Feeds

'Ringleader' of retail hacking ring was Fed informant

Bust exposes retail security shortcomings

Top 5 reasons to deploy VMware with Tegile

The alleged ringleader of a retail hacking ring was working for the Feds as an informant at the same time he was allegedly masterminding an even bigger racket.

Albert "Segvec" Gonzalez of Miami has been charged, along with ten other suspects, with hacking into nine of the networks of nine major US retailers and lifting 40 million credit and debit card numbers. Members of the retail hacking ring are charged with fraud and computer hacking offences involving raids on the networks of retailers named as TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.

The TJX heist alone netted an estimated 45.7m payment cards. Either prosecutors are only charging the retail fraudsters with stealing the records there is evidence they nabbed, or another gang was also involved in the infamous cybercrime.

The attacks on the other eight retailers received little by way of publicity before the DoJ announced the unsealing of indictments in its biggest ever ID theft case on Tuesday. That so many retailers were hit using the same technique points to an underlying problem, widespread in the retailing industry.

In the case of the TJX hack, at least, the inability of older point-of-sales terminals to support anything more robust than the woefully inadequate Wired Equivalent Privacy protocol was blamed for the attack.

Wardriving and data siphoning

Gonzalez, along with fellow Miami residents and co-conspirators Christopher Scott and Damon Patrick Toey, are charged with obtaining credit card numbers by "wardriving" and hacking into the wireless computer networks of the retailers. According to court papers, the Florida-based members of a wider criminal conspiracy installed "sniffer" programs that captured card numbers along with password and account information.

The gang allegedly concealed their cache of stolen data on computer servers. Some of the stolen credit card numbers were sold online, while others were used to make counterfeit credit cards which were then used to make fraudulent cash withdrawals. Internet-based currencies and bank accounts in Eastern Europe were used to launder these funds. Investigators reckon the gang ran an international credit card theft ring with branches in Ukraine, Belarus, Estonia, China, the Philippines and Thailand.

Gonzalez was arrested by the Secret Service in 2003 for access device fraud, and was working as an informant for the feds at the time he was allegedly masterminding an even bigger racket. The extent of his alleged criminality (and double dealing) is such that prosecutors will seek a sentence of life imprisonment, if he's convicted.

Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine, and Aleksandr "Jonny Hell" Suvorov, of Sillamae, Estonia are charged with fencing the stolen credit card numbers obtained by the American gang, as well as aggravated identity theft and sundry hacking offences. Yastremskiy allegedly made $11m through his criminal activities.

A DoJ statement on the case can be found here.

Dave & Busted

Gonzalez, Suvorov and Yastremskiy were charged in May 2008 with hacking into the computer systems run by the Dave & Buster's restaurant chain in a separate case. The trio allegedly stole card numbers from at least 11 locations using the same packet sniffer and wireless hacking tactics. In one location alone 5,000 credit card records were lifted, resulting in losses to banks estimated at $600,000.

Gonzalez is currently in pre-trial confinement on these charges while Suvorov and Yastremskiy were each arrested on holiday in Germany and Turkey, respectively. Each is the subject of extradition proceedings.

Other suspects in the TJX retail hacking ring indictments include Hung-Ming Chiu and Zhi Zhi Wang, both of China, someone going by the online moniker "Delpiero", Sergey Pavolvich, of Belarus, and Dzmitry Burak and Sergey Storchak, both of Ukraine. Each of the six are charged with various identity theft and trafficking in access devices offences.

These indictments are the result of a three-year undercover investigation led by the San Diego office of the US Secret Service.

More TJX suspects

These are not the first charges in the TJX case - six people were arrested in Florida in March 2007 on suspicion of using card details obtained in the TJX heist to buy gift cards at Wal-Mart and Sam's Club stores throughout Florida. The group allegedly used gift vouchers to buy high-value items including computers and widescreen TVs, taking banks for losses estimated at $8m.

Those arrested as part of the scam included Irving Escobar, then 18, Reinier Camaraza Alvarez (27), Julio Oscar Alberti (33) Dianelly Hernandez (19), Nair Zuleima Alvarez (40) and Zenia Mercedes Llorente (23). ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.