Five men have been charged for their role in what is believed to be a massive cybercrime ring responsible for causing millions of dollars in losses stemming from stolen credit card and account credentials.
The attacks, allegedly carried out by the men, targeted major corporate networks, pilfering more than 160 million credit card numbers. The targeted businesses include the Nasdaq, 7-Eleven, Visa Inc., Dow Jones Inc., J.C. Penney Co., and JetBlue Airways Corp., among others.
While their attacks were wildly successful, their methods of getting in and remaining on corporate systems were nothing new, security experts told CRN. Companies are not properly carrying out security best practices, they say.
The federal indictment, made public today in New Jersey, charged the men for each of their roles in the hacking scheme. Vladimir Drinkman, 32, of Syktyvkar and Moscow, Russia, and Alexandr Kalinin, 26, of St. Petersburg, Russia, each specialized in penetrating network security and gaining access to the corporate victims' systems, according to New Jersey U.S. Attorney Paul J. Fishman, who briefed reporters on the indictment Thursday.
Roman Kotov, 32, of Moscow, specialized in mining the networks for data, while Drinkman and Kalinin compromised the networks to steal the valuable data, Fishman said. The hackers hid their activities using anonymous Web-hosting services provided by Mikhail Rytikov, 26, of Odessa, Ukraine. Dmitriy Smilianets, 29, of Moscow, sold the information stolen by the other conspirators and distributed the proceeds of the scheme to the participants, Fishman said.
The charges stem from data breaches at the organizations that go back seven years, Fishman said. The attackers targeted several of the largest payment processing companies, retailers and financial institutions in the world, stealing personal information on individuals, according to the statement issued Thursday by the U.S. Attorney's Office in New Jersey. Using SQL injection, a common Web application attack technique, the attackers penetrated the corporate network and remained on the systems using a back door for remote access. "In some cases, the defendants lost access to the system due to companies' security efforts, but were able to regain access through persistent attacks," according to the statement.
The men allegedly targeted companies for months, and once they gained access, the systems were infected with malware for more than a year at some firms. To steal data, the men allegedly used sniffers to monitor network packets and identify sensitive data, which was later uploaded to remote servers where it was stored and sold on the black market. Once the stolen credit card data was sold to individuals through online forums, other people, known as money mules, would take blank plastic cards, encode them with the stolen data, and cash out the value of accounts either by withdrawing money from ATMs or making purchases.
The indictment serves as a reminder that age-old hacking techniques continue to cause damage to organizations, said Rob Kraus, director of security research at Solutionary, an Omaha, Neb.-based managed security services provider. SQL injection has long been ranked high on the Open Web Application Security Project (OWASP) Top 10 List and is frequently found listed in other secure software development frameworks. Educating software developers about secure coding best practices could help alleviate the problem, Kraus said.
"SQL injection is one of the most preventable flaws in web applications today; there's no shortage of information on how to prevent it," Kraus said. "Developers are either not aware of the threat of SQL injection or just not prepared to write code securely to prevent against it."
The attackers took advantage of a consistent failure at organizations to monitor logs and other system activities closely, said Chris Morales, research director at NSS Labs, an Austin, Texas-based security research and testing firm. The trust model at most organizations is broken, Morales said. Fixing the problem may mean architecting a network that doesn't give full trust to machines. It no longer should be about malware detection and trying to eliminate the breach itself; it's about trying to eliminate the loss of information that stems from the breach, Morales said.
"What went on with these guys is textbook, and we see it time and time again at firms of all maturity levels," Morales said, adding that firms need to consider how they are monitoring network activity. "The user population needs to be removed from the trust zone and treated as untrusted outsiders."
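Morales's point about unmonitored logs can be illustrated with a small detector. This is an added example, not code from the article or from NSS Labs: it parses common-format web server access log lines, URL-decodes the request path, and flags requests whose query strings contain SQL syntax fragments, then groups hits by source address so that repeated probing from one host (the "persistent attacks" the indictment describes) stands out. The log lines, addresses and paths are constructed; the patterns are a starting point, not a complete rule set.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log in common log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jul/2013:10:01:02 -0400] "GET /catalog?item=42 HTTP/1.1" 200 1532
10.0.0.9 - - [25/Jul/2013:10:01:07 -0400] "GET /catalog?item=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 91234
10.0.0.9 - - [25/Jul/2013:10:01:09 -0400] "GET /catalog?item=42%20UNION%20SELECT%201%2C2-- HTTP/1.1" 500 0
10.0.0.7 - - [25/Jul/2013:10:02:11 -0400] "POST /login HTTP/1.1" 302 0
"""

# Fields of a common-log-format line: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Illustrative indicators of SQL syntax appearing inside request parameters.
SQLI_PATTERNS = {
    "quote-boolean": re.compile(r"'\s*(OR|AND)\s*'", re.I),   # quote break followed by OR/AND
    "union-select": re.compile(r"\bUNION\b\s+\bSELECT\b", re.I),
    "comment-terminator": re.compile(r"--\s*$|;\s*--"),       # trailing SQL comment
    "numeric-tautology": re.compile(r"\bOR\b\s+\d+\s*=\s*\d+", re.I),
}


def flag_sqli(log_text):
    """Return one record per request whose decoded path matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line; skip
        decoded = unquote_plus(m.group("path"))  # look at what the application saw
        rules = [name for name, pat in SQLI_PATTERNS.items() if pat.search(decoded)]
        if rules:
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "path": decoded,
                "status": int(m.group("status")),
                "rules": rules,
            })
    return hits


def suspicious_sources(hits, threshold=2):
    """Addresses with at least `threshold` flagged requests, sorted for stable output."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = flag_sqli(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["status"], h["rules"], h["path"])
    print("repeat offenders:", suspicious_sources(found))
```

Two details matter in practice: decode before matching, because attackers encode payloads precisely so that naive string searches on the raw line miss them; and look at status and response size alongside the match, since a 200 with an unusually large body on a parameter that normally returns one item is a stronger signal than the pattern alone.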
Two of the men charged Thursday, Kalinin and Drinkman, were previously charged in New Jersey as "Hacker 1" and "Hacker 2" in a 2009 indictment charging Albert Gonzalez as a co-conspirator in the attacks. He is serving a 20-year sentence in federal prison for being behind attacks that bilked more than 170 million credit cards from retailers and financial firms including the breach of Heartland Payment Systems Inc.
PUBLISHED JULY 25, 2013