160 million credit cards later, “cutting edge” hacking ring cracked
For nearly a decade, a band of cybercriminals rampaged through the servers of a global business who’s who: Among the victims were 7-Eleven, Dow Jones, Nasdaq, JetBlue and JC Penney. Prosecutors say the hackers stole “conservatively” 160 million credit card numbers, and the dollar value of the crimes they helped facilitate is enormous — just four of the victims are out $300 million. The suffering caused to identity theft victims was “immeasurable,” say prosecutors.
On Thursday, five of the gang’s members were indicted. One is in custody in the U.S., a second is awaiting extradition in the Netherlands, and three more are still at large in what U.S. Attorney Paul Fishman said is the largest data heist case ever prosecuted.
Dmitriy Smilianets, 29, of Moscow, is in custody, while Vladimir Drinkman, 32, of Syktyvkar, is awaiting an extradition hearing. The other three remain at large: Aleksandr Kalinin, 26, Roman Kotov, 32, and Ukrainian Mikhail Rytikov, 26.
Originally part of a crime ring led by Albert Gonzalez, who was arrested back in 2008, the five continued their data conquests even after Gonzalez was sentenced to 20 years in prison.
The group kept security professionals and journalists busy for years, causing embarrassing data leaks at grocery-store chain Hannaford Brothers Co. (4.2 million cards), Discover (2 million cards), and Dow Jones (10,000 corporate logins).
Often, one of the criminals would shop at the retailers to observe checkout registers and deduce which systems were used, assessing their vulnerability. Then they’d gain access to credit card payment systems and siphon off millions of victims’ account numbers as the cards were used in transactions.
They even bragged to each other about the fame they were gaining by picking prominent targets — and used Google alerts to learn when their access might be cut off.
The group really hit paydirt when they turned away from brand-name retailers and toward credit card payment processors. Hoards of stolen card numbers — known as “dumps” — flowed through these little-known financial firms that connect retailers and banks, leading to record-breaking heists: Heartland Payment Systems (130 million cards); Commidea, in Europe (30 million); Euronet (2 million); and Global Payment Systems (950,000).
Prosecutors say they took the “dumps” and turned to middle-men called “dump resellers.” The resellers in turn split the data into blocks and resold it through a worldwide network of “cashers.” U.S. card numbers could fetch $10, while European cards fetched up to $50.
Prosecutors say the five men used relatively simple “SQL Injection” methods to break into company servers. That family of attacks has many variations, but it essentially involves using website forms to feed bad information into an underlying database and tricking it into giving access to an attacker.
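The pattern behind that description, shown as an added example that is not taken from the indictment or the article: a form lookup that pastes input into the SQL text, next to one that binds the input as a parameter. The table, function names and input strings are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for a site's account database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, card_token TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)", [
        ("alice", "tok-0001"), ("bob", "tok-0002"),
        ("carol", "tok-0003"), ("o'brien", "tok-0004"),
    ])
    return db

def lookup_concatenated(db, username):
    # Flawed: form text becomes part of the SQL statement and is parsed as SQL.
    sql = ("SELECT username, card_token FROM accounts "
           "WHERE username = '" + username + "'")
    return db.execute(sql).fetchall()

def lookup_parameterized(db, username):
    # Hardened: form text is bound as a value and only ever compared as data.
    sql = "SELECT username, card_token FROM accounts WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

def demo():
    db = make_db()
    crafted = "nobody' OR '1'='1"   # constructed input, closes the quote early
    surname = "o'brien"             # legitimate value containing an apostrophe
    try:
        lookup_concatenated(db, surname)
        surname_error = None
    except sqlite3.OperationalError as exc:
        surname_error = str(exc)    # a quote in ordinary input breaks the query
    return {
        "concatenated_crafted_rows": len(lookup_concatenated(db, crafted)),
        "parameterized_crafted_rows": len(lookup_parameterized(db, crafted)),
        "parameterized_surname": lookup_parameterized(db, surname),
        "concatenated_surname_error": surname_error,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```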
They make it look so easy!