11 charged in largest-ever I.D. Theft case
In early August, the U.S. arrested 11 alleged hackers accused of
stealing more than 40 million credit and debit card numbers from nine
major U.S. retailers - including TJX. Their crimes include conspiracy,
computer intrusion, fraud and identity theft, according to indictments
unsealed by federal grand juries in Boston, MA and San Diego, CA.
Three of the defendants are U.S. citizens, one is from Estonia, three
are from Ukraine, two are from the People's Republic of China and one
is from Belarus. One individual is only known by an alias online, and
his place of origin is unknown.
"So far as we know, this is the single largest and most complex
identity theft case ever charged in this country," said Attorney
General Michael B. Mukasey. "It highlights the efforts of the Justice
Department to fight this pernicious crime and shows that, with the
cooperation of our law enforcement partners around the world, we can
identify, charge and apprehend even the most sophisticated
international computer hackers."
The international law enforcement cooperation extended to making
arrests. One of the defendants was arrested in Germany, and one was
arrested in Turkey.
Security researcher Gary Warner has been following this case closely and provided a helpful summary on his blog (http://garwarner.blogspot.com/2008/08/tjx-update-san-diego-indictments.html) of some of the group's exploits detailed in the indictments, which is excerpted here:
First, (Albert) Gonzalez, (Damon Patrick) Toey, and
(Christopher) Scott went wardriving around Miami, in commercial areas
such as the area around U.S. 1, identifying vulnerable wireless
networks. They targeted large retailers, "including, but not limited
to" BJ's Wholesale Club, DSW, OfficeMax, Boston Market, Barnes &
Noble, Sports Authority, and TJX.
After infiltrating their networks, they began locating and stealing sensitive files and data, including credit card numbers.
At this point, they are just punks. This type of break-in is a dime a
dozen. But then they took it further. It says they went on to install
sniffer programs, monitoring and stealing password and account
information as well as track 2 data.
The conspiracy broadened as they had to bring in new associates to help
with decrypting the encrypted PIN numbers on their tens of millions of
Track 2 reads.
The stolen data was stored on servers in Latvia, the Ukraine, and the
United States, and encrypted to prevent access by others. From there,
the data was sold in "dumps", cashed out, and the money was
redistributed, using webmoney, ATMs, and in some cases even mailing
express packages full of cash to drop boxes!
Regarding their technical skills, custom SQL injection attacks were
developed to take on particularly desirable web sites. The attacks were
mounted against a variety of database-driven web sites to find
additional track 2 data, internal accounts, and files of large
businesses.
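As an added illustration, not part of the article or of Warner's post, the following Python example shows the kind of weakness the SQL injection remark above refers to, and what closes it. It builds a constructed in-memory SQLite table standing in for a database-driven site (the table name, columns, rows and function names are all assumptions, and the "track2" values are placeholders, not card data), then runs the same lookup two ways: once with the username spliced into the SQL text, and once with the value bound as a parameter so it can only ever be treated as data.

```python
import sqlite3

# Constructed sample rows (not real accounts or cards): a tiny table standing
# in for the kind of database-driven site the indictments describe.
SAMPLE_ROWS = [
    ("alice", "pw-alice", "TRACK2-PLACEHOLDER-1"),
    ("bob", "pw-bob", "TRACK2-PLACEHOLDER-2"),
]


def build_db():
    """Create an in-memory SQLite database populated with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, track2 TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts (username, password, track2) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def lookup_vulnerable(conn, username):
    """The weak pattern: user input is spliced into the SQL text.

    A value containing a quote character changes the structure of the
    statement, so the WHERE clause no longer means what the developer wrote
    and the query can match rows the caller was never meant to see.
    """
    query = "SELECT username FROM accounts WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    """The fix: bind the value as a parameter.

    The SQL text and the value travel separately, so the input is compared
    purely as data and cannot alter the statement, whatever it contains.
    """
    query = "SELECT username FROM accounts WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"  # the textbook tautology, used here to show the difference
    print("vulnerable:", lookup_vulnerable(db, probe))  # every username comes back
    print("safe:      ", lookup_safe(db, probe))        # nothing matches
```

The parameterized form is the whole fix: no escaping or filtering of the input is needed, because the database never parses the value as SQL. Running the script prints both usernames from the concatenated query and an empty list from the bound one.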