Albert Gonzalez, 28, was the alleged ringleader of a cybercrime enterprise that swiped at least 170 million credit and debit card numbers in recent years.
The U.S. Department of Justice announced Monday that Gonzalez, already awaiting trial for the TJX data breach, and two others have been indicted for five corporate data breaches (indictment, statement, Techmeme).
What's stunning is the laundry list of companies impacted by these breaches. The list from the indictment:
- Heartland Payment Systems
- Hannaford Brothers Co.
- And two unidentified corporate victims
Add it up and Gonzalez is connected to the theft of 130 million credit and debit card numbers, according to the Department of Justice. The TJX data breach indictment from last year adds another 40 million card numbers. That August 2008 indictment, which named Gonzalez and others, detailed how the attackers probed TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.
The latest indictment illustrates how Gonzalez and his two unnamed coconspirators went about their business. They typically scanned a list of Fortune 500 companies looking for victims. Once a target was picked, Gonzalez would identify its vulnerabilities, both physical and virtual. He would identify the point-of-sale systems in use, which anyone can do with a store visit, and then upload what the crew needed to systems that served "as hacking platforms."
Once an attack began, Gonzalez would open with a SQL-injection attack against the victim's Web site to get inside its network. He and his crew would then plant malware that hunted for credit and debit card numbers, swapping instant messages to relay their discoveries. Ultimately, packet sniffers were installed to capture the card data in transit.
The indictment describes how Gonzalez was able to keep ahead of defenses. From the statement:
For example, they allegedly accessed the corporate websites only through intermediary, or “proxy,” computers, thereby disguising their own whereabouts. They also tested their malware by using approximately twenty of the leading anti-virus products to determine if any of those products would detect their malware as potentially unwanted. Furthermore, they programmed their malware to actively delete traces of the malware’s presence from the corporate victims’ networks.
None of this is especially fancy. Gonzalez got at point-of-sale and payment-processing systems through the companies' public Web sites, and SQL injection is hardly cutting edge. What he was good at was probing weak defenses and exploiting them. Another eye opener: it wasn't that difficult to stay ahead of antivirus products, since the crew simply tested their malware against about twenty of them before deploying it.
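To show why the SQL injection described above counts as elementary, and what actually stops it, here is an added illustration that is not part of the original article or of the indictment. It uses an in-memory SQLite database with constructed sample data: the `stores` and `transactions` tables, the `store_lookup_*` functions and the `PAYLOAD` string are all made up for the example, and the card values are obvious placeholders. The string-built query lets a crafted store ID become a UNION that pulls rows out of an unrelated card table; the same input bound as a parameter returns nothing; and an SQLite authorizer hook stands in for the least-privilege backstop, a web-facing database account that cannot read the card table even when the query is injectable.

```python
import sqlite3

# Constructed sample data (not from the indictment): a "stores" table a public
# store-locator page legitimately queries, and a "transactions" table that the
# same page must never expose. Card values are placeholders, not real numbers.
SCHEMA = """
CREATE TABLE stores (id TEXT, city TEXT);
INSERT INTO stores VALUES ('S1', 'Boston'), ('S2', 'Miami');
CREATE TABLE transactions (id INTEGER, card TEXT);
INSERT INTO transactions VALUES (1, 'TESTCARD-0001'), (2, 'TESTCARD-0002');
"""

# Hypothetical attacker input for the store-ID parameter: closes the quote,
# appends a UNION against the card table and comments out the trailing quote.
PAYLOAD = "S1' UNION SELECT card FROM transactions --"


def deny_card_reads(action, table, column, dbname, trigger):
    # Authorizer hook (sqlite3.Connection.set_authorizer): SQLite consults it
    # while compiling each statement. Reads of any column of "transactions"
    # are refused, so a statement touching that table fails to prepare.
    if action == sqlite3.SQLITE_READ and table == "transactions":
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def build_db(restrict=False):
    # Fresh in-memory database per call; restrict=True models the web-facing
    # account having no privilege on the card table.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    if restrict:
        conn.set_authorizer(deny_card_reads)
    return conn


def store_lookup_vulnerable(conn, store_id):
    # Vulnerable: the untrusted value is spliced into the SQL text, so quote
    # characters in the input change the statement's structure.
    sql = f"SELECT city FROM stores WHERE id = '{store_id}'"
    return [row[0] for row in conn.execute(sql)]


def store_lookup_parameterized(conn, store_id):
    # Hardened: the driver binds the value as data; it can never become SQL.
    sql = "SELECT city FROM stores WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (store_id,))]


def demo():
    # Runs the three scenarios and reports what each one hands the caller.
    open_conn = build_db()
    locked_conn = build_db(restrict=True)
    results = {
        "normal": store_lookup_vulnerable(open_conn, "S1"),
        "injected_vulnerable": sorted(store_lookup_vulnerable(open_conn, PAYLOAD)),
        "injected_parameterized": store_lookup_parameterized(open_conn, PAYLOAD),
    }
    try:
        store_lookup_vulnerable(locked_conn, PAYLOAD)
        results["injected_least_privilege"] = "leaked"
    except sqlite3.DatabaseError:
        # Prepare fails with "not authorized": the injection is still there,
        # but the account cannot reach the card data through it.
        results["injected_least_privilege"] = "blocked"
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The parameterized query is the real fix; the authorizer only models the database-level grant a production deployment would use, so that a bug in the public-facing application cannot by itself hand over payment data. Both together are what "weak defenses" were missing.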
Makes you wonder next time you go shopping.