Throughout history, the most successful criminals have been those clever and audacious enough to exploit a previously unknown vulnerability and steal loot in such a way that no one knew it was missing. When cybercriminals accomplish such a feat, their profits can be exponentially larger because they’re dealing in electronically transferred funds and not unwieldy bags of cash.
The five mostly Russian hackers whose indictments were just unsealed took it up a notch, essentially moving from the retail to wholesale theft levels. And by targeting a little-known linchpin of the global financial system—some of the world’s biggest payment processing companies—they are alleged to have accomplished the biggest known data breach ever. The five suspects “conservatively” stole more than 160 million credit card numbers and related personal identification (user names, passwords) that they then sold on the black market, federal prosecutors said. Three of their many alleged corporate victims reported losses of $300 million. But the true extent of the damages, especially to individuals who learned the hard way that someone had looted their ATM accounts and maxed out their credit cards, was “immeasurable,” federal prosecutors said.
“This type of crime is the cutting edge,” said US Attorney Paul J. Fishman the federal prosecutor for New Jersey, where the case was filed.
Here’s how it worked, according to prosecutors, and why it was so effective to hit these financial middle men.
In a scam that dated back to 2005, the suspects first targeted retailers, surreptitiously visiting their checkout counters and exploiting vulnerabilities in the payment systems they used. By 2007, they were hacking into the financial systems of Nasdaq, the largest US electronic stock market, and major corporations like 7-Eleven, France’s Carrefour SA, JCPenney and the Hannaford Brothers supermarket chain.
They hit the real paydirt, authorities allege, when they hacked directly into some of the biggest credit card payment processors themselves to steal literally oceans of personal financial data.
According to prosecutors:
The men used relatively a basic “SQL injection attack” to crack company servers, essentially feeding them bad Structured Query programming language to dupe them into giving them privileged access to internal databases.
Once inside the network, they used malware (malicious code) to create a “back door” that gave them return access, even after some companies identified breaches and thought they had fixed them. Then they installed “sniffers,” or programs to identify, collect and steal vast amounts of personal financial data, individually known as dumps, that they secreted in a network of computers around the world.
“Those dbs (databases) are hell big …” one of the suspects, Alexandr Kalinin wrote another back in 2007. Within months, they had figured out its value. “Nasdaq,” he wrote, “is owned.”
They sold the dumps to criminal bottom-feeders known as “dump resellers” for $10 for a US credit or debit card, and up to $50 for European ones. The resellers then carved up the data and resold it through a global network of “cashers,” who simply coded the information onto blank plastic credit cards and began their spending sprees.
The men were certainly audacious. Authorities said at least two of them, Alexandr Kalinin, age 26, and Vladimir Drinkman, 32, were previously charged in New Jersey as “Hacker 1” and “Hacker 2” in a 2009 indictment charging Albert Gonzalez, 32, of Miami, in connection with corporate data breaches. Gonzalez is currently serving 20 years in prison, but authorities say the suspects continued this current scheme until mid-2012, when Drinkman and Dmitriy Smilianets, 29, were quietly arrested.
The others remain at large.