US says ring stole 160 million credit card numbers

Saturday, 27 July 2013 00:17 - - {{hitsCtrl.values.hits}}

A prolific gang of foreign hackers stole and sold 160 million credit card numbers from more than a dozen companies, causing hundreds of millions of dollars in losses, federal prosecutors charged Thursday in what they described as the largest hacking and data breach case in the country. The scheme was run by four Russian nationals and a Ukrainian, said Paul J. Fishman, the US attorney for the District of New Jersey. He announced the indictments in Newark. The victims in the scheme, which prosecutors said ran from 2005 until last year, included J.C. Penney; 7-Eleven; JetBlue; Heartland Payment Systems, one of the world’s largest credit and debit processing companies; and French retailer Carrefour. Separate indictments involving some of the same men, accusing them of computer attacks on Citibank, PNC Bank and the Nasdaq stock exchange, were filed by federal prosecutors in Manhattan. Computer security experts said the scheme was notable for how long it lasted, how well coordinated it was and how it carefully singled out specific systems in the financial companies’ servers to steal from so many personal credit and debit card accounts. The attackers had a sophisticated division of labour, according to the indictment. One hosted an anonymous web server. Others broke into the targeted sites. Still another went inside and fetched the items of interest. The tactic is a signature of Russian organised crime syndicates. “It is a really potent reminder of what researchers have been saying: The bigger threat is coming from criminal gangs, most of which are coming from Russia,” said Fred H. Cate, Director of the Center for Applied Cybersecurity Research at Indiana University in Bloomington. “It’s far more immediately impactful than threats coming from China.” The defendants were identified as Vladimir Drinkman, Alexander Kalinin, Roman Kotov and Dmitry Smilianets of Russia and Mikhail Rytikov of Ukraine. Smilianets and Drinkman were arrested in the Netherlands last year. Smilianets has been extradited to the United States, where he is expected to make his first court appearance next week. The other three are at large. The defendants would use SQL injections, which infect a computer system with malicious software that in turn allows the attackers to steal or manipulate the contents of the system. Once they gained access to credit card numbers, some of the men would sell them to resellers. “They were very patient and relentless,” Fishman said at a news conference Thursday. When the men’s attack on the supermarket chain Hannaford was noticed, a Florida man who worked with the defendants wrote in an instant message to Kalinin that “Hannaford will spend millions to upgrade their security!! lol,” according to the indictment. Kalinin reportedly wrote back, “They would better pay us to not hack them again.” The defendants were generally able to sell US credit card numbers for $ 10 and European numbers for $ 50 because of the poorer security safeguards on US cards, Fishman said. Fishman said Heartland Payment Systems had suffered the biggest losses identified so far, about $ 200 million. Heartland said in a statement that its breach ended in 2008 and that it would “continue supporting” law enforcement organisations. In the indictment unsealed in Manhattan, Kalinin and another Russian, Nikolai Nasenkov, who is also at large, are accused of conducting a scheme to steal bank account information and use it to withdraw millions of dollars from the victims’ bank accounts. From December 2005 through November 2008, the two men hacked into computer systems and stole information from banks including Citibank and PNC Bank, according to the indictment. The cases are likely to buttress the arguments of those pushing for federal laws to promote greater sharing of information between private companies and law enforcement agencies. Legislation has been proposed and defeated, largely on the grounds that it would empower federal law enforcement authorities to snoop on private communications. (New York Times)