NEWS FROM THE LAB - Thursday, March 3, 2011

Five Online Criminals Sentenced in UK Posted by Mikko @ 15:23 GMT

You might remember our blog post from last August, discussing an online criminal who posted his bail sheet to an online forum.

He has been convicted today in London and received four years in prison. In the same sentencing, two other males and two females were convicted to jail sentences ranging from 18 months to four years and to community service.

Scotland Yard's release follows:

A group of young internet fraudsters who set up an online 'criminal
forum' which traded unlawfully obtained credit card details and tools
to commit computer offences have today been jailed for a
total of 15.5 years.

[A] Gary Paul Kelly (14.04.89 - 21 yrs) unemployed of Clively Avenue,
Clifton, Swinton, Manchester;

[B] Nicholas Webber (10.10.91 - 19 yrs) a student of Cavendish Road,

[C] Ryan Thomas (8.7.92 - 18 yrs) a web designer of Howard Road, Seer
Green, Beaconsfield, Herts;

[D] Shakira Ricardo (14.11.89 - 21 yrs) unemployed of Flat 13, J Shed,
Kings Road, Swansea SA1;

were sentenced today (Wednesday 2 March) for computer misuse and fraud
offences following a two-day Newton Hearing at Southwark Crown Court.
All pleaded guilty at earlier hearings.

+ [E] Samantha Worley (30.09.88 - 22 yrs) unemployed of Flat 13, J
Shed, Kings Road, Swansea SA1 was sentenced on 14 December 2010 to 200
community service for acquiring criminal property.

The gang are believed to have been responsible for the largest
English-language online cyber crime forum and were all arrested on
various dates in 2009 and 2010, following a complex investigation by
officers the Metropolitan Police Service’s Police Central e-Crime Unit

During an eleven month investigation detectives uncovered evidence that
the defendants were directly involved in the global forum (used by over
8,000 members) which promoted and facilitated the electronic theft of
personal information; credit and debit card fraud; buying and selling
of personal information (including passwords and PIN numbers); the
creation and exchange of malicious computer programs (malware); the
establishment and maintenance of networks of infected personal
computers (BotNets);and tutorials offering advice on how to commit such
offences, including how to evade and frustrate law enforcement activity
and the exchange of details of vulnerable commercial sites and servers.

Founder of the forum was Webber. Having established a web site named
'www.GhostMarket.net', he acted as "administrator" and had overall
control of the site (meaning he was able to allow/ban members, remove
or edit their posts, and alter their status on the forum.)

An examination of the rebuilt forum and its database revealed many
thousands of data entries relating to individuals' personal details
including names, dates of birth, bank details, passwords, paypal
accounts and social security numbers. Site members are believed to have
traded in compromised databases containing thousands of personal
details including bank account numbers, PIN numbers, passwords and
malware including the Zeus Trojan and other types of criminal software,
including credit card verification programs.

The forum included such topics as: 'Phishing kits (post free phishing
kits and sell them)'; 'Show off (show us your skills here)'; 'Tutorials
(post some useful info here)'; and 'Cardable (post sites you've carded
here)'. There was also advice and tutorials on various methods of
evading law enforcement, how to encode blank plastic with credit card
data, and how to hack into sites, and even recipes for controlled drugs
(crystal meth) and a tutorial on bomb making.

Members of the site communicated anonymously by the use of screen
nicknames. They were able to post messages in various forum topics on
the website and send/receive private secure messages to/from other site

During the investigation detectives recovered from the defendants’
computers more than 130,000 compromised credit card numbers, which at
an estimated industry loss of £120 per card, is a potential £15.8
million financial loss in relation to card numbers alone.

On 3 November 2009 detectives arrested Kelly after executing a search
warrant at his home address. A full search of the property was
conducted, with a number of computers and mobile phones removed from
the address for examination.

It was established that Kelly had independently constructed and
distributed across the web a sophisticated Zeus malicious computer
programme which enabled him to infect and compromise over 15,000
computers in over 150 countries, harvesting from them over 4 million
lines of data including huge quantities of credit card numbers and
other confidential, personal information.

Having been provided with relevant passwords by Kelly, detectives were
able to rebuild the GhostMarket forum and its database using files from
his PC.

Prior to this, on 12 October Webber and Thomas were arrested at a five
star central London hotel for using stolen credit card details to pay
for accommodation in the penthouse suite. They claimed to have
responded to an online advert, saying they had paid money to an
anonymous individual.

Bailed to return whilst officers conducted further inquiries, items
including their laptops were seized. In addition they were found to be
in possession of business cards brandishing the 'GhostMarket' logo,
advertising it as "A new era in virtual marketing" with the byline
"I'm a carder, ask about me..."

The duo's involvement in the 'GhostMarket' criminal forum was soon
established and inquiries were made to trace them after they fail to
return on bail in relation to the stolen credit card offence.

It was later discovered that on 31 October the pair had flown out to
Palma, Majorca, where they had been living in a rented flat in Port

On 29 January 2010 they were arrested at Gatwick Airport as they flew
in from Palma.

The following day a search of Webber's home address revealed a computer
containing a series of files outlining a step-by-step guide to
committing various criminal offences.

Owing to the volume of evidence to be examined and the complexities of
the case, the pair were released on police bail to return at a later

Officers subsequently travelled to Spain and, accompanied by Spanish
Police, attended the flat Thomas and Webber had rented out. The
property was empty, but local enquiries established that the contents
had been posted back to their UK addresses.

Those items, as well as additional computer equipment, were
subsequently recovered.

Through the forensic examination of seized computers and other digital
storage devices, as well as evidence secured through the rebuilt
Ghostmarket site, officers identified Ricardo, a trusted member of the
forum, and she was traced to Swansea, South Wales. Initially joining
the site as a complete novice, over time Ricardo had progressed to
become directly engaged in card fraud and computer malware activity.

Financial enquiries identified a payment made from Ricardo into her
partner Worley's bank account, incriminating her in the fraud.

Detective Inspector Colin Wetherill, Police Central eCrime Unit said:
"These defendants were accomplished cyber criminals, engaged in the
systematic mass infection of computers in homes and businesses in the
UK and overseas.

"They unlawfully harvested personal and financial information from
their victims to be exploited for financial gain.

"The GhostMarket crime forum was used by thousands of computer
criminals and fraudsters operating worldwide.

"Through it the defendants built an extensive criminal network to
facilitate the wholesale trade of compromised credit card details,
confidential financial and personal information, malicious computer
programmes, and other sophisticated tools and criminal services.

"The arrest, prosecution and conviction of these individuals represents
a significant step forward in our efforts to tackle cyber crime and
reduce the harm it causes."

+ A full financial investigation into all four defendants is underway.