Feeds

'Ringleader' of retail hacking ring was Fed informant

Bust exposes retail security shortcomings

Using blade systems to cut costs and sharpen efficiencies

The alleged ringleader of a retail hacking ring was working for the Feds as an informant at the same time he was allegedly masterminding an even bigger racket.

Albert "Segvec" Gonzalez of Miami has been charged, along with ten other suspects, with hacking into nine of the networks of nine major US retailers and lifting 40 million credit and debit card numbers. Members of the retail hacking ring are charged with fraud and computer hacking offences involving raids on the networks of retailers named as TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.

The TJX heist alone netted an estimated 45.7m payment cards. Either prosecutors are only charging the retail fraudsters with stealing the records there is evidence they nabbed, or another gang was also involved in the infamous cybercrime.

The attacks on the other eight retailers received little by way of publicity before the DoJ announced the unsealing of indictments in its biggest ever ID theft case on Tuesday. That so many retailers were hit using the same technique points to an underlying problem, widespread in the retailing industry.

In the case of the TJX hack, at least, the inability of older point-of-sales terminals to support anything more robust than the woefully inadequate Wired Equivalent Privacy protocol was blamed for the attack.

Wardriving and data siphoning

Gonzalez, along with fellow Miami residents and co-conspirators Christopher Scott and Damon Patrick Toey, are charged with obtaining credit card numbers by "wardriving" and hacking into the wireless computer networks of the retailers. According to court papers, the Florida-based members of a wider criminal conspiracy installed "sniffer" programs that captured card numbers along with password and account information.

The gang allegedly concealed their cache of stolen data on computer servers. Some of the stolen credit card numbers were sold online, while others were used to make counterfeit credit cards which were then used to make fraudulent cash withdrawals. Internet-based currencies and bank accounts in Eastern Europe were used to launder these funds. Investigators reckon the gang ran an international credit card theft ring with branches in Ukraine, Belarus, Estonia, China, the Philippines and Thailand.

Gonzalez was arrested by the Secret Service in 2003 for access device fraud, and was working as an informant for the feds at the time he was allegedly masterminding an even bigger racket. The extent of his alleged criminality (and double dealing) is such that prosecutors will seek a sentence of life imprisonment, if he's convicted.

Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine, and Aleksandr "Jonny Hell" Suvorov, of Sillamae, Estonia are charged with fencing the stolen credit card numbers obtained by the American gang, as well as aggravated identity theft and sundry hacking offences. Yastremskiy allegedly made $11m through his criminal activities.

A DoJ statement on the case can be found here.

Dave & Busted

Gonzalez, Suvorov and Yastremskiy were charged in May 2008 with hacking into the computer systems run by the Dave & Buster's restaurant chain in a separate case. The trio allegedly stole card numbers from at least 11 locations using the same packet sniffer and wireless hacking tactics. In one location alone 5,000 credit card records were lifted, resulting in losses to banks estimated at $600,000.

Gonzalez is currently in pre-trial confinement on these charges while Suvorov and Yastremskiy were each arrested on holiday in Germany and Turkey, respectively. Each is the subject of extradition proceedings.

Other suspects in the TJX retail hacking ring indictments include Hung-Ming Chiu and Zhi Zhi Wang, both of China, someone going by the online moniker "Delpiero", Sergey Pavolvich, of Belarus, and Dzmitry Burak and Sergey Storchak, both of Ukraine. Each of the six are charged with various identity theft and trafficking in access devices offences.

These indictments are the result of a three-year undercover investigation led by the San Diego office of the US Secret Service.

More TJX suspects

These are not the first charges in the TJX case - six people were arrested in Florida in March 2007 on suspicion of using card details obtained in the TJX heist to buy gift cards at Wal-Mart and Sam's Club stores throughout Florida. The group allegedly used gift vouchers to buy high-value items including computers and widescreen TVs, taking banks for losses estimated at $8m.

Those arrested as part of the scam included Irving Escobar, then 18, Reinier Camaraza Alvarez (27), Julio Oscar Alberti (33) Dianelly Hernandez (19), Nair Zuleima Alvarez (40) and Zenia Mercedes Llorente (23). ®

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.