As a professional magician, David Garrity is an old hand at making things seem to appear out of thin air.
But even he did a double-take when -- Presto! -- his Visa card number and other personal information suddenly materialized on the Internet for the world to see. Garrity reported the incident to the Connecticut FBI office.
That January phone call sparked an investigation that revealed an elusive network of mostly Middle Eastern computer hackers who have stolen thousands of credit-card numbers from commercial Internet sites and used them to buy PCs, satellite dishes and stereos. The network's online hub is a Web site -- open to anyone and still operational as of last week -- where hackers freely exchange stolen card numbers and give advice on the finer points of computer crime.
While the FBI is aware of the site, and has served search warrants on U.S.-based Internet service providers for copies of the hackers' e-mail, the authorities so far have made no arrests. Investigators say they have been slowed by the procedural difficulties of pressing charges against online thieves based in faraway countries.
The hackers, meanwhile, apparently are aware of the FBI's interest in their activities. In recent months, the Web site -- run by someone claiming allegiance to a Kuwaiti group called Q8 Hackers -- has changed its Internet address several times to frustrate investigators, and now contains a threat written in broken English:
"May God Send All the damnations in the world to who backstabbed us."
The credit-card thefts are the latest in a wave of attacks by overseas Internet pirates, many of whom hail from Russia or Eastern Europe, where laws regulating computer crime are nonexistent or weakly enforced. To make an arrest, American authorities usually must lure the suspect into the United States.
An FBI affidavit obtained by The Courant shows that, in the Q8 hacker case, investigators have pinpointed at least one person in the United States who used a stolen credit card to make a purchase. But the main figure behind the Web site -- a Q8 hacker who refers to himself alternately as y2y or GSD -- appears to be based in the Middle East.
Adding a layer of intrigue is the involvement of so many hackers from Arab countries in the network. One calls himself "bin Laden." Another has a personal web page, which appears to be defunct, with an Arabic title that incorporates a reference to Sept. 11, 2001.
There is nothing to suggest that the operators of the Q8 Web site are involved in terrorism, and many of those exchanging messages appear to be young people more interested in music and video games than radical Islam.
But credit-card fraud is a favorite means for terrorist organizations to finance their operations -- al-Qaeda training manuals encourage it -- and law-enforcement officials are concerned that individual terrorists, or cells, can make use of information offered by groups like Q8 Hackers.
Last summer, German police arrested 100 Islamic extremists from North Africa and the Middle East linked to another international network of credit-card thieves.
Two Algerians convicted of plotting to bomb Los Angeles International Airport in 1999 told FBI agents that they supported themselves through credit-card fraud.
One case involved Middle Eastern graduate student Ali Al-Marri, detained last year in Illinois after authorities discovered that his telephone calling card was used to dial the same number in the United Arab Emirates used by Sept. 11 hijacker Mohamed Atta and his al-Qaeda financier.
Al-Marri was subsequently indicted on credit-card-fraud charges after investigators found hundreds of stolen card numbers on his home computer, according to a complaint filed in U.S. District Court in Manhattan.
Files and Web-site links on his computer were strikingly similar to ones posted on the Q8 hacker's site, including software for hacking and lists of "proxies," Internet computer servers used to mask a hacker's location.
Hackers frequenting the Q8 hacker's site seem to favor a small, hard-to-detect program known as a "worm" or a "Trojan horse" to sneak into computers hosting e-commerce Web sites and steal the credit-card information.
Some of that information is then posted on the site, under the heading "cc fraud," where it is accessible to anyone. Courant reporters downloaded a file containing 2,000 credit-card numbers, along with names, addresses and telephone numbers of the cardholders.
It is unclear how many of the card accounts are still valid. One file filled with credit-card numbers is prefaced with a note from the Web site operator saying he had "only found one valid cc from this list."
The Web site also contains a bulletin board where hackers exchange information, ideas and questions about the intricacies of hacking into commercial Web sites and using stolen credit-card numbers.
In recent weeks, a visitor to the site from Jordan posted a message seeking help creating a phony credit card and drivers license. Another, from Oman, wanted advice on arranging the delivery of stolen merchandise to an untraceable drop spot.
One visitor, calling himself "Nashu," posted a question: "I have a guy in spain with fake ID's and he has a bank account. How can i put money in it?"
Although the site features a disclaimer that everything in it is for "educational purposes," the bulletin-board exchanges make clear that visitors are interested in one thing: fraud.
When "Bookman" frets about whether to sign for a package containing an Mp3 music player purchased using a stolen credit-card number, others warn him not to take chances.
Instead, they advise him to take other steps, short of signing for the delivery, to obtain the item.
"Believe meit's not worth it," GSD said. That message continues: "today u r happy to get that mp3 player, and next day u r in jail."
Cracks in security
George Bakos, senior security expert at Dartmouth University's Institute for Security Technology Studies, said even so-called "secure" e-commerce sites are vulnerable to attacks.
While it has become hard for hackers to intercept information when it is passed from a vendor to the credit-card company, it's still all too easy for them to worm their way in and steal the information from the vendor's hard drives, Bakos said.
A recent study by banking technology consultant Celent Communications estimated that computer-based fraud costs the credit-card companies $1 billion or more each year. Other experts say the scope of the problem is impossible to measure, because many victimized firms keep their losses secret to avoid alarming customers and disclosing their vulnerability to other would-be intruders.
Some businesses have quietly paid ransoms to hackers who defeat their security systems in exchange for silence. Last year, a bank in California reportedly paid $500,000 to a cyberintruder who threatened to go public with sensitive information he gleaned after cracking into a corporate vice president's computer using a well-known Trojan horse called "Backorifice."
But one-time scores like that are not the bread and butter of hacking rings that are known in the Internet security industry as "black hats" or "malicious hackers." Such groups are more likely to bleed victims slowly through multiple purchases and cash withdrawals, or bundle stolen credit cards and sell them wholesale to other thieves.
Last week, someone posted information on a half-dozen newly stolen credit-card numbers in a chat room on the Q8 hacker's Web site. One of the cardholders, Michael Hudson, of Wheaton, Ill., said in an interview that he discovered his card had been pilfered when he got a call from an Internet service provider to verify a charge -- which Hudson had not authorized -- for registering a new Web site called myloveonline.com.
Hudson canceled the card, but not before the hackers used it to also withdraw hundreds of dollars in cash from online payment services scattered around the globe.
Garrity, the magician, learned that his credit card had been compromised after he got a letter from the East Hartford Federal Credit Union informing him that his Visa account number had been posted on the Internet.
After Garrity got the letter, he found the Web site using Internet search engines and alerted the Federal Trade Commission. But the response was not swift.
"They said they could only act if it was a private company that was compromising the cards," he said. "So I called Visa but couldn't find anyone who would take a report like that. So I called the FBI."
FBI agents began monitoring the Web site, and in July applied for a warrant to search computer servers owned by e-mail giants Hotmail and Yahoo for messages between the foreign hackers and Americans who act as their go-betweens. Because many U.S.-based Web merchants won't deliver internationally, the Americans agree to receive merchandise bought online with the stolen cards, take some portion of it for their troubles, then ship it along to the ringleaders overseas.
In an episode, cited in the FBI warrant, that shows one crude way of avoiding detection, an American in Houston who used a credit-card number provided by the Q8 hacker was surprised when the delivery person asked for his identification. He produced it, and apparently only then began to consider the potential consequences, which he guessed included jail.
So he sent a panicky e-mail back to the Q8 hacker begging him to post the card number immediately in as many hacker venues as possible so others would use it to make a flurry of purchases.
"The reason I need you to post in all channels is because they made me sign for the package and looked at my i.d," the e-mailer wrote late on the evening of Feb. 4. "So I need many others or yourself to have deliveries sent to other places. Because if you only have one charge on the cc they are likely to investigate 1/2hellip3/4 but if there are many charges they may not."