August 31, 2013

Russian hacker pleads not guilty


Dmitriy Smilianets, 29, accused hacker.
 
In August 2013, Dmitriy Smilianets pleaded not guilty in federal court to charges of computer hacking conspiracy, wire fraud, and conspiracy to commit wire fraud. Mr. Smilianets is one of five men US federal authorities indicted for allegedly taking part in some of the biggest cybercrimes of the past decade, including the theft of more than 160 million credit card numbers from 17 major US retailers, banks and card processors. (2013, Krebs) He is part of a team of hackers from Russia and Ukraine. (2013, Jones & Menn)

According to prosecutors, the losses for only three of the targeted retailers were at least $300 million. Smilianets and his Russian hacker group's cyberattacks occurred from 2005 to 2012. Unfortunately, he is the only one currently in custody facing prosecution.  If convicted of these crimes, he could possibly spend the next 65 years in prison. (2013, Kerr)

"Prosecutors said Smilianets trafficked in personal identifying information such as user names and passwords, means of identification, credit- and debit-card numbers, and personal ID information on cardholders. He sold that information...to resellers..." (Voreacos, 2013) Typically, resellers would pay between $10 and $50 apiece for credit card information, which included PIN codes and magnetic stripe data. They turn this information into cloned cards that they use at automated teller machines or retailers. (2013, Krebs)
 
"The resellers in turn sold the information to others who encoded it onto magnetic strips on blank plastic cards that were used to make unauthorized withdrawals from automated teller machines or to buy goods..."

Hackers exploited system vulnerabilities.

Krebs on Security reports the hackers "broke into their targets using SQL injection attacks, which take advantage of weak server configurations to inject malicious code into the database behind the public-facing Web server. Once inside, the attackers can upload software and siphon data." (2013, Krebs) 
 
Over 160 million cards stolen.

According to the federal indictment, high-profile heists tied to this group include:
Hannaford Brothers Co: 2007, 4.2 million card numbers
Carrefour S.A.: 2007, 2 million card numbers
Commidea Ltd.: 2008, 30 million card numbers
Euronet: 2010, 2 million card numbers
Visa, Inc.: 2011, 800,000 card numbers
Discover Financial Services: 500,000 Diners card numbers
 
It's nice to see somebody actually get caught and face justice for their cybercrimes.
 
The case is U.S. v. Smilianets, 12-mj-03043, U.S. District Court, District of New Jersey (Newark). The indictment is available here.

References
Jones, D. and Menn, J. (2013 August 12). Russian pleads not guilty in biggest U.S. hacking case. Reuters. Retrieved from http://www.reuters.com/article/2013/08/13/us-usa-hackers-plea-idUSBRE97C00F20130813?feedType=RSS&feedName=technologyNews 
Kerr, D. (2013 August 12). Hacker pleads not guilty to stealing 160M credit cards. CNET. Retrieved from http://news.cnet.com/8301-1009_3-57598232-83/hacker-pleads-not-guilty-to-stealing-160m-credit-cards/ 
 
Krebs, B. (2013 July 25). Hacker ring stole 160 million credit cards. Krebs on Security. Retrieved from http://krebsonsecurity.com/2013/07/hacker-ring-stole-160-million-credit-cards/#more-21899.
  
Voreacos, D. (2013 August 12). Russian black-market data defendant pleads not guilty. Bloomberg. Retrieved from http://www.bloomberg.com/news/2013-08-12/russian-black-market-data-defendant-pleads-not-guilty.html