Bob Sullivan, NBC News
For nearly a decade, a band of cybercriminals rampaged through the
servers of a global business who's who: Among the victims were 7-Eleven,
Dow Jones, Nasdaq, JetBlue and JC Penney. Prosecutors say the hackers
stole "conservatively" 160 million credit card numbers, and the dollar
value of the crimes they helped facilitate is enormous — just four of
the victims are out $300 million. The suffering caused to identity theft
victims was "immeasurable," say prosecutors.
On Thursday, five of the gang's members were indicted. One is in custody
in the U.S., a second is awaiting extradition in the Netherlands, and
three more are still at large in what U.S. Attorney Paul Fishman said is
the largest data heist case ever prosecuted.
Dmitriy Smilianets, 29, of Moscow, is in custody, while Vladimir
Drinkman, 32, of Syktyvkar, is awaiting an extradition hearing. The
other three, Aleksandr Kalinin, 26, Roman Kotov, 32, and Ukrainian
Mikhail Rytikov, 26, remain at large.
Originally part of a crime ring led by Albert Gonzalez, who was arrested
back in 2008, the five continued their data conquests even after
Gonzalez was sentenced to 20 years in prison.
The group kept security professionals and journalists busy for years,
causing embarrassing data leaks at grocery-store chain Hannaford
Brothers Co. (4.2 million cards), Discover (2 million cards), and Dow
Jones (10,000 corporate logins).
Often, one of the criminals would shop at the retailers to observe
checkout registers and deduce which systems were used, assessing their
vulnerability. Then, they'd gain access to credit card payment systems
and siphon off millions of victims' account numbers as they were
involved in transactions.
They even bragged to each other about the fame they were gaining by
picking prominent targets — and used Google alerts to learn when their
access might be cut off. The following chat transcript was included in
Thursday’s indictment:
Kalinin: haha they had hannaford issue on tv news?
Gonzalez: not here
Gonzalez: I have triggers set on google news for things like "data
breach" "credit card fraud" "debit card fraud" "atm fraud" "hackers"
Gonzalez: I get emailed news articles immediately when they come out,
you should do the same, its how I find out when my hacks are found :)
Gonzalez: hannaford lasted 3 months of sales before it was in the news,
im trying to figure out how much time its gonig (sic) to be alive for
The group really hit paydirt when they turned away from brand-name
retailers and toward credit card payment processors. Hordes of stolen
card numbers — known as "dumps" — flowed through these little-known
financial firms that connect retailers and banks, leading to
record-breaking heists: Heartland Payment Systems (130 million cards);
Commidea, in Europe (30 million); Euronet (2 million); and Global
Payment Systems (950,000).
Prosecutors say they took the "dumps" and turned to middle-men called
"dump resellers." They in turn split up the data into blocks, and resold
it through a worldwide network of "cashers." U.S. card numbers could
fetch $10, while European cards fetched up to $50.
Prosecutors say the five men used relatively simple "SQL Injection"
methods to break into company servers. That family of attacks has many
variations, but it essentially involves using website forms to feed bad
information into an underlying database and tricking it into giving
access to an attacker.
For example, a long string of unexpected characters entered into a blank
form used to enter an email address can confuse a misconfigured server
and dupe it into giving the user privileged access. In the Nasdaq hack,
attackers exploited a feature designed to help legitimate users recall
forgotten passwords.
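The two paragraphs above describe the mechanism in general terms: a form field is pasted into a database query, so characters the developer never expected change what the query means. The following Python script is an added illustration, not code from the article or from any of the breached companies. It uses a constructed in-memory SQLite table with hypothetical customers, shows the lookup written two ways (string concatenation versus a bound parameter), and adds a simple heuristic a defender might run over web logs to flag form values that carry SQL syntax.

```python
import re
import sqlite3

# Constructed sample data standing in for a retailer's customer table.
# Names and values are hypothetical and not taken from the article.
SAMPLE_ROWS = [
    ("alice@example.com", "1111"),
    ("bob@example.com", "2222"),
    ("carol@example.com", "3333"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, email):
    """Query built by string formatting: the form value becomes SQL text.

    A value such as ' OR '1'='1 turns the WHERE clause into a tautology,
    so every row in the table comes back instead of one.
    """
    query = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, email):
    """Same query with a bound parameter: the value is data, never SQL.

    The driver sends the value separately from the statement, so quotes
    and keywords in it are compared literally against the email column.
    """
    query = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


# Heuristic for log review or an input filter: a quote followed by a SQL
# keyword, or a comment marker / statement separator, in a field that
# should only ever hold an email address.
_SUSPICIOUS = re.compile(r"""['"].*\b(or|and|union|select)\b|--|;""",
                         re.IGNORECASE)


def looks_like_injection(value):
    """Return True when a submitted form value carries SQL syntax."""
    return bool(_SUSPICIOUS.search(value))


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"  # the textbook tautology test input
    print(len(lookup_vulnerable(conn, probe)),
          "rows returned by the concatenated query")
    print(len(lookup_parameterized(conn, probe)),
          "rows returned by the parameterized query")
    print("flagged by the log heuristic:", looks_like_injection(probe))
```

Run as a script, the concatenated query hands back the whole table for the tautology input, while the parameterized query returns nothing because no customer's email literally equals that string. The regex is deliberately crude: it is meant to surface candidates for a human to review, not to replace parameterized queries, which remove the defect rather than filter symptoms of it.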
The process could take time, however. When the hackers first gained
access in August 2007, they talked about how overwhelming the data haul
was.
"Those dbs (databases) are hell big and I think most of info is trading
histories," Kalinin wrote at the time. But six months later, they'd
figured out how to get valuable information from Nasdaq servers. "Nasdaq
is owned," he wrote.
Three of the five men indicted remain at large. Smilianets and Drinkman
were arrested in the Netherlands in June 2012 while traveling.
Smilianets has been extradited to the U.S.; Drinkman is still in the
Netherlands awaiting an extradition hearing.
The indictment comes after a years-long investigation by federal
authorities into a massive credit card fraud operation that was first
identified back in 2008, when Gonzalez — also known as “soupnazi” — was
arrested. Gonzalez is probably the most notorious credit card hacker in
history.
Directing a group called Shadowcrew, Gonzalez simultaneously worked as a
cooperating witness for federal investigators, but continued to direct
Shadowcrew to steal millions of credit card numbers. In Gonzalez's 2009
indictment, Kalinin and Drinkman were previously charged as “Hacker 1”
and “Hacker 2.”
"This type of crime is the cutting edge," Fishman said in a press
release. "Those who have the expertise and the inclination to break into
our computer networks threaten our economic well-being, our privacy and
our national security. And this case shows there is a real practical
cost because these types of frauds increase the costs of doing business
for every American consumer, every day."
All five suspects face wire fraud charges, which carry a maximum penalty
of 30 years in jail. Four of the five face 10 other counts of wire
fraud, conspiracy and unauthorized access to computers, with additional
penalties of up to 30 years in jail.
In a separate indictment, Kalinin was charged by the U.S. Attorney in
the Southern District of New York with hacking Nasdaq servers, and with
participating in a scheme to hack into U.S. financial institutions.