After a three-year under cover investigation conducted by the Secret Service, the Department of Justice (DOJ) has filed charges against an international cast of characters allegedly involved in the hacking of nine major U.S. retailers and the theft and sale of over 40 million credit and debit card numbers.
“So far as we know, this is the single largest and most complex identity theft case ever charged in this country,” said Attorney General Michael Mukasey in a press release issued Tuesday.
In an indictment handed down Tuesday by a federal grand jury in Boston, Albert “Segvec” Gonzalez was charged with computer fraud, wire fraud, access device fraud, aggravated identity theft, and conspiracy for his role in the scheme. Related charges have been filed against Christopher Scott and Damon Patrick Toey. All three defendants are from Miami.
In addition to Gonzalez, Scott, and Toey—the only U.S. citizens named in the case—eight co-conspirators from Estonia, Ukraine, the People’s Republic of China, Belarus, and parts unknown are also charged.
By the numbers
The Boston indictment alleges that during the course of the complex conspiracy, Gonzalez and his co-conspirators obtained the credit and debit card numbers by hacking into the WLANs of major retailers—including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21, and DSW.
Once inside the networks, the defendants are believed to have installed sniffer programs that would capture card numbers, as well as password and account information, as they moved through the retailers’ credit and debit processing networks.
The DOJ believes that after the hackers collected the data, it was concealed in encrypted computer servers in Eastern Europe and in the U.S. The stolen credit and debit card numbers were then encoded onto the magnetic strips of blank cards and sold to buyers in the United States and Eastern Europe. The defendants also used these cards to withdraw large sums of cash from ATMs.
The DOJ alleges that Gonzalez and his crew were able to conceal and launder their proceeds by using anonymous Internet-based currencies both within the United States and abroad, and by channeling funds through bank accounts in Eastern Europe.
The usual suspects
At the time of his arrest for this crime, Gonzalez, who had been arrested in 2003 for access device fraud, was working as a confidential informant for the U.S. Secret Service. During the course of its investigation, the Secret Service discovered that Gonzalez was criminally involved in the case.
“Because of the size and scope of his criminal activity, Gonzalez faces a maximum penalty of life in prison if he is convicted of all the charges alleged in the Boston indictment,” said the Secret Service in a press release Tuesday.
On Tuesday, indictments were also unsealed in San Diego against Maksym “Maksik” Yastremskiy, of Kharkov, Ukraine; Aleksandr “Jonny Hell” Suvorov, of Sillamae, Estonia; Hung-Ming Chiu and Zhi Zhi Wang, both of the People’s Republic of China; and a person known only by the online handle “Delpiero.”
Also in San Diego, Sergey Pavolvich, of Belarus, and Dzmitry Burak and Sergey Storchak, both of Ukraine, were charged in a criminal complaint with conspiracy to traffic in unauthorized access devices.
The laundry list of crimes with which the defendants are accused include unlawful access to computers, access device fraud, wire fraud, aggravated identity theft, money laundering, various conspiracy charges, and aiding and abetting.
Crime doesn’t pay?
The San Diego charges allege that Yastremskiy, Suvorov, Chiu, Wang, Delpiero, Pavolvich, Burak, and Storchak operated a highly profitable international stolen credit and debit card distribution ring with operations from Ukraine, Belarus, Estonia, the People’s Republic of China, the Philippines, and Thailand. Yastremskiy alone allegedly made more than $11 million from his role in the crimes.
In May 2008, Gonzalez, Suvorov and Yastremskiy also were charged in a related indictment in the Eastern District of New York. The New York charges allege that the threesome hacked into computer networks run by the Dave & Buster’s restaurant chain, and stole credit and debit card numbers from at least 11 locations.
The defendants are believed to have gained unauthorized access to the cash register terminals and installed at each restaurant a packet sniffer configured to capture credit and debit card numbers as they were processed by the restaurants. At one restaurant location, the packet sniffer captured data for approximately 5,000 credit and debit cards, eventually causing losses of at least $600,000 to the card issuers.
Permanent “stay-cations”
Gonzalez is currently in pre-trial confinement on the New York charges. Two of his cohorts are currently—we must assume—regretting their choices to travel on vacation.
The DOJ reports that last summer, Yastremskiy’s vacation to Turkey ended in his apprehension there. He has been in confinement since then in Turkey, pending the resolution of related Turkish charges. The U. S. has made a formal request for his extradition. At the request of the DOJ, Suvorov was apprehended by the German Federal Police in Frankfurt in March (on the San Diego charges) when he traveled there on vacation. He is currently being held pending the resolution of extradition proceedings.
It’s a small world
“While technology has made our lives much easier it has also created new vulnerabilities. This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results. Consumers, companies, and governments from around the world must further develop ways to protect our sensitive personal and business information and detect those, whether here or abroad, that conspire to exploit technology for criminal gain,” said U.S. Attorney Michael J. Sullivan in a written statement Tuesday.
“Computer hacking and identity theft pose serious risks to our commercial, personal and financial security,” said U.S. Attorney for the Eastern District of New York Benton J. Campbell in the same statement. “Hackers who reach into our country from abroad will find no refuge from the reach of U.S. criminal justice.”
Stemming the cyber-tide
In response to so-called “parking lot” attacks, like the ones allegedly committed by this group, Meru Networks released last week a new product called RF Barrier, designed to foil piggybackers and hackers who access networks from parking lots or other areas within range of a corporate WLAN’s signal.
“The biggest benefit of wireless is its biggest problem: the signal goes everywhere,” says Keyur Shah, Director of Product Management for Meru Networks. “Both wireless security and infrastructure vendors have so far focused on protecting the wireless connection and the back-end network, while the perimeter—where attacks cannot be detected—has remained undefended. This security hole has been highlighted in the recent by attacks at TJ MAXX and other retailers like Marshall’s and Lowe’s.
“RF Barrier mounts a strong defense by blocking signals from the designated wireless network from being effectively decoded outside the perimeter, keeping the data confined to the four walls of the enterprise. A retailer need no longer worry about the ‘bleeding’ of its financial data beyond the walls of the building. As the first solution to provide cost-effective perimeter wireless protection, RF Barrier can greatly expand the CIO’s confidence in the security of both legacy and modern wireless networks.”
As for the overall reliability of Wi-Fi as a secure medium for enterprise-grade networks, the Wi-Fi Alliance (WFA) reminds users that WPA2 is the key to maintaining safe data links. In an e-mail, the WFA said today, “Wi-Fi technology is widely used for mission-critical applications across all types of enterprise environments including healthcare, government, retail, and manufacturing. With government-grade Wi-Fi CERTIFIED WPA2 security protections in place, companies can be confident that their networks, and the data traveling over them, are protected by the latest generation of security protections. Like wired networks, WPA2 security includes strong mechanisms to prevent access to networks by unauthorized users. Moreover, WPA2-protected Wi-Fi networks have robust encryption mechanisms that safeguard the privacy of communications over the Wi-Fi link.”
For its part, the Secret Service plans to continue taking a hard line with cyber criminals.
“Technology has forever changed the way commerce is conducted, virtually erasing geographic boundaries,” said U.S. Secret Service Director Mark Sullivan in a press release Tuesday. “While these advances and the global nature of cyber crime continue to have a profound impact on our financial crimes investigations, this case demonstrates how combining law enforcement resources throughout the world sends a strong message to criminals that they will be pursued and prosecuted no matter where they reside.”
- For more on the TJX attack, read “WLAN Security Blamed for TJX Payment Card Breach.”
- For more on wardriving, read “Wardrivers: Pioneers or Pirates?”
- For more on parking lot attack prevention, read “RF Barrier Helps Deter Eavesdroppers.”
- For more on hackers using Wi-Fi, read “Wireless Hackers 101,” “Researchers Lure Wi-Fi Hackers,” and “Arrested Criminal Hackers Used Wi-Fi.”
- To read the full complaint against Christopher Scott (.pdf), click here.
Naomi Graychase is Managing Editor at Wi-Fi Planet.
This article was first published on WiFiPlanet.com.