Those involved in a massive fraud scheme that compromised more than 160 million payment cards used sophisticated, well-orchestrated methods over a seven-year period, federal authorities say (see: Fraud Indictment: 160 Million Cards).
According to an indictment unsealed July 25 by Paul J. Fishman, U.S. attorney in New Jersey, the four Russians and one Ukrainian indicted allegedly conducted a scheme that included attacks that occurred from August 2005 through July 2012.
Among the organizations victimized by the alleged fraudsters were the Hannaford grocery chain, as well as payments processors Heartland Payment Systems and Global Payments. Their alleged co-conspirator was Albert Gonzalez, currently imprisoned for his roles in the Hannaford and Heartland breaches.
Other organizations said to have been hacked by this group are: 7-Eleven, Carrefour S.A., Commidea Ltd., Dexia Bank Belgium, Diners Club Singapore, Dow Jones Inc., Euronet, Ingenicard US Inc., JCPenney Inc., JetBlue Airways, NASDAQ, Visa Jordan Card Services and Wet Seal Inc.
Probing for Vulnerabilities
The indictment outlines a sophisticated scheme that unfolded over years.
According to the indictment, the alleged fraudsters often used "SQL injection attacks" to probe for vulnerabilities on the SQL databases of potential victims. Plus, they visited retail stores to review vulnerabilities in the payment processing systems, according to the indictment.
Once the defendants infiltrated a corporate network, they placed malware on them that created a "back door" leaving the system vulnerable, authorities say. Before extracting data, they conducted reconnaissance to locate the information they intended to steal, the indictment explains.
"Defendants often targeted the victim companies for many months, waiting patiently as their efforts to bypass security were under way," according to a release from the U.S. attorney in New Jersey.
The defendants installed "sniffer" programs on corporate networks to capture card numbers, log-in credentials, personal data and other valuable information, authorities say.
They also communicated using instant messaging services to "advise each other as to how to navigate the corporate victims' networks" to locate the sought-after data, the indictment says.
Further, the alleged attackers leased, controlled and used servers around the world to store malware, stage attacks on the corporate victims' networks and receive stolen data, the indictment reveals.
Covering Their Tracks
The indictment goes on to say the defendants attempted to conceal their efforts by disguising their IP addresses and leasing the servers they used under false names.
Stolen data was also placed on multiple servers, where the defendants would disable programs that log inbound and outbound traffic. They also frequently moved between different servers, according to the indictment.
The defendants communicated through private and encrypted channels or met in person, authorities say.
To protect against detection by the victim companies, the defendants allegedly altered the settings on company networks to disable security mechanisms from logging their actions, the release notes. They also worked to evade existing protections provided by security software, authorities say.
Selling the Stolen Data
One of the defendants sold the stolen information to resellers around the world, who, in turn, sold the data to individuals who encoded it onto magnetic strips of blank plastic cards, the indictment notes. Those cards were then used to make unauthorized ATM withdrawals and to incur unauthorized credit card charges.
The alleged fraudsters charged $10 for each stolen U.S. credit card number and associated data; about $50 for each European credit card number; and about $15 for each Canadian credit card number - with discounted pricing offered to bulk and repeat customers, the indictment says.