Monday, November 17, 2008

McColo - Who Was Behind It?

Last week we all witnessed the shutdown of the hosting provider McColo that was widely known for its affiliation with cyber criminals.

An attempt to understand what McColo business was and who stood behind it led to some interesting discoveries.

According to evidence mined from multiple underground forums, the McColo company was established by a 19-year-old Moscow student. His name was Nikolai and his nickname was Kolya-McColo, hence the name of his "business".

Nikolai, the founder of McColo, died in a tragic accident in September 2007 while drag racing on the streets of Moscow. At the time of the accident, he was in the car with his friend Jux. Their car crashed into a pole at a speed of 200 km/h and was virtually torn in half.

McColo's friend Jux, who was driving the car and survived the accident, had once been slammed in the Russian hacking underground community as a "kidala" (fraudster). Months before the accident, Jux had reportedly stolen money from the "carders" (credit card fraudsters) who relied on his money laundering service.

In an attempt to find Jux, one of the "carders" even sponsored the writing of a song to deliver "the message" to Jux. The lyrics of that song are quite intriguing (translated from Russian):

Poor architect Mr Smith has his credit card ripped off
He's calling for doctor but the doctor won't come
In the same time, one geek over computer gets heaps of cash
He finds a guinea-pig "drop" who gets caught by police
But all the leads are hidden smart so they fail to find anything

Hey user, watch out! Or, next time your money won't get to the beneficiary
Why? Because you're dealing with a pro who's breathing with Internet
He knows thousands of tricks, he's cool with writing any software or crack..

To get the money out of Internet he doesn't have to risk with a prison
Moreover, he can live in a house that has no neighbors
And his new BMW 7 is way better than his old bicycle
His account has lots of zeroes that will stay there even if his "drops" will get caught

We know one boy who was getting lots of cash by using WebMoney
He started spending a lot living life of the rich
From a humble guy he turned into a bighead
Once he gained trust from the "carders" and his profit was stable
While he was steadily sawing America with his virtual drill
Jux decided that now he wants more wealth
So, he sold his reputation off by stealing $50K from all the "carders" he knew
Without caring for his own life or whether he can be buried for what he did
So now we ask you, brother - where are you heading, what you gonna do now?
Are you going to eat in the restaurants and celebrate till the rest of your life?

Dollars, money - it's not what the real "carders" are living for
Hey, you - step aside, watch out!
We'll tear in pieces anyone who wants to steal from us

This track was named "About the carder Jux" and included on the album of a Russian rap group. You may listen to it here.

For those who don't know, a "drop" in hacker slang is an important element of money laundering schemes: a person who agrees to receive illegally obtained money into his or her own account, withdraw it as cash, and hand it back to the person who requested the service. The "drop" normally receives a commission. If arrested by police, the "drop" insists that he or she knows nothing about the crime and only agreed to help for a small reward. "Carders" hire "drops" to accept and then withdraw the cash produced by their criminal cyber activity, e.g. funds that the "carders" steal from compromised banking accounts.

Where did the "carders" host their exploits and malware? Where did they store the data collected by the malware implanted on the victims' computers? Where were the spambots operated from?

That's right - they used the service that Nikolai provided to them. It's called collaboration.

Just like in their rap anthem above, these guys had "all the leads hidden smart". Meanwhile, the security community talked about McColo for years, drawing charts, staring at their fancy website with Cisco Systems and Hewlett-Packard listed as the company's partners, reading testimonials written by McColo's friends, and weighing the risk of being sued by a "legitimate business operating out of Delaware".

All that really mattered was to stand up and shut it down, as Security Fix did. A good lesson from Brian Krebs for all of us indeed.