Here's how I steal passwords, officer

Perps: Alexei Ivanov and Vasily Gorshkov

Status: Ivanov released in 2006; Gorshkov to be released later this year

Dossier: When a pair of Russian programmers was asked to come to America for a job interview, they had no idea the job was to wear a jumpsuit in a U.S. jail cell, and that the interviews would be conducted by the FBI.

Exploiting well-known but unpatched security vulnerabilities in Windows NT servers, Alexei Ivanov and Vasily Gorshkov began building their résumés early this century, stealing credit card numbers and Paypal credentials of thousands of people along the way. One early bullet point for their criminal curricula vitae, first reported on Sept. 11, 2000, involved the theft of 15,700 credit card numbers from Western Union -- among the earliest known incidents of its kind.

Hot on the trail of the duo in 2001, but bereft of a computer crime law on the books in Russia and without hope of getting Russian authorities to comply with an extradition request, the FBI employed another item from its playbook: the classic sting operation.

Ivanov and Gorshkov were asked by a fictional computer security firm ("Invita") to come to the United States for a job interview where they could show off their l33t skills to FBI agents posing as company officials. During the interview, the pair was asked to demonstrate their abilities on a PC loaded with commercial keylogging software. They logged in to a server in Russia, downloaded their crimeware toolkit, and proceeded to demonstrate how it worked.

After the interview, technical specialists used the recorded information to log back in to the Russian server Ivanov and Gorshkov had connected to. The FBI downloaded the entire contents of the pair's remote servers as evidence and then -- in what was a brash move back then -- obtained search warrants after they'd collected the evidence, followed soon afterward by arrest warrants.

Following the duo's conviction, one Russian cybercrime Web site reported that "Lieutenant Colonel of Justice Igor Tkach has initiated criminal case against FBI agents Michael Shuler and Melissa M. Mejlon under the article 272 Criminal Code of Russian Federation [sic]." No word on whether the FBI agents were handed over for a taste of Russian justice, but it seems doubtful.

Upshot: Ivanov and Gorshkov were convicted of computer crimes in 2003, with Ivanov sentenced to three years and Gorshkov sentenced to four years in prison. Suffice it to say, performing illegal acts as part of a job interview process, especially with a security company, is worth adding to the list of no-brainer no-nos.

[ Stupid hacker index ]