In what is being called the biggest cybercrime of the past decade, federal prosecutors this week indicted five men for stealing more than 160 million credit and debit card numbers. They stole the data from banks and credit card processors, and it was later discovered that some retailers were also hacked as part of the same scheme. Not only that, but these hackers had been at it for the better part of a decade.
160 Million Credit Cards
These are the same men federal prosecutors believe pulled off the Heartland Payment Systems hack. In that instance, a breach that began in 2007, they were able to net 130 million credit card accounts. They are also suspected in the hack at Global Payments that started in 2011, in which more than 1 million accounts were compromised. Global Payments lost $100 million in reimbursements, security fees and upgrades in that instance.
The U.S. Justice Department released their names this week. The gang worked with a hacker who is already serving a 20 year sentence for his long line of earlier breaches: Albert “Soupnazi” Gonzalez, who was behind the TJX hack that netted him the information for more than 90 million credit card accounts. The men named in the new indictment are Dmitriy Smilianets, Vladimir Drinkman, Aleksandr Kalinin, Roman Kotov and Mikhail Rytikov. All are from Russia with the exception of Rytikov, who is Ukrainian. He, along with Kalinin and Kotov, is still at large. The men are all in their mid-20s or early 30s.
Seven Year Hack
Some of these crimes spanned seven years, between 2005 and 2012, with 2008 being an especially busy year for the thieves, a year in which the U.S. was neck deep in the recession. More than 800,000 bank accounts were compromised, as were the Nasdaq servers. While the U.S. was the main target, the indictment says they committed hacks around the world.
Bharara to Prosecute
It is not surprising who is overseeing the prosecution. Manhattan U.S. Attorney Preet Bharara, who has aggressively prosecuted other high profile cases in recent years, released a statement this week that reads, in part,
Cybercriminals are determined to prey not only on individual accounts, but on the financial system itself. But would-be cyberthieves should take note…our ability to unmask and prosecute the anonymous perpetrators of cybercrimes…has never been stronger.
The stolen data included credit card and debit card numbers as well as user names and passwords. The gang sold this information for about $10 per U.S. card account; Canadian accounts fetched $15 each, and for European card numbers they were able to demand $50 each. Those who bought the accounts would then use them to withdraw cash, resell the information or make purchases online. Some of the buyers were “cashers,” who encoded the stolen data onto blank cards and used them to pull funds from ATMs.
The accused used hacker code names such as “Grig,” “G” and “Tempo.” According to the indictment filed in Manhattan, it was Kalinin who hacked the Nasdaq servers and installed malicious software that allowed him to delete, modify and steal data. Prosecutors also said that Kalinin and Nikolay Nasenkov, a Russian national charged alongside him in a separate Manhattan indictment, stole data from at least two banks, Citibank and PNC Bank.
National News a Good Thing?
What is especially frustrating is the nonchalant attitude the thieves shared each time they made the news. When one attack was reported, Kalinin contacted one of his cohorts and joked about it. That cohort was Albert Gonzalez, the Miami-based hacker who is serving a 20 year prison sentence handed down in 2010. Before that, prosecutors were able to collect the instant messages the two exchanged. In one instance, Gonzalez told Kalinin to set up Google alerts for phrases such as “data breach” and “hackers” in order to keep track of the news.
Sorting out the actual charges and who has been charged will be a bit tricky as the case continues to unfold. For now, though, the five defendants are charged with a number of serious crimes ranging from computer hacking to bank fraud to wire fraud. The prison sentences for each crime vary, as well; some carry maximum terms of up to 30 years each. They are also accused of planting malware on the networks of JetBlue, Wet Seal, 7-Eleven, JCPenney, Dow Jones and Ingenicard.
The hackers broke into their targets using SQL injection attacks, which take advantage of web applications that build database queries by pasting unvalidated user input directly into the SQL text. Once the database behind the public-facing web server can be made to run attacker-supplied SQL, it is easy to read data out of it or plant malicious code on the server. From there, the attackers uploaded additional software and siphoned data for months at a time.
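To make the mechanism concrete, here is an added example (it is not code from the indictment or from any of the victim companies) showing the difference between a login query that splices user input into SQL and one that binds it as a parameter. The table and column names, the sample rows and the injection strings are all constructed for illustration; the database is an in-memory SQLite instance, so it runs offline.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample schema and data (assumptions for illustration only):
    # a users table the login form checks, and a cards table an attacker
    # would actually be after.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE cards (id INTEGER PRIMARY KEY, pan TEXT, owner TEXT);
        INSERT INTO users VALUES (1, 'admin', 'correct horse');
        INSERT INTO users VALUES (2, 'alice', 'hunter2');
        INSERT INTO cards VALUES (1, '4111111111111111', 'alice');
        INSERT INTO cards VALUES (2, '5500000000000004', 'bob');
        """
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # The bug: attacker-controlled strings become part of the SQL text, so a
    # quote in the input ends the literal and the rest is parsed as SQL.
    query = (
        "SELECT id, username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    # The fix: the SQL text is constant and the values are bound as
    # parameters, so they are always treated as data, never as syntax.
    query = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo() -> dict:
    # Three constructed payloads: a comment that drops the password check,
    # a tautology that matches every row, and a UNION that pulls card numbers
    # out of an unrelated table through the login form.
    conn = make_db()
    return {
        "bypass_comment": login_vulnerable(conn, "admin' --", "wrong"),
        "bypass_tautology": login_vulnerable(conn, "admin", "' OR '1'='1"),
        "exfil_union": login_vulnerable(
            conn, "' UNION SELECT id, pan FROM cards --", "x"
        ),
        "safe_bypass_comment": login_safe(conn, "admin' --", "wrong"),
        "safe_exfil_union": login_safe(
            conn, "' UNION SELECT id, pan FROM cards --", "x"
        ),
        "safe_valid": login_safe(conn, "alice", "hunter2"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The UNION case is the one that matters for a breach like this: the login form never needed access to the cards table, yet the injected query reads it, which is why least-privilege database accounts and parameterized queries belong together rather than being treated as alternatives.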
A few of the companies that were compromised include:
- Hannaford Brothers Co: 2007, 4.2 million card numbers
- Carrefour S.A.: 2007, 2 million card numbers
- Commidea Ltd.: 2008, 30 million card numbers
- Euronet: 2010, 2 million card numbers
- Visa, Inc.: 2011, 800,000 card numbers
- Discover Financial Services: 500,000 Diners card numbers
Three months after the Hannaford hack, Kalinin and Gonzalez discussed the events over instant messages:
Kalinin: haha they had hannaford issue on tv news?
Gonzalez: not here
Gonzalez: I have triggers set on google news for things like “data breach”, “credit card fraud”, “debit card fraud”, “atm fraud”, “hackers”
Gonzalez: I get emailed news articles immediately when they come out, you should do the same, it’s how I find out when my hacks are found
A week later, the news began reporting what it called a “massive credit card breach” at Hannaford. The two men were proud to have made the national news:
Gonzalez: hannaford lasted 3 months of sales before it was on news, I’m trying to figure out how much time its going to be alive for
Gonzalez: hannaford will spend millions to upgrade their security!! lol
Kalinin: they would better pay us to not hack them again
When Drinkman was arrested on earlier charges, he immediately began fighting extradition. He remains in the Netherlands, and his lawyer, Bruce Provda, said,
It’s a rather complex international charge. If it goes to trial, it’s going to be a lengthy trial.
Some wondered why the federal prosecutors opted to release the names before all of the arrests had actually been made. It was learned earlier this week that the decision was made to “signal displeasure with uncooperative Russian authorities,” according to sources who remain unnamed.