November 13, 2015

Buried in the federal indictments unsealed this week against four men accused of stealing tens of millions of consumer records from JPMorgan Chase and other brokerage firms are other unnamed companies that were similarly victimized by the accused. One of them, identified in the indictments only as “Victim #12,” is an entity that helps banks block transactions for dodgy goods advertised in spam. Turns out, the hackers targeted this company so that they could more easily push through payments for spam-advertised prescription drugs and fake antivirus schemes.

According to multiple sources, Victim #12 is none other than Bellevue, Wash. based G2 Web Services LLC, a company that helps banks figure out if a website is fraudulent or is selling contraband. G2 Web Services has not responded to multiple requests for comment.

In the final chapters of my book, Spam Nation: The Inside Story of Organized Cybercrime, I detailed the work of The International AntiCounterfeiting Coalition (IACC), a non-profit organization dedicated to combating product counterfeiting and piracy.

In 2011, G2 Web Services landed a contract to help the IACC conduct “test buys” at sites with products that were being advertised via spam. The company would identify which banks (mostly in Asia) were processing payments for these sites, and then Visa and MasterCard would rain down steep fines on the banks for violating their contracts with the credit card companies. The idea was to follow the money from schemes tied to cybercrime, deter banks from accepting funds from fraudulent transactions, and make it difficult for spammers to maintain stable credit card processing for those endeavors.

Prosecutors say the ringleader of the cybercrime gang accused of breaking into JPMC, Scottrade, E-Trade and others is 31-year-old Gery Shalon, a resident of Tel Aviv and Moscow. Investigators allege Shalon and his co-conspirators monitored credit card transactions processed through their payment processing business to attempt to discern which, if any, were undercover transactions made on behalf of credit card companies attempting to identify unlawful merchants. The government also charges that beginning in or about 2012, Shalon and his co-conspirators hacked into the computer networks of Victim-12 (G2 Web Services).

Shalon and his gang allegedly monitored Victim-12’s detection efforts, including reading emails of Victim-12 employees so they could take steps to evade detection.

“In particular, through their unlawful intrusion into Victim-12’s network, Shalon and his co-conspirators determined which credit and debit card numbers Victim-12 employees were using to make undercover purchases of illicit goods in the course of their effort to detect unlawful merchants,” Shalon’s indictment explains. “Upon identifying those credit and debit card numbers, Shalon and his co-conspirators blacklisted the numbers from their payment processing business, automatically declining any transaction for which payment was offered through one of those credit or debit card numbers.”

According to the U.S. government, Shalon ran idpay.com, a dodgy credit card processor that worked with dozens of banks to push through sales for fake antivirus and pharma-spam sites. Interestingly, in 2011, I wrote about a source who’d stumbled upon a portion of the customer database for idpay.com. As I wrote then:

“The idpay.com database indicates that a large number of fake AV Web sites were using idpay.com to process payments (a partial list is here). The idpay.com database revealed even bigger fish: Among the companies it processed was rx-partners.com, a major rogue pharmacy affiliate program that pays hackers and spammers to promote its pharmacy sites.”

“Another interesting client that processes payments through idpay.com was HzMedia Limited. That entity is owned by Igor Gusev, the founder of GlavMed, one of the world’s largest and spammiest rogue Internet pharmacy affiliate programs.”

Gusev would emerge as one of two major cybercrime kingpins I profiled in Spam Nation.

This story is interesting because it shows how money laundering is such a key component of cybercrime operations, and that anyone who has built such networks likely knows or works with a great many of the world’s top cybercrooks. It also illustrates the lengths to which organized cybercriminals will go to preserve their business models.

G2 was profiled in a New York Times story last month on firms that pit artificial intelligence against hacking threats. That piece cited G2 Web’s ability to spot “transaction laundering,” in which an illegal business tries to appear legitimate by processing transactions through a legal site. The story didn’t mention a breach, but it quoted a G2 employee on the challenges associated with fighting crooks who possess the means and the motive for hacking those who stand in their way.

“The guys who run these illicit sites are also into viruses and malware,” the Times quoted Alan Krumholz, principal data scientist at G2. “It’s a cat-and-mouse game. They go from one business into another.”

The full indictment against Shalon is here (PDF). The mention of Victim 12 (G2) is on page 23.

17 thoughts on “JPMorgan Hackers Breached Anti-Fraud Vendor G2 Web Services”

  1. Richard Nelson

    Besides JPMorgan Chase what are the other brokerage firms?

    1. BrianKrebs Post author

      5th paragraph: Prosecutors say the ringleader of the cybercrime gang accused of breaking into JPMC, Scottrade, E-Trade and others is 31-year-old Gery Shalon, a resident of Tel Aviv and Moscow.

      1. Jonathan

        MVS has never been hacked. Any company that allows access to sensitive or valuable data via insecure operating systems like Windows and Linux should be sued out of existence.

        1. Charles

          By “MVS” I assume you mean z/OS?

          Are you unaware of the Logica breach?

        2. John

          lol. Should we just go back to paper and pencil then? Or maybe you’d prefer a typewriter?

          MVS receives far less scrutiny as a whole than any other major OS, which is why it’s so ‘unhackable.’

          Remember when OS X was so much more ‘secure’ than Windows? In 2014 they had almost 4x as many vulnerabilities reported as the highest Windows variant. Is it b/c their coding practices have gone downhill? No, it’s because their market share increased and hackers/researchers are focusing more attention on it now.

          Same thing would happen with MVS if it was more widely used… Instead, fewer people looking at it means there are potentially more undiscovered vulnerabilities than in more scrutinized code bases with similar numbers of lines of code; maybe even more low-hanging fruit.

          1. Anon.

            > Is it b/c their coding practices have gone down hill? No, it’s because their market share increased and hackers/researchers are focusing more attention on it now.

            I vote for a combination of both!

            Everything is a LOT more complex now to support fancy features. That doesn’t come without a price. I still think Apple hardware and software is superior for my needs, but I’ve gotten a lot less happy with it than I used to be.

            User since 2001 – replaced my Mac SE with a 933MHz G4: IMHO the software quality has decreased a lot. Much more frequent crashing these days (mostly Apple-supplied apps, but kernel panics have increased some too). Where there are crashes, there are vulnerabilities.

  2. Clarence York

    Will Israel extradite Gery Shalon since we do not have an extradition treaty with them??? Presuming they will not extradite, why doesn’t the U.S. impose some sort of financial sanctions on Israel – full disclosure, I love Israel, but we have got to start forcing other countries to stamp out cybercrime. For example, I firmly believe we should impose sanctions on several other countries that harbor cyber criminals instead of allowing the U.S. to become “fair game” for international thugs.

    1. timeless

      Where do you get your information?
      There is a treaty [1], and while it was for a while unusable, that was fixed [2]:

      > … on April 19, 1999, the Knesset passed an Amendment (Number 6) to the Extradition Act, which permitted the extradition of Israeli citizens who had committed crimes abroad. It divided Israeli citizens into two categories: Israeli citizens who are residents of Israel at the time an extradition request is made and those who are not residents at the time of the extradition request. The former are to be extradited, but then returned to Israel for sentencing. The latter group may be extradited and serve sentences in either the state where the crime was committed or in Israel.

      [1] https://www.jewishvirtuallibrary.org/jsource/US-Israel/Treaties/extradition.pdf
      [2] http://www.jewishvirtuallibrary.org/jsource/History/extraditionpol.html

  3. Nikon1

    “Will Israel extradite Gery Shalon since we do not have an extradition treaty with them??? Presuming they will not extradite, why doesn’t the U.S. impose some sort of financial sanctions on Israel – full disclosure, I love Israel, but we have got to start forcing other countries to stamp out cybercrime. For example, I firmly believe we should impose sanctions on several other countries that harbor cyber criminals instead of allowing the U.S. to become “fair game” for international thugs.”

    I completely agree – Nationality / Race / Religion has nothing to do with these thieves who continue to cost all legitimate consumers and businesses huge losses.

    Extradite them or face economic sanctions. Money is the universal reward / punishment.

    Great Article, Brian. I always login to your site first thing to read what you’ve posted. Thank You!

    1. timeless

      First of all, the basis for your question is nonsense, there is a treaty, and it’s available (see my response to Clarence [1]).

      Second, members of Congress already tried to cut funding for Israel based on a much more serious case [2] — I’m sure @Brian recalls it, since he was a reporter for the Post at the time, and it was both a major local story and a major international story. Congress wasn’t able to then. Today, members of Congress can barely agree to tie their own shoelaces, although they are willing to threaten to ruin the “Full Faith and Credit of the USA”, but… It’s unlikely they’d focus their attention on this. They’re too busy not being constructive…

      [1] http://krebsonsecurity.com/2015/11/jpmorgan-hackers-breached-anti-fraud-vendor-g2-web-services/comment-page-1/#comment-395249
      [2] http://www.jta.org/1997/10/15/life-religion/features/congress-steps-up-pressure-on-israel-to-extradite-suspect

  4. Omar

    You have to excuse me because getting a window like this and saying things how they are is priceless. I don’t know whether to laugh or cry to just see things transpire the way they’re transpiring. Criminals and good cops and bad cops and whatever else you can put together and call it the nature of human beings. The specific person that comes to mind when I think of all of this is the inventor of the black box who helped the Mafia pretty much hide the location while they’re doing their gambling bookkeeping. It’s a very interesting world the way I see it. I can hardly keep up trying to learn all the jargon; I can’t even believe Brian learned Russian. I’m at the beginning of all of this so I can’t wait to finish the book and just make sense of all of this.

  5. Ray

    Major article at infoworld.com written by Roger Grimes on spearphishing. Brian’s book Spam Nation is mentioned in the article.

    http://www.infoworld.com/article/3000943/phishing/10-reasons-why-phishing-attacks-are-nastier-than-ever.html?phint=newt%3Dinfoworld_sec_rpt&phint=idg_eid%3D5abe9cb94f1b33f6c4e2b7429c7d652d#tk.IFWNLE_nlt_sec_2015-11-12

    The article describes how hacking into corporate sites has been taken over by organized crime instead of script kiddies to the tune of millions of dollars in losses regularly.

    I will be forever grateful to Roger for turning me on to Brian.

  6. AlphaCentauri

    Can G2 use their method to shut down scam telemarketers like Rachel at Cardmembers Services, or the people calling with vacations to the Bahamas? The telephone scammers calling with spoofed caller ID display numbers seem to be evading the FTC. But somewhere along the line, they have to contact a bank to get paid, so a credit card number could be the way to identify the perpetrators.

  7. jim

    Oh, so that is against the law. Funny, they pass those laws, and it takes years to find the first target. But, finally, someone big was hit, and then things get done. The local dimestore/grocery, use cash, but finally, JPM? We get enforcement? Bad law, should apply to the mom and pops also. They are just as needful of protection.

  8. Greg

    Mainframes were hacked back in the day, but mostly for fun by insiders. Example: the 1987 IBM XMASCARD EXEC. There were various innocent hacks on Univac 1100s too.
