Feeds

TJX credit card heist suspect, 2 others, accused of new scam

Dave and Busted

Securing Web Applications Made Simple and Scalable

Three men - one of them suspected of playing a role in the heist of 45.6 million credit cards from retailer TJX Companies - have been accused of hacking into cash register terminals belonging to a restaurant chain and installing software that sniffed credit card numbers.

According to a 27-count indictment unsealed Monday, the scheme was carried out in part by Maksym Yastremskiy. In July, the Ukrainian was arrested in a Turkish resort town for allegedly selling large quantities of credit card numbers, many of which were siphoned out of TJX's rather porous network. He remains incarcerated in Turkey, where an application for extradition to the US is pending. Yastremskiy also went by the name Maksik.

The indictment also names Aleksandr Suvorov, aka JonnyHell, of Estonia, and a separate complaint names Albert Gonzales, who also went by the moniker Segvec. Together, they are accused of installing packet sniffers at 11 restaurants belonging to Dave & Buster's. The sniffers captured track 2 credit card data as it passed from the restaurants' point-of-sale terminals to servers at the chain's central headquarters.

Suvorov was arrested in March by German officials while visiting that country, and an extradition request is also pending. Gonzalez was arrested this month by Secret Service agents in Miami.

One packet sniffer alone netted data for about 5,000 customers who visited a Dave & Buster's in Islandia, New York, causing losses of at least $600,000 to the banks that issued the cards, according to the indictment.

The scheme was not without its hitches. While the defendants successfully penetrated a terminal at an Arundel, Maryland, location in April 2007, their packet sniffer malfunctioned, so they were unable to gain access to any credit card data. Later versions of their program successfully logged the information, but a bug caused the software to be deactivated each time the point-of-sale servers were rebooted. That required the defendants to regularly log in to the machines.

The men managed to install the packet sniffers remotely by socially engineering individuals, according to the indictment, which didn't elaborate. Once in possession of the data, the defendants sold it to others who used it to make fraudulent credit card purchases.

Attempts to reach the three men for comment were not successful. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Boffins build FREE SUPERCOMPUTER from free cloud server trials
Who cares about T&Cs when there's LIteCoin to mint?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.