How Did "Soupnazi" Allegedly Steal 130 Million Credit Card Numbers?

By Eliza Strickland | August 18, 2009 1:38 pm

A 28-year-old hacker has been charged in what federal prosecutors are calling the largest case of identity theft ever seen. The man, Albert Gonzalez, worked with two unnamed Russian conspirators to run wild through the computer networks of a handful of prominent corporations, including 7-Eleven, the supermarket chain Hannaford Brothers, and the payment processor Heartland Payment Center. The size of the heist—130 million credit and debit card numbers, according to prosecutors—has many people wondering: How exactly is such a massive theft carried out?

The Justice Department’s indictment (pdf) describes how Gonzalez (a.k.a. “segvec” and “soupnazi,” among other aliases) and his co-conspirators pulled it off. They began the job by scanning lists of Fortune 500 companies for likely targets, and then visited retail outlets to scope out the payment systems used at checkout counters and to look for vulnerabilities. Then they would write specific codes to corrupt their data systems and launch a virus from computers in the United States and Europe to pull hundreds and thousands of credit card numbers, and sort through them using a “sniffer,” which is basically a data analysis system that decodes big chunks of information [The Atlantic].

The hackers allegedly tested their malicious code, or “malware,” by using approximately twenty of the leading anti-virus products to determine if any of those products would detect their malware as potentially unwanted. Furthermore, they programmed their malware to actively delete traces of the malware’s presence from the corporate victims’ networks. The methods used by Gonzalez and his team weren’t all that sophisticated, either; the long and short of it is that they were able to exploit end users that didn’t know how poor their security was, according to security experts [ChannelWeb]. It’s still unclear how many of the stolen credit card numbers were resold and used to make unauthorized purchases or bank withdrawals.

Gonzalez has an interesting record, and has worked on both sides of the legal line. In 2003, after being arrested in New Jersey for a computer crime, he helped the Secret Service and federal prosecutors in New Jersey identify his former conspirators in the online underworld where credit and debit card numbers are stolen, bought and sold. But Mr. Gonzalez secretly reconnected with his old associates, federal officials have said [The New York Times]. He’s currently in jail awaiting trial on two other cases of credit card data theft: the 2005 breach at T. J. Maxx stores, and the 2008 hack of the Dave & Buster’s restaurant chain and other companies.

Related Content:
80beats: Attack That Took Down Twitter May’ve Been Aimed at Just One Blogger
80beats: Cyber Attack Hits Government Web Sites; North Korea Is Blamed
80beats: Researchers Guess Social Security Numbers From Public Data
80beats: Mystery of the Conficker Worm Continues: Does It Want to Scam or Spam?

  • http://www.thedebtgazette.com/ Frank Fitton

    Hopefully Mr. Gonzalez’s actions can have a beneficial effect. Companies can learn to better protect our sensitive information, and consumers can learn just how vigilant they need to be in regards to their finances. It might be a lot to ask, but I think some good can come from this.

    Of course it’s hard when it oftentimes seems like our best and brightest minds would rather go into the criminal side of the computing world than the legitimate one.

    Check out my blog on Mr. Gonzalez and his actions at…. http://www.thedebtgazette.com/2009/08/miami-hacker-creditcards/

  • http://clubneko.net robot makes music

    I don’t know who’s writing for the Atlantic, but they have their terminology wrong. In network security, a sniffer is something that samples network traffic passing by your machine that isn’t intended for you, to discover vulnerabilities or steal information passing by in plain text.

    http://en.wikipedia.org/wiki/Sniffer

    A quick google of “wiki sniffer” would have set the Atlantic straight. It’s a shame to see journalism in the state it’s in today.

    Re: Frank: Why would they bother improving their security? That costs money, and legislating ridiculously tough laws on computer fraud is much cheaper, since Congress is full of undereducated people who have little clue about computers, as they grew up in the time of punch cards.

  • Jo

    Agree with #2. Why would they bother? Particularly when it’s the merchants who eventually accept these fraudulent forms of payment that are taking the hit. Where’s the incentive for those who are storing this data to keep it secure? Or for the credit card companies to make their product less vulnerable to theft, for that matter? Having someone’s credit card number should NOT be all that’s required to start using it fraudulently. Ridiculous.

  • Dave in Calif

    This guy and his cohorts need to go off a tall building…oops.
