A 28-year-old hacker has been charged in what federal prosecutors are calling the largest case of identity theft ever seen. The man, Albert Gonzalez, worked with two unnamed Russian conspirators to run wild through the computer networks of a handful of prominent corporations, including 7-Eleven, the supermarket chain Hannaford Brothers, and the payment processor Heartland Payment Center. The size of the heist—130 million credit and debit card numbers, according to prosecutors—has many people wondering: How exactly is such a massive theft carried out?
The Justice Department’s indictment (pdf) describes how Gonzalez (a.k.a. “segvec” and “soupnazi,” among other aliases) and his co-conspirators pulled it off. They began the job by scanning lists of Fortune 500 companies for likely targets, and then visited retail outlets to scope out the payment systems used at checkout counters and to look for vulnerabilities. Then they would write specific codes to corrupt their data systems and launch a virus from computers in the United States and Europe to pull hundreds and thousands of credit card numbers, and sort through them using a “sniffer,” which is basically a data analysis system that decodes big chunks of information [The Atlantic].
The hackers allegedly tested their malicious code, or “malware,” by using approximately twenty of the leading anti-virus products to determine if any of those products would detect their malware as potentially unwanted. Furthermore, they programmed their malware to actively delete traces of the malware’s presence from the corporate victims’ networks. The methods used by Gonzalez and his team weren’t all that sophisticated, either; the long and short of it is that they were able to exploit end users that didn’t know how poor their security was, according to security experts [ChannelWeb]. It’s still unclear how many of the stolen credit card numbers were resold and used to make unauthorized purchases or bank withdrawals.
Gonzalez has an interesting record, and has worked on both sides of the legal line. In 2003, after being arrested in New Jersey in a computer crime, he helped the Secret Service and federal prosecutors in New Jersey identify his former conspirators in the online underworld where credit and debit card numbers are stolen, bought and sold. But Mr. Gonzalez secretly reconnected with his old associates, federal officials have said [The New York Times]. He’s currently in jail awaiting trial on two other cases of credit card data theft: the 2005 breach at T. J. Maxx stores, and the 2008 hack of the Dave & Buster’s restaurant chain and other companies.