Date: 2013-07-25
* Prosecutors say men were associates of Albert Gonzalez
* Say at least 160 mln credit card numbers stolen
* Nasdaq said to be victim of two-year breach
* Hackers could delete, change, steal Nasdaq data - prosecutors
By David Jones and Jim Finkle
NEWARK, N.J./BOSTON, July 25 - Federal prosecutors
said on Thursday they have charged five men responsible for a
hacking and credit card fraud spree that cost companies more
than $300 million, and two of the suspects are in custody, in the
biggest cyber crime case filed in U.S. history.
They also disclosed a new security breach against Nasdaq,
though they provided few details about the attack.
Other companies targeted by the hackers include a Visa Inc
licensee, J.C. Penney Co, JetBlue Airways Corp
and French retailer Carrefour SA, according
to an indictment unveiled in New Jersey.
Authorities have been pursuing the hackers for years. Many of
the breaches were previously reported, though it appeared the
one involving Nasdaq OMX Group Inc was being disclosed
for the first time.
Prosecutors said they conservatively estimate that the group
of five men from Russia and Ukraine helped steal at least 160
million payment card numbers, resulting in losses in excess of
$300 million.
Authorities in New Jersey charged that each of the
defendants had specialized tasks: Russians Vladimir Drinkman,
32, and Alexandr Kalinin, 26, hacked into networks, while Roman
Kotov, 32, mined them for data. They allegedly hid their
activities using anonymous web-hosting services provided by
Mikhail Rytikov, 26, of Ukraine.
Russian Dmitriy Smilianets, 29, is accused of selling the
stolen data and distributing the profits. Prosecutors said he
charged $10 for U.S. cards, $15 for ones from Canada and $50 for
European cards, which are more expensive because they have
computer chips that make them more secure.
The five hid their efforts by disabling anti-virus software
of their victims and storing data on multiple hacking platforms,
prosecutors said. They sold payment card numbers to resellers,
who then sold them on online forums or to "cashers" who encode
the numbers onto blank plastic cards.
"This type of crime is the cutting edge," said New Jersey
U.S. Attorney Paul J. Fishman. "Those who have the expertise and
the inclination to break into our computer networks threaten our
economic wellbeing, our privacy and our national security."
The indictment cited Albert Gonzalez as a co-conspirator. He
is already serving 20 years in prison after pleading guilty to
helping mastermind one of the biggest hacking fraud schemes in
U.S. history, helping steal millions of credit and debit cards.
Prosecutors say the defendants worked with Gonzalez before
his arrest in Miami, then continued on a crime spree after his
capture.
Drinkman and Smilianets were arrested in June 2012, while
traveling in the Netherlands, at the request of U.S.
authorities. Smilianets was extradited last September and is
expected to appear in New Jersey Federal court next week.
Drinkman is awaiting an extradition hearing in the Netherlands.
Prosecutors declined comment on the whereabouts of the other
three defendants.
Tom Kellermann, a vice president with security software
maker Trend Micro, said he thinks the prospects are dim that
they will be caught because authorities in some countries turn a
blind eye to cyber criminals.
"There is an enormous shadow economy that exists in Eastern
Europe. In some countries, sophisticated hackers are seen as
national assets," he said.
Kalinin and Drinkman were previously charged in New Jersey
as "Hacker 1" and "Hacker 2" in a 2009 indictment charging
Gonzalez in connection with five breaches.
NASDAQ BREACH
The U.S. Attorney's Office in Manhattan announced two other
indictments against Kalinin, one charging he hacked servers used
by Nasdaq from November 2008 through October 2010. It said he
installed malicious software that enabled him and others to
execute commands to delete, change or steal data.
The infected servers did not include the trading platform
that allows Nasdaq customers to buy and sell securities,
prosecutors said. Officials with Nasdaq said they could not
immediately comment.
A source with knowledge of the breach said on Thursday the
indictment was not related to a 2010 attack that Nasdaq had
previously disclosed, which was targeted against Directors Desk,
a service used by corporate boards to share documents and
communicate with executives, among other things.
The source, who asked to remain anonymous due to the
sensitivity of the matter, said that hackers appear to have used
their access to the firm's network to create their own landing
page on a Nasdaq website, where users were directed when they
wanted to change their passwords.
The second indictment filed against Kalinin in Manhattan,
which was unsealed on Thursday, charged that he worked with a
sixth hacker, Russian Nikolay Nasenkov, 31, to steal bank
account information from thousands of customers at Citibank
and PNC Bank from 2005 to 2008, resulting in the
theft of millions of dollars.
MAKING PROGRESS
Mark Rasch, a former federal cyber crimes prosecutor, told
Reuters that the arrests show that law enforcement is making
progress in identifying those responsible for major cyber
crimes.
"They involve dozens or even hundreds of people huddled over
computer terminals all over the world in a common purpose of
stealing of disseminating credit card numbers," said Rasch, who
was not involved in bringing the case.
Among the breaches cited in the New Jersey indictment,
prosecutors charged that the group was responsible for the theft
of more than 130 million credit card numbers from U.S. payment
processor Heartland Payment Systems Inc beginning in
December 2007, resulting in approximately $200 million of
losses. That was the same case for which Gonzalez was convicted
and which was the largest case of its kind before the latest
indictments.
Heartland released a statement praising authorities for
their work: "We hope that this indictment further delivers the
message that prolific hacking organizations worldwide will be
pursued and charged for crimes such as this one."
The indictment charged that they took approximately 30
million payment card numbers from British payment processor
Commidea Ltd in 2008 and 800,000 card numbers from Visa Inc's
licensee Visa Jordan in 2011.
An attack on Global Payment Systems that began in about
January 2011 resulted in the theft of more than 950,000 cards
and losses of about $93 million, according to the indictment.
It charged the ring with stealing approximately 2 million
credit card numbers from French retailer Carrefour SA, beginning
as early as October 2007, and said the theft of card numbers from
Dexia Bank Belgium resulted in $1.7 million in losses.
Other victims included Dow Jones, Wet Seal Inc and
7-Eleven Inc, according to prosecutors.
Dow Jones said in a statement that there was "no evidence"
that information of Dow Jones or Wall Street Journal customers
was compromised as a result of the breaches.
Officials with Carrefour, Global Payments and JCPenney
declined comment.