Russians indicted in giant hacking scheme
In the biggest cybercrime spree yet, Russian hackers stole 160 million credit card numbers to fleece hundreds of millions of dollars from a diverse group of financial firms, retailers and even the Nasdaq stock market, according to federal officials.
Indictments unsealed Thursday in New Jersey and New York accuse five Russians and a Ukrainian of victimizing targets that included arms of Visa, Diners Club, Citibank, PNC Bank and Heartland Payment Systems, a company that processes credit card transactions from hundreds of thousands of small businesses.
Most of the computer hacking, as detailed in the indictments, occurred several years ago. Cybersecurity experts said it could have been blocked then with better cautionary measures and would be especially easy to prevent now.
“These types of frauds increase the costs of doing business for every American consumer, every day,” said Paul J. Fishman, the U.S. attorney for New Jersey, calling it the biggest hacking scheme exposed to date.
Several companies fell victim to a Structured Query Language injection attack. SQL is the programming language that websites use to query vast online databases, such as those containing credit card data, behind the portion of websites that visitors see. Hackers can “inject” code to access the database if website owners fail to put up safeguards, such as preventing certain characters from being inserted into forms.
Retailers hit by SQL attacks included French giant Carrefour, 7-Eleven Inc., JCPenney Co. and Wet Seal. Dexia Bank Belgium, Euronet, Global Payments Systems, Diners Singapore and Ingenicard US Inc. also suffered such attacks sometime between 2007 and December 2012, the New Jersey indictment said.
“This is a garden-variety attack,” said Philip Lieberman, who added that his L.A. consulting firm was hired by several of the companies after the breaches became known. “It’s easy to fix and easy to detect, but it’s also easy to slip back in if you don’t test for it regularly.”
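The injection described above, shown as an added example that is not part of the original article: a form lookup that pastes input into the SQL text, the same lookup with the input bound as a parameter, and a repeatable check of the kind that regular testing would run. The table, function names and sample rows are constructed for illustration, and the fix shown is parameter binding rather than the character filtering the article mentions.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows (not real card data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (holder TEXT, number TEXT)")
    db.executemany("INSERT INTO cards VALUES (?, ?)",
                   [("alice", "4000-0000-0000-0001"),
                    ("bob", "4000-0000-0000-0002")])
    return db

def lookup_vulnerable(db, holder):
    # Form input is pasted into the SQL text, so a quote character in the
    # input ends the string literal and the remainder is parsed as SQL.
    sql = "SELECT number FROM cards WHERE holder = '" + holder + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, holder):
    # Placeholder binding: the input is always handled as a value,
    # whatever characters it contains.
    return [row[0] for row in db.execute(
        "SELECT number FROM cards WHERE holder = ?", (holder,))]

def leaks_on_probe(lookup, db):
    """Regression check: a quote-bearing input for a holder that does not
    exist must return no rows. Any rows mean input reached the SQL parser."""
    probe = "nobody' OR '1'='1"
    return len(lookup(db, probe)) > 0

if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup leaks:", leaks_on_probe(lookup_vulnerable, db))
    print("safe lookup leaks:", leaks_on_probe(lookup_safe, db))
```

Running a check like `leaks_on_probe` against every query path in a test suite is one way to catch the vulnerability if it is reintroduced later.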
In a separate filing, federal prosecutors in Manhattan said PNC Bank let computerized hacking programs enter personal identification numbers for bank accounts thousands of times until they entered the right ones. Typically, applications should block users after a few unsuccessful attempts.
At Citibank, hackers got around a safeguard that limited users to three tries a day. In 2008, they entered 300,000 of the 900,000 customer accounts they tried to breach through Citibank’s website. They stole $3.6 million from those accounts, the indictment said.
Prosecutors said they were unsure exactly how many card numbers were stolen, but the largest known chunk came from credit-card processor Heartland. The company disclosed the breach in 2009, agreeing to pay Visa-card issuers $60 million to cover losses, the largest deal of its kind at the time.
Heartland said it fixed the problems four years ago. In a statement, it said it would continue to work with law enforcement to break up such schemes.
Banks and other financial companies have demonstrated improvements in their security practices, but experts said the latest revelations are likely to spur more discussions about whether these firms should be subject to federal cybersecurity standards.
“Most people assume banks have strong cybersecurity, but this certainly is a blow to their reputation,” said Peter Toren, a former U.S. Justice Department computer crimes prosecutor. “And who’s to say that security for electrical grids or other crucial infrastructure is any more protected?”
The indictments said the defendants each served particular roles in the schemes. Vladimir Drinkman, 32, of Moscow and Syktyvkar, Russia, and Alexandr Kalinin, 26, of St. Petersburg are accused of hacking into the computer systems, while Roman Kotov, 32, of Moscow is accused of stealing valuable data from compromised networks.
According to prosecutors, the hackers hid their activities using anonymous Web-hosting services provided by Mikhail Rytikov, 26, of Odessa, Ukraine. Dmitriy Smilianets, 29, of Moscow is accused of selling the stolen information and distributing the proceeds of the scheme to the participants.
Authorities said Kalinin and Drinkman were previously charged in New Jersey as “Hacker 1” and “Hacker 2” in a 2009 data breach case, described at the time as the largest ever. Albert Gonzalez, 32, of Miami was sentenced to 20 years in prison for his role in those offenses.
The government said Drinkman and Smilianets were arrested in the Netherlands on June 28, 2012. Their attorneys could not be immediately reached for comment. Kalinin, Kotov and Rytikov remain at large.
In separate indictments unsealed in Manhattan, Kalinin and Nikolay Nazenkov, also of Russia, were accused of hacking Citibank, PNC and Nasdaq.