Dissecting the Big Data Breach

The nuts and bolts of how hackers attacked 7-Eleven, others

WASHINGTON -- A federal indictment made public Thursday in New Jersey charges five men with conspiring in a worldwide hacking and data breach scheme that targeted major corporate networks and stole more than 160 million credit-card numbers.

Newly unsealed documents showing that hackers allegedly conspired to attack payment processors, retailers, financial institutions in what the U.S. Department of Justice is calling the largest such scheme ever prosecuted in the United States also reveal how the hackers perpetrated the cyber attack.

The defendants are charged with attacks on NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard. It is not alleged that the NASDAQ hack affected its trading platform.

Click here to read the full story in CSP Daily News.

The five defendants allegedly conspired to penetrate the computer networks of several of the largest payment processing companies, retailers and financial institutions in the world, stealing the personal identifying information of individuals. They allegedly took user names and passwords, means of identification, credit-card and debit-card numbers and other corresponding personal identification information of cardholders.

Court documents allege that the initial entry was often gained using a "SQL injection attack." SQL, or Structured Query Language, is a type of programming language designed to manage data held in particular types of databases; the hackers identified vulnerabilities in SQL databases and used those vulnerabilities to infiltrate a computer network. Once the network was infiltrated, the defendants allegedly placed malicious code, or malware on the system. This malware created a "back door," leaving the system vulnerable and helping the defendants maintain access to the network. In some cases, the defendants lost access to the system due to companies' security efforts, but they were able to regain access through persistent attacks.

Communications obtained by law enforcement reveal the defendants often targeted the victim companies for many months, waiting patiently as their efforts to bypass security were underway. The defendants allegedly had malware implanted in multiple companies' servers for more than a year.

The defendants are alleged to have used their access to the networks to install "sniffers," which were programs designed to identify, collect and steal data from the victims' computer networks. The defendants then allegedly used an array of computers located around the world to store the stolen data and ultimately sell it to others.

After acquiring the card numbers and associated data--which they referred to as "dumps"--the conspirators allegedly sold it to resellers around the world. The buyers then allegedly sold the dumps through online forums or directly to individuals and organizations. Smilianets was allegedly in charge of sales, vending the data only to trusted identity theft wholesalers. According to court documents, he charged approximately $10 for each stolen American credit-card number and associated data, approximately $50 for each European credit-card number and associated data and approximately $15 for each Canadian credit-card number and associated data--offering discounted pricing to bulk and repeat customers. Ultimately, the end users encoded each dump onto the magnetic strip of a blank plastic card and cashed out the value of the dump by either withdrawing money from ATMs or making purchases with the cards.

The defendants used a number of methods to conceal the scheme. Unlike traditional Internet service providers, Rytikov allegedly allowed his clients to hack with the knowledge he would never keep records of their online activities or share information with law enforcement.

Over the course of the conspiracy, the defendants allegedly communicated through private and encrypted communications channels to avoid detection. Fearing law enforcement would intercept even those communications, some of the conspirators allegedly attempted to meet in person.

To protect against detection by the victim companies, the defendants allegedly altered the settings on victim company networks to disable security mechanisms from logging their actions. The defendants also worked to evade existing protections by security software.