Tuesday, March 25, 2008

Is a Trojan Just a Marketing Ploy in Disguise?

Welcome to a tale of a virus, but not necessarily the virus you might think. I've been aching to write about this one for a week or so, but frankly, I wanted to let it get the hell out of current Google search engine rankings for a bit.

A couple of weeks ago a story was making the rounds of the poker news sites, or at least most of them; at the one where I have some editorial say, I made sure to give it a wide berth. It had to do with millions of dollars purportedly being stolen from online poker players whose computers had been infected, unknowingly, with a trojan (malware that masquerades as a legitimate program), which then relayed their account credentials to some thief in distant lands. "Goodbye, online bankrolls," went the tale.

A lot of sites ran with their own versions of the story over the next two to three weeks. Some of them were good sites, some of them weren't. I'm not calling anyone out for biting on this one, by the way, because the poker-news world has been very spotty in recent weeks, with brief spurts of very busy activity mixed with days-long stretches where frankly, nothing much earth-shattering was going on. So, no naming of names, hokay?

But the story itself was bullshit. It didn't pass my personal smell test on first glance and every time I went back to check it for worthiness, it just didn't get any better. All the versions of the story that you see date back to a story that was first published on TechRadar.com, and is dutifully linked to and reprinted here. (This is a legit reprinting of the piece, by the way, because it is an examination of the veracity of the piece itself.) Here goes:

Millions stolen from online poker players
Criminals use Trojans to steal money from web users

March 10th

Mikko Hyppönen is the chief research officer at security software company, F-Secure. He also consults with European security agencies about the threats posed by cyber-criminals. Through his job, he hears many frightening stories of how people have been robbed blind without even realising it.

He said that hackers are robbing millions from innocent web users. He told of how your mobile phone could be spying on you. And he described how online banking might not be as safe as you'd hoped.

Online poker players, he says, are some of the ripest targets. And Hyppönen said he fears that most online poker players have absolutely no idea how much danger they’re in. He also revealed a link between money stolen through cyber-crime, and terrorism in Iraq.

Real money

“Online poker players are a massive target for hackers. People play it with real money obviously, so they’re a big target. We were just investigating a case where a professional online poker player was attacked by someone he would play against regularly online. And we’re talking about professional players, and big money. Hundreds of thousands of euros on the table at a time,” he said.

“All of a sudden he started losing. He would regularly lose even when he had a great hand – pocket aces for example. If he had an unbeatable hand, the other players would simply fold. And when he tried to bluff, he would lose. He lost a lot of money this way, we’re talking hundreds of thousands of euros.

“This went on for weeks. And when we looked into it we realised that one of the other players at the table had sent him a tool. A calculator to help optimise the poker playing or whatever. And we found that the application included a Trojan.

“Which means that when he was playing online poker against these people who were in another country, the guy could press a button and he would receive a screenshot of the target’s screen. So he sees the hole cards. If you’re playing poker and the other players know your cards, it’s pretty hard to win.

“It’s a clever attack because the hacker could have just stolen the account and moved the money away. But he would have been caught. But this way the target was losing his money to someone else and he didn’t realise it was a con. I don’t think many online poker players realise that those kind of attacks are being done.”

Iraq insurgents funded

Hyppönen highlighted the case of Tariq Al-Daour who was sent to prison after he used online poker sites to launder millions of pounds to fund the insurgents fighting allied forces in Iraq.

“Tariq Al-Daour was sentenced last summer in London with two of his friends, for using Windows Trojans. They were using keyloggers which save everything you type on the keyboard. And they waited until you did online shopping so they could get your name, address, credit card number etc, and this way they managed to get 36,000 cards. American Express, Visa, Mastercard - the lot. And what they did is they took those cards to online poker sites.

“They set up new accounts with the stolen cards and of course they played against themselves, losing on purpose. This way they were able to launder the money. Again it’s pretty clever because if someone comes asking about all their money, they can prove they won it at poker.

“They laundered close to about two million euros. And the really weird part is what they did with the money. They took the money back to online shops and bought really weird stuff like hiking boots, tents, knives, GPS devices, radios...

“And then they would use couriers to ship those goods to Iraq, to help the insurgents there fight against British and American troops. So what we have here is a link between online crime, Windows Trojans etc, and the funding of insurgents in Iraq. It’s quite an unusual case.”

. . .

And quite an unusual story, cobbled together from semi-related news pieces to serve TechRadar's agenda, I guess. The story itself, however, is suspicious from the outset.

It wasn't the first time I'd encountered either "Mikko Hyppönen, [] the chief research officer at security software company F-Secure," or TechRadar itself, in a computer piece peripherally connected to the online game. In fact, ol' Mikko seems to be one of the talking mouths that the TechRadar writers use whenever they want to write a scare piece talking about computer viruses and online gaming. That's not to say, however, that Mikko and F-Secure don't have some legitimate history connected to online poker.


If you were to click on this link, you'd swim way back in time to the KickAssPoker Blog archives for May of 2006, and you'd find not one, but two stories related to a software trojan and online poker. Back then, the site Checkraised.com, one of many sites trying to elbow its way forward among new, fledgling online poker communities, gave its members a free poker calculator called RBCalc. Checkraised.com had the software developed for it by a contract programmer, one who reportedly had worked previously in the IT department of a large, India-based software shop that developed software for a major online poker site. It might have been Party; it might have been another room. I really don't know that part, and it's irrelevant.

But the Checkraised.com folks did something a bit naive, in terms of understanding software security. Their way of checking whether the software was "clean" was to install it on one of their own computers and see whether McAfee or Norton or whatever they were running flagged anything. Antivirus products of that era recognised malware almost entirely by signature, and since this was a new variant of an existing piece of malware, one of the subset of trojans that bundle a rootkit to hide themselves from the operating system, no vendor had a signature for it yet. The scan came back clean because the scanner had never seen the file, not because the file was safe. Checkraised.com went ahead and gave the software away, which infected dozens or maybe hundreds of people who downloaded and installed the RBCalc poker add-on on their machines.
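To make the point concrete, here is an added illustration (not code from the page, from Checkraised.com or from F-Secure): a toy signature scanner of the kind antivirus engines relied on in 2006, with exact-hash signatures and one looser byte-pattern signature, run against a "known" sample and two variants the vendor has never seen. Every byte string and the family name "Trojan.PokerCalc" are constructed for the example; no real malware is involved.

```python
"""Why "install it and see whether the AV complains" is not a test.

Added illustration. The sample bytes, the family name and the signatures
are all made up; the point is how the check behaves, not what is detected.
"""
import hashlib
import re

# Constructed stand-in for a sample the vendor has already analysed.
PROLOGUE = b"\x55\x8b\xec\x83\xec\x40"   # push ebp; mov ebp,esp; sub esp,0x40
MARKER = b"SCREENGRAB\x00"                # distinctive string in the code section
C2_BYTES = b"\x07\x71\x00\xcb"            # fake immediate standing in for a C2 address
KNOWN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 28          # fake header padding
    + PROLOGUE + MARKER
    + b"\x68" + C2_BYTES                   # push <address>
    + b"\xc9\xc3" + b"\x00" * 16           # leave; ret; padding
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# What a vendor ships: exact hashes of samples it has seen, plus a byte
# pattern for the family that tolerates small edits between the prologue
# and the marker string (the same idea as a YARA rule).
HASH_SIGNATURES = {sha256_hex(KNOWN_SAMPLE): "Trojan.PokerCalc.A"}
PATTERN_SIGNATURES = {
    "Trojan.PokerCalc.gen": re.compile(rb"\x55\x8b\xec.{1,16}SCREENGRAB", re.S),
}


def scan(data: bytes) -> list:
    """Return the detection names a signature scan raises for `data` (possibly none)."""
    hits = []
    name = HASH_SIGNATURES.get(sha256_hex(data))
    if name:
        hits.append(name)
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            hits.append(name)
    return hits


def variant_new_c2(sample: bytes) -> bytes:
    """Same code, different operator: only the embedded address changes.
    The exact-hash signature misses; the byte pattern still fires."""
    return sample.replace(C2_BYTES, b"\xc6\x33\x64\x01")


def variant_new_build(sample: bytes) -> bytes:
    """A fresh build: different prologue encoding and the marker string XOR-obfuscated.
    This is the situation the post describes: functionally the same trojan, but
    nothing in any signature database matches it yet."""
    obfuscated = bytes(b ^ 0x5A for b in MARKER)
    return (sample.replace(PROLOGUE, b"\x55\x89\xe5\x83\xec\x40")
                  .replace(MARKER, obfuscated))


def checkraised_style_check(data: bytes) -> bool:
    """The test Checkraised.com effectively ran: 'did the scanner say anything?'
    Returns True when the file "passes". Passing only proves the scanner has
    no signature for it, which is exactly the case for a new variant."""
    return not scan(data)


def demo() -> dict:
    """Scan the known sample and both unseen variants; returns name -> detections."""
    return {
        "known_sample": scan(KNOWN_SAMPLE),
        "new_c2": scan(variant_new_c2(KNOWN_SAMPLE)),
        "new_build": scan(variant_new_build(KNOWN_SAMPLE)),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:13s} -> {hits or 'clean (no signature matched)'}")
```

The known sample trips both signatures, the repointed build trips only the pattern, and the fresh build trips nothing at all, so `checkraised_style_check` happily passes the one file that matters. A clean scan is a statement about the scanner's database, not about the file; the check that would actually have caught RBCalc is watching what the installed program does (processes it hides, files it drops, hosts it talks to), which no signature lookup provides.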

The virus was discovered rather quickly, and it was discovered by F-Secure, a large Finnish firm that's like a smaller Euro version of McAfee or Norton. But it's unlikely that millions were stolen from the handful of Checkraised.com users who installed the thing, and remember, this was nearly two years ago.

Now, back to the TechRadar story. Do you notice how the piece is really two half-stories, rather than one coherent piece? Following the scare tactics of the lead, the story talks about this unnamed poker player whose hole cards were being transmitted to another player, and supposedly, hundreds of thousands of euros were involved. Does this sound like any recent scandals at major online rooms? Does the mention of Absolute Poker or Ultimate Bet, connected companies which have both had recent scandals with insider cheating and access to players' hole cards, ring any bells?

Well, duh. What you need to realize, though, is that the entire first section of that TechRadar story is specific-free. The player wasn't named, nor the site, nor specific amounts, nor dates, nor much of anything else. It's an apocryphal tale. It might not even be blind-referencing the AP or UB situations, though that's the obvious choice. It could also be a tale of someone who installed one of those idiotic "PokerBot" programs, all of which are complete scams and many of which might do something similar: capture screen grabs of some sucker's monitor and transmit the hole-card information to whoever it was that sold the sucker the software.

It was probably a play on AP or UB, however, interspersed with details of something F-Secure actually did have a hand in, namely the RBCalc trojan unmasking nearly two years back. But this tale as told sounds a lot like Hillary dodging sniper fire on the tarmac in Bosnia; it's believable as long as no one looks too closely.

Let's move on to the second part of the TechRadar piece. That's where the story gets specific, when the F-Secure dude trots out the tale of al-Qaida terrorist Tariq al-Daour. Despite al-Daour's Arab heritage, he has been more closely linked to the Sri Lankan terrorist group the Tamil Tigers. Still, the facts related in the piece are more or less correct. al-Daour was sentenced last year for the theft of roughly 36,000 credit-card numbers -- specifically UK credit-card numbers, though that's never mentioned anywhere -- which he then used to illicitly create and launder money online.

There has been, to the best of my knowledge, exactly one documented case of online poker and other forms of online gambling connected to terrorist money laundering in any sort of large-scale organized fashion. This is the case. al-Daour loaded accounts with bogus credit-card charges on both poker and other types of online gambling sites, and bet freely with other accounts, attempting to launder the money. The nature of his method meant that he flat-out lost a lot of the money, one could suppose, though specifics are hard to find.

In an irony of ironies, the online poker site where al-Daour did more of his "laundering" than any other was... Absolute Poker. Noble Poker and Paradise Poker were also named as sites where al-Daour operated, but he also attempted to move money through sites such as Canbet and Betfair. But the scare tactics used in the piece hugely overstate the impact (and the amount) that al-Daour and his two terrorist compatriots were able to launder.

Here's a more specific passage on the case from a 2007 Washington Post piece:

"All told, al-Daour and other members of the group conducted 350 transactions at 43 different online wagering sites, using more than 130 compromised credit card accounts. It didn't matter if they lost money on their wagering. Winnings were withdrawn and transferred to online bank accounts the men controlled."

Betfair, one of the companies named by the Post, has strenuously denied that the men laundered any money through it, saying "they were unsuccessful: they were identified; accounts were closed; and all relevant information was shared with the police."

As duly noted, al-Daour and the others used keyloggers to capture the UK credit-card numbers. However, note that the keyloggers referenced by F-Secure mouthpiece Hyppönen have absolutely nothing to do with the rest of the tale he's spinning. Al-Daour and his keyloggers have nothing to do with Checkraised.com and RBCalc, nor with the unnamed poker pro who reportedly lost hundreds of thousands. It's a smokescreen. Notice, too, how Hyppönen offered that 36,000 numbers were stolen, even though the Post puts the number actually used at the gambling sites at "more than 130" (which is under 0.4% of the larger figure). Chances are good that the vast majority of those 130 cardholders got their money back, too.

So what, then, is the purpose of the piece? It's really part of the new age of information. It's not quite advertorial, but more along the lines of agenda-driven news content. TechRadar gets to pump itself as providing cutting-edge stories of Internet-based crime and punishment, and gets to use the scare-tactic words of "terrorism" and such to really try to grab some cheap headlines and links. And F-Secure gets the free publicity, and hopefully lots more hits to and downloads from its anti-virus site.

But you know what? It's all bullshit.


Gnome said...

Fascinating report. Good work.