08 Thursday

Identity theft of more than 40 million credit/debit card numbers.

The U.S. Attorney and Secret Service claim an international crime syndicate was behind the identity theft of more than 40 million credit and debit card numbers from TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. The Department of Justice and Secret Service allege that the hackers used wardriving to hack networks and sniffer programs to capture card numbers and customer data.

In what is believed to be the largest hacking and identity theft case ever prosecuted, the Department of Justice said Aug. 5 it has indicted 11 people for the theft and sale of more than 40 million credit and debit card numbers.

According to the DOJ, the card numbers were obtained by "wardriving" and hacking into the wireless computer networks of major retailers including TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. Wardriving involves locating Wi-Fi networks from a moving vehicle with a laptop or PDA.

Once inside the networks, the DOJ said, the hackers installed "sniffer" programs that would capture card numbers, as well as password and account information, as they moved through the retailers' credit and debit processing networks. After the thieves collected the data, they concealed it in encrypted computer servers that they controlled in Eastern Europe and the United States.

The DOJ indictment claims the hackers sold some of the credit and debit card numbers over the Internet to other criminals in the United States and Eastern Europe. The stolen numbers were "cashed out" by encoding card numbers on the magnetic strips of blank cards. The thieves then used these cards to withdraw tens of thousands of dollars at a time from ATMs.

"So far as we know, this is the single largest and most complex identity theft case ever charged in this country," Attorney General Michael Mukasey said at a Boston news conference. "It highlights the efforts of the Justice Department to fight this pernicious crime and shows that, with the cooperation of our law enforcement partners around the world, we can identify, charge and apprehend even the most sophisticated international computer hackers."

In an indictment returned on Aug. 5 by a federal grand jury in Boston, Albert "Segvec" Gonzalez, of Miami, was charged with computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy for a role in the scheme. Gonzalez was previously arrested by the Secret Service in 2003 for access device fraud.

During the course of the current investigation, the Secret Service discovered that Gonzalez, who was working as a confidential informant for the agency, was criminally involved in the case. The DOJ said because of the size and scope of his criminal activity, Gonzalez faces a maximum penalty of life in prison if he is convicted of all the charges alleged in the Boston indictment.

Criminal indictments were also released in Boston on related charges against Christopher Scott and Damon Patrick Toey, both of Miami. In addition, indictments were unsealed in San Diego against alleged scheme participants Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine, and Aleksandr "Jonny Hell" Suvorov, of Sillamae, Estonia.


The San Diego grand jury also indicted Hung-Ming Chiu and Zhi Zhi Wang, both of the People's Republic of China, and a person known only by the online nickname "Delpiero."

The indictments charge the defendants with crimes related to the sale of credit card data that Gonzalez and others illegally obtained, as well as additional stolen credit card data. Suvorov is charged with conspiracy to possess unauthorized access devices, possession of unauthorized access devices, trafficking in unauthorized access devices, identity theft, aggravated identity theft, and aiding and abetting.

Yastremskiy faces charges of trafficking in unauthorized access devices, identity theft, aggravated identity theft and conspiracy to launder monetary instruments. The indictment also contains a forfeiture allegation. Chiu, Wang and Delpiero are charged with conspiracy to possess unauthorized access devices, trafficking in unauthorized access devices, trafficking in counterfeit access devices, possession of unauthorized access devices, aggravated identity theft, and aiding and abetting. All are believed to be foreign nationals residing outside of the United States.

In May, Gonzalez, Suvorov and Yastremskiy were charged in a related indictment in the Eastern District of New York. The New York charges allege that the trio was engaged in a scheme to hack into computer networks run by the Dave & Buster's restaurant chain. According to the indictment, they stole credit and debit card numbers from at least 11 locations.

The New York indictment claims the defendants gained unauthorized access to the cash register terminals and installed at each restaurant a packet sniffer. The packet sniffer was configured to capture credit and debit card numbers as the information was processed by the restaurants. At one Dave & Buster's location, the packet sniffer captured data for approximately 5,000 credit and debit cards, eventually causing losses of at least $600,000 to the financial institutions that issued the credit and debit cards.

Gonzalez is currently in pretrial confinement on the New York charges. Based upon the San Diego charges, Turkish officials arrested Yastremskiy in July 2007 in Turkey when he traveled there on vacation. He has been in confinement since then in Turkey, pending the resolution of related Turkish charges, and the United States has made a formal request for his extradition.

Suvorov was apprehended by the German Federal Police in Frankfurt in March on the San Diego charges when he traveled there on vacation. He is currently in confinement pending the resolution of extradition proceedings.

"While technology has made our lives much easier, it has also created new vulnerabilities. This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results," U.S. Attorney Michael J. Sullivan said. "Consumers, companies and governments from around the world must further develop ways to protect our sensitive personal and business information and detect those, whether here or abroad, that conspire to exploit technology for criminal gain."

10 Tuesday

M86 Security Reveals How Zeus Trojan Targets U.K. Bankers

Researchers at M86 Security have uncovered yet another botnet built on the Zeus Trojan that is swiping bank information from people in the United Kingdom.

The attack is still ongoing, and is known to have stolen £675,000 (nearly $1.1 million) from customers between July 5 and Aug. 4. According to M86, the crew behind the scheme is using a combination of exploit toolkits and the Zeus v3 Trojan, and is responsible for stealing data from roughly 3,000 user accounts.

“While analyzing [information on malicious sites] we found patterns of U.K.-centric legitimate Websites that were infected with malware,” said Bradley Anstis, vice president of technical strategy for M86. “We purposely infected ourselves with this malware; the infected machine then started communicating back with its command and control servers. This is how we zeroed in on this particular attack. The data was found on the command and control infrastructure operated by the attackers.”

In addition to Zeus, the attackers are using the Eleonore and Phoenix exploit kits, both of which are known for exploiting victims' browsers to install Trojans onto their PCs. The process often started with malicious banner ads placed on legitimate Websites. Users who clicked on the ads would be directed to an infected Website containing the exploit kits. The user would then be redirected to the exploit kit, and their PC would become infected, the researchers found.

With Zeus v3 on the victim's PC, when the victim logged into their online bank account, their login ID, date of birth and a security number would be transferred to the command and control server. Once the user entered the transaction portion of the site, the Trojan would report to the C&C and receive new JavaScript to replace the original JavaScript from the bank. When the user submitted the transaction form, more data was sent to the C&C system instead of the bank.

“After analyzing the data, the system determined whether the user had enough money in the account,” according to the report. “It selected the most appropriate mule account to retrieve the money, wrapped all the data, and sent it back to the Trojan installed on the victim’s machine.”

Afterwards the Trojan would update the data in the form and send it to the bank to complete the transaction, with the bank’s response reported back to the C&C system by the malware.

This is far from the first time Zeus has been linked to theft of bank information. Last week, researchers at Trusteer reported finding a 100,000-strong botnet built on Zeus v2 that was targeting bankers in the U.K. as well. In that case, the malware pilfered all kinds of user data, including credit and debit card information and browser cookies.

According to Anstis, the botnet uncovered by M86 was only targeting customers of one institution, and the company is sharing its findings with law enforcement.

“The only link we have is the location of the command and control servers in Eastern Europe, but the actual operators could be anywhere,” he said.