Alleged TJX hacker spun a wide web of cybercrime

Albert Gonzalez, 28, was the alleged ringleader of a cybercrime enterprise that swiped at least 170 million credit and debit card numbers in recent years.

The U.S. Department of Justice announced Monday that Gonzalez, already awaiting trial for the TJX data breach, along with two others were being indicted for five corporate data breaches (indictment, statement, Techmeme).

What's stunning is the laundry list of companies impacted by these breaches. The list from the indictment:

  • Heartland Payment Systems
  • 7-Eleven
  • Hannaford Brothers Co.
  • And two unidentified corporate victims

Add it up and Gonzalez is connected to the theft of 130 million credit and debit card numbers, according to the Department of Justice. The TJX data breach indictment from last year tosses in 40 million card numbers. The August 2008 indictment, which named Gonzalez and others, detailed how the attackers probed TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.

The latest indictment illustrates how Gonzalez and his two unnamed coconspirators went about their business. They typically scanned a list of Fortune 500 companies looking for victims. Once a target was identified, Gonzalez would look for vulnerabilities, both physical and virtual. He would identify point-of-sale machines, which anyone can do with a store visit, and follow up by uploading information to serve "as hacking platforms."

Once the attacks began, Gonzalez would launch a SQL-injection attack. Gonzalez and his crew would then add malware to find credit and debit card numbers. The gang swapped instant messages to relay their discoveries. Ultimately, sniffers were set up to absorb the card data.
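The SQL-injection entry point the indictment describes comes down to one coding defect: attacker-controlled text being glued into a query string. The example below is added here and is not from the article or the indictment; it uses a constructed in-memory SQLite table and a hypothetical `customers` lookup to put the vulnerable form beside the parameterized fix so the difference can be checked directly.

```python
import sqlite3

# Constructed sample data standing in for a corporate site's customer table.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String-concatenated query: the caller's text is parsed as SQL.
    This is the defect class the indictment points at; it is shown only
    so the contrast with the safe form below is concrete."""
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Bound parameter: the driver passes the value separately from the
    SQL text, so quotes and operators inside it are never treated as SQL."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def count_rows(fn, username: str) -> int:
    """Run one lookup against a fresh table and report how many rows it returns."""
    return len(fn(make_db(), username))


if __name__ == "__main__":
    benign = "alice"
    tautology = "x' OR '1'='1"  # classic textbook tautology, for the comparison
    print("vulnerable, benign:      ", count_rows(lookup_vulnerable, benign))
    print("vulnerable, tautology:   ", count_rows(lookup_vulnerable, tautology))
    print("parameterized, tautology:", count_rows(lookup_parameterized, tautology))
```

The concatenated version returns every row for the tautology input, while the parameterized version returns none, because the whole string is compared as a literal username.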

The indictment describes how Gonzalez was able to keep ahead of defenses. From the statement:

For example, they allegedly accessed the corporate websites only through intermediary, or “proxy,” computers, thereby disguising their own whereabouts. They also tested their malware by using approximately twenty of the leading anti-virus products to determine if any of those products would detect their malware as potentially unwanted. Furthermore, they programmed their malware to actively delete traces of the malware’s presence from the corporate victims’ networks.

There's nothing here that is that fancy. Gonzalez was able to reach the point-of-sale and payment processing systems through corporate Web sites. SQL injection attacks aren't exactly cutting edge. Gonzalez was good at probing weak defenses and exploiting them. Another eye opener: it wasn't that difficult to stay ahead of antivirus defenses.

Makes you wonder next time you go shopping.

Topics: Banking, Browser, Malware, Security

  • Just goes to show no one's doing their homework

    We keep pushing computerized systems out further and further into important aspects of our lives, and yet the security portion isn't baked in and is really an afterthought. Put a national security slant on all of this, and the possibilities are frightening. If 3 motivated clowns can do this, imagine what a foreign government with real assets can do.
    • Correction

      I think you mean "imagine what foreign governments with real assets
      ARE doing."
  • RE: Alleged TJX hacker spun a wide web of cybercrime

    Stories like this really influence me and my opinions of cloud computing. Right now many cloud vendors are kind of downplaying security concerns on the cloud, but as more and more valuable information is stored on the cloud, the more hackers are going to target cloud-based storage and services.

    Low cost IT might be driving cloud computing adoption but security issues like in this article will drive it over the cliff unless the industry can really come up with some innovative solutions.

    I also believe that security technology and corporate/private digital rights management will drive the actual cost of cloud adoption up and mitigate the cost advantage of cloud adoption.
  • 3 Clowns...

    This article makes me think about the PCI standards and how they address security concerns among retail businesses. As someone else has mentioned, these 3 clowns were able to leverage relatively simple techniques to grab huge numbers of CC #'s. Do the really good hackers who steal CC #'s just never get mentioned, the costs are absorbed and they are never caught? We need to take a different angle to protecting cc data...
  • RE: Alleged TJX hacker spun a wide web of cybercrime

    Are debit cards any more secure? If not, what is the safest way to make a purchase besides cash?
    • Get a pre paid credit card

      If you go here:
      and have a look
  • Does anyone really believe anti-malware can possibly keep up?

    [i]Another eye opener: It wasn't that difficult to stay ahead of antivirus defenses.[/i]

    You say this like you expect that anti-virus/anti-malware software can keep up with smart people who want to break into computer systems.

    Does anyone seriously believe that these systems keep anyone protected from real criminals?
  • RE: Alleged TJX hacker spun a wide web of cybercrime

    Given that I have had corporate counsel actually state they thought it was cheaper to endure a breach than implement decent Information security (at more than one client) I hope these Corps. get hammered a little.
    The PCI standards are another example of an accounting business being built around what should be a standard best practice. As long as information security is viewed as a Checklist of Addons to business practices it will remain behind the criminals.
  • This may be a good thing

    Hopefully Mr. Gonzalez's actions can have a beneficial effect. Companies can learn to better protect our sensitive information, and consumers can learn just how vigilant they need to be in regards to their finances. It might be a lot to ask, but I think some good can come from this.

    Of course it's hard when it oftentimes seems like our best and brightest minds would rather go into the criminal side of the computing world than the legitimate one.

    Check out my blog on Mr. Gonzalez and his actions at....
  • RE: Alleged TJX hacker spun a wide web of cybercrime

    Perhaps companies will now add proper security to their sites. This reminds me of an event last year here - someone warned a virus was coming - it was all over the security blogs - and a major bank here did NOT protect themselves and their ATM's shut down for four days - at the end of a month, over a weekend. Ever try to pay your bills when you can't access your accounts? I am an IT security dude, for mostly civilian machines - and I DO my homework - maybe now Corporate World will wake up and smell the bytes.
    Uncle Griff
  • This is why Visa & MasterCard want PIN based txns

    The article points to a vulnerability in the POS machines. This is the reason why MasterCard and Visa are going to convert banks to move to chip based debit and credit cards, wherein you have to enter a PIN at the POS terminal that will be known only to you before it can be authenticated.

    Yes, I know this is just an additional layer of security that does not guarantee additional security, but it is very well known that when you hand over the card at a restaurant, if your waiter is into this then you can rest assured that he can swipe your card in a card reader and note your CVV number, and this can be used to replicate your card for use at POS terminals. Chip based cards are aimed at preventing such low level thefts.
    • This is why Visa & MasterCard want PIN based txns

      We have Chip&PIN on our Visa & Mastercards in Ireland so there is no excuse for its absence stateside.
    • How secure is chip & PIN?

      In theory chip & PIN may be more secure than just the magnetic stripe & a signature (which is rarely checked) but countless times I've watched people type in their 4 digit PIN with no attempt at concealing it from watchers. What is needed is a password from which you're asked to enter the nth and mth characters (as in banking). Another option is a fingerprint scanner, but that can be overcome if the criminal chops off the victim's finger - nasty.
      What is most vital is educating people to be aware of security risks.
  • RE: Alleged TJX hacker spun a wide web of cybercrime

    Just goes to show how ignorant computer companies can be on cybercrime. I just read an article in Popular Science about three of the top hacker ringleaders and their cohorts in China and how they got into US Navy computer files and some U.S. corporations' computer files, and they are pinging the White House computers also, so don't think your computer is safe unless you disconnect the wire to the internet.
  • RE: Alleged TJX hacker spun a wide web of cybercrime

    That's scary. I'm lucky this has never happened to me at
    Marshall's (another TJX company)!