August 19, 2009

TJX Hacker Charged With Heartland, Hannaford Breaches

Amazing story of Gonzalez and the hacks into TJMaxx, Hannaford, 7-Eleven and others. He cut his teeth on Dave & Busters, then worked for the Feds, then went back to hacking more corporations. This our government did for us? Two articles, one from Wired and one from the WSJ. The Wired one by Zetter is great. It also reveals that a SQL-injection attack on web servers was the route in... The Tiger Woods of Cyber Crimes. Content from Wired, WSJ and NewsHour.

Here is the Wired report
Source article

TJX Hacker Charged With Heartland, Hannaford Breaches
By Kim Zetter August 17, 2009 | 2:34 pm | Categories: Breaches

The constellation of hacks connected to the TJX hacker is growing.

Albert “Segvec” Gonzalez has been indicted by a federal grand jury in New Jersey — along with two unnamed Russian conspirators — on charges of hacking into Heartland Payment Systems, the New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed national retailers, according to the indictment unsealed Monday. Gonzalez, a former Secret Service informant, is already awaiting trial over his involvement in the TJX hack.

According to the court document, the hackers allegedly stole more than 130 million credit and debit card numbers from Heartland and Hannaford combined. Prosecutors say they believe these breaches constitute the largest data-breach and identity-theft case ever prosecuted in the United States. They’re investigating other breaches and have not ruled out Gonzalez’s involvement in even more intrusions.

“We’re not seeing a huge array of hackers capable of doing this, but rather a more select group, [and that] demonstrates that there is a level of sophistication involved in these hacks,” said Assistant U.S. Attorney Erez Liebermann of the Justice Department’s New Jersey district office.

But these are just the latest in a string of high-profile breaches that have been connected to Gonzalez. He and 10 others were charged in May and August 2008 with network intrusions into TJX, OfficeMax, Dave & Busters restaurant chain and other companies. Jury selection is slated to begin Sept. 14 in one of those cases. With regard to the Heartland-Hannaford cases, Gonzalez and the two unnamed Russian hackers have been charged with one count of conspiracy to commit computer fraud and one count of conspiracy to commit wire fraud.

They each face a maximum penalty of five years in prison and a possible maximum fine of $250,000 on the computer-fraud count and an additional 30 years and $1 million fine on the wire-fraud count, or twice the amount they gained from the offense, whichever is greater.

Attorneys for Gonzalez were not available for comment.

According to the New Jersey indictment, Gonzalez, 28, and an uncharged conspirator identified only as “P.T.,” allegedly found their targets on a list of Fortune 500 companies and then did reconnaissance to determine the payment-processing systems they used and uncover vulnerabilities. The hackers used computers they leased or controlled in California, Illinois and New Jersey as well as in Latvia, Ukraine and the Netherlands to store malware, launch their attacks against the networks, and receive the stolen numbers.

Using a SQL-injection attack, the hackers allegedly broke into the 7-Eleven network in August 2007, resulting in the theft of an undetermined amount of card data. They allegedly used the same kind of attack to infiltrate Hannaford Brothers in November 2007, which resulted in 4.2 million stolen debit and credit card numbers; and into Heartland on Dec. 26, 2007. Of the two unnamed national retailers mentioned in the affidavit, one was breached on Oct. 23, 2007, and the other sometime around January 2008.

Liebermann declined to identify the two national retailers, or state the amount of data stolen from them, because he said they have not gone public with their breaches.

Once on the networks, the hackers installed back doors to provide them with continued access at later dates. According to authorities, the hackers tested their malware against some 20 different antivirus programs to make sure they wouldn’t be detected, and also programmed the malware to erase evidence from the hacked networks to avoid forensic detection.

“The fact that they were able to evade antivirus software that was running on the environment by testing it and programming the malware to erase itself suggests a degree of sophistication,” said Assistant U.S. Attorney Seth Kosto of the New Jersey office. “If it were just a case of getting onto the network, the card data would probably not have been exfiltrated.”

Heartland disclosed last January that hackers had installed sniffing software on its network that allowed them to capture unencrypted credit card data as transactions were being authorized in its system.

The thieves captured card account numbers and expiration dates and, in 20 percent of cases, the customer’s name as well. The company has never disclosed the number of cards compromised, although the company’s website indicates that it processes about 100 million transactions a month for about 250,000 businesses.

According to Liebermann, Heartland accounts for the “vast majority” of the 130 million numbers mentioned in the New Jersey indictment.

Heartland reported in May that the breach had cost it $12.6 million so far, which includes legal costs and fines from Visa and MasterCard, who say the company was not compliant with payment-card–industry rules.

Heartland’s CEO Robert Carr told Wired.com recently that the initial breach into the company’s network in December 2007 was confined to the company’s corporate network, which Carr said was separate from its card-processing network. But by May 2008, the hackers had jumped to the processing network. Carr wouldn’t say how they accomplished this.

Heartland caught the breach of the corporate network, but was unaware the hackers were sitting on its system for months conducting reconnaissance. Trustwave, a computer security firm, conducted its 2008 audit of Heartland on April 30 and deemed it compliant with Payment Card Industry Data Security Standards (PCI DSS). But shortly thereafter, the intruders began stealing batches of unencrypted card-track data from Heartland’s network, and continued doing so for months before being discovered.

Gonzalez was a Secret Service informant who once went by the nickname “Cumbajohnny.” He was a top administrator on a carding site called Shadowcrew when he was arrested in 2003. Authorities discovered his connection to Shadowcrew and soon put him to work undercover on the site, setting up a VPN for the carders to communicate, which was controlled out of the Secret Service’s New Jersey office.

That undercover operation, known as “Operation Firewall,” led to the arrest of 28 members of the site in October 2004. After the site went down, Gonzalez changed his nick to “Segvec” and moved to Miami where he allegedly resumed his life of crime under the nose of authorities who were in pursuit of “Segvec,” while being ignorant of the fact that he was their old informant.

Gonzalez called his credit card theft ring “Operation Get Rich or Die Tryin.” As Wired.com previously reported, he spent $75,000 on a birthday party for himself and once complained to associates that he had to manually count $340,000 in stolen $20 bills after his counting machine broke.

Stephen Watt, a 25-year-old programmer who was working for Morgan Stanley, created a sniffing program dubbed “blabla” that Gonzalez’s gang used to allegedly siphon credit and debit card numbers from TJX and other companies and is facing sentencing this month. The indictment doesn’t charge Watt with writing the malware used in the Heartland and Hannaford breaches.

Photo: Albert Gonzalez/Courtesy U.S. law enforcement

Here is the WSJ story

Source article

By SIOBHAN GORMAN

A 28-year-old American, believed by prosecutors to be one of the nation's cybercrime kingpins, was indicted Monday along with two Russian accomplices on charges that they carried out the largest hacking and identity-theft caper in U.S. history.

Federal prosecutors alleged the three masterminded a global scheme to steal data from more than 130 million credit and debit cards by hacking into the computer systems of five major companies, including Hannaford Bros. supermarkets, 7-Eleven and Heartland Payment Systems Inc., a credit-card processing company.

Photo of Albert Gonzalez released to wired.com by Secret Service

The indictment in federal district court in New Jersey marks the latest and largest in at least five years of crime that has brought its alleged orchestrator, Albert Gonzalez of Miami, in and out of federal grasp. Detained in 2003, Mr. Gonzalez was briefly an informant to the Secret Service before he allegedly returned to commit even bolder crimes.

Authorities have previously alleged that Mr. Gonzalez was the ringleader of a data breach that siphoned off more than 40 million credit-card numbers from TJX Cos. and others in recent years, costing the parent company of the TJ Maxx retail chain about $200 million.

Mr. Gonzalez is in federal custody in Brooklyn, N.Y., awaiting trial for alleged efforts to hack into the network of the national restaurant chain Dave & Buster's Inc. He also faces charges in Boston in the TJX matter.

The alleged thefts in Monday's indictment took place from October 2006 to May 2008.

Mr. Gonzalez is "a very important player in a sophisticated ring that has real results at the street level of bank, retail, debit- and credit-card fraud," said Seth Kosto, an assistant U.S. attorney in New Jersey who specializes in computer fraud.

The indictment, interviews and recent court documents in the cases pending against Mr. Gonzalez paint him as a rising star in the cyber underground. He launched what he called "operation get rich or die tryin," targeting Fortune 500 companies with his data-theft operations, according to a sentencing memo filed in federal district court in Massachusetts in the TJ Maxx matter. These documents say he threw himself a $75,000 birthday party and at one point lamented he had to count more than $340,000 by hand because his money counter had broken.

Such large sums, primarily in $20 bills allegedly stolen from ATMs, proved tough to manage, the sentencing memo says. He was considering investing in a club, but told one of his co-conspirators in the TJX heist that he would only be able to pull together $300,000 in a "legitimate appearing form" like a check, according to the documents.

Federal investigators say Mr. Gonzalez is a high-school graduate and self-taught programmer who cut his criminal teeth as a leader in the self-styled Shadowcrew, an online credit-card hacking ring. In 2004, 26 leaders of the 4,000-person ring were arrested and convicted. "He was one of the key leaders," said Scott Christie, a former U.S. prosecutor who worked on the case.

Mr. Gonzalez wasn't charged when he was arrested in 2003 because he agreed to become an informant for the Secret Service following his arrest, say Justice Department officials. In November 2004, the government permitted him to move from New Jersey to Florida. Much of the subsequent hacking took place there, according to court records. He was arrested in conjunction with the Dave & Buster's hacking scheme in May 2008 and has been in detention since.

Subsequent investigations into breaches at Heartland and others led investigators back to Mr. Gonzalez. They found that he and his co-conspirators in Russia, whom the indictment does not name, staged their crime on a network of computers spanning New Jersey, California, Illinois, Latvia, the Netherlands and Ukraine that would infiltrate the computer networks of the victim companies.

In computer attacks lasting more than a year, the trio allegedly scooped up credit- and debit-card numbers and installed so-called back doors in the victims' computer networks to enable them to steal more data in the future, the indictment said. They also installed "sniffer" programs to capture card data and send it to the hackers.

The indictment didn't estimate the losses associated with the alleged activities, nor did it spell out how the alleged co-conspirators may have made money off the stolen numbers. Typically, hackers sell batches of credit-card data online -- the current asking price in online forums is $10 to more than $100 per account profile, depending on the account's limit.

The trio made extensive efforts to conceal their activities, registering the computers they used under false names and communicating online under a variety of screen names, the indictment alleges. Mr. Gonzalez often used the online alias "soupnazi," an apparent reference to a character in the sitcom "Seinfeld."

The three were charged with gaining unauthorized access to computers, computer fraud and conspiracy to commit wire fraud. Mr. Gonzalez faces up to 25 years in prison and $500,000 in fines. His lawyer did not return phone calls Monday.

"We're pleased that the authorities have aggressively pursued this case to be in a position to bring an indictment against the alleged perpetrators," said Michael Norton, a spokesman for Hannaford Bros. Heartland commended the government's sleuthing in the case; 7-Eleven declined to comment.

Wire fraud, conducted in cyberspace because wire transfers now use networks that connect to the Internet, has exploded in recent years. The Treasury Department recently reported that of the more than 55,000 incidents of wire fraud since 1998, more than half of them occurred in the past two years.

"The financial sector may be more secure than most, but it's hemorrhaging," said Tom Kellermann, a former cybersecurity official with the World Bank who is now a vice president with Core Security Technologies, a cybersecurity company. "For too long a time they have not paid enough respect to the sophistication and organization of the underground economy."
—Robert Tomsho, Joseph Pereira and Timothy W. Martin contributed to this article.

Nice writeup on StorefrontBacktalk
link here


Interview on Newshour with Zetter of Wired and VISA

Record-setting Cyber Theft Stirs Questions on Security

The Justice Department indicted three men on Monday for stealing more than 130 million credit and debit card numbers by hacking into the computer systems of five major companies. Cyber-security experts discuss the case with Ray Suarez.

RAY SUAREZ: It's a case the Justice Department is calling the largest credit and debit card data breach in U.S. history. Twenty-eight-year-old Albert Gonzalez and two Russian co-conspirators are charged with stealing more than 130 million card numbers between October 2006 and May 2008.

The trio allegedly hacked around the firewalls of several companies' computer systems, including card payment processor Heartland Payment Systems, supermarket chain Hannaford Brothers, and convenience store chain 7-Eleven.

It's a record-setting breach, breaking the previous mark held, federal prosecutors say, by the same Albert Gonzalez. The Miami man was already in federal custody. He previously had been charged in identity theft cases involving the restaurant chain Dave & Buster's and the retailer T.J. Maxx.

With this latest cybersecurity breach, consumers are asking themselves, how safe is my financial information?

For some answers, we turn to Kim Zetter. She's been covering this story for Wired.com. And Rosetta Jones, she's vice president for corporate relations at Visa.

Kim Zetter, how does the government say Albert Gonzalez did what they're saying he did?

KIM ZETTER, Wired.com: Well, he worked with some co-conspirators who -- they chose their targets by looking at Fortune 500 company lists. And once they found their target, they did sort of reconnaissance to find out what kind of processing system they used for processing their credit and debit cards. Once they knew that, they were able to look at what kind of vulnerabilities might exist in the system.

In the case of Heartland and Hannaford and 7-Eleven, I think we know that they used a SQL injection attack on all of them. And a SQL injection attack is a pretty kind of standard attack that can be prevented if the server is configured correctly. And in these cases, it's showing up over and over again that many companies aren't configuring their servers correctly.

RAY SUAREZ: So they did the digital equivalent of casing these places before trying the attack?

KIM ZETTER: Yes, exactly. In some cases, they went onto the Web site of the company, and the Web sites gave them information that helped them infiltrate the companies. The Web sites can tell them what kind of processes they're using and that kind of thing.

And in the case of Heartland, you know, Heartland is a credit card, debit card processor, so it's sort of the middleman between retailers and banks. And so if you hit a processor like that, then you're getting millions of cards, as they did in this case.

RAY SUAREZ: Rosetta Jones, the program, according to the government, that these fellows were using burrowed into the systems and then started exporting the data they were finding there to places outside the United States, to some places inside the United States, but also to Latvia, Russia, the Netherlands. Why?

ROSETTA JONES, Visa: Your question was why they were exporting data?

RAY SUAREZ: Well, why to those places? Is it harder to investigate, harder to prosecute once you ship the data off to somewhere else in the world?

ROSETTA JONES: We think there's ample opportunity for the government to be involved to help international cooperation in catching the criminals. We think that is an important opportunity and a significant area where the government can be involved.

RAY SUAREZ: Have the two sides been learning from each other, the hackers and the institutions that are trying to fend off these attacks? Do they look for breaches and then exploit them and then your side tries to build new defenses?

ROSETTA JONES: Well, I think, as long as card data remains valuable, criminals are going to continue to seek that information. What we have to do as an industry is to work with financial institutions and with merchants to protect that card information. And we have to make sure that they're adhering to strict industry data security standards.

I think as an industry we also have to explore new ways to make that card data not valuable to criminals. And we're looking at things like the introduction of dynamic data into the transaction. We think that has a good opportunity to help prevent fraud.

Background of a hacker

RAY SUAREZ: Kim Zetter, Albert Gonzalez was already known to federal law enforcement before he was arrested, wasn't he?

KIM ZETTER: Before he was arrested this time? He's already in custody at this point, but, yes, he was known -- he's been known to authorities since at least 2003. He was arrested in 2003, and authorities discovered that he was the top administrator on a carding forum called ShadowCrew. It's basically an online community or was an online community where credit card thieves gathered and sold their goods.

And when they arrested him and found out that he was administrator, they flipped him to become an informant for them, and he worked out of the Secret Service New Jersey office from I think it was about late 2003, early 2004, until they brought down ShadowCrew in October 2004.

And he convinced the carders on that forum to use a special virtual private network for communicating, and that network was controlled by the Secret Service, so they were able to read all the communications that were going through there.

When the bust was over, he went back to his criminal ways, and he changed -- his online nick at that point was "Cumbajohnny," and he changed it to "Segvec," and he continued to commit crimes as "Segvec," and authorities were actually chasing this person named "Segvec" without knowing that he was the former informant for the Secret Service. And then he...

RAY SUAREZ: While he was working as an informant, was he learning things that he could then turn around and use against places like card processing services and retailers?

KIM ZETTER: He probably was. And of course, he was making connections during that point, as well, because also on ShadowCrew and other forums that were connected to it were, you know, Russian criminals from the Russian hackers. And those are, you know, pretty much the top ones in this field, are coming from Ukraine and Russia.

And in this case, on the indictment that came down yesterday, there are two unnamed Russian co-conspirators who helped him hack into the systems. So those connections were probably made at that period and thereafter, as well.

Fraud rates

RAY SUAREZ: Rosetta Jones, are there a lot of people who know how to do this? Would it be happening more often if this wasn't such highly technical work?

ROSETTA JONES: Well, I think what you have to keep in mind is that, although you might read about hundreds of millions of accounts being compromised, that we know from our investigations less than 5 percent of those accounts are ever used fraudulently.

So while criminals might be trying to seek this information, the industry, Visa, and financial institutions are able to reduce fraud through effective monitoring of fraudulent transactions in the system.

And the fraud rate within Visa is actually at historic lows. It's just 6 cents out of every $100 transacted, and that's about half of what it was 10 years ago.

So, yes, we have more work to do to protect card information, but we know as an industry we're doing a good job at keeping fraud at bay.

RAY SUAREZ: So there's less fraud today than during the old days of running a card through one of those pressing machines and having carbon copies?

ROSETTA JONES: Today, using credit and debit cards remains one of the safest ways to pay, especially over cash and checks. It's just the reality. Zero liability today exists for cardholders, so if there is fraud on your account, you do not have to pay for that fraud. That's a protection that exceeds cash and checks.

Protections for consumers

RAY SUAREZ: But if you're reading the news and you see that there's been this latest breach, what can you be doing in your own interest? What should you be doing to protect yourself and check that your identity isn't being stolen, that your information isn't being used fraudulently?

ROSETTA JONES: Well, I think, first and foremost, again, it's important to remind consumers that you have important protections with using credit and debit cards. Zero liability is one of them.

But, of course, consumers should always monitor their accounts. We encourage consumers to have online banking and check their accounts real time and check their statements for fraudulent activity, and if they notice anything suspicious, to call their financial institution right away.

RAY SUAREZ: Kim Zetter, what do you think about the position of the consumer? Are people more vulnerable than they realize? Or, as you just heard Ms. Jones suggest, really the problem is with the credit card companies and they're the ones bearing the cost?

KIM ZETTER: Yes, I mean, I should point out that consumers, at least in the case of credit cards, we know there's zero liability. What's happening to our debit is that debit cards are being taken, as well. And, of course, when a debit card is stolen and, in some cases, PIN numbers are being grabbed, as well, then, you know, it allows an attacker to basically drain your bank account.

And in some cases, we're finding that consumers, it's not so easy for them to get that money back. They have to prove that they didn't use the card in many cases, and it can take months. In some cases, people aren't getting it back if it's, for instance, a business account instead of a personal account.

But, you know, I want to point out that even if consumers have zero liability, retailers are the victims in this, as well as the banks, the card issuers who have to reissue, you know, millions of new cards to customers whose numbers have been breached.

And there are lawsuits because of this, you know, against Heartland, TJX. You know, when they have unsecured systems that are breached, the cost, you know, is passed down to the retailers for the fraudulent transactions and then also for the people who have to reissue the cards.

RAY SUAREZ: We'll have to end it there. Kim Zetter, Rosetta Jones, ladies, thank you both.

ROSETTA JONES: Thank you.

KIM ZETTER: Thank you.

Posted by staff at August 19, 2009 08:02 AM