July 25, 2013

U.S. federal authorities have indicted five men — four Russians and a Ukrainian – for allegedly perpetrating many of the biggest cybercrimes of the past decade, including the theft of more than 160 million credit card numbers from major U.S. retailers, banks and card processors.

The gang is thought to be responsible for the 2007 breach at credit card processor Heartland Payment Systems that exposed some 130 million card numbers, as well as the 2011 breach at Global Payments that involved nearly a million accounts and cost the company almost $100 million.

Federal prosecutors in New Jersey today called the case the largest hacking scheme ever prosecuted in the U.S. Justice Department officials said the men were part of a gang run by Albert “Soupnazi” Gonzalez, a hacker arrested in 2008 who is currently serving a 20-year-prison sentence for his role in many of the breaches, including the theft of some 90 million credit cards from retailer TJX.

One of the accused, 27-year-0ld Dmitriy Smilianets, is in U.S. custody. Vladimir Drinkman, 32 of Syktyvkar, Russia, is awaiting extradition to the United States. Three others named in the indictments remain at large, including Aleksandr Kalinin, 26 of St. Petersburg; 32-year-old Roman Kotov from Moscow; and Mikhail Rytikov, 26, of Odessa, Ukraine.

According to the government’s indictment, other high-profile heists tied to this gang include compromises at:

Hannaford Brothers Co: 2007, 4.2 million card numbers

Carrefour S.A.: 2007, 2 million card numbers

Commidea Ltd.: 2008, 30 million card numbers

Euronet: 2010, 2 million card numbers

Visa, Inc.: 2011, 800,000 card numbers

Discover Financial Services: 500,000 Diners card numbers

In addition, the group is being blamed for breaking into and planting malware on the networks of NASDAQ, 7-Eleven, JetBlue, JCPenny, Wet Seal, Dexia, Dow Jones, and Ingenicard.

The hackers broke into their targets using SQL injection attacks, which take advantage of weak server configurations to inject malicious code into the database behind the public-facing Web server. Once inside, the attackers can upload software and siphon data.

The government’s indictment alleges that the thieves were at times overwhelmed by the sheer amount of data yielded by their SQL attacks.  On Aug. 12, 2007, Kalinin allegedly sent Gonzalez  an instant message that he’d just gained access to 30 SQL servers on NASDAQ’s network, but hadn’t yet cracked the administrator passwords that secured the data inside. “These [databases] are hell big and I think most of info is trading histories.” On Jan. 9, 2008, after Gonzalez offered to help attack the trading floor’s computer systems, Kalinin allegedly messaged back, “NASDAQ is owned.”

Court documents feature an alleged conversation between Kalinin and Gonzalez from March 18, 2008, months after the Hannaford Bros. attack:

Kalinin: haha they had hannaford issue on tv news?

Gonzalez: not here

Gonzalez: I have triggers set on google news for things like “data breach” “credit card fraud” “debit card fraud” “atm fraud” “hackers”

Gonzalez: I get emailed news articles immediately when they come out, you should do the same, it’s how I find out when my hacks are found 🙂

Just a few weeks later, news of a massive credit card breach at Hannaford started trickling out:

Gonzalez: hannaford lasted 3 months of sales before it was on news, im trying to figure out how much time its going to be alive for

Gonzalez: hannaford will spend millions to upgrade their security!! lol

Kalinin: haha

Kalinin: they would better pay us to not hack them again

According to prosecutors, the other members of the gang helped harvest data from the compromised systems, and managed the bulletproof hosting services from which the group launched its SQL attacks [the government alleges that Rytikov, for example, was none other than “Abdullah,” a well-known BP hosting provider]. The men allegedly sold the credit card data to third parties who routinely purchased them at prices between $10 and $50 apiece. The buyers were given PIN codes and magnetic stripe data that allowed them to create cloned cards for use at retailers and ATMs around the world.

A copy of the indictment is here (PDF).

Update: 3:39 p.m ET: Corrected state in which the accused were charged.


42 thoughts on “Hacker Ring Stole 160 Million Credit Cards

  1. G

    Geniuses, misguided but geniuses none the less.

    1. Credit Cards SA

      You, Sir, are correct. I wonder how different life would have been if such geniuses put their intelligence and talents to better use. What do you think?

  2. SkyLurker

    I realize that not all the crooks out there will get caught, but it’s REALLY amusing to hear someone brag about what they have done, will do, or won’t get caught for after they are caught. Brag away, Hackers! It only makes it funnier when you are extradited.

    I also enjoyed Kalinin’s comment about paying them not to hack. It mirrors what Butch Cassidy (famous American train robber, for those of you too lazy to use Google) said about robbing trains. They sent an entire infantry battalion after him and … well, watch the movie.

  3. DavidM

    These numbers are staggering and scary. But what scares me even more is the fact of how many companies are breached and pass it off as though it is minor and no one should worry.

    If it wasn’t for Brian and some of the others in the security community that put this information out there that this processor or institution was breached would these companies disclose it themselves and the seriousness of it?

    It has already been shown that most will not disclose it which I believe is wrong. I understand that they are worried about the fallout, but at least those they do business with and consumers would no to check things on their end to make sure they aren’t victims or about to become one.

    I recall when Brian reported some of these breaches, and some of the companies efforts to say all is well and not to worry, that to me is more worrying then not.

    So kudos Brian, I hope your efforts in letting people know the facts one day leads to the mandatory disclosures of breaches like these, so that the business and consumer communities can act accordingly.

    1. fhaaokck

      “These numbers are staggering and scary. But what scares me even more is the fact of how many companies are breached and pass it off as though it is minor and no one should worry.”

      @DavidM: For the larger companies these breaches make up a small amount of their revenue. The fines (unless it’s HIPPA) are usually not enough for them to worry about, and as long as they have “reasonable” security in place, they’re not going to risk more than the reputational impact which is to say they’re risking almost nothing. For example, I don’t think any of the companies in the article above are out of business because of this.

      It’s not right, but it’s how business is done.

      The only way this will ever change is if hackers somehow find a way to steal from the profits of corporate executives.

      1. meh

        What is ironic is if they did the people would be a lot more supportive of them, when they target anybody willy nilly they just look immature and a threat to everyone.

        I suspect 90% of the people after them would find other things to do if the top 1% started feeling the pain on a consistent basis.

      2. saucymugwump

        “The fines (unless it’s HIPPA) are usually not enough for them to worry about”

        I do not know why you think that HIPPA leaks are any different than non-HIPPA ones. A medical insurance company (Anthem Blue Cross / Blue Shield) allowed my personal data to be leaked, along with that of many others because they kept it on an http server. A class action suit resulted, involving state governments and the feds. The result? We were all given one year of a credit monitoring service. The company admitted no liability and paid no fines, and no precious executives were bothered.

        1. fhaaokck

          Having worked in both the medical and financial industry, I found that HIPAA was a greater concern to executives in the medical industry verses other industries with different regulatory interests. I suppose I only have anecdotal evidence supporting this assumption. To the consumer it’s all the same, and I certainly don’t think it’s harder to have a breach one place verses another.

          1. saucymugwump

            “I found that HIPAA was a greater concern to executives in the medical industry verses other industries with different regulatory interests.”

            Maybe, but my point was that in either case the penalty is a joke, i.e. they just give the victims a one-year subscription to a credit monitoring service. If the victim suffers identity theft, too bad, so sad.

            If CEOs and other corporate parasites were given personal fines and/or jail time for gross negligence, then the problem might actually be solved.

        2. CooloutAC

          was it lifelock? is that service worth it you think?

          1. fhaaokck

            Yeah I triple lifelocked myself. I’m thinking of buying a 4th account for my dog.

          2. saucymugwump

            No, it was Debix. They never found any nefarious activity, but as soon as I was notified of the data loss, I put a credit freeze on my account using all of the big three agencies. For your information, when you do that, the credit freeze is free, but every time you want to allow someone to check your credit, they will charge you $10.

            1. CooloutAC

              Ya i use to write letters to them when helping people fix their credit when I did subprime mtgs. Too many checks can even lower your rating.

              I think they all alos offer their own credit monitoring services for 20 dollars a month, I wonder how they compare. My grandfather started getting charged for that when he requested a supposedly free credit report from equifax.

              All 3 of them have headquarters overseas now. They are based in India, when you call foreigners are even asking for your full social over the phone, its crazy.

  4. Richard Steven Hack

    I would be interested in how these guys got caught. Did Gonzalez rat them out as part of negotiating for a sentence reduction?

    1. Adam

      Apparently chat logs were seized from Gonzales, which helped identify the others. Gonzales’ sentence does not indicate any level of cooperation 🙂

      1. Richard Steven Hack

        I was thinking in terms of post-conviction sentence reduction negotiations. It happens.

        Amazing that hackers allow chat logs to expose them. Bad opsec. Along with emails and other should-be-sanitized records.

        When one hacks, one should disperse the acquired booty to the anonymous cloud, then reformat the entire machine so no trace of one’s hacking remains. That way, only if caught in the act can one testify against oneself… Just common sense.

        1. voksalna

          If one assumes that Gonzalez had logs of his and Kalinin’s chats, that would only account for chat logs up until Gonzalez got arrested in 2008 (which make up the bulk of the ‘evidence’ in the ‘indictment’. One might want to ask how connections were made to the other cases (especially given the accused lack of access to RU and UH ‘cooperation’). Was it purely matching software signatures for these dll’s, and if so how are they supposing it is the same people performing the alleged crimes (especially in a world where now people are very cautious about binary crypting)? I would also argue that without matching chat transcripts on both sides of the exchange, there is no proof it ever happened, but so far this has not been the successful defense it should be (which surprises me — I do not understand how it is acceptable from an evidentiary perspective).

          I will not state the obvious conclusion, but you are intelligent enough to make it, Richard. One of those things are not like the others. And it is not [only] Gonzalez. A lot of things happened in the past year or so.

  5. Sue

    Heartland took this breach very seriously and is generally considered to have a good response.

    I regularly Google dork search my own company and check them with Shodan along with officially sanctioned scans. If your company doesn’t have regular perimeter scans you should at least do that. It should pick up SQL injection.

    I get systems that our lab people have forgotten about that way. It’s also a way to check business partners you don’t have the right to scan directly.

  6. Steve

    Aren’t we being told in the Snowden case that Russia doesn’t have an extradition treaty with the United States? So how is it this Vladimir Drinkman guy is waiting extradition to the U.S.? It’s funny how the big shots change the rules to suit the situation, actually it’s not that funny. Maybe they can only extradite Russians to the U.S. but they can’t extradite U.S. citizens to the U.S., now that is funny.

    1. BrianKrebs Post author

      I believe Drinkman (and the other guy awaiting extradition) were traveling in the Netherlands when they were arrested.

  7. Sergey Bobkov

    I grew up with Vladimir Drinkman (his parents lived on the 9th floor, mine lived on the 7th floor of the Soviet-style apartment building in Syktyvkar). He and his younger brother Boris have been involved in hacking since early teens. I cannot believe that after all these years Vladimir is still doing it, although I can’t say I am very surprised. What a pathetic use of truly elite programming skills, he could have done so much more if he channeled his energy into a more positive directions! What a damn shame!

      1. voksalna

        Rather a large extent, from what I can tell. But as of yet not a single case has managed to use it successfully as a defense, which strikes me as odd in a country where sugar intake is occasionally acceptable (twinkies?… Oh if there are smaller ‘twinkies’ now does this mean they are less culpable? :P).

  8. voksalna

    Brian, can you explain this discrepancy between varying reports? While the “official” story that just came out tonight is saying that Drinkman and Smilianets were arrested at a tour bus in Netherlands, other articles, including at WaPo (your previous ‘home’) state this:

    [quote]”Smilianets is in U.S. custody and was expected to appear in federal court next week. His New York-based lawyer, Bruce Provda, said Smilianets was in the U.S. “sightseeing” when he was arrested. “It’s a rather complex international charge of hacking,” Provda said. “If it goes to trial, it’s going to be a lengthy trial.””[/quote]

    I understand Drinkman is fighting extradition from Netherlands, but what is the story of Smilianets in the US, really? Something is ‘not right’ about what I am reading, and the federal agencies in charge have been less than forthcoming with regards to their methods here (although I can make guesses based on some of the ‘evidence’ presented in the ‘indictment’).

  9. Emmanuelle Filsjean

    Securing data is now at the forefront of many financial institutions minds, and as the methods by which hackers compromise our personal information becomes more sophisticated, so must our approach to security.

    Every time that a fraud hits the headlines there is naturally a huge focus on how the crooks got hold of all those personal banking details. But there is often less attention given to how they were then able to use the customer details to extract money from customer’s bank accounts.

    Unfortunately fraudsters will always find methods to compromise our personal data. While that in itself is a major concern the solution lies in ensuring the abuse of such data can be detected and prevented. The key lies in real-time detection, prevention and immediate resolution enabled by the empowered customer. Technology is available today to absolutely achieve this, in real-time, totally privacy sensitive, highly secure and yet totally intuitive from a customer standpoint. In fact, in many cases the customer is not even aware that security is being applied as many of the techniques used are completely invisible. The answer is robust customer authentication and transaction verification, relative to the bank’s perceived risk of the transaction. It must have speed (real-time), strong security, efficiency, good customer service and ease of use, while shutting down the scope for fraudsters to benefit from their crime. Similar stories (while on a smaller scale) have been publicised for over a decade, and invariably the issues remain the same, surely it is now time for financial institutions to step up and utilise effective security systems that can protect against such massive theft of payment credentials and the inevitable fraud fall-out that has already occurred and will continue for some time to come.

    1. voksalna

      Emmanuelle,

      Sort of bad form to come in as a vendor and not say so. 😉

      There are actually quite a lot of unusual transaction pattern-matching software being used, but in response to this a lot of people have adapted their methods. This is one reason that so many seek out for instance American money mules, or stay within more reasonable per-card limits, or in the case of some of these ‘hackers’ just go to the backend itself via the processor (and this is a very specialised and mostly far rarer thing — one thing you may be able to tell from these arrests); you cannot generally find a pattern until one is created, which is also why so many identity thieves “simply” create a separate line of credit or open a new account somewhere.

      Anybody that has ever had their bank card frozen (a common thing in the USA from what I understand) will know that these pattern-matching softwares such as that are used by banks and processors are not perfect. It is point and counterpoint, and creating more barriers will more or less have the more creative types finding ways around them within a few months, maybe a year — and then their methods will spread (even through blogs like this, or indictments, or the news, and trickle down to less and less ‘talented’ people through places like lower-level open “forums” populated by the rip, click, and run types of peoples).

      While things like you suggest may temporarily be a bandage on the problem, they will not fix the problem. If you want there to be less of these ‘creative’ crimes probably the best way to do this is to stop with all of the security reporting and things like Metasploit, open disclosure exploits, and the like, but this is a big business (and I mean no offense specifically at you Mr Krebs). At that point that information becomes more and more scarce, then only the talented will be able to bypass such security methods, and they will be far less likely to want to share openly — you may still have ‘spectacular’ crimes, but there will be far less spread, far fewer crimes, and far fewer individuals as victims trying to find the easiest targets (like non-profits and small businesses, who actually feel the most harm).

      1. CooloutAC

        I thought these “creative” criminals, lmao, were thieves because they have to feed their family?

        While I do blame the media for alot of propaganda and having too much power, you can’t be serious in this case? I wish they reported on these things more!

        As many have said, the fines and penalties are a joke, and these banks would rather take the losses. Millions of dollars is not even a drop in the bucket to them. And the other half of society just thinks it can’t ever happen to them. And if its only a small sum to people who are well off and they eventually get refunded who cares. But the people who get really hurt, poor people that live day by day to feed their family. That all of a sudden get their world rocked when their life savings of 1000 dollars disappears out of their checking account.

        1. CooloutAC

          And what about the whole notion that open sourced is always more secure?

          1. voksalna

            Also: Not always. In fact I have occasionally said that I believe in security by obscurity — provided other security measures are taken — for certain things. SCADA for example. Or I don’t know, super hadron collider controller software. Or software to control nuclear power plants, or such. Some things are secure partially BECAUSE they are not easy to get hands on to look and to ‘play’. But if you put emulators or source out there, you are just inviting trouble… and to what end?

            On the other hand, encryption algorithms, for instance, are one very good thing to have open-sourced, and in fact I would never advocate anybody using any encryption software that one cannot view and compile oneself. Even if you cannot understand it. You probably cannot but this is where ‘bugs’ best come out — when people who do have the skills find the attacks. I also use an open source operating system, but I am very paranoid about how I use it — but this is not only because I think open source is excellent — I just prefer to code things myself, and I am not a fan of Apple or Microsoft or these types of companies. And I probably shouldn’t be — because it goes back to security and encryption — I want the right to audit it myself if I want to since I am running it, but that does not mean I will go around telling 14 (or 24 or 34) year old members of this Anonymous crowd, or some security company that would sell it to your very own government for 50,000 USD.

            One nice thing about finding a bug in an open-source software is you can patch it yourself and it won’t affect you on the box you’ve patched. Obviously this is not for everybody but note I am not recommending not to tell the vendor — just not to tell the world, or anyone else that could capitalise on it in any way (money, fame, power, reputation) without a damned good reason. And sometimes those reasons might exist, but not at ALL the way they are presented now.

    2. voksalna

      But of course this will not happen because ‘security’ is big business and nobody wants to give up their bottom line. Iatrogenic.

      1. CooloutAC

        but what about the whole notion that open sourced is more secure?

        1. http://0.gravatar.com/avatar/48f0b9b35a277de93321a13b4e2ee460?s=36&d=path_to_url&r=PG

          Allows more eyes on the code. Also allows any hacker in the world to insert his hack into code. So….don’t know what that has to do with the thread.

          1. CooloutAC

            well i was replying to voksalna regarding his/her suggestion about not reporting on flaws or source codes, or security breaches and leaks. But then how they can they get community members to help them fix them or identify more flaws?

            I am always saying in game communities , or even about the whole pc industry thats dying right now, that they should always be outing hackers or talking about the problems on their forums. Not censoring them thinking that will drive people away. Being silent on those issues is even worse imo. Thats one thing I can partly agree on., but its hard to change 20 year old mentalities.

            But on the other side common sense does suggest having an open source code makes it vulnerable for the reasons you’ve stated. But that is still the talking points of so many “geeks” and non malicious hackers/developers in those communities? I guess linux because its a free O/S? but they ship with no firewalls or default iptables rules half of them, like ubuntu for example, the most popular one lol.

            In my opinion linux is only more secure on defaults because its less popular and not targeted much? and doesn’t broadcast every two seconds. Would you agree with that?

            I’m always on the fence on this issue, though I don’t have a developers or malicious hackers thinking. But I think security flaws should be exposed, and they should be talking about them and trying to find more, but then how do you do that without getting help from the community?

            1. https://i.imgur.com/N14wJzy.jpg

              Still a matter of faith, I’m looking into BSD but I have other things to do first. Simplify the system and laugh at anyone trying to attack it. Takes getting used to funny looks from people.

              1. voksalna

                Look into NetBSD maybe: very old very core people who are highly experienced at cross-platform. If you’re looking at FreeBSD you might want to consider the Dragonfly BSD fork.

            2. voksalna

              Simple. If you are auditing open-source software and you find a bug, you tell the security contact. You do not put an embargo on it. You do not blackmail. You do not give it out to all your friends or script it up or turn it into metasploit ruby module.

              Think about like a medical quarantine, maybe: if you are running around with plague you will give it to other people who will give it to other people etc, until everybody has the plague. People do not do the safe thing. Most people do not patch. So those ‘poor people’ you feel sorry for are the ones that actually suffer — ones who do not know better, do not follow things 24/7 (and this is not even enough time now!), do not know how to fix things, or just make things worse trying. Nobody is making this an arms race except for the ‘security community’. There would always be talented hackers (on both sides) but without the ‘big business’ and the desire for fame and blah blah blah, things could be more localised and controlled.

              Is simple.

              1. CooloutAC

                it doesn’t seem to be nearly as balanced as it used to be man.

  10. Technocrat

    http://investor.visa.com/phoenix.zhtml?c=215693&p=irol-newsArticle&ID=1841457&highlight=

    “Foster City – July 25, 2013 – Earlier this morning, the U.S. Department of Justice announced the indictment of a group of hackers that targeted dozens of companies, including an independent acquirer processor in Jordan that previously used the name Visa Jordan Card Services (VJCS). VJCS, now known as Emerging Markets Payments – Jordan, is an independent third-party processor and is a separate company from Visa Inc.”

Comments are closed.