August 6, 2008

11 Charged in Theft of 41 Million Card Numbers
By BRAD STONE

Federal prosecutors have charged 11 people with stealing more than 41  
million credit and debit card numbers, cracking what officials said on  
Tuesday appeared to be the largest hacking and identity theft ring  
ever exposed.

The thieves focused on major national retail chains like OfficeMax,  
Barnes & Noble, BJ’s Wholesale Club, the Sports Authority and T. J.  
Maxx — the discount clothes retailer that first suggested the  
existence of the ring early last year, when it said its systems had  
been breached by hackers.

Underscoring the multinational, collaborative aspect of organized  
crime today, three of the defendants are United States citizens, one  
is from Estonia, three are from Ukraine, two are from China and one is  
from Belarus. The name and whereabouts of the final defendant are  
unknown.

Federal officials said a principal organizer of the ring was Albert  
Gonzalez, a man from Miami who was indicted on Tuesday by a federal  
grand jury in Boston on charges of computer fraud, wire fraud,  
aggravated identity theft, conspiracy and other charges. If convicted  
on all counts, Mr. Gonzalez would face life in prison.

Mr. Gonzalez and several in his cohort drove around and scanned the  
wireless networks of retailers to find security holes — known as “war  
driving,” according to prosecutors. Once the thieves identified  
technical weaknesses in the networks, they installed so-called sniffer  
programs, obtained from collaborators overseas.

Those programs tapped into the retailers’ networks for processing  
credit cards and intercepted customers’ PINs and debit and credit  
numbers that were stored there. The thieves then spirited that  
information away to computers in the United States, Latvia and Ukraine.

Officials say the conspirators sold credit card numbers online and  
imprinted other stolen numbers on the magnetic stripes of blank cards  
so that they could withdraw thousands of dollars from A.T.M.’s.

“Computer networks and the Internet are an indispensable part of the  
world economy. But even as they provide extraordinary opportunities  
for legitimate commerce and communication, they also provide  
extraordinary opportunities for criminals,” said Michael B. Mukasey,  
the United States attorney general, at a news conference in Boston to  
announce the indictments.

Mr. Gonzalez was first arrested by the Secret Service in 2003 on  
similar charges. He was subsequently placed on supervised pretrial  
release and became an informant to the agency in its campaign against  
organizers of ShadowCrew, a bulletin board where hackers traded stolen  
financial information.

But prosecutors said that Mr. Gonzalez continued his criminal  
activities and tried to warn one of his conspirators, Damon Patrick  
Toey, to ensure that Mr. Toey would not be identified or arrested in  
the operation against ShadowCrew. Mr. Toey was among those indicted on  
Tuesday in Massachusetts.

“As soon as we became aware that Mr. Gonzalez was also working with  
criminals and getting them information, we immediately took action,”  
said Mark Sullivan, director of the Secret Service.

A lawyer for Mr. Gonzalez could not be located.

To sell card numbers on the black market, the group turned to Maksym  
Yastremskiy of Ukraine and Aleksandr Suvorov of Estonia, who were also  
charged, according to prosecutors.

Mr. Yastremskiy, thought to be a major figure in the international  
sale of stolen credit card information, was apprehended in July 2007  
on vacation in Turkey and is in prison awaiting trial on charges  
including credit card theft. The United States has asked Turkey to  
extradite him.

The indictments shed more light on the breach into the stores of TJX,  
the owner of T. J. Maxx. In 2005, Christopher Scott, another man who  
was charged, compromised wireless access points at a Marshalls in  
Miami and used them to download payment information from computers at  
TJX headquarters in Framingham, Mass., prosecutors said.

The following year, prosecutors said, the conspirators established a  
virtual private network connection into TJX’s payment processing  
server and successfully uploaded a sniffer program.

In public financial filings, TJX said it had spent around $130 million  
on matters related to the break-in, including legal settlements, and  
it expected to spend an additional $23 million in the 2009 fiscal year.

Federal officials did not have an overall tally for the amount of  
money stolen by the ring, but they offered some glimpses into its  
profitability. In the indictment against Mr. Gonzalez, federal  
officials asked that he be forced to forfeit more than $1.6 million,  
among other assets.

“These guys were obviously sophisticated and organized,” said Toby  
Weiss, chief executive of Application Security, a database security  
firm. “In this economy, we can’t have people afraid to spend.”

==================================================================

August 6, 2008

Russian Gang Hijacking PCs in Vast Scheme
By JOHN MARKOFF

A criminal gang is using software tools normally reserved for computer  
network administrators to infect thousands of PCs in corporate and  
government networks with programs that steal passwords and other  
information, a security researcher has found.

The new form of attack indicates that little progress has been made in  
defusing the threat of botnets, networks of infected computers that  
criminals use to send spam, steal passwords and do other forms of  
damage, according to computer security investigators.

Several security experts say that although attacks against network  
administrators are not new, the systematic use of administrative  
software to spread malicious software has not been widely seen until  
now.

The gang was identified publicly in May by Joe Stewart, director of  
malware research at SecureWorks, a computer security firm in Atlanta.  
Mr. Stewart, who has determined that the gang is based in Russia, was  
able to locate a central program controlling as many as 100,000  
infected computers across the Internet. The program was running at a  
commercial Internet hosting computer center in Wisconsin.

Mr. Stewart alerted a federal law enforcement agency that he declined  
to identify, and he said that it was investigating the matter.  
Although the original command program was shut down, the gang  
immediately reconstituted the system, he said, moving the control  
program to another computer in the Ukraine, beyond the reach of law  
enforcement in the United States.

The system infects PCs with a program known as Coreflood that records  
keystrokes and steals other information. The network of infected  
computers collected as much as 500 gigabytes of data in a little more  
than a year and sent it back to the Wisconsin computer center, Mr.  
Stewart said.

One of the unique aspects of the malicious software is that it  
captures screen information in addition to passwords, according to  
Mark Seiden, a veteran computer security engineer. That makes it  
possible for gang members to see information like bank balances  
without having to log in to stolen accounts.

Mr. Stewart’s discoveries are evidence that while the botnet problem  
is now well understood, botnets are still a widespread threat.

“The rate of infection is still high, but concern among corporations  
is low,” said Rick Wesson, a botnet investigator at Support  
Intelligence, a security consulting firm in San Francisco. “Many  
corporations seem to think it’s O.K. to be infected several times a  
month.”

Mr. Stewart and other computer security investigators have previously  
described the activities of the gang that uses the Coreflood program.  
But Mr. Stewart plans to offer new details about the gang, which has  
operated with impunity for several years, at the Black Hat Briefings  
computer security conference that begins Thursday in Las Vegas.

As part of his investigation, Mr. Stewart charted the rate of computer  
infections at a state police agency and a large hotel chain. Both were  
victims of an outbreak that began after the gang obtained the password  
and login information of their network administrators. In both cases  
hundreds or thousands of computers were infected within minutes or  
hours.

Mr. Stewart would not name the organizations because of the continuing  
law enforcement investigation.

In these examples as well as a range of others, the gang infected a  
machine belonging to an administrator and then used Microsoft  
administrative tools to infect all the computers for which that person  
had responsibility, Mr. Stewart said.

The new attack is a byproduct of the way modern computer networks are  
administered, where authority is centralized and software updates for  
thousands of machines are automated.

“The great thing about this system is that from one computer it is  
possible to push out updates to all machines in a corporate network at  
once,” Mr. Stewart said. “This is a useful tool that Microsoft has  
provided. However, the bad guys said, ‘We’ll just use it to roll out  
our Trojan to every machine in the network.’ ”

A Microsoft spokesman declined to comment on the attacks.

Mr. Stewart said that the gang behind the Coreflood program was  
responsible for 378,000 infections over 16 months. In each case the  
infected computer would capture and transmit personal information to a  
centralized database that kept track of the “spies” in the network.

In his Black Hat presentation, Mr. Stewart plans to say that he  
believes the Russian gang was behind a successful theft of money from  
the bank account of a Miami businessman, Joe Lopez.

In April 2004, someone made an unauthorized wire transfer of $90,348  
from Mr. Lopez’s account with Bank of America to Parex Bank in Riga,  
Latvia. Of that amount, $20,000 was successfully withdrawn by a person  
using a false identity. The Coreflood program was found on Mr. Lopez’s  
computer.

After discovering the control program in Wisconsin, Mr. Stewart  
tracked the online activities of some gang members in a Russian city  
that he declined to identify because of the investigation.

He said translations of some entries on the blogging site LiveJournal  
had led him to believe that one member of the gang had died, but that  
others remained active. He said that he had provided investigators  
with a wealth of information about the group from members’ online  
discussions and other material he had collected.

“If the Russians are sincerely interested in tracking these guys down,  
I think it’s possible,” he said.

--------------------------------------------------
S E ANDERSON-
author of "The Black Holocaust for Beginners"
<http://sites.google.com/site/blackeducator>
blackeducator.blogspot.com