Feeds

'Ringleader' of retail hacking ring was Fed informant

Bust exposes retail security shortcomings

High performance access to file storage

The alleged ringleader of a retail hacking ring was working for the Feds as an informant at the same time he was allegedly masterminding an even bigger racket.

Albert "Segvec" Gonzalez of Miami has been charged, along with ten other suspects, with hacking into nine of the networks of nine major US retailers and lifting 40 million credit and debit card numbers. Members of the retail hacking ring are charged with fraud and computer hacking offences involving raids on the networks of retailers named as TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.

The TJX heist alone netted an estimated 45.7m payment cards. Either prosecutors are only charging the retail fraudsters with stealing the records there is evidence they nabbed, or another gang was also involved in the infamous cybercrime.

The attacks on the other eight retailers received little by way of publicity before the DoJ announced the unsealing of indictments in its biggest ever ID theft case on Tuesday. That so many retailers were hit using the same technique points to an underlying problem, widespread in the retailing industry.

In the case of the TJX hack, at least, the inability of older point-of-sales terminals to support anything more robust than the woefully inadequate Wired Equivalent Privacy protocol was blamed for the attack.

Wardriving and data siphoning

Gonzalez, along with fellow Miami residents and co-conspirators Christopher Scott and Damon Patrick Toey, are charged with obtaining credit card numbers by "wardriving" and hacking into the wireless computer networks of the retailers. According to court papers, the Florida-based members of a wider criminal conspiracy installed "sniffer" programs that captured card numbers along with password and account information.

The gang allegedly concealed their cache of stolen data on computer servers. Some of the stolen credit card numbers were sold online, while others were used to make counterfeit credit cards which were then used to make fraudulent cash withdrawals. Internet-based currencies and bank accounts in Eastern Europe were used to launder these funds. Investigators reckon the gang ran an international credit card theft ring with branches in Ukraine, Belarus, Estonia, China, the Philippines and Thailand.

Gonzalez was arrested by the Secret Service in 2003 for access device fraud, and was working as an informant for the feds at the time he was allegedly masterminding an even bigger racket. The extent of his alleged criminality (and double dealing) is such that prosecutors will seek a sentence of life imprisonment, if he's convicted.

Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine, and Aleksandr "Jonny Hell" Suvorov, of Sillamae, Estonia are charged with fencing the stolen credit card numbers obtained by the American gang, as well as aggravated identity theft and sundry hacking offences. Yastremskiy allegedly made $11m through his criminal activities.

A DoJ statement on the case can be found here.

Dave & Busted

Gonzalez, Suvorov and Yastremskiy were charged in May 2008 with hacking into the computer systems run by the Dave & Buster's restaurant chain in a separate case. The trio allegedly stole card numbers from at least 11 locations using the same packet sniffer and wireless hacking tactics. In one location alone 5,000 credit card records were lifted, resulting in losses to banks estimated at $600,000.

Gonzalez is currently in pre-trial confinement on these charges while Suvorov and Yastremskiy were each arrested on holiday in Germany and Turkey, respectively. Each is the subject of extradition proceedings.

Other suspects in the TJX retail hacking ring indictments include Hung-Ming Chiu and Zhi Zhi Wang, both of China, someone going by the online moniker "Delpiero", Sergey Pavolvich, of Belarus, and Dzmitry Burak and Sergey Storchak, both of Ukraine. Each of the six are charged with various identity theft and trafficking in access devices offences.

These indictments are the result of a three-year undercover investigation led by the San Diego office of the US Secret Service.

More TJX suspects

These are not the first charges in the TJX case - six people were arrested in Florida in March 2007 on suspicion of using card details obtained in the TJX heist to buy gift cards at Wal-Mart and Sam's Club stores throughout Florida. The group allegedly used gift vouchers to buy high-value items including computers and widescreen TVs, taking banks for losses estimated at $8m.

Those arrested as part of the scam included Irving Escobar, then 18, Reinier Camaraza Alvarez (27), Julio Oscar Alberti (33) Dianelly Hernandez (19), Nair Zuleima Alvarez (40) and Zenia Mercedes Llorente (23). ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
Oz bank in comedy Heartbleed blog FAIL
Bank: 'We are now safely patched.' Customers: 'You were using OpenSSL?'
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.