All Tech Considered
4:54 pm
Tue July 8, 2014

The Hazards Of Probing The Internet's Dark Side

Originally published on Tue July 8, 2014 5:00 pm

Late last year, hackers breached Target's data security and stole information from millions of credit cards. Brian Krebs, who writes about cybercrime and computer security for his blog, Krebs on Security, broke the story. A few days later, he broke the story of a credit card breach at Neiman Marcus.

Krebs spends time in the dark areas of the Internet, where hackers steal data off credit cards and sell the information in online underground stores.

"There are some very bad people and I think it's never a good idea to dismiss your personal security and safety and that of your family — particularly when you're dealing with what I would consider sociopaths," Krebs tells Fresh Air's Terry Gross.

To do his work, Krebs has learned computer code, the Russian language and how to get onto black market websites and cybercrime networks. And cybercriminals who don't appreciate his work have found creative and frightening ways to harass him, including calling in a fake hostage situation.

Krebs started his blog in 2009. Before that he spent 15 years working as a reporter at The Washington Post, where he covered tech policy, privacy and computer security and wrote the blog Security Fix.


Interview Highlights

On the Experian security breach last year

There was an identity theft service operating underground that sold access to people's most personal information ... their Social Security numbers, dates of birth, mother's maiden names, anything you'd need to assume somebody's identity. This service got the data — they bought it — from a company that was acquired by Experian. And this company, called Court Ventures, is a data broker, a data aggregator. And [its] job is just to basically Hoover up all the information they can about U.S. consumers and then sell that information to whoever wants to buy it.

So, in this case, companies like Experian, TransUnion, Equifax, these are the gatekeepers of your personal information as it relates to who you are online and in the real world. Data aggregators will sell information — it's basically packaged information — so they will sell this to marketers; they will sell it to advertisers.

They also sell information to ... law enforcement, private investigators, and that data tends to be a lot more sensitive ... driver's license information, criminal background records, civil court records, ownership records — things that would be useful in tracking people down.

On the Vietnamese man who posed as an investigator to buy data from Experian

He had 1,300 paying customers that looked up a total of 4 million consumer records over a couple of years. And these guys were using it for identity theft, establishing new lines of credit in people's names, and an increasingly common form of fraud where the fraudsters file your taxes for you — which is a kind of identity theft that I wouldn't wish upon my worst enemy.

I mean, it's bad enough that you get your identity stolen — but somebody files your taxes for you with the IRS and claims that you're due this huge refund and the IRS sends you this money and you figure out that not only was your identity stolen, but now you have to deal with the IRS too.

On being harassed by cybercriminals

The guy who was harassing me actually was an administrator of a very exclusive cybercrime forum that caters to Russian and Ukrainian criminals who, essentially, do all kinds of card fraud and identity theft. I worked with a source of mine who was able to essentially get me access to his forum, which was no small feat. But it was none too soon because it became very clear that he was in the middle of hatching a plan to send heroin to my house.

So he took up a collection of other crooks on the forum and I think they collected like two Bitcoins [digital currency], which at the time was about $1,000, and they went on the Silk Road, which is the place where you can buy heroin on the Internet, or guns or whatever you want. It's a black market bazaar.

So their plan was to send the drugs to my home and then call the police when it arrived and say, "Oh the drugs are well hidden, make sure you search his house really well." And [they would] spoof a call from my neighbors, basically saying, "Krebs [has] got people coming in and out of the house at all hours. He's been lazing around the porch. We're not sure, but we think he's on drugs and now he's buying drugs."

Thankfully I was able to track this scheme as it was unfolding. They even put the tracking number for the shipment in the forum posting so I could track the drugs as they were headed to my house.

I called the police and said, "Look, I'm not a druggie and here's how's you know." ...

I'll never forget, the cop that came out to take a report — I'm showing him all these screen shots and [saying], "Just trust me, OK? I know it's in Russian, but this is what they're saying ..."

The guy is just shaking his head the whole time.

He takes the report and he's like, "All right, give me a call when the drugs come and we'll pick them up." ...

Anyway they did show up, and I called the cops. They came and picked them up, and that was that.

On an incident where a cybercriminal called in a fake hostage situation

In March of last year, a heavily armed police force showed up at my home apropos of nothing. They call it "swatting." Somebody had called in a fake hostage situation at my home. They said Russians had broken into my home and shot my wife and that I was hiding in the closet. "Send guns and forces to get these guys out of my house."

They showed up ... . [The SWAT team] had me put my hands up ... walk down my front stoop backwards. [They] handcuffed me and put me in the squad car and this is happening at about five, quarter-to-six in the evening on a weekday so all the people trying to come home from work, the police had barricaded the entrance to our neighborhood. People are staring out their windows. It was quite a scene.

Copyright 2014 NPR. To see more, visit http://www.npr.org/.