Friday, August 08, 2008

TJX Update: The Boston Indictments

The Boston indictments are now public and have quite a few more facts for us, and I'm so excited that I've just received the first of the San Diego indictments from their most helpful press officer!

I'm going to run this in two parts. Boston first, and then San Diego.

An incomplete story was painted by the earliest press releases, which led the media to quickly jump on the fact that Gonzalez was a wardriver, and that TJX and the other victim companies had sloppy wireless security. True, but not a complete picture.

We'll start by looking at what else we can learn from the indictments that are now available in Boston.

What's in a name? We'll start with Albert Gonzalez's A/K/A's:

UIN 201679996
UIN 476747

Unfortunately, that genius of blackhat journalism, Kevin Poulsen, has beaten us to the punch with this one in his Wired Blog, but what a great story it is. You'll recall in our previous blog post on this subject, TJX Reminder: We Will Arrest You, and We Will Send You To Jail, we mentioned that Albert Gonzalez was a US Secret Service informant. Now that we know his alias, CumbaJohny, we see that Albert was the snitch for Operation Firewall, the Secret Service case that led to the arrests of 28 members of the ShadowCrew back in October of 2004. CumbaJohny, now re-handled as Segvec, now gets to feel what it's like to be on the receiving end of one of these seizures.

The Violations that Segvec faces are:

18 USC section 371 Conspiracy
18 USC section 1030(a)(5)(A)(i)Damage to Computer Systems
18 USC section 1343 Wire Fraud
18 USC section 1029(a)(3) Access Device Fraud
18 USC section 1029(c)(1)(C), 982(a)(2)(B),981(a)(1)(C) Criminal Forfeiture
28 USC section 2461(c) Criminal Forfeiture

Here's the way the Conspiracy charges stack up. First we have to establish what they conspired to do. The indictment lists "the objects of the conspiracy" this way:

a. Exploit vulnerabilities in wireless computer networks used at retail store locations

b. Exploit vulnerabilities used to manage large business databases

c. Gain unauthorized access to computer networks processing and storing debit and credit card transactions and other valuable data for major corporate retailers.

d. Download and steal from computer networks operated by major corporate retailers over 40 million pieces of card holders' track 2 data - the information found on the magnetic stripes of credit and debit cards, which is read by ATMs and credit card readers - as well as internal accounts and proprietary files

e. Sell stolen track 2 data in Eastern Europe, the United States and elsewhere to others for fraudulent use

f. "Cash out" stolen track 2 data by encoding the data on the magnetic stripes of blank payment cards and using these cards to obtain tens of thousands of dollars at a time from banks' ATMs

g. Conceal and launder the illegal proceeds through anonymous web currencies in the United States and Russia, and offshore bank accounts in Latvia

h. Repatriate portions of the illegal proceeds through web currency converters and ATM cards linked to Eastern European banks.

The Gonzalez indictment tells quite a bit more about how they moved from WarDriving to much greater exploits.

First, Gonzalez, Toey, and Scott went wardriving around Miami, in commercial areas such as the area around U.S. 1, identifying vulnerable wireless networks. They targeted large retailers, "including, but not limited to" BJ's Wholesale Club, DSW, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, and TJX.

After infiltrating their networks, they began locating and stealing sensitive files and data, including credit card numbers.

At this point, they are just punks. This type of break-in is a dime a dozen. But then they took it further. The indictment says they went on to install sniffer programs, monitoring and stealing password and account information as well as track 2 data.

The conspiracy broadened as they had to bring in new associates to help with decrypting the encrypted PINs on their tens of millions of Track 2 reads.

The stolen data was stored on servers in Latvia, the Ukraine, and the United States, and encrypted to prevent access by others. From there, the data was sold in "dumps", cashed out, and the money was redistributed, using webmoney, ATMs, and in some cases even mailing express packages full of cash to drop boxes!

Regarding their technical skills, custom SQL injection attacks were developed to take on particularly desirable web sites. The attacks were mounted against a variety of database-driven web sites to find additional track 2 data, internal accounts, and files of large businesses.

Regarding the level of Gonzalez' conspiracy -- he used sensitive law enforcement information, which he obtained by his "cooperation" with the US Secret Service, to alert his conspirators and make sure they would not be identified and arrested.

Some particular examples illustrate the dates and players:

In 2003, Gonzalez and Scott used wireless access to steal track 2 data at BJ's Wholesale Club.

In 2004, Scott and "J.J." gained unauthorized access to the wireless network of the OfficeMax on 109th Street and US 1 in Miami, locating and downloading encrypted PINs.

Scott and J.J., unable to decrypt the PINs, passed the data to Gonzalez, who located and engaged another co-conspirator who had the necessary decryption abilities.

On July 12 and 18, 2005, Scott accessed TJX's Marshalls department stores in Miami, using the wireless network there to compromise servers at TJX's server farm in Framingham, Massachusetts.

On September 15-16, Scott accessed the Framingham servers and retrieved the data which their sniffers had been collecting.

Beginning on May 14-15, 2006, Scott installed and configured a VPN connection between one of the TJX card transaction servers and a server obtained by Gonzalez.

On May 15, 2006, Gonzalez used ICQ to ask Yastremskiy for help in obtaining an undetectable sniffer program. Beginning on May 15 and lasting through May 20th, they established their new undetectable sniffer.

The new sniffer's data was retrieved on many dates, including October 27 and December 18, 2006.

Beginning in August of 2007, Gonzalez invited Toey to move to Miami. In exchange for cash payments and free rent, Toey began to develop an Internet-based attack on the servers at "Forever 21", with the goal of obtaining financial data.

Prior to moving to Miami, Toey worked as a broker for Gonzalez, finding customers, who would be given login credentials to retrieve the credit cards from one of the many encrypted dump sites around the Internet.

From February to May of 2006, Gonzalez collaborated with Yastremskiy to distribute OfficeMax track 2 data.

On March 13, 2008, Gonzalez used his VPN connection to TJX from a computer in Latvia to store 16 million unique credit and debit card numbers. That same day he stored more than 25 million credit and debit cards on a Ukrainian server as well.

Gonzalez faces forfeiture of $1,650,000 cash, a condo in Miami, a 2006 BMW 330I, some computers, a Glock 27, a "350C Currency Counter" (wow!),

As for the further acts of Gonzalez, and all that he did, are they not written in the Book of the Chronicles of the Criminals of Massachusetts?

Christopher Scott's Indictment is much less sexy from the beginning, mostly because he has no cool hacker aliases at the beginning.

He is charged with most of the same charges, with the exception of Wire Fraud.

His forfeiture included $400,000 in cash, eleven computers, some nice iPods, some nice monitors, and they even took his XBOX and PSPs!

Let this be a warning to you, children. If you hack into TJX, you will lose your XBOX privileges! (Oh, and go to jail for a long time, hopefully!)

As for the further acts of Scott, and all that he did, are they not written in the Book of the Chronicles of the Criminals of Massachusetts?

Damon Patrick Toey faced the same charges as Chris Scott. He also does not get Cool Points for having many AKAs, but let's face it, Damon Toey is a cooler name than Chris Scott.

Toey's "Overt Acts" section focuses on his selling of "dumps" of cards on behalf of Gonzalez and splitting the proceeds, and on his leading role in the SQL injection and other Internet-based attacks used to access corporate databases and systems, including the Forever 21 attack.

I love the actual wording of Count Two, the Access Device Fraud:

In or about October, 2004, in the Eastern District of Virginia and elsewhere, Damon Patrick Toey, knowingly and with intent to defraud, possessed at least 15 unauthorized access devices, to wit: stolen credit and debit card numbers.

Yes, 40,000,000 is "at least" 15.

Based on the forfeiture, it looks like Damon was the Talented but Unimaginative member of the team. He forfeited only $9,500 and a few computers. But they got his XBOX too!

As for the further acts of Toey, and all that he did, are they not written in the Book of the Chronicles of the Criminals of Massachusetts?
