By Dan Goodin in San Francisco for The Register. This
story has been reproduced with permission.
Albert "Segvec" Gonzalez and two unnamed Russians were indicted
on Monday for attacks that hit credit card processor Heartland
Payment Systems, retailers 7-Eleven and Hannaford Brothers, and two
unidentified companies. The 28-year-old resident of Miami already
stood accused of perpetrating a breach on stores owned by TJX
Companies, which exposed more than 46.5 million card details. Other
companies, including Dave & Busters and Boston Market
restaurant chains, were also among the alleged victims.
Documents filed in US District Court in Newark, New Jersey claim
that Gonzalez and three unidentified individuals cased the latest
victims by visiting their storefronts and websites to identify the
point-of-sale programs and web applications they used. Armed with
this information, the trio used SQL injection attacks to install
sniffer software on the companies' servers to intercept credit card
data as it was being processed.
In November 2006, for instance, Gonzalez uploaded a file called
injector.exe to a server located in Ukraine. It was the same
program that was later discovered to have infiltrated Heartland's card
processing system and servers belonging to one of the unidentified
companies, prosecutors said.
A month later, the two Russia-based suspects, who were
identified only as Hacker 1 and Hacker 2, accessed Heartland's
network from servers located in the Netherlands and California.
They used an SQL injection as the entry point.
The breach has proved to be a major embarrassment for Heartland,
which processes some 100 million transactions per month for about
250,000 merchants. More than 160 banks have been affected by the
breach, and Heartland has so far allocated $12.6m to cover costs
stemming from the loss of sensitive card holder data as it crossed
its network.
Monday's indictment is likely to revive criticism that so-called
PCI DSS, or payment card industry data security standards, are an
ineffective means of preventing modern attacks against servers
containing sensitive card data. Heartland executives have said
repeatedly that their systems were in full compliance with the
rules, and yet it would appear they were pierced using SQL
injection attacks. The decade-old technique exploits web
applications that fail to adequately scrutinize text that visitors
type into search boxes and similar website fields that accept
user-supplied input.
In May and August 2008, Gonzalez and 10 other suspects were
indicted for stealing more than 40 million credit and debit
card accounts from TJX and eight other retailers. The suspects in
those cases used wireless scanners to find stores with vulnerable
networks and then captured credit-card numbers, PINs, and other
account information.
The alleged perpetrators worked hard to cover their tracks,
according to the indictment. In addition to using proxy servers
that masked their real IP addresses, they used 20 different
anti-virus programs to make sure none of them detected the malware
used in the scheme, prosecutors said.
Once the perpetrators obtained credit card data, they tried to
sell it in underground forums to others to use in making fraudulent
purchases and withdrawals and to further identity theft
schemes.
Each defendant in Monday's indictment was charged with two
felony counts: conspiracy to commit wire fraud; and
conspiracy to gain unauthorized access to computers, to commit
fraud in connection with computers, and to damage computers. If
convicted, each faces a maximum of 35 years in prison and $1.25m in
fines.
© The Register 2009