recommendation

  • CVV is a recommended service to utilize for ALL initial transactions processed. Based on our internal charge-back analysis, merchants can reduce their fraud ratesby as much as 70% by simply requiring a matching CVV result.

IP/GEO/BIN Scrubbing

How It Works

  • Compares the IP address of the customer purchasing with their stated geographic location (i.e. why is the customer from California ordering from Europe?)
  • Compares the BIN # (first 6 digits) of the credit card with the IP or stated geographic location of the customer (i.e. the customer isusing an US-issued credit card but they are from Europe?)
  • Based on the IP and BIN # and other customer-inputted data, a vast amount of information can be returned on the transaction.

Implementation

  • Custom direct integration into a service such as MaxMind.com
  • Use an existing integration that is part of a Shopping Cart such as X-Cart, LiteCommerce, osCommerce, ZenCart,ASPDotNetStorefront.
  • Use an existing integration that is part of a Billing System such as WHMCompleteSolution, ClientExec or Ubersmith.

•Use an existing integration that is part of a Payment Gateway such as the Quantum Payment Gateway.

Benefits

  • Fast, Cost Effective and Non-Intrusive
  • Provides merchants with an excellent “do the pieces fit consistently?” analysis.
  • Can block up to 89% of all fraud if properly implemented

Limitations

  • Generally not reliable for AOL users due to the way that AOL routes its traffic (AOL users require a merchant-specific approach)
  • Proxy database is always in a real-time process of being updated as new proxies open up.

Recommendation

  • IP/GEO/BIN fraud scores should be used in the order evaluation process more as a means of flagging transactions as “high risk” formore intensive scrubbing vs. being an outright decline.

Examples of what IP Geo-Location can tell you:

YELLOW ALERTS

  • Free E-mail Address: is the user ordering from a free e-mail address?
  • Customer Phone #: does the customer phone # match the user’s billing location? (Only for U.S.)
  • BIN Country Match: does the BIN # from the card match the country the user states they are in?
  • BIN Issuing Bank Name: does the user’s inputted name for the bank match the database for that BIN?
  • BIN Phone Match: does the customer service phone # given by the user match the database for that BIN?

RED ALERTS

  • Country Match: does the country that the user is ordering from match where they state they are ordering from?
  • High Risk Country: is the user ordering from one of the designated high risk countries?
  • Anonymous Proxy & Proxy Score: what is the likelihood that the user is utilizing an anonymous proxy?
  • Carder E-mail: is the user ordering from an e-mail address that has been used for fraudulent orders?
  • High Risk Username/Passwords: is the user utilizing a username or password used previously for fraud?
  • Ship Forwarding Address: is the user specifying a known drop shipping address

IP/GEO/BIN Scrubbing (Continued)

Open/Anonymous Proxies: an open proxy is often a compromised “zombie” computer running a proxy service that was installed by a computer virus or hacker. The computer is then used to commit credit card fraud or other illegal activity. In some circumstances, an open proxy may be a legitimate anonymizing service that is simply recycling its IP addresses. Detecting anonymous proxies is always an on going battle as new ones pop up and may remain undetected for some time.

26% of orders placed with from open proxies on the MaxMind min Fraud service ended up being fraudulent. Extra verification steps are strongly recommended for any transaction originating from anopen/anonymous proxy.

High-Risk Countries: these are countries that have a disproportionate amount of fraudulent orders, specificallyEgypt, Ghana, Indonesia, Lebanon, Macedonia, Morocco,Nigeria, Pakistan, Romania, Serbia and Montenegro, Ukraine and Vietnam. 32% of orders placed through the MaxMind min Fraud service from high-risk countries were fraudulent. Extra verification steps should be required for any transaction originating from a high risk country.

Country Mismatch: this takes place when the IP geolocation country of the customer does not match their billing country. 21% of orders placed with a country mismatch on the MaxMind m******* service ended up being fraudulent. Extra verification steps are recommended for any transaction with a country mismatch.

Results that speak for themselves:

ChangeIP – is a DNS and domain name registration provider. The company provides free and custom Dynamic DNS services to more than 50,000 users. Before implementing MaxMind, ChangeIP was losing as much as $1,000 per month because it sold instantly delivered digital goods and could not recover the losses if the purchase turned out to be fraudulent. After implementing MaxMind, losses were reduced by 90%.

MeccaHosting – is a Web hosting company based in Colorado. Since integrating MaxMind, Mecca Hosting has not received a single chargeback. On average, 12-15 fraudulent orders pass through the in-house checks each month but are flagged by MaxMind. Over the last 5 months, this has saved MeccaHosting atleast 60 chargebacks and $6,000 in unnecessary costs.

Red Fox UK – is a Web hosting provider and software development company based in the UK which offers solutions for smalland medium sized businesses all over the world. By using MaxMind, Red Fox UK was able to increase its revenue by 4% while reducing its chargebacks by 90%.

365 Inc. – is a digital media and e-tailer specializing in soccer & rugby with a large international customer base that processes over 10,000 transactions per month. By integrating MaxMind, chargebacks were reduced byover 96% from more than $10,000 per month to less than $500 per month. At this point, most charge backs are general order disputes as opposed to fraud.

Whew. A lot of editing. I’ll post the remainder in a bit.

 

07/21/12

Anon iWot Team (Internet War On Terror)

gAtO see – a new twist on Anonymous – They are going after the money trail of terroristDahabshiil International Funds Transfer is their target. This team call’s itself  iWot -“Internet War On Terror” Now the reason gAtO looked carefully at this group is because #1 they are going after bankers –lulz– #2 this is a well though out plan to first show they have the real information before the big data bump. But there is more to this first announcement -

I kind of followed the data and when I saw – BAYD0009016 MOHAMED MURSAL SHEIK A/RAHMAN - this is Omar Abdel-Rahman also know as the Blind Sheikh – famed World Trade Center 1993 bombing. and tied to —  (Somali: Maxamed Mursal Sheikh Cabduraxman) is a former deputy district commissioner and Minister of National Assets and Procurement of Somalia -  Well this posting has got my attention.

This list also has CHILDREN’S VIILLAGES of SOMALIA and some other innocent looking people. After looking at some of the names and email and google a few —> this one is real there are some real terrorist on this list. These guy’s have a little class and I like that in a hacktivist. I will have to keep and eye out for this groups they have interesting lulz -gAtO oUt

This new paste  -http://pastebin.com/VqrSV5bG

Untitled

BY: A GUEST ON JUL 19TH, 2012  |  SYNTAX: NONE  |  SIZE: 11.12 KB  |  HITS: 739  |  EXPIRES: NEVER

After years of offensive hacking against many companies, governments, etc, we [Anonymous], decided to share data related to an internal confidential project from multiple l33t hackers worldwide. We called that “iWot“, meaning “Internet War On Terror“.

Though we will never forget what happened with Megaupload, Pirate Bay, Sopa, friends, etc, our sub-branch of the Anonymous was created with trusted hackers, to follow a specific goal. This email will be the first from us. Thanks to spread our words

We officially declare War on Terror. This is a call for actions of monitoring and/or destruction of companies and institutions that do work with terrorists, rogue countries, etc.

We already broke the security of multiple networks on earth. Each time we will be able to control them, and to steal data, we will then publish our documents on the net, or share them directly to people involved with Newspapers, Justice, etc, worldwide. Some documents, about some banks working with rogue countries, were already shared to some email addresses. And we are quite happy to see that the truth is on its way.. sometimes..

As some of us already explained, we are not a terrorist organization. It’s just that we are fed-up with the fact that our society is loosing time. So we just decided to speed-up actions against terrorists and their friends. We will first try to eradicate the sources of terrorist financing. It is not possible to know at this time the precise scope or the duration of our actions to counter terrorist threats linked to Internet.

Today, as a proof of concept, we will share information about a really evil bank, hiding ugly activities with terrorists. It’s called “Dahabshiil“, an international funds transfer company. Their networks have been broken by different hackers teams for many years. And it’s time for us to share information here in this mail.

Thanks to Wikileaks, secret documents related to Guantanamo detainees publicly explained part of the truth about Dahabshiil. A veteran extremist and a probable associate of Usama Bin Laden, provided direct financial support to Al-Qaeda, Al-Wafa and other terrorist and terrorist support entities through the Somalia-based company Dahabshiil. This bank is currently helping Al-Qaeda, including members of Al-Shabaab.

Despite the fact that the CEO of Dahabshiil tried to get rid of some people, and sometimes people from its own family, this will not be enough for us. We have stolen many many many documents from Dahabshiil. We have destroyed many workstations in Australia, Kenya, USA, UK, Sweden, Somalia, Dubai, Djibouti, etc. We can transfer money from accounts to accounts, despite the stupid security with tokens, passwords, etc. We have modified Windows kernel on many servers and workstations. We have added different kind of cyber-bombs hidden on many workstations and servers. We have powned switches, routers, firewalls, satellite stuff from Telco, etc.

As Dahabshiil members might think we are lying, we have to share data. Feel free to download and copy the data before everything get destroyed, as it’s totally illegal. And now, if Dahabshiil members were unable to understand why the network sometimes crashed, the computers sometimes died, data from internal servers sometimes died, etc, do not search. It was just our actions against you, with people from our team. As an example, we recently destroyed data on the internal LAN in Somaliland, from the Dahabshiil Headquarters (Hargeisa, etc). That’s why you guys, lost Gigs of internal sensitive data on main servers like \\Dahabshiil7, \\Dahabshiil6…

By the way, we also found out that many employees were looking at facebook stuff, personal email, and tons of incredible hardcore porn web sites especially in countries from the Arabian Peninsula, and from the bank (not at home). Also, the password of the account Administrator of the internal LAN in Somaliland, was mainly “Dahab1234″. Awesome. This is how they protect data of their customers. Quite a serious bank. As we have remote 0days against some of their tools, we easily took the control of any workstations there. Then we bounced and bounced, in order to explore this bank. Hopefully, we were a huge number of hackers at the same time, and during months, which helped at stealing sensitive data, spying on end-users and banking transactions, etc. After months and months of fun against these guys who support Terror on earth, we just decided that it was time to destroy them.

This was just the beginning… and just a proof. So from now, dear Dahabshiil members and customers, you can expect a global internal destruction in less than 2 months. You can keep on asking external consultants, even in Europe, about how to install Antivirus, Firewalls, NAC, IPS, Waf, etc. But we will still destroy your networks, steal your data, and sometimes share internal stuff to the public. This is called a sabotage… We had first to be sure that you could not get rid of our offensive tools. That’s why we used two layers of tools. Skilled stuff (with kernel 0dd modifications, etc), and easy tricks (to annoy and to play with your network/data). Now it’s ready. The bombs will kill your networks and your data in less than 2 months. You can also backup the poor data that you still have, but we also infected random Office/PDF documents left, so you’ll just backup some of our bombs, and your network will still die.

If you want us to immediately stop this cyber-sabotage, it’s quite easy. We just ask you to stop lying, to recognize your help with Somalia terror, and to officially change your behavior. We need a public message from you, as a proof. As you might have seen, public excuses of far more bigger banks than Dahabshiil, were done recently, from people who worked with rogue countries, etc. So, we just ask you to do do the same and to change. We will monitor you, as we already made these years. You have 2 months. Maximum. If we see that you are still asking for help against us, to your supposed-to-be IT Security consultants (UK, etc), or if we see that you are trying to clean our stuff in your kernels, etc, we will then launch the cyber-bombs before the 2 months. You don’t have the choice. You have to submit. You have to leave this world of hate, this world of slaughters, this world of killers, and to leave terrorists behind you.

Of course you needed money. Of course most of your employees/customers are not terrorists. Of course most of your employees/customers didn’t know your links with Terror. Of course someone else would have done this in your place. Of course our offensive actions are totally illegal (like yours when you support Terror). But according to us, these reasons are not good reasons. The countdown is already running. It’s too late. You have the choice between living, or dying with honors in the family of people who helped terrorists. You will be our first public example of cyber-destruction, as others already changed their minds. Be smart. Choose life.

And now a message to Dahabshiil customers: if you have money in this bank, if you are a customer of this bank, if you use this bank to transfer money from a country to another, and even if you are not a terrorist, we will let you less than 2 months before we either publish your personal information (passport, ID card, postal address, phone, email, etc), or we destroy your account by moving your money elsewhere, which will not be complex. As an example, we already shared this kind of information, as a proof of capability. Less than 2 months. After that, don’t cry if you lost your money at Dahabshiil, even if they told your that everything was under control (lulz), that they were able to clean their systems (lulz), etc. So, just take your money out of Dahabshiil now (!), and leave them behind you, before the destruction of this unofficial financial support for terrorists. First casualty of war is innocence. Be smart. Choose life.

And now a message to people in the same situation than Dahabshiil: If you are working with terrorists, if you are helping them, if you are linked to them, we will find you, and you will also be destroyed by our cyber-team, sooner or later. There is no place for you on earth. No place for you on Internet. No place for hate. Make love. Make kids. Be smart. Choose life.

We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us

Anon iWot Team (Internet War On Terror)

Bonus: This is really sad to see that some companies helped Dahabshiil after our intrusions (sometimes from Europe, etc). We won’t reveal the names of these IT Security workers, cause we understood that they just wanted to make money. But, as a last advice for them and their family, thanks to think twice the next time you will help Dahabshiil and terrorists. You are helping people who helped Al-Qaeda, like many other unscrupulous Islamic banks that helped at laundering kind of donations. We know you. You are not anon anymore. *We are Anonymous.*

Credits: though we will hide the identity of the people who helped us, we will at least share our thanks to their organizations, for those who accepted it. So, many many thanks to people from Iomart (!), from Vizada and from Somtel. Some of them accepted to share technical stuff (passwords, remote access, etc) as they do follow our spirit and our values against Terror. *We are legion.*

Contacts: no need to answer to this email address, as it’s not ours. If you want to meet us, as always we’ll be at Defcon soon, and we hope that there will be a special prize for Dahabshiil, though it’s a bit late to propose them to the Powney Awards. We do believe that being an international bank, with really lame security, fake official answers, and real links with terrorists to kill people in Africa, Europe or America (Al-Qaeda), should bring them to a special prize. They deserve it. *We do not forget.*

Future: if you want to participate, just share your thoughts or ideas of targets on Internet with the official related proofs showing links with terrorists. Like any skilled hackers, we can have remote access anywhere on earth (gov, telco, comp, etc) as the current IT Security community is just selling dreams and fake products. If you like our values, thanks to support Anonymous iWot (internet War on terror) and put tags like #anoniwot2012 so that we can find your list of targets, your messages, your help, your ideas, etc. You cannot contact us directly, so, please shout enough so that we can hear you. You can just share message to our teams on public spaces, and we’ll read them. Before that, if you enjoyed our specific actions against terrorists in Somalia, thanks to really show your support about this Somaleaks operation, with the tag #somaleaks and just wait, as many other places might burn sooner or later. *Expect us.* –DATA Dump  http://www.animegist.com/old//Somaleaks/

06/25/12

System D- Bitcoin’s Underground Economy

bitcoins - system D gatomalo2

In Crypto-curency we trust. – I hate math but I like money – mAyBe sI-nO

gATO wAs- reading Forbes -Jon Matonis article about the shadow economy and bitcoins. The Bitcoin market is $10 Trillion and growing the crypto-currency is surpassing everyones imagination and why is that. System D is the answer, what is System D? It is a shorthand term that refers to a manner of responding to challenges that requires one to have the ability to think fast, to adapt, and to improvise when getting a job done. This can be applied to hackers, Anonymous, hacktivist and of course the Tor-Onion network.  They are all System D and growing because of it.

System D is a slang phrase pirated from French-speaking Africa and the Caribbean. The French have a word that they often use to describe particularly effective and motivated people. They call them débrouillards. To say a man is a débrouillard is to tell people how resourceful and ingenious he is. The former French colonies have sculpted this word to their own social and economic reality. They say that inventive, self-starting, entrepreneurial merchants who are doing business on their own, without registering or being regulated by the bureaucracy and, for the most part, without paying taxes, are part of “l’economie de la débrouillardise.” Or, sweetened for street use, “Systeme D.” This essentially translates as the ingenuity economy, the economy of improvisation and self-reliance, the do-it-yourself, or DIY, economy.

Essentially, bitcoin is the ‘System D’ of currencies — global, decentralized, and non-state sanctioned. In todays world were Greece, Spain and the U.S economy are falling apart we now have a currency that is not controlled by one governments it’s control by the people, and the powers that be the bankers are really pissed off.  This is why the “deep dark web” is being vilified. You hear about Silk Roads selling drugs and all kind of scary thing but in reality the black market is only a small portion of the dark web, but Bitcoins are a big part in it’s e-commerce and it’s not traceable that the bad part and the good part. You at home can set up a Bitcoin miner on your computer and start mining Bitcoins at home with a spare computer. It’s like a solar power cell on your roof top, or a windmill you can be in control of things again.

But the real issue is control! The bankers have no control of this new emerging economy. The 1% fear that if we the people start using this new currency we will diminish their power, their wealth and they can’t have that. Bitcoins are barley 3 years old and you hear everywhere that only criminals use it, it’s part of the bad guy’s and another fact that escapes people since it’s a crypto thing and we are talking about MATH they can only generate bit coins till 2030 so this is not the solution for a currency but at least we know where the end lies and we can make it better when nobody is in control.

History tell’s us that the robber (banker) barons use the same trick to spread rumors and crash the stock market in the early 1920, then they put in laws to get every one to sell their gold so they control it. We did have a currency based on Gold but they wanted this power and they payed the politicians off and got all our gold. Now they see this new currency and since it’s not under their control they want you to think it’s a bad thing.

Now a $10 Trillion dollar market will get these bankers up and ready for bear if they want to keep their power based and scaring the masses will not work when you can buy Bitcoins at any 7/11 or WallMart you can see that smart merchants are now accepting Bitcoins for the goods and services these early adopters will see themselves grow financially and hedge their bets on what is a winning worldwide currency. Governments will also go after this new markets because bankers have politicians in their pockets but this tidal wave of the new fiat currency will become de-facto very soon. Just in the last few months it has gone from $4.25 USD to today 6/25/2012 $6.28 according to mtgox.com one of the new traders in this new economy. That’s about about a %30 percent increase—/ now that’s a better rate than anyone can give you on your investmentCa$hing -mEoW- mEoW gAtO lIke that….//

So what does it mean to the average person well if you have Bitcoins in your portfolio you will make a killing as Bitcoins are expected to go to almost $30 USD by Christmas time 2012. gAtO predicts maybe $20-25 by the end of year but I lost my tail in the stock market in 2008 what do I know. Well I know that In that time frame I had no control of the market and today because I am active in this field of Cyberspace and cryptology I can see the patterns and I trust Bitcoins better than USD or EUROs. ViVa System D: – gAtO oUt

Read more Forbes -Could Bitcoin Become the Currency of System D?http://www.forbes.com/sites/jonmatonis/2012/03/19/could-bitcoin-become-the-currency-of-system-d/
06/24/12

Government -vs- Bitcoin Anonymity

Recently, there has been a surge of media attention on the Silk Road market, which connects sellers and buyers of illegal drugs and uses Bitcoin as a means of payment. Naturally, part of this attention is attention from government, and the government has every incentive to try as hard as possible to bring Silk Road down. “Never before has a website so brazenly peddled illegal drugs online,” a senator intent on cracking down on Silk Road said, and it is true. Silk Road’s website looks like a legitimate, professionally done E-bay like service, and represents a move away from black markets in the shadows to blatant agorism - acting as if the government itself is illegitimate. Why is Silk Road so much more brazen than before? The simple reason is – because it can. Before, the weakest link in a drug transaction was payment – either a physical meeting (risky), a credit card or Paypal transfer (easily traced to physical identity) or a mail cash transfer (requires too much trust) was necessary, so participants in the drug economy had to rely on security through obscurity, keeping their websites and forums known to few, to avoid detection. Now, however, physical delivery is the only weak link, so although the security is not perfect the internet side of the transaction is, in theory, almost completely anonymous.

In order for anonymous transactions to be possible through Bitcoin, however, a mixing system must be used. There are two types of mixing systems: those secure against attack from people viewing the public transaction block, like Bitcoin Laundry and those secure against attack from the mixing system itself, like Open Transactions. The first work in something similar to the following:

  1. Alice wants to transfer 10 BTC to Bob. Alice deposits 10 BTC into the system, and gets a 10 BTC balance within the system.
  2. Alice gives Bob her one-time account key.
  3. Bob withdraws 10 BTC, but the coins come not from Alice but from some other people who had deposited 10 BTC earlier. Thus, there is no chain from Alice to Bob in the public transaction log.

In BitcoinLaundry in particular, steps 2 and 3 happen internally and automatically, so Alice directly sends coins to Bob’s address without Bob participating in the process. The problem is that the mixing system knows that the key Alice got and the key Bob used are the same, or related, and thus knows that Alice transfetted money to Bob. Law enforcement agencies could potentially set up mixing systems as honeypots. The systems of the second type work in the following way:

  1. Alice deposits 10 BTC into the system, and sends an encrypted certificate to be blind signed. Blind signatures are a way that allows the bank to sign the certificate without knowing what the message signed or even the signature itself looks like; a more detailed description can be found here.
  2. The bank sends the blind signed certificate back to Alice. Alice decrypts the blind signed certificate and gets a normal signed certificate. She sends this to Bob.
  3. Bob sends the certificate to the bank, the bank verifies it and withdraws 10 BTC.

The advantage here is that the bank has no way of linking Alice’s certificate to Bob’s certificate even though it can tell that the certificate is legitimate. A useful real-world analogy is the one used in the name “blind signature”: Alice creates a piece of paper with some text on it, blindfolds the bank, the bank signs the paper blindfolded, then Alice gives the paper to Bob, the bank takes off its blindfold and verifies the signature. The bank does not know who the certificate that Bob provided came from, but it can recognize the signature as its own. This is still vulnerable to statistical attacks – if Alice deposits 13500 BTC into one of these systems and Bob withdraws 13500 BTC, then it is obvious that Alice and Bob made a transaction with each other. There are further ways of masking this – one is using “clean” coins to send as a payment; a 400 BTC donation to hacker group LulzSec (press release here) was done this way and is completely untraceable; another way is splitting up the transaction, sending it to many different addresses belonging to Bob, but no matter what (unless you have freshly minted coins, which will not exist in significant quantities forever) there is still substantial information leakage, so Bitcoin’s Jeff Garzik cautions: “Attempting major illicit transactions with bitcoin, given existing statistical analysis techniques deployed in the field by law enforcement, is pretty damned dumb.” Minor illicit transactions, on the other hand, are easy to hide, and the sales currently made on Silk Road are almost all below 10 BTC.

Silk Road itself uses an internal mixing system of the first type, so it does have the weakness that users must trust it. The fact that the system is internal is itself a weakness: even if one cannot tell which drug someone bought, the fact that someone bought something off of Silk Road is easier to deduce, although there is always plausible deniability, since some legal products are sold there. Silk Road promises to delete the physical address of the buyer as soon as the transaction is complete, but there is no way to prove this. Because of this trust, it is a good idea for Silk Road users to use their own anonymity protection in addition to Silk Road’s: using another bitcoin mixer, like BitcoinLaundry or using a bank as a mixer, like MyBitcoin, adds a layer of obfuscation to the transaction, and use of post boxes under fake IDs or someone else’s house is often advised on Silk Road forums.

The de facto anonymity of Bitcoin can be increased by frequent use of mixers, and it is important to note that many types of services can be used as mixers: bitcoin accounts like MyBitcoin, Bitcoin poker sites and witcoin, no matter what their purpose, can be used. A startup promising Bitcoin debit cards and Bitbillsoffer the option to buy bitcoins anonymously physically, once again removing all traces of where they came from. As services like these are integrated into the Bitcoin economy, it may ultimately become impossible for investigators to see where coins came from more than 4 or 5 transactions back.

The senators’ attack against Silk Road does have serious consequences for the Bitcoin economy, since the price of Bitcoin would likely fall considerably without Silk Road users’ demand for the currency, but the government’s focus seems to be on Silk Road itself, not Bitcoin. Looking at some of Charles Schumer’s comments in this article, there is a lot of anger toward the brazenness of Silk Road, but no desire to attack the Bitcoin that is behind it. Senator Charles Schumerrecognizes that Bitcoin is “an online form of money laundering used to disguise the source of money, and to disguise who’s both selling and buying the drug”, but it is not, for now, the focus. Schumer clearly does not see Bitcoin as being of prime importance in allowing internet drug users’ blatantness to reach the level that it did, although his opinion should not necessarily be taken seriously: like most government officials, Schumer is not an expert in internet technological issues, since he advocated (see last paragraph) seizing Silk Road’s domain name, even though Silk Road currently does not even use a domain name and operates only as a .onion hidden service visible on the Tor network. The DEA, upon investigating, may turn government eyes toward Bitcoin, but this will take some time. It is important to note that some parts of the government are already aware of Bitcoin: Gavin’s speech to the CIA on Bitcoin is due to take place on June 14. Given that Gavin received the invitation to speak as early as April, the CIA has known about Bitcoin for some time and is not interested in a direct attack on it, and they will not change their course of action until they review Gavin’s comments at the conference. Whatever the response against Silk Road may be, for at least a couple of weeks Bitcoin is safe.

 read more –> http://bitcoinweekly.com
06/24/12

underground Financial Networks

gATO wanted-  to find out more about the underground financial network and these are some of my findings. Once again it from the black underground so little kittens ( gAtIcO’s) do not try this at home - gAtO oUt

Reloadable Debit Cards - Basics

Greendot and other Reloadable debit cards can be used in an attempt to allow for anonymous financial transfer between customers and vendors. Vendors need to cash money out. They can accomplish this by setting up Greendot cards with stolen identities and getting them shipped to mail boxes set up with fake identification cards. Customers need to load money in. They can do this by going to any store that sells Greendot reload

Summer is here so plant your money garden – mAyBe -sI -nO

paks. Customers merely hand the clerk some cash and in return get a cardboard card with a load number on it. The customer can transfer this load number to the vendor via an encrypted and anonymous channel. The vendor then applies the loaded funds to the card via the internet. The loaded funds can then be cashed out at an ATM.

Security

These cards should be viewed as financial networks. The financial information consists of the traffic and the cards are the nodes. Reloadable debit card networks have a high degree of cross network contamination. One additional network involved is the mail system, the vendor is required to have the card shipped to a physical mail box. This may not be particularly risky due to the fact that it is unlikely the card is being watched at this point as no customers are aware of it yet. However it is important for vendors to remember that the reloadable debit card company will keep their box information on record. Another network the vendor needs to utilize is the telecommunications network. Vendors are required to talk over a telephone to activate the card. The risk inherent in this can be minimized if the vendor uses a burner phone. Vendors are also required to make an initial visit to a store in order to obtain their temporary card prior to being mailed one. They will likely be recorded by CCTV cameras. Customers also have to worry about CCTV cameras as they must hand money to a clerk in a store. Customers can not take adequate measures to disguise their identity during this process as there is direct human interaction.

Reloadable debit cards have a distinct disadvantage of being highly centralized. Vendors tend to have many customers send funding to a single centralized card. This means that a single compromised customer can compromise the Greendot card of the vendor. The only way to prevent this is for the seller to use multiple Greendot cards, one for each customer to be perfect. This is not very feasible.

If a malicious customer identifies the card of a vendor it is possible for network analysis to map out the financial network involved with this buyer. Records are kept of funds being transferred from a reload pack into a cash out card. The time and location of reload pack sales that are used to fund cash out cards can be determined. A single compromised customer can use this information to gather video surveillance of every single person who has loaded funding to the card of the seller. This may not hold up as evidence by itself but it is strong intelligence indicating that a person who has sent funds to a vendor is in fact a drug customer.

Conclusion

Greendot and other Reloadable debit cards are not a safe means of conducting anonymous financial transfer. The financial networks created by these cards are very prone to network analysis. There is an unacceptable amount of cross network contamination for vendors. The load points for introducing finances into the network are also under too much surveillance.

Tips

Customers can out source the purchase of reload moneypaks. Good solutions may include utilizing bums and transients.

Vendors should avoid Greendot type reloadable debit cards. If they are used they should be highly compartmentalized (different cards for different groups of people). Compartmentalization is not possible in all cases though. Remember, if a single customer is malicious they can compromise the entire compartment. This puts customers at risk as well!

Greendot cards are prone to being frozen. Triggers include typical patterns associated with narcotics trafficking; cashing out very soon after cashing in, getting payments from diverse geographic areas (geographic based compartmentalization of customers is suggested), particularly large amounts of money going through a card in a short period of time etc.

WU/MG

Basics

Western Union and Moneygram money wires involve a customer sending funds to a vendor over the WU or MG financial network. Customers must go to a location that offers one of these services and hand money to a clerk. Depending on the country of the customer they may be required to show identification for any amount of money. In all locations identification must be shown for amounts of money over a certain limit, usually $500 or $1000. Customers fill out forms that are specially designed for gathering fingerprints and are usually under video surveillance.

Security

Despite their many short comings WU and MG both offer substantial benefits over reloadable debit cards. It is easier to use multiple pseudonyms for pick up from these services, the number of pseudonyms you have is limited only by the number of fake ID cards you can get. Unlike with Reloadable debit cards vendors are not required to use stolen identities. They are also not required to set up mail boxes or make telephone calls (WU). The ability to easily use multiple pseudonyms makes it easier to decentralize and compartmentalize the financial networks. If a different fake ID is used for each customer, a single malicious customer will not be able to map out the entire network based on transaction records.

It is possible that a single malicious customer could use video surveillance and facial recognition to tie a multiple fake ID pseudonyms to a single person. After identifying the vendor in a single transaction facial recognition could identify them every time they send funding, even if they use a different fake identification document. This attack is possible but it is not likely to be used against drug traffickers at the current time.

One of the primary disadvantages of WU and MG is the fact that there are a limited number of locations a vendor can cash out from. Customers know the rough geographic area a vendor will pick up the wire from because when sending a WU or MG the city of the vendor must be listed on the form. This allows for surveillance teams to stake out a number of possible locations the pick up may be made at. These surveillance teams can be alerted when the target attempts pick up and then move in on the target. This risk is much smaller with Greendot cards because Greendot funding can be taken out from a large number of ATM’s distributed through out a wide geographic area.

Tips

WU and MG have a substantial benefit over Greendot in that they can be used for funding E-currency. E-currency can dramatically increase the security of a financial transfer.

Customers and vendors can and should use fake identification to counter the record keeping of transactions. Even if a vendor is legitimate customers may be flagged if they send large sums of money with their real identification.

In some cases question and answer can be used to remove the need for identification. If this is allowed or not is highly dependent on the particular area of the customer/vendor

Wearing gloves or avoiding finger contact with the forms can countermeasure leaving fingerprints. Using stencils to fill out the forms at a private location can counter hand writing analysis. However, video surveillance is something that can not be countered.

Note: Forms are designed to pick up fingerprints

E-currency

Basics

Traditional E-currency systems (LR, PX) are relatively complex systems of financial transfer involving many companies. Usually an E-currency system is structured as follows; a main digital gold company stores gold bars in a vault and creates audited cryptographically secure digital currency units. The main E-currency company runs a website that allows owners of the currency to manage their accounts as well as send and accept funding. Usually the main E-currency company is not interested in selling small amounts of currency. The main E-currency company will usually only sell large amounts of digital currency to exchanger companies. Average users of E-currency systems only deal with exchangers and use the main digital currency company only to manage their accounts.

E-currency exchangers are located around the world and they accept payment in various ways according to their own policy. Usually E-currency exchangers have no affiliation with the main E-currency company. Some exchangers are even scammers so be careful who you work with!

To load E-currency first you need to set up an account with the parent company. It is free to do this and usually requires no identification at best or at worst easy to forge identification. You should make sure to protect your anonymity when you set up E-currency accounts, at the very least you should use Tor or similar technology to protect from network forensics. Make sure the E-mail data you register with is no tied to you in anyway and was also obtained anonymously. After you have your account set up you will be given a number which can be used to transfer currency to your account. Now you need to set up an order with an exchanger, it is suggested that you use offshore exchange services. How the exchanger accepts funding is totally up to their policy, many accept western union and some accept cash in the mail. After the exchanger gets the funding you send them they will transfer E-currency to your account minus a transaction fee. From here you can either send the E-currency to a vendors account or you can cash it out and have it sent to a vendor via another method through another exchanger. Exchangers cash in and out meaning you can not only buy E-currency from an exchanger for cash but you can also sell E-currency to an exchanger for cash.

Security

E-currency can be seen as similar to a financial multi-hop proxy, the first hop being the exchanger and the second hop being the E-currency company. This can add jurisdictional complication to financial network analysis attacks. You must make sure to follow normal operational security procedures when using E-currency, for example make sure to use anonymizers when interacting with the digital website and use fake identification for loading currency if possible. E-currency can also be used to create highly decentralized overlay networks, further adding to security of both customers and vendors.

Tips

If a vendor accepts WU but not E-currency customers can use E-currency to send WU. After loading E-currency merely cash it out via another exchanger to the WU details of the vendor.

Vendors can decentralize their financial networks by creating new E-currency accounts for each customer. Although this is time intensive the benefits are very extreme and it is highly suggested. If every customer is presented with a different E-currency account it will make it impossible for financial intelligence to map out customer networks. A malicious customer only knows the E-currency account they sent payment to, since no other customers sent payment to the same account the malicious customer gains no useful intelligence.

Vendors can appear to accept any payment method an exchanger offers while actually layering the funding through E-currency accounts. When a customer places an order merely set up a request for funding with an E-currency exchanger and then present the customer with the funding information of the exchanger. The exchanger gets the funding from the customer and then puts it into the vendors E-currency account. This allows vendors to accept payment to any location they can find an exchanger in.

E-currency can be layered through multiple accounts prior to cashing out. It may be difficult for a legal team to prove an account that cashed out marked E-currency belongs to the same person who was sent the E-currency in the first place.

Online E-currency casinos can be used to cheaply add more jurisdictions to a trace and potentially mix the finances of the vendor with many others. If a vendor loads E-currency to buy digital casino chips and then cashes the casino chips out for E-currency to a new account it will probably make it harder for financial intelligence agents to follow the trail and can unlink accounts from each other.

Trust Networks

Basics

Open trust networks are potentially a great way to cash out/in E-currency. Assume that Alice has obtained $10,000 worth of E-currency from her customers. Assume Alice and Bob are in a trusted relationship with each other. Perhaps Bob wants to purchase several thousand dollars worth of E-currency. Rather than go through an independent exchanger Bob may choose to send Alice his cash in return for E-currency. This allows Bob to obtain E-currency with high anonymity and also allows Alice to cash out via a trusted node. This can present a virtual dead end to financial intelligence teams. If the E-currency was watched they see it go to Bobs account but they do not know who Bob is or how he obtained the E-currency. Even if Bob paid for the E-currency via WU and was on CCTV, the agents will not know where the funding was sent from. Cashing out of this system is eventually required unless the system continues to grow (Open versus Closed). Cashing out of a closed trust network can be done by Bob ordering product from another vendor and then selling it locally.

Borrowed Bank Accounts / Underground ATM cards

Borrowed bank accounts and underground ATM cards are useful for cashing out E-currency anonymously. They are also useful for taking bank wires as a method of payment. You need to be able to get the details of a bank account as well as a skim of the magnetic stripe of the ATM card tied to the account. If you can do this, you can cash the E-currency out through an exchanger via bank wire to the account you have a card for. You can now cash the money out at any ATM the card is accepted at. If you can get the skim of the ATM card, you can simply encode it to blank card stock for cashing out with.

I suggest not to take money out of the persons bank account unless you put it in. This will reduce the chances that they quickly notice you borrowed their bank account. You could leave extra money in the account as well, the person it belongs to may be less likely to report suspicious transactions if they are afraid they will lose whatever you left behind.

There are various organizations willing to offer ATM cards capable of being funded with E-currency and cashed out with at an ATM. Some of these services are scams and others are legit. Some require identification but these can be countered with fake documents.

Mule Networks

Mule networks can be used to help cash out funding. Obtaining a mule network is a difficult and time consuming task. The most common technique is to offer ‘work at home’ job offers. People accept the job offer and are led to think that they are working for an official company when in reality they are merely picking up money and sending it on. It is expensive to fund these networks and only very realistic for large vendors. It is possible that feds will accept such offers in an attempt to perform human sybil attacks on the networks formed.

Bitcoin

Bitcoin is a newer type of decentralized digital currency. The underlying system of Bitcoin is quite complex and difficult to summarize. It is suggested that you go to the bitcoin[1] website and learn about the system. There are various ways to anonymize Bitcoin transactions. As of 2011 June 14, bitcoins trade for approximately 20 US dollars per coin. A combination of Bitcoin and blind signature digital currency systems is likely the ideal way to cash in and out, however such systems are still largely experimental and developing. Additional laundry systems were available as a hidden services, however they have gone AWOL.

06/17/12

Cyber Black Market- Underground Economy

gAtO rEaD -the FBI leaked an unclassified report 24 April 2012 Intelligence Assessment “BitCoin Virtual Currency: Unique Features Present Distinct Challenges for Deterring Illicit Activity” : – http://cryptome.org/2012/05/fbi-bitcoin.pdf  – At that time BitCoins (BTC) were going about $4.25 USD per coin

as of Sun: Jun17 2012 it trading at $6:26714 a high of $6.52999 and low of $6.22130 check out – https://mtgox.com/  — and going up to $30 USD by Christmas

All that glitters is gold and he’s buying a stairway to heaven – with BitCoins mAyBe -sI -nO – more info in our new upcoming book about “The Deep-Dark Web” - 

What are BitCoins -

Bitcoin is a new digital currency. By using proven strong cryptography, a new currency has been created for the internet. One of the key features of Bitcoin is that it is an open system with no person or authority that governs the system. This means that you can treat it like cash: nobody can freeze your account, no chargeback’s, complete transparency and more.

This new currency opens massive opportunities for the internet.

Perfect Money – Liberty Reserves -Wire Tranfer -Pecunix -HD-Money -C-Gold -VouchX -Cosmic Pay -MtGox Coupons -Boleto -Banco Rendimento -CyberPlat -Qiwi -Money Gram -CVS ?7-11 -Wallmart -BitStamps -Dwolla -BTC-E Coupons

GaTo use to support wall street back in the day from 1 New York Plaza. overlooking the Battery Park. Those were the day out of the windows we could see traders coming into the park at lunch time and score there powdered lunch from the locals but that’s another story… these traders will take a look at BTC and once they get a whiff of the virtual money they will strike and it looks like the commercial criminals are already doing it.

 

 

 

 

 

http://bitcoincharts.com/markets/currencies/ - As you can see from the chart above While currencies from all over the world are going down because of the current financial world problems BitCoins are going UP-

Hal-Cash – from Russia with Love—Video – Market to Latin America

Here is an add for selling 100% anon visa cards with loaded BitCoins or whatever currency you want on them – by the way there are opportunities for -Now Hiring – money Mules and Drop Shipments scams for any sucker that want this kind of job- your a fool to buy this in my opinion they can sell you loaded Visa Card on one hand and Selling 100% Valid CVV and dumps of these card I assume but I’m a paranoid gAtO – I may be wrong – don’t try this at home kiddies—//

 

BitCoins are coming up and they are replacing the new fiat currencies especially in EU why because of the current problems in Greece and Spain – Below I added a list of -[1]Ways to get bitcoins…    – As you can see if you go to these they are scams for Gamblin and all kinds of underworld stuff- BUT how many people play -Online Poker and other gambling games. Oh and these are all in the ClearWeb – Yes the evil Internet not the ToR-.onion network ..

 

Now the -gAtO fUnnY- part is you can go to 7-11, Wallmart and just about anyplace and buy into this new currency so it’s not illegal to use these currencies but maybe it’s me gAtO is to dumb to use these but many, many merchants are now accepting all these new online currencies – so maybe it’s not so

stupid If someone wants to buy my- 1972 Action GI Joe Doll why shouldn’t I let them pay in BitCoins or any other currency -

Now in the Black Market of the ToR-.onion network it’s alive and well - http://clsvtzwzdgzkjda7.onion/viewtopic.php?f=50&t=1803&sid=4e3a4c75f43e3e82fe011d6c1e6601df&start=10  -

Now as you can see this is a boom to criminals to laundry their cash – but they been using FarmVille and other games to laundry money why not use this new untraceable money. I will leave the crime stuff for anther posting but I just wanted to give you all a taste of what is going on and what can happened with your money - gAtO oUt

Reference: Lab Notes —

http://bitcoincharts.com/

https://mtgox.com/

http://translate.google.com/translate?hl=en&sl=&tl=en&u=http%3A%2F%2Fgb.pl%2Fbanki%2Fkarty%2Fwyplata-z-bankomatu-bez-karty.html

From Russia with Love now in the USA -Hal-Cash and of course in Latin America

http://www.halcashusa.com/

How Does Bitcoin Work?

To use Bitcoin, an individual first downloads and installs the free Bitcoin software (client).

The application uses Public Key Cryptography (PKI) to automatically generate a Bitcoin address

where the user can receive payments. The address is a unique 36 character-long string of

numbers and letters and is stored in a user’s virtual “wallet” on his or her local file system. Users

can create as many Bitcoin addresses as they like to receive payments and can use a new address

for every transaction they receive.

 

To send bitcoins, users input the address they would like to send their bitcoins to and the

amount of bitcoins they would like to transfer. The user’s computer then digitally signs the

transaction and sends the information to the distributed, P2P Bitcoin network. The P2P network

verifies that the person sending the bitcoins is the current owner of the bitcoins they are sending,

prohibiting a malicious user from spending the same bitcoins twice. Once the transaction has

been validated by the Bitcoin network, receivers can spend the bitcoins they have received. This

process usually takes a few minutes and is not reversible.

 

(U) The Bitcoin software program controls the rate of bitcoin creation, but it does not control the

market value of a bitcoin; the market value is determined by the supply of bitcoins in circulation

and people’s desire to hold or trade bitcoins.52, 53 Unlike most fiat currencies, in which central

banks can arbitrarily increase the supply of currency, Bitcoin is designed to eventually contain

21 million bitcoins; no additional coins will be created after that point, preventing inflation.

 

Bitcoin was created in such a way that the clients “mine” bitcoins at a predetermined rate.

This chart illustrates the growth rate from 2009 to 2033, the year the last new bitcoin will be

created.

 

[1]Ways to get bitcoins… ClearWeb Sites not ToR-.onion network stuff 

 

http://bit.ly/cmpbx (exchange) https://campbx.com/

http://bit.ly/btcxchange (exchange) http://www.cryptoxchange.com/  Australian -Last Price : 6.49999 Buy :6.56200 Sell : 6.56115 Volume : 351.61962

http://bit.ly/virwox1 (exchange) https://www.virwox.com/    53,267 users / 15,320,752,995 L$ exchanged

http://bit.ly/coinabul Physical Gold http://coinabul.com/   BTC Spot: $6.41 Australia

http://bit.ly/triplemining (mining pool) https://opticbit.triplemining.com/register  -BTC Mining Pool

http://bit.ly/poolcoin (mining pool) http://pool.betcoin.co/

http://bit.ly/btcplus (java cpw web pool) http://www.bitcoinplus.com/  BTC Minig Scam

http://bit.ly/mycryptcoin (free btc) http://mycryptcoin.com/

http://bit.ly/bitcrate (free) http://www.bitcrate.net/

http://bit.ly/btcbonus (rebates for online purchaces) http://bitcoinbonus.com/

http://bit.ly/bitgigs (classified/fiverr like) http://www.bitgigs.com/  Work or sell for BTC money

http://bit.ly/freebtc1 (survey) http://www.freebitcoins.org/

http://bit.ly/earnbtc (survey) http://earnthebitcoin.com/

http://bit.ly/lfnu1 (url shorten) http://l.f.nu/?partner=15tZJ7sWuDJHgtYbyiymo1zbR3FkGkRBTq

http://bit.ly/coinurl1 (url shorten) https://coinurl.com/

http://bit.ly/anonads (ads) http://anonymousads.com/

http://bit.ly/qmt5sL (ads, and free btc) http://dailybitcoins.org/

http://bit.ly/coinad (ads, and free btc) https://www.coinad.com/

http://bit.ly/5minbtc (ads free btc) http://www.fiveminutecoin.com/

http://bit.ly/btckamikaze (gamble) http://bitcoin-kamikaze.com/

http://bitcoin-kamikaze.com BitCoin LoTTo

http://bit.ly/btcminefield (gamble) http://minefield.bitcoinlab.org/

http://bit.ly/bitcoindarts (gamble) http://bitcoindarts.movoda.net

http://bit.ly/btcchess (gamble) Chess www.fantasypublishings.com/

BitCoin Ptramid Features

http://bit.ly/bpyramid (ads and pyramid scheme) http://bitcoinpyramid.com/

http://bit.ly/bidbtc (pyramid) http://bidonbitcoins.com/

http://bit.ly/btcmatrix (pyramid) http://btcmatrix.com/

http://bit.ly/sldoubler (ponzi) http://sldoubler.com/

http://bit.ly/smsdragon (txt) https://www.smsdragon.com/

http://bit.ly/btccalipers (calipers) http://www.goldenmeancalipers.com/

http://bit.ly/btctrading (forum) http://www.bitcointrading.com/

Use BitCoins to buy domain and hosting services

http://bit.ly/bitdomain (web host) http://www.bitdomain.biz/

http://bit.ly/cinfu (web host) https://panel.cinfu.com/

http://bit.ly/btchost (web hosting) http://www.btcwebhost.com/

http://bit.ly/joinorangewebsite (web host) http://www.orangewebsite.com/affiliate/

http://bit.ly/surf4btc (paid 2 surf) http://surfformoney.net/ref/

http://pyramining.com/referral/

Underground Economy – basics

Reloadable Debit Cards

Basics

Greendot and other Reloadable debit cards can be used in an attempt to allow for anonymous financial transfer between customers and vendors. Vendors need to cash money out. They can accomplish this by setting up Greendot cards with stolen identities and getting them shipped to mail boxes set up with fake identification cards. Customers need to load money in. They can do this by going to any store that sells Greendot reload paks. Customers merely hand the clerk some cash and in return get a cardboard card with a load number on it. The customer can transfer this load number to the vendor via an encrypted and anonymous channel. The vendor then applies the loaded funds to the card via the internet. The loaded funds can then be cashed out at an ATM.

Security

These cards should be viewed as financial networks. The financial information consists of the traffic and the cards are the nodes. Reloadable debit card networks have a high degree of cross network contamination. One additional network involved is the mail system, the vendor is required to have the card shipped to a physical mail box. This may not be particularly risky due to the fact that it is unlikely the card is being watched at this point as no customers are aware of it yet. However it is important for vendors to remember that the reloadable debit card company will keep their box information on record. Another network the vendor needs to utilize is the telecommunications network. Vendors are required to talk over a telephone to activate the card. The risk inherent in this can be minimized if the vendor uses a burner phone. Vendors are also required to make an initial visit to a store in order to obtain their temporary card prior to being mailed one. They will likely be recorded by CCTV cameras. Customers also have to worry about CCTV cameras as they must hand money to a clerk in a store. Customers can not take adequate measures to disguise their identity during this process as there is direct human interaction.

Reloadable debit cards have a distinct disadvantage of being highly centralized. Vendors tend to have many customers send funding to a single centralized card. This means that a single compromised customer can compromise the Greendot card of the vendor. The only way to prevent this is for the seller to use multiple Greendot cards, one for each customer to be perfect. This is not very feasible.

If a malicious customer identifies the card of a vendor it is possible for network analysis to map out the financial network involved with this buyer. Records are kept of funds being transferred from a reload pack into a cash out card. The time and location of reload pack sales that are used to fund cash out cards can be determined. A single compromised customer can use this information to gather video surveillance of every single person who has loaded funding to the card of the seller. This may not hold up as evidence by itself but it is strong intelligence indicating that a person who has sent funds to a vendor is in fact a drug customer.

Conclusion

Greendot and other Reloadable debit cards are not a safe means of conducting anonymous financial transfer. The financial networks created by these cards are very prone to network analysis. There is an unacceptable amount of cross network contamination for vendors. The load points for introducing finances into the network are also under too much surveillance.

Tips

Customers can out source the purchase of reload moneypaks. Good solutions may include utilizing bums and transients.

Vendors should avoid Greendot type reloadable debit cards. If they are used they should be highly compartmentalized (different cards for different groups of people). Compartmentalization is not possible in all cases though. Remember, if a single customer is malicious they can compromise the entire compartment. This puts customers at risk as well!

Greendot cards are prone to being frozen. Triggers include typical patterns associated with narcotics trafficking; cashing out very soon after cashing in, getting payments from diverse geographic areas (geographic based compartmentalization of customers is suggested), particularly large amounts of money going through a card in a short period of time etc.

WU/MG

Basics

Western Union and Moneygram money wires involve a customer sending funds to a vendor over the WU or MG financial network. Customers must go to a location that offers one of these services and hand money to a clerk. Depending on the country of the customer they may be required to show identification for any amount of money. In all locations identification must be shown for amounts of money over a certain limit, usually $500 or $1000. Customers fill out forms that are specially designed for gathering fingerprints and are usually under video surveillance.

Security

Despite their many short comings WU and MG both offer substantial benefits over reloadable debit cards. It is easier to use multiple pseudonyms for pick up from these services, the number of pseudonyms you have is limited only by the number of fake ID cards you can get. Unlike with Reloadable debit cards vendors are not required to use stolen identities. They are also not required to set up mail boxes or make telephone calls (WU). The ability to easily use multiple pseudonyms makes it easier to decentralize and compartmentalize the financial networks. If a different fake ID is used for each customer, a single malicious customer will not be able to map out the entire network based on transaction records.

It is possible that a single malicious customer could use video surveillance and facial recognition to tie a multiple fake ID pseudonyms to a single person. After identifying the vendor in a single transaction facial recognition could identify them every time they send funding, even if they use a different fake identification document. This attack is possible but it is not likely to be used against drug traffickers at the current time.

One of the primary disadvantages of WU and MG is the fact that there are a limited number of locations a vendor can cash out from. Customers know the rough geographic area a vendor will pick up the wire from because when sending a WU or MG the city of the vendor must be listed on the form. This allows for surveillance teams to stake out a number of possible locations the pick up may be made at. These surveillance teams can be alerted when the target attempts pick up and then move in on the target. This risk is much smaller with Greendot cards because Greendot funding can be taken out from a large number of ATM’s distributed through out a wide geographic area.

Tips

WU and MG have a substantial benefit over Greendot in that they can be used for funding E-currency. E-currency can dramatically increase the security of a financial transfer.

Customers and vendors can and should use fake identification to counter the record keeping of transactions. Even if a vendor is legitimate customers may be flagged if they send large sums of money with their real identification.

In some cases question and answer can be used to remove the need for identification. If this is allowed or not is highly dependent on the particular area of the customer/vendor

Wearing gloves or avoiding finger contact with the forms can countermeasure leaving fingerprints. Using stencils to fill out the forms at a private location can counter hand writing analysis. However, video surveillance is something that can not be countered.

Note: Forms are designed to pick up fingerprints

E-currency

Basics

Traditional E-currency systems (LR, PX) are relatively complex systems of financial transfer involving many companies. Usually an E-currency system is structured as follows; a main digital gold company stores gold bars in a vault and creates audited cryptographically secure digital currency units. The main E-currency company runs a website that allows owners of the currency to manage their accounts as well as send and accept funding. Usually the main E-currency company is not interested in selling small amounts of currency. The main E-currency company will usually only sell large amounts of digital currency to exchanger companies. Average users of E-currency systems only deal with exchangers and use the main digital currency company only to manage their accounts.

E-currency exchangers are located around the world and they accept payment in various ways according to their own policy. Usually E-currency exchangers have no affiliation with the main E-currency company. Some exchangers are even scammers so be careful who you work with!

To load E-currency first you need to set up an account with the parent company. It is free to do this and usually requires no identification at best or at worst easy to forge identification. You should make sure to protect your anonymity when you set up E-currency accounts, at the very least you should use Tor or similar technology to protect from network forensics. Make sure the E-mail data you register with is no tied to you in anyway and was also obtained anonymously. After you have your account set up you will be given a number which can be used to transfer currency to your account. Now you need to set up an order with an exchanger, it is suggested that you use offshore exchange services. How the exchanger accepts funding is totally up to their policy, many accept western union and some accept cash in the mail. After the exchanger gets the funding you send them they will transfer E-currency to your account minus a transaction fee. From here you can either send the E-currency to a vendors account or you can cash it out and have it sent to a vendor via another method through another exchanger. Exchangers cash in and out meaning you can not only buy E-currency from an exchanger for cash but you can also sell E-currency to an exchanger for cash.

Security

E-currency can be seen as similar to a financial multi-hop proxy, the first hop being the exchanger and the second hop being the E-currency company. This can add jurisdictional complication to financial network analysis attacks. You must make sure to follow normal operational security procedures when using E-currency, for example make sure to use anonymizers when interacting with the digital website and use fake identification for loading currency if possible. E-currency can also be used to create highly decentralized overlay networks, further adding to security of both customers and vendors.

Tips

If a vendor accepts WU but not E-currency customers can use E-currency to send WU. After loading E-currency merely cash it out via another exchanger to the WU details of the vendor.

Vendors can decentralize their financial networks by creating new E-currency accounts for each customer. Although this is time intensive the benefits are very extreme and it is highly suggested. If every customer is presented with a different E-currency account it will make it impossible for financial intelligence to map out customer networks. A malicious customer only knows the E-currency account they sent payment to, since no other customers sent payment to the same account the malicious customer gains no useful intelligence.

Vendors can appear to accept any payment method an exchanger offers while actually layering the funding through E-currency accounts. When a customer places an order merely set up a request for funding with an E-currency exchanger and then present the customer with the funding information of the exchanger. The exchanger gets the funding from the customer and then puts it into the vendors E-currency account. This allows vendors to accept payment to any location they can find an exchanger in.

E-currency can be layered through multiple accounts prior to cashing out. It may be difficult for a legal team to prove an account that cashed out marked E-currency belongs to the same person who was sent the E-currency in the first place.

Online E-currency casinos can be used to cheaply add more jurisdictions to a trace and potentially mix the finances of the vendor with many others. If a vendor loads E-currency to buy digital casino chips and then cashes the casino chips out for E-currency to a new account it will probably make it harder for financial intelligence agents to follow the trail and can unlink accounts from each other.

Trust Networks

Basics

Open trust networks are potentially a great way to cash out/in E-currency. Assume that Alice has obtained $10,000 worth of E-currency from her customers. Assume Alice and Bob are in a trusted relationship with each other. Perhaps Bob wants to purchase several thousand dollars worth of E-currency. Rather than go through an independent exchanger Bob may choose to send Alice his cash in return for E-currency. This allows Bob to obtain E-currency with high anonymity and also allows Alice to cash out via a trusted node. This can present a virtual dead end to financial intelligence teams. If the E-currency was watched they see it go to Bobs account but they do not know who Bob is or how he obtained the E-currency. Even if Bob paid for the E-currency via WU and was on CCTV, the agents will not know where the funding was sent from. Cashing out of this system is eventually required unless the system continues to grow (Open versus Closed). Cashing out of a closed trust network can be done by Bob ordering product from another vendor and then selling it locally.

Borrowed Bank Accounts / Underground ATM cards

Borrowed bank accounts and underground ATM cards are useful for cashing out E-currency anonymously. They are also useful for taking bank wires as a method of payment. You need to be able to get the details of a bank account as well as a skim of the magnetic stripe of the ATM card tied to the account. If you can do this, you can cash the E-currency out through an exchanger via bank wire to the account you have a card for. You can now cash the money out at any ATM the card is accepted at. If you can get the skim of the ATM card, you can simply encode it to blank card stock for cashing out with.

I suggest not to take money out of the persons bank account unless you put it in. This will reduce the chances that they quickly notice you borrowed their bank account. You could leave extra money in the account as well, the person it belongs to may be less likely to report suspicious transactions if they are afraid they will lose whatever you left behind.

There are various organizations willing to offer ATM cards capable of being funded with E-currency and cashed out with at an ATM. Some of these services are scams and others are legit. Some require identification but these can be countered with fake documents.

Mule Networks

Mule networks can be used to help cash out funding. Obtaining a mule network is a difficult and time consuming task. The most common technique is to offer ‘work at home’ job offers. People accept the job offer and are led to think that they are working for an official company when in reality they are merely picking up money and sending it on. It is expensive to fund these networks and only very realistic for large vendors. It is possible that feds will accept such offers in an attempt to perform human sybil attacks on the networks formed.

Bitcoin

Bitcoin is a newer type of decentralized digital currency. The underlying system of Bitcoin is quite complex and difficult to summarize. It is suggested that you go to the bitcoin[1] website and learn about the system. There are various ways to anonymize Bitcoin transactions. As of 2011 June 14, bitcoins trade for approximately 20 US dollars per coin. A combination of Bitcoin and blind signature digital currency systems is likely the ideal way to cash in and out, however such systems are still largely experimental and developing. Additional laundry systems were available as a hidden services, however they have gone AWOL.[2]

04/6/12

Supply Chain Cyber Attack

gATO rEaDiNg - 2012 Maindiant “An Evolving Threat” and Trend-Micro LuckyCat ReDux reports. Great reading for any security geek but most important it’s about the business side of the hack. Take the old smash and grab of financial information and split town, process the financial windfall and party like it’s 2999. Now it’s more beneficial for the criminals to stay inside the victims servers and collect intelligence and espionage. Ok let the gAtO break it down for you, not as a criminal that’s easy, as a state actor I would go after AeroSpace, Energy, Shipping, Military Research, Engineering, India  and Tibetan Activist… Wait a minute a India, a Tibetan Activist group, oh yeah you know it’s China but this is to be expected from China. Now the new spin is why would they go into a banks and use advanced persistent threats (APTs) hacks, well as gAtO understands it the Chinese have a shit load of MONEY— follow the money is not only an american thing it’s for every player in the world.

We have to look at the data through 3 different set of eye’s (magnifying glass with gAtO’s old EyE’s) but it’s still the same – Your data (ALL- your little company secrets) needs protection.

Here is the Score-Card your Business — versus – Competition, Government, Criminals, Hacktavist, Economic Espionage, Nuisance Hackers. On top of all this 94% of victims were notified by an external entity that they were hacked. If that doesn’t send chills down every board member in every company in the world, nothing does.

Here you are doing your business and let’s be frank some business well they walk a thin line sometimes like dumping medical and radioactive waste on a beach in New Jersey ( I know Snooki lives there) . IS your company maybe polluting the ground water for a 100 mile radius of the plant. This is not the information that they want hackers, or the press to get a hold of. “Remmember Rudolf Murdock News Hacking Empire- hey hack anyone for a buck”

Protect Customer Data yeah companies and governments want to protect it, but their little illegal/legal stuff companies do like hiding the report of the of shore oil well that just blew up and spilled all kinds of stuff all over the Gulf coast. These are the real thing that keep business people up at night worrying about hackers, it’s plain and simple cover your ass and let’s get that no bid government contract after we pay off the senator and we better encrypt that information…..

Hackers come in all flavors but if you look at the LuckyCat crewz these are very unique. Not only real computer scientist but marketing campaign and project management. They dual tier C&C (Command and Control), they use the victims supply chain to move laterally across trusted networks in order to be more invisible. Invisible takes a new trend here these hacker hide their code in plain site, they used older malware as insertion points sometimes and of course social engineering to gain access.

Bottom line these new hackers- they  are business-men, -they are governments, -they are commercial criminals, -they are hacktivist or -they are a lone wolf hacker. Companies are finally getting the message. Protect your data, not just your customer’s data, but all your little secrets because if your online– someone is watching you and these can be a 15 year old kid or a Dual Master degree in computer technology that is unemployed or works for a government. Trust but verify takes on a new meaning now -gAtO oUt

lab notes - The report, which is based on hundreds of advanced threat investigations conducted over the past year, includes analysis, statistics and case studies that highlight how advanced and motivated attackers are stealing sensitive intellectual property and financial assets.

Malware Only Tells Half of the Story Organizations’ investments in malware detection and antivirus capabilities, while effective in detecting characteristics associated with common worms, botnets, and drive-by downloads, do little to help defend against targeted intrusions.

The use of these publicly available tools has added some complexity to identifying threat actors because when organizations identify a piece of publicly available malware they often cleanse the file and — in the process — obscure what could be a larger incident.

It’s unclear why banks wouldn’t already be looking for unusual settlement activity and conducting daily monitoring, but there it is. At any rate,  “high-risk” merchants generally handle the dicey and vicey types of online commerce, such as Internet gaming, adult Web sites, rogue anti-virus software sales and online pharmacies. Might be a good idea to keep an extra close eye out for these types of unauthorized charges over the next few days

10/12/11

Cyber War’s of (1) One and (0) Zero’s | Cyber Attacks Timeline Sept. 2011

Cyber War’s of (1) One and (0) Zero’s.

In the last week so far, hackers hit the NYSE (New York Stock Exchange), and we find out that hackers hit unmanned drones flying covert and military operations around the world. The U.S has resisted all attempts till now to internationalize treaties on cyberspace.  Below are some of the major attacks from September alone. USCyberLabs was one of the sites getting hacked via the InMotion attack by Tiger-M@te. Were am I going with all this, well let start with the cyber attacks in September-2011 I outlined them in red on the timeline below, these are all attacks going after governments.

Who knew that “The Arab Spring”, “LulzSec” and “Occupy Wall Street” all have a unify message. Were sick and tired, you had your chance now it’s ours.

Useful Resources for compiling the table include:

My inclusion criteria do not take into consideration simple defacement attacks (unless they are particularly resounding) or small data leaks.

http://paulsparrows.wordpress.com/2011/10/02/september-2011-cyber-attacks-timeline-part-ii/

Update: On 09/30/2011, Betfair reported a 3.15 million records breach with a total estimated cost of 1.3 billion USD winning the laurel wreath of the most expensive breach of the month.

Date Author Description Organization Attack
Sep 16 Websites of several Mexican government ministriesAs part of OpIndipendencia, websites of several Mexican government ministries, including Defense and Public Security, are teared down in the same day of the symbolic beginning of Mexico’s independence from Spain. DDoS
Sep 16 Mikster
Clubmusic.comClubmusic.com, a worldwide dj website. is hacked and the leak dumped on pastebin. SQLi
Sep 16 Sec Indi Security Team
Official Website of The United States Navy
An hacker crew called Sec Indi Security Team Hacker uploads a custom message on the server to warn a WebDav vulnerability.
WebDav Vulnerabilty
Sep 16 ? California State Assembly
More than 50 employees of the California State Assemby, including some lawmakers, have been warned that their personal information might have been obtained by a computer hacker.
?
Sep 17 ?
Intelligence And National Security Alliance
Names and email addresses of hundreds of U.S. intelligence officials have been posted on an anti-secrecy website. On Monday Sep 10 INSA published a major report warning of an urgent need for cyberdefenses. Within a couple of days, in apparent retaliation, INSA’s “secure” computer system was hacked and the entire 3,000-person membership posted on the Cryptome.org website
  N/A
Sep 17 ?
Fake FBI Anonymous Report
Fake FBI Psychological profile of the Anonymous group is published. Although not a direct cyber attack, this event can be considered an example of psychological hacking and a “sign of the times” of how information and counter information may play a crucial role in hacking.
  SQLi?
Sep 18
Texas Police
Anonymous/Anti-sec releases a documentcontaining a list of about 3300 members of the Texas Police Association
  N/A
Sep 19 ? Mitsubishi Heavy IndustriesMitsubishi Heavy Industries, Japan’s biggest defense contractor, has revealed that it suffered a hacker attack in August that caused some of its networks to be infected by malware. According to the firm,  45 network servers and 38 PCs became infected with malware at ten facilities across Japan. The infected sites included its submarine manufacturing plant in Kobe and the Nagoya Guidance & Propulsion System Works, which makes engine parts for missiles. APT
Sep 19
City Of Rennes
TeaMp0isoN takes responsibly to hack the official website of The City Of Rennes (France) via a tweet. They also publish the reason of hack on the defacement page.
Defacement
Sep 19
?
Hana SK
Hana SK Card Co., a South Korean credit card firm, announces that Sep 17, some 200 of its customers’ personal information has been leaked. Total cost of the breach is $42,800.
Hana SK Card SQLi?
Sep 20
? Former USSR Region
Source report that at least 50 victim organizations ranging from government ministries and agencies, diplomatic missions, research institutions, and commercial entities have been hit in the former Soviet Union region and other countries in an apparent industrial espionage campaign that has been going on at least since August 2010.The advanced persistent threat (APT)-type attacks — dubbed “Lurid” after the Trojan malware family being used in it — has infected some 1,465 computers in 61 countries with more than 300 targeted attacks.
APT
Sep 20
 Shad0w Fox Sports Website
Fox Sports website, on of the most visited Websites in the world (rank 590 in Alexa) gets hacked. An Hacker named “Shad0w” releases SQL injection Vulnerability on one of the sub domain of Fox Sports and exploit it to extract the database. Leaked database info posted on pastebin.Vulnerable link is also posted together admin password hashes.
SQLi?
Sep 22
Core Security Technologies
Another security Firm target of hacking: Core Security Technologies is hacked by an hacker called Snc0pe, who defaces some websites belonging to the firm. Mirror of the hack can be seen here.
N/A
Sep 24 ?
UKChatterboxPopular IRC service UKChatterbox advises users to change their passwords following a series of hacks which culminated in an attack that may have compromised user details. The password reset follows on from a succession of outages previouslyattributed to maintenance upgrades, back to the start of the summer. In a notice to users, UKChatterbox advises users to change their passwords and not to re-use them on other sites. The number of hacked account is unknown. N/A
Sep 25
Seven Major Syrian Cities and Government Web Sites
The Anonymous unleash a chain of defacement actions against the Syrian Government, hacking and defacing the official sites of seven major Syrian cities, which stayed up in their defaced version for more than 16 hours. The defacement actions kept on the following day in which 11 Syrian Government Sites were defaced as part of the same operation.
Defacement
Sep 25 ?
Indira Gandhi International AirportAlthough happened three months ago, it turns out that a ‘technical snag’ hittinh operations at the Indira Gandhi International Airport (IGIA) T3 Terminal was caused by a “malicious code” sent from a remote location to breach the security at the airport. APT
Sep 26
Inmotion Hosting Server
700,000 websites hosted on InMotion Hosting network are hacked by TiGER-M@TE. The hackers copied over the index.php in many directories (public_html, wp-admin), deleted images directory and added index.php files where not needed. List of all hacked 700,000 sites here.
Defacement
 Sep 26
Austrian Police
The Austrian Anonymous branch publishes the names and addresses of nearly 25,000 police officials, raising fears for officers’ personal security. An Austrian Interior ministry spokesman said the information came from an “association closely related with the police”. Estimated cost of the breach is around $ 5,400,000.
SQLi?
Sep 26
USA Today Twitter AccountThe USA Today Twitter account is hacked and starts to tweet false messages mentioning the other accounts hacked by the authors of the action: the Script Kiddies (already in the spotlight for hacking the FoxNews Twitter Account at the Eve of 9/11 anniversary)

Account Hacking
Sep 26
?
MySQL.comMySQL.com website is struck by cybercriminals, who hacked their way in to serve up malicious code to visiting computers with a Java exploit that downloaded and executed malicious code on visiting Windows computers. Brian Krebs reportsthat just few days before, he noticed on a Russian underground website that a hacker was offering to sell admin rights to MySQL.com for $3000. MySQL.com receives almost 12 million visitors a month (nearly 400,000 a day). Java Exploit to install malware
Sep 26
Harvard University
In retaliation for the defacements performed by the Anonymous targeting Syria, Syrian Electronic Soldiers deface the website of the prestigious Harvard University. The same group came in the spotlight during July and August for defacing Anonoplus engaging a “de facto” cyberwar against The Anonymous.
Defacement
Sep 26 ?
#Occupywallstreet
The month of September is characterized by theOccupyWallStreet Operation, started on September, the 17th and still ongoing. Although not directly configurable as an hacking action, it may rely on the support of the Anonymous who “doxed” a senior police who controversially usec pepper spray against a group of female protesters.
N/A
Sep 27
COGEL, Council On Governmental Ethical Law
Once again in this month,Snc0pe claims another resounding action. This time the alleged target is the official website of The Council on Governmental Ethics Laws (COGEL). He posts a message onpastebin, along with the database download link.

SQLi?
Sep 28
Tiroler Gebietskrankenkasse (TGKK)
AnonAustria in the spotlight again after the resounding hack against Austrian Police. This time the victim is an health insurance firm Tiroler Gebietskrankenkasse (TGKK) whose database of some 600,475 medical records AnonAustria claims to have hacked. The databse includes some celebrities. The total cost of the breach is around $128,500,000.00.
SQLi?
Sep 29 ?
SAIC (Science Applications International Corp.)
SAIC, one of the Pentagon‘s largest contractors reveals to have discovered a data breach occurred a couple of weeks before, affecting as many as 4.9 million patients who have received care from military facilities in San Antonio since 1992. The breach involved backup computer tapes from an electronic health care record. Some of the information included Social Security numbers, addresses, phone numbers and private health information for patients in 10 states. Statement of the data breach here Estimated cost of the breach is around $ 1 billion.
Car Burglary
Sep 30 ?
Laptop Virus RepairAlthough not resounding as the one which targeted MySQL.com, here it is another example of a website infected with malicious code targeting a free antivirus cloud based service. Laptop Virus Repair Malicious Code
Sep 30 ?
BetfairBetfair reports a leak including not only the payment card details of most of its customers but also “3.15m account usernames with encrypted security questions”, “2.9m usernames with one or more addresses” and “89,744 account usernames with bank account details”. The incident occurred on 14 March 2011 but was announced only 18 months later. Estimated cost of the breach is around $1.3 billion. ?

Reference:

http://newsclick.in/international/wars-21st-century-drones-cyber-wars

http://paulsparrows.wordpress.com/2011/10/02/september-2011-cyber-attacks-timeline-part-ii/

what else —