The Great Cyberheist - 5





“I’ve been asking myself, why did I do it?” Gonzalez told me over the phone from prison recently. “At first I did it for monetary reasons. The service’s salary wasn’t enough, and I needed the money. By then I’d already created the snowball and had to keep doing it. I wanted to quit but couldn’t.” He claims his intentions were partly admirable. He genuinely wanted to help out Patrick Toey, a close friend and hacker who would later do much of the more sophisticated legwork involved in Gonzalez’s hacking into corporate networks. Unlike Gonzalez and Watt, Toey, who is 25, had a rough upbringing. After dropping out of high school, he supported his mother and his younger brother and sister by hacking. Gonzalez invited Toey to live in his condominium in Miami, rent-free. Gonzalez owned it, but he enjoyed living at home with his parents more. He says he loved his mother’s cooking and playing with his nephew, and he could more easily launder money through his parents’ home-equity line of credit that way.
Gonzalez relished the intellectual challenges of cybercrime too. He is not a gifted programmer — according to Watt and Toey, in fact, he can barely write simple code — but by all accounts he can understand systems and fillet them with singular grace. I often got the impression that this was computer crime’s main appeal for Gonzalez.
But he also liked stealing. “Whatever morality I should have been feeling was trumped by the thrill,” he told me. And he liked spending. Partly but not entirely in jest, he took to referring to his scheme as Operation Get Rich or Die Tryin’, after the 50 Cent album and movie. Gonzalez would not discuss with me just how rich he got, but he certainly was seeing profits in the millions of dollars. Little of that found its way to Toey, however, and probably none to Watt. For himself, Gonzalez bought, in addition to the condo, a new BMW 330i. He often stayed in luxury hotel suites in Miami on a whim. He took frequent trips to New York, where he and Watt — who worked by day in the I.T. department of Morgan Stanley and later developed securities-trading software and moonlighted as a nightclub promoter — spent thousands on hotels, restaurants, clubs and drugs. Lots of drugs. “I don’t know when he slept,” Agent Michael says, referring to Gonzalez’s lifestyle during the time they worked together.
It seems clear now that Gonzalez didn’t mind betraying people. What would come to anger the Secret Service most is that he used information from their investigations to enrich himself. “He would be working for the service during the day, and then come home and talk to me, and I’d be selling dumps for him,” Toey told me, referring to databases of stolen card information. Gonzalez sold dumps to hackers who he knew were under investigation, in effect setting them up. In the case of one Miami suspect being investigated by the service, Toey told me: “We basically ripped [him] off and sold him databases that were all dead and expired. They came from a company where a breach was being investigated by the service. He got caught with the database, and it looked like he’d done it.” Toey and Gonzalez then split the profits. (Gonzalez confirmed this account of events.)
When I asked Toey how he felt about using information from government investigations to betray other hackers, including black hats, he said: “I didn’t like it at all that he did it. But at the same time, I don’t know any of those people.” He added, “More money for us.”
Agent Michael investigated the Miami suspect, but he did not know until I told him that Gonzalez had set the man up. “It doesn’t surprise me,” he said. “Looking back, we knew what he wanted us to know. . . . He was leading a double life within a double life.”
BY THE SPRING of 2007, Gonzalez was tired of working for the Secret Service. “He wasn’t showing up on time,” according to Agent Michael, who began talking with other agents about cutting Gonzalez loose. “He didn’t want to be there.” He was also tired of war driving. He wanted a new challenge. He found one in a promising technique called SQL injection.
SQL (usually pronounced “sequel”) stands for Structured Query Language, the programming language that enables most commercial Web sites to interact with their associated databases. When you log on to the Web site of a clothing store to buy a sweater, for example, the site sends your commands in SQL back to the databases where the images and descriptions of clothing are stored. The requested information is returned in SQL, and then translated into words, so you can find the sweater you want. But there is a vulnerability here: such databases in a company’s servers often exist in proximity to other all-too-accessible databases with more sensitive information — like your credit-card number.
