http://www.theregister.co.uk/2008/05/13/trio_accused_in_carding_scam/
By Dan Goodin in San Francisco
The Register
13th May 2008
Three men - one of them suspected of playing a role in the heist of 45.6
million credit cards from retailer TJX Companies - have been accused of
hacking into cash register terminals belonging to a restaurant chain and
installing software that sniffed credit card numbers.
According to a 27-count indictment unsealed Monday, the scheme was
carried out in part by Maksym Yastremskiy. In July, the Ukrainian was
arrested in a Turkish resort town for allegedly selling large quantities
of credit card numbers, many of which were siphoned out of TJX's rather
porous network. He remains incarcerated in Turkey, where an application
for extradition to the US is pending. Yastremskiy also went by the name
Maksik.
The indictment also names Aleksandr Suvorov, aka JonnyHell, of Estonia,
and a separate complaint names Albert Gonzales, who also went by the
moniker Segvec. Together, they are accused of installing packet sniffers
at 11 restaurants belonging to Dave & Buster's. The sniffers captured
track 2 credit card data as it passed from the restaurants'
point-of-sale terminals to servers at the chain's central headquarters.
Suvorov was arrested in March by German officials while visiting that
country, and an extradition request is also pending. Gonzalez was
arrested this month by Secret Service agents in Miami.
One packet sniffer alone netted data for about 5,000 customers who
visited a Dave & Buster's in Islandia, New York, causing losses of at
least $600,000 to the banks that issued the cards, according to the
indictment.
The scheme was not without its hitches. While the defendants
successfully penetrated a terminal at an Arundel, Maryland, location in
April 2007, their packet sniffer malfunctioned, so they were unable to
gain access to any credit card data. Later versions of their program
successfully logged the information, but a bug caused the software to be
deactivated each time the point-of-sale servers were rebooted. That
required the defendants to regularly log in to the machines.
The men managed to install the packet sniffers remotely by socially
engineering individuals, according to the indictment, which didn't
elaborate. Once in possession of the data, the defendants sold it to
others who used it to make fraudulent credit card purchases.
Attempts to reach the three men for comment were not successful.
_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com
Comments