Aug
31

Cyber Enemy No.1 Finally Offline

posted on August 31st 2009 in Tech Newz with 2 Comments

 

 

A 28-year-old Miami man  has been indicted for the largest credit and debit card theft ever prosecuted in the U.S., with data from more than 130 million credit and debit cards stolen, the U.S. Department of Justice said. Albert Gonzales, also known as segvec, soupnazi and j4guar17, was charged, along with two unnamed co-conspirators, with using SQL injection attacks to steal credit and debit card information. Among the corporate victims named in the two-count indictment are:

 

  • Heartland Payment Systems (a NJ card payment processor)
  • 7-Eleven (the Texas-based store chain)
  • Hannaford Brothers (Maine-based supermarket chain)

 

 

They each face a maximum penalty of five years in prison and a possible maximum fine of $250,000 on the computer-fraud count and an additional 30 years and $1 million fine on the wire-fraud count, or twice the amount they gained from the offense, whichever is greater.

According to the New Jersey indictment, Gonzalez, 28, and an uncharged conspirator identified only as “P.T.,” allegedly found their targets on a list of Fortune 500 companies and then did reconnaissance to determine the payment-processing systems they used and uncover vulnerabilities. The hackers used computers they leased or controlled in California, Illinois and New Jersey as well as in Latvia, Ukraine and the Netherlands to store malware, launch their attacks against the networks, and receive the stolen numbers.

Using a SQL-injection attack, the hackers allegedly broke into the 7-Eleven network in August 2007, resulting in the theft of an undetermined amount of card data. They allegedly used the same kind of attack to infiltrate Hannaford Brothers in November 2007, which resulted in 4.2 million stolen debit and credit card numbers; and into Heartland on Dec. 26, 2007. Of the two unnamed national retailers mentioned in the affidavit, one was breached on Oct. 23, 2007, and the other sometime around January 2008.

Once on the networks, the hackers installed back doors to provide them with continued access at later dates. According to authorities, the hackers tested their malware against some 20 different antivirus programs to make sure they wouldn’t be detected, and also programmed the malware to erase evidence from the hacked networks to avoid forensic detection.

“The fact that they were able to evade antivirus software that was running on the environment by testing it and programming the malware to erase itself suggests a degree of sophistication,” said Assistant U.S. Attorney Seth Kosto of the New Jersey office. “If it were just a case of getting onto the network, the card data would probably not have been exfiltrated.”

Heartland disclosed last January that hackers had installed sniffing software on its network that allowed them to capture unencrypted credit card data as transactions were being authorized in its system.

The thieves captured card account numbers and expiration dates and, in 20 percent of cases, the customer’s name as well. The company has never disclosed the number of cards compromised, although the company’s website indicates that it processes about 100 million transactions a month for about 250,000 businesses.

Attorneys for Gonzalez were not available for comment.

Web/Graphic instructor & designer, illustrator & recovering fontaholic.

currently there's 2 comment(s)

  • David in Sydney

    commented on September 16, 2009 at 2:54 am

    Well he’s pleaded guilty to the credit card theft – I expect he’ll get 20 years at sentencing.

    Reply
  • samsayshi

    commented on September 17, 2009 at 12:24 am

    Possibly. In Florida, they passed the Identity Theft and Assumption Deterrence Act back in 1998. Here’s how the State Attorney’s Office defines it:

     

    The Identity Theft and Assumption Deterrence Act makes it a federal crime when someone “knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law.”

     

    Under the Act, a name or Social Security Number is considered a “means of identification.” So is a credit card number, cellular telephone electronic serial number or any other piece of information that may be used alone or in conjunction with other information to identify a specific individual.

     

    Violations of the Act are investigated by federal law enforcement agencies, including the U.S. Secret Service, the FBI, the U.S. Postal Inspection Service, and Social Security Administration’s Office of the Inspector General. Federal identity theft cases are prosecuted by the U.S. Department of Justice.

     

    In most instances, a conviction for identity theft carries a maximum penalty of 15 years imprisonment, a fine and forfeiture of any personal property used or intended to be used to commit the crime. Pursuant to the Act, the U.S. Sentencing Commission has developed federal sentencing guidelines to provide appropriate penalties for those persons convicted of identity theft.

     

    Schemes to commit identity theft or fraud also may involve violations of other statutes, such as credit card fraud, computer fraud, mail fraud, wire fraud, financial institution fraud, or Social Security fraud. Each of these federal offenses is a felony and carries substantial penalties – in some cases, as high as 30 years in prison as well as fines and criminal forfeiture.

     

    He may want to put his holiday travel plans on hold for a while.

    Reply

We would love to hear your comments