How did Albert Gonzalez and his alleged co-conspirators access all that credit and debit card data with so much ease?
Gonzalez and the two other men indicted Monday for their role in the thefts of more than 130 million credit and debit card numbers allegedly spun a web of cybercrime and deceit that affected, among other corporate entities, Heartland Payment Systems, Hannaford Bros. and 7-Eleven. And as further details emerge in what U.S. authorities are calling the largest known incident of hacking and identity theft in U.S. history, those details suggest that the simplicity of their means might be even more alarming than the scope of their crimes.
The alleged ringleader, 28-year-old Miami resident Gonzalez, and two unidentified Russian accomplices, are being indicted for five incidents of corporate data breach, including Heartland, Hannaford, 7-Eleven and two unnamed companies.
Gonzalez is already awaiting trial for the now-infamous data breach of TJX, whose indictment attributes another 40 million stolen card numbers to Gonzalez's efforts. That indictment, dated Aug. 5, 2008, alleges that Gonzalez and 10 other perpetrators -- three of them U.S. citizens, one from Estonia, two from Ukraine, two from China and one from Belarus -- broke into the networks of TJX Companies and other retailers like BJ's Wholesale Club, OfficeMax, Sports Authority and DSW.
The new indictment, filed in United States District Court in New Jersey, is more descriptive of Gonzalez and his cohorts' alleged methods.
According to U.S. investigators, Gonzalez and his ring would scan lists of Fortune 500 companies to assess potential victims, gain information about the types of point-of-sale systems used in those corporate entities' locations, and then launch "hacking platforms," which would precede a SQL-injection attack and the use of malware to extract credit and debit card numbers. The group communicated through instant message and also used sniffers to absorb card data rapidly. The computers they used were based in California, Illinois, New Jersey, Latvia, Ukraine and the Netherlands.
They were also able to stay ahead of corporate cybersecurity, as the indictment description indicates: "They allegedly accessed the corporate websites only through intermediary, or "proxy," computers, thereby disguising their own whereabouts. They also tested their malware by using approximately twenty of the leading anti-virus products to determine if any of those products would detect their malware as potentially unwanted. Furthermore, they programmed their malware to actively delete traces of the malware's presence from the corporate victims' networks."
The methods used by Gonzalez and his team weren't all that sophisticated, either; the long and short of it is that they were able to exploit end users that didn't know how poor their security was, according to security experts interviewed by ChannelWeb.com Monday night.
"When companies make the decision to work with law enforcement and disclose a data breach at the earliest possible opportunity, it provides the best chance at apprehending a hacker and demonstrates that those corporate victims will actively defend their systems," said Ralph J. Marra Jr., acting U.S. attorney, in the statement released with the indictment.
Does that make you feel any safer about swiping your credit card next time you're out shopping?