Massive Fraud Scheme: How It Happened

Indictment Lays Out Details of Well-Orchestrated Operation

By , July 26, 2013.
Massive Fraud Scheme: How It Happened
 

Those involved in a massive fraud scheme that compromised more than 160 million payment cards used sophisticated, well-orchestrated methods over a seven-year period, federal authorities say (see: Fraud Indictment: 160 Million Cards).

See Also: OPM Breach Aftermath: How Your Agency Can Improve on Breach Prevention Programs

According to an indictment unsealed July 25 by Paul J. Fishman, U.S. attorney in New Jersey, the four Russians and one Ukrainian indicted allegedly conducted a scheme that included attacks that occurred from August 2005 through July 2012.

Among the organizations victimized by the alleged fraudsters were the Hannaford grocery chain, as well as payments processors Heartland Payment Systems and Global Payments. Their alleged co-conspirator was Albert Gonzalez, currently imprisoned for his roles in the Hannaford and Heartland breaches.

Other organizations said to have been hacked by this group are: 7-Eleven, Carrefour S.A., Commidea Ltd., Dexia Bank Belgium, Diners Club Singapore, Dow Jones Inc., Euronet, Ingenicard US Inc., JCPenney Inc., JetBlue Airways, NASDAQ, Visa Jordan Card Services and Wet Seal Inc.

For more information about the victims, see Card Fraud Scheme: The Breached Victims. For more information about the impact of the indictments, see Will Indictments Curb Card Fraud?

Probing for Vulnerabilities

The indictment outlines a sophisticated scheme that unfolded over years.

According to the indictment, the alleged fraudsters often used "SQL injection attacks" to probe for vulnerabilities on the SQL databases of potential victims. Plus, they visited retail stores to review vulnerabilities in the payment processing systems, according to the indictment.

Once the defendants infiltrated a corporate network, they placed malware on them that created a "back door" leaving the system vulnerable, authorities say. Before extracting data, they conducted reconnaissance to locate the information they intended to steal, the indictment explains.

"Defendants often targeted the victim companies for many months, waiting patiently as their efforts to bypass security were under way," according to a release from the U.S. attorney in New Jersey.

The defendants installed "sniffer" programs on corporate networks to capture card numbers, log-in credentials, personal data and other valuable information, authorities say.

They also communicated using instant messaging services to "advise each other as to how to navigate the corporate victims' networks" to locate the sought-after data, the indictment says.

Further, the alleged attackers leased, controlled and used servers around the world to store malware, stage attacks on the corporate victims' networks and receive stolen data, the indictment reveals.

Covering Their Tracks

The indictment goes on to say the defendants attempted to conceal their efforts by disguising their IP addresses and leasing the servers they used under false names.

Stolen data was also placed on multiple servers, where the defendants would disable programs that log inbound and outbound traffic. They also frequently moved between different servers, according to the indictment.

The defendants communicated through private and encrypted channels or met in person, authorities say.

To protect against detection by the victim companies, the defendants allegedly altered the settings on company networks to disable security mechanisms from logging their actions, the release notes. They also worked to evade existing protections provided by security software, authorities say.

Selling the Stolen Data

One of the defendants sold the stolen information to resellers around the world, who, in turn, sold the data to individuals who encoded it onto magnetic strips of blank plastic cards, the indictment notes. Those cards were then used to make unauthorized ATM withdrawals and to incur unauthorized credit card charges.

Follow Jeffrey Roman on Twitter: @gen_sec

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Infosec Careers: Find Your Passion

Andy Ellis, chief security officer of Akamai Technologies, says that in today's burgeoning...

Latest Tweets and Mentions

ARTICLE Infosec Careers: Find Your Passion

Andy Ellis, chief security officer of Akamai Technologies, says that in today's burgeoning...

The ISMG Network