Monday, January 20, 2014

Target Breach considered in light of Drinkman / Gonzalez data breach gang

Everyone is talking about the Target data breach these days, but unfortunately our collective memory is sometimes too short to connect the dots.

Back in August of 2008 this blogger, like so many others, was focused on Albert Gonzalez after the TJX arrests were made. Attorney General Michael Mukasey said that the message from the arrests was that if you do data breaches, We Will Arrest You, and We Will Send You To Jail! We followed up that post with a deeper look at two sets of indictments issued at the same time, TJX Update: The Boston Indictments and TJX Update: The San Diego Indictments. (The San Diego ones included the famous hackers Aleksander Suvorov, AKA JonnyHell from Estonia, and Maksym Yastremskiy, AKA Maksik.) Maksik and JonnyHell were part of the Dave & Buster's Point-of-Sale terminal hacks indicted in May 2008 (23-page Dave & Buster's Indictment against Maksik and JonnyHell).

In the Gonzalez case, it was mentioned that his gang had targeted "at least nine major retail corporations: including the TJX Corporation, whose stores include Marshalls and TJ Maxx; BJ's Wholesale Club; Barnes and Noble; Sports Authority; Boston Market; Office Max; Dave & Buster's restaurants; DSW shoe stores; and Forever 21."

But what is perhaps most important is that when it comes to gangs stealing millions of credit cards, there are no one-man operations, or even ten-man operations. These types of breaches are pulled off by crews. We learned much more about Gonzalez's crew in the recently unsealed documents from the case against Vladimir Drinkman, Aleksandr Kalinin, Roman Kotov, Mikhail Rytikov, and Dmitriy Smilianets. The order to unseal the Drinkman et al. case was only given on December 17, 2013. Several items on the docket remain sealed to this day, but one of special interest, the Second Superseding Indictment, has been unsealed, although several points remain redacted.

Here's what we learn in the Drinkman indictment.

  • Drinkman resided in or near Syktyvkar and Moscow, Russia, and was "a sophisticated hacker, who specialized in penetrating and gaining access to the computer networks of multinational corporations, financial institutions, and payment processors; harvesting data, including, among other things, credit card, debit card, and other customer account information, from within the compromised networks; and exfiltrating that data out of the compromised networks."
  • Kotov resided in or near Moscow, Russia, and "specialized in harvesting data from within the computer networks that Drinkman and Kalinin had penetrated, and exfiltrating that data."
  • Co-conspirators named in the indictment include Albert Gonzalez (segvec), Damon Patrick Toey, and Vladislav Anatolievich Horohorin (BadB).
  • The hacking conspiracy is described as "a prolific hacking organization" "responsible for several of the largest known data breaches" and one that operated "from August 2005 through at least July 2012."
Data breaches that were described as being part of this case include:

  • NASDAQ - (from at least May 2007 - SQL injection led to malware that extracted login credentials from databases)
  • 7-Eleven - (at least August 2007 - SQL injection led to malware that extracted card data from databases)
  • Carrefour S.A. - (2 million credit cards - October 2007 - SQL injection led to malware that extracted card data from databases)
  • JCPenney - (October 2007 - SQL injection led to malware placed on the network that extracted card data from databases)
  • Hannaford Brothers - (4.2 million credit cards - November 2007 - SQL injection led to malware placed on the network that extracted card data from databases)
  • Heartland Payment Systems - (130 million card numbers, estimated losses of $200 million - December 2007 - SQL injection led to malware placed on the network that extracted card data from databases)
  • Wet Seal - (January 2008 - SQL injection led to malware placed on the network that extracted card data from databases)
  • Commidea Ltd. - (30 million credit cards - March-November 2008 - malware was used to extract card data and exfiltrate the data)
  • Dexia Bank Belgium - ($1.7 million loss - February 2008 to February 2009 - SQL injection resulted in malware placed on the network that exfiltrated card data)
  • JetBlue Airways - (January 2008 - February 2011 - malware placed on the network exfiltrated personal data of employees)
  • Dow Jones, Inc. - (2009 - at least 10,000 sets of log-in credentials stolen via malware placed on the network)
  • "Bank A" - (December 2010 to March 2011 - malware placed on the network of an unnamed bank headquartered in Abu Dhabi, United Arab Emirates, used to facilitate theft of card numbers)
  • Euronet - (2 million cards - July 2010 to October 2011 - SQL injection led to malware that extracted login credentials from databases)
  • Visa Jordan Card Services - (800,000 cards - February 2011 to March 2011 - SQL injection led to malware placed on the network that exfiltrated card data)
  • Global Payment Systems - (950,000 cards - $92.7 million in losses - January 2011 to March 2012 - SQL injection led to malware placed on the network that exfiltrated card data)
  • Diners Club International, Singapore - (500,000 Diners credit cards - $312,000 in losses - June 2011 - SQL injection led to malware placed on the network that exfiltrated card data)
  • Ingenicard US, Inc. - ($9 million in 24 hours - March 2012 to December 2012 - SQL injection resulted in malware placed on the network that was used to facilitate ATM withdrawals)
Although it is true that several of the members named above are now in custody, it is also true that several are NOT in custody.

Given what is known about these previous attacks, might it be reasonable to consider that the Target breach may also be related?

Given the similarity in methods used in ALL of the cases above, what "Lessons Learned" might we hope other retailers and large network owners might be observing?

That's the focus of our latest Malcovery White Paper - "Target Hacker Tools Provide Breach Insight". I hope you'll take a chance to review it.

Friday, January 10, 2014

Target Database Breach "Phishing" Email leads to . . .

Several folks that also do security research called and texted and Facebook messaged today asking if we had seen "the New Target Phishing email"? We're normally pretty good folks to ask about that sort of thing, since Malcovery Security has both a Spam Data Mine, which is often a good source for such messages, and our PhishIQ system. I thought if it existed to the point that there was "buzz" about it, I should have hundreds of copies. But I didn't. I had three. Kinda.

Here's what the emails actually looked like.

I'll tell you what it does in just a minute.

By the way, if you find phishing sites and aren't sure what to do with them, we LOVE collecting phish! Use Malcovery's PhishIQ Report Phish page to send us any links!

Target Gift Card Spam

When I ran my search, I found all of the "normal" Target spam. People love to use Target to convince people to give up their personal contact information through the "Impossible to get Gift Card" scam.

We've blogged about Gift Card spam and related malware on several occasions including:

  • Cyber Monday 2010 - when we warned about scams using Victoria's Secret and Olive Garden gift cards. In that scam you have to complete a series of "tasks" in order to earn your gift card, after going through several steps where you think you have "won" something. The final tasks back then were things like "Stay three nights in a Red Horse Inn hotel's luxury suite" or "buy a new car from General Motors!" but LONG before you found out about those tasks, the criminals already had your email, home address, cell phone number, and your agreement to let them share that data with other marketing firms.

  • A Day in the Life of Spam (2009) - in that blog I tried to fully categorize 10,583 spam messages received on October 4, 2009. 28 of the emails were "Giveaway gotchas" -- gift cards, plane tickets, cell phones, laptops that you had "won" if you would just perform some tasks.

  • We also told you about the Member Source Media LLC case where the FTC fined Chris Sommer $200,000 for running his spam scam where he sent email for "Free Products that Weren't Free".

So, today, I wasn't surprised to see spam with subjects and senders like these:

Subject | Sender name | Sender address
Share Your Opinion. Do you Love Target | Shopping Opinion | ShoppingOpinion@ramblerose.info
Share Your Opinion. Do you Love Target | Target Shopping Survey | TargetShoppingSurvey@ramblerose.info
Shopped Target Lately | ShoppingOpinion | ShoppingOpinion@ramblerose.info
Special: Snag a $100 Target Gift Card! | SavingCenterUSA | Sours@frigidfiz.com
Complete the Target Shopping Survey | ShoppingOpinion | ShoppingOpinion@ramblerose.info
Chance to Get a $100 Target Reward! Complete Sponsor Offers | SavingCenterUSA | Bakewell@frigidfiz.com
Back to School Savings - get a $100 Target Gift Card | SavingsCenterUSA | Keels@coldfiz.com

Here's what these usually look like (or at least the more high end ones):

Target Phish? Not really ...!

All of those are normal, everyday occurrences. But these caught my eye!

Subject | Sender name | Sender address
Alert to Target Shoppers - your identity is at risk. | Local Alert | tps0128@yahoo.com

So what happens if you click on the links in the email? Let's find out!

Here's the Fiddler capture of the redirect stream.

Clicking on the link where it says "Has your identity been stolen - CLICK HERE to check the database" or where it says "CHECK TO SEE IF YOUR IDENTITY HAS BEEN STOLEN - CLICK HERE NOW!" takes you through a chain of "automatically redirected" websites:

  • www.mb01.com
  • www.maxbounty.com
  • khvx.secoptim.com
  • rewardzone.surveyblogonlne.com

All of those numbers next to the URLs? Those are the Affiliate Codes and Redirect Codes, so the scammers can make sure to direct you to the correct scam and to make sure the right spammer gets credit for his hard work stealing your time, money, and possibly identity.
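To reproduce what the Fiddler trace shows without a proxy, an analyst can walk the chain one hop at a time with redirects disabled and record which affiliate codes ride along on each Location header. The script below is an added example, not code from the post or from Malcovery; the capture dictionary mimics the hostnames above, but every path, parameter name and value in it is constructed sample data.

```python
# Added example (not from the blog post): walk a redirect chain hop by hop,
# the way the Fiddler trace does, and record each host plus the
# affiliate/tracking parameters carried along. Offline: "fetch" reads a
# constructed capture instead of making HTTP requests.
from urllib.parse import urlsplit, parse_qs, urljoin

# Constructed capture: URL -> (HTTP status, Location header or None).
# Hostnames mirror the chain in the post; paths and parameters are made up.
CAPTURE = {
    "http://www.mb01.com/lnk.asp?o=1111&c=2222&a=3333":
        (302, "http://www.maxbounty.com/lnk.asp?o=1111&c=2222&a=3333"),
    "http://www.maxbounty.com/lnk.asp?o=1111&c=2222&a=3333":
        (302, "http://khvx.secoptim.com/track?aff=3333&sub=2222"),
    "http://khvx.secoptim.com/track?aff=3333&sub=2222":
        (302, "//rewardzone.surveyblogonlne.com/?aff=3333&s1=2222"),
    "http://rewardzone.surveyblogonlne.com/?aff=3333&s1=2222":
        (200, None),
}

# Query keys commonly used by affiliate networks to carry credit (assumed list).
TRACKING_KEYS = {"aff", "affid", "a", "c", "o", "sub", "s1", "s2", "cid", "clickid"}

def fetch(url):
    """Stand-in for an HTTP client with auto-redirect turned off."""
    return CAPTURE.get(url, (404, None))

def walk_chain(start, fetcher=fetch, max_hops=10):
    """Follow Location headers manually; stop on a loop, a dead end or max_hops.
    Returns one record per hop: {"host", "status", "tracking"}."""
    hops, seen, url = [], set(), start
    while url and url not in seen and len(hops) < max_hops:
        seen.add(url)
        status, location = fetcher(url)
        parts = urlsplit(url)
        params = parse_qs(parts.query)
        tracking = {k: v[0] for k, v in params.items() if k in TRACKING_KEYS}
        hops.append({"host": parts.netloc, "status": status, "tracking": tracking})
        # Location may be relative or scheme-relative: resolve against the current URL.
        url = urljoin(url, location) if location else None
    return hops

def affiliate_ids(hops):
    """Distinct affiliate/tracking values that survive across the whole chain."""
    return {v for h in hops for v in h["tracking"].values()}

if __name__ == "__main__":
    for i, hop in enumerate(walk_chain(next(iter(CAPTURE)))):
        print(f"{i}: {hop['host']} {hop['status']} {hop['tracking']}")
```

Seeing the same value (here 2222 and 3333) re-labelled from hop to hop is the hand-off that keeps the right spammer paid, and it is the field to pivot on when grouping many such emails.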

and then your "Political Opinion Survey" starts up . . .

The Fine Print

Before we go win our $1000 Shopping Voucher, make sure to read the fine print on that one . . .

rewardzone.surveyblogonlne.com is not sponsored by or affiliated with This Website. This Website has not authored, participated in, or in any way reviewed this advertisement or authorized it. The trial products offered on the last page pay this website for leads generated. *Free trial offers may require shipping and handling. See manufacturer's site for details as terms vary with offers.

You'll also want to pay special attention to

How Do We Use The Personal Information?

We may use the Personal Information for any legally permissible purpose in our sole discretion.

Ad Serving Companies

We may use third party ad networks or ad serving companies to serve advertisements on our websites. We may pass the Personal Information about you to these companies so that they can deliver targeted advertisements that they believe will be of interest to you. The information passed to these companies may include, but is not limited to, your IP address, e-mail address, name, mailing address, telephone number, date of birth, gender, and any other information you provide to us. Web pages that are served by these companies will be subject to their own applicable privacy policies, if any.

Marketing Partners

We may share, license or sell your Personal Information to third parties for various marketing purposes, including their online (e.g., e-mail marketing) and offline (e.g., telemarketing, cell phone text messaging, skip tracing, and direct mail) marketing programs.

That's just part of it, there are many additional things they can do with your data!

Back to the Survey

There was a third question, but you get the idea. I finish question 3, it congratulates me and then sends me to get my reward! Wait? Where is the Target Gift Card? Well, I guess $1,000 shopping voucher at Sears/JCPenney/Kohl's/Macy's will have to do for now. Oh! And there is only ONE remaining! I better snag that!

From our Fiddler trace, you can see that we've just been handed off from one affiliate marketing program to another. We are leaving the "rewardzone" system and heading to the "shopping-sweepstakes.com" system, with "t.afftrackr.com" making sure that everyone is going to get paid for their participation in scamming us.

So, here we go ... we said we wanted the $1,000 Sears/Macy's/Kohl's/JCPenney card, so we choose one and start our NEXT survey

After it "calculated my eligibility" it asked me for my email address. I accidentally hit "Back" then and now it is begging me not to go!

Oh goodie! More prizes! Hey? Wasn't I supposed to be getting $1,000 from JCPenney? I just got a big pay cut for all my hard work here. But that's cool, I shop at WalMart too. I'll take the $150 Walmart card, I guess . . . Oh. Actually, our Fiddler tells us that we've swapped systems again... We're now at www.marktflow.com.

But wait! We ALWAYS read the fine print!

Got that? You must complete 2 silver, 2 gold, and 8 platinum offers ... WITHIN ONE CALENDAR DAY! So, it's 6:00 PM for me now, so I have 6 hours to do all the offers, or I get NOTHING.

In case the website goes down later, here's a local copy of some of the "example offers" that you have to finish TODAY!

OK? Let the Privacy Rape Begin!

Here comes the personal information extract . . . first, we're going to need a PHONE NUMBER, EMAIL, BIRTHDATE, and GENDER. Why? Because $150 Walmart Gift Card, that's why!

OK, you get the point. . . I have 13 more questions to go . . . see the Progress Bar? We are SO CLOSE to getting our gift card! Let's skip through the rest of the questions for now, but ask yourself, "what is likely to happen now that I've told these people that I have a house, a car, I'm planning to move, I like to go on vacation, I have a pet, an active checking account, and at least $15,000 in debt, as well as the next 13 questions . . ."

  • Are you currently employed full time?
  • Are you interested in continuing your education?
  • Do you have health insurance?
  • Do you ever pay out of pocket for prescription drugs?
  • Do you smoke?
  • Does anyone at your home suffer from Asthma?
  • Back Pain?
  • Diabetes?
  • Joint Pain?
  • Sleep Apnea?
  • Anxiety or Depression?
  • Have you had a colonoscopy?
Remember. This guy has your email address and your telephone number. Whew! At least our 20 questions are done, right?

And then we start getting all the pop-up offers!

Wait! My home address? My birthday? Oh yeah, I forgot...they have to ship me my Gift Card, so of COURSE they need my home address! Duh!

Just in case though, it might be worth noting in Fiddler that we are no longer talking to MarktFlow. Through T.AffTrackr.com (passing along the credit so the right scammers keep getting paid) we are now seeing offers from "www.offersfromqh.com" associated with "www.qualityhealth.com".

FINALLY! All I have to do is confirm my Email Address (I gave them a valid email: privacyrape@gmail.com wonder if it will start getting spam?) and now I will have my card! It says right there this is the Last Step, right?

Not quite. "YOU MUST INSTALL TO CONTINUE?" What am I installing?

My favorite part there, see the part where it says "I want to earn points for searching the web?" Make ShopAtHome.com my Default Search Provider. Make ShopAtHome.com my Default New Tab. (So, every time your browser opens a new tab, you reload the ShopAtHome.com website. How convenient!)

NOW, all I have to do is complete those 2 Silver, 2 Gold and 8 Platinum offers!

So, I have to EITHER buy a set of Santoku Cooking Knives, (which I can return and keep one $100 knife for FREE!) or sign up for CreditReport.com. I already have a Credit Report service, so I guess I'll buy the knives. That's one down!

Now I can either get Vitamins (don't believe in them), Dr. Seuss Book Club (don't have kids at home), Amora Coffee (I drink Starbucks and already have a local roaster's coffee delivered to the house), a Hunting Knife (I don't hunt), Disney Movie Club (no kids at home), or M-Go Movie Rentals (I already have NetFlix AND Hulu). Hmmm. $150 Walmart Gift Card though ... Shoot. I guess I'll buy some Dr. Seuss books for my nieces.

Wait ... The Gold Offers are mostly the Silver offers I didn't want! And I have to buy TWO of them! I can choose from M-Go movie rentals, a Non-stick ceramic skillet (only $79.95), Dr. Seuss book club sign-up, Disney Movie Club sign up, Sedona Beauty products sign up, or Amora Coffee sign up. Well, I don't have kids at home, and already have NetFlix, I'm already beautiful, and I already have coffee delivered to the house, so I guess I go for the Ceramic Skillet. Cool! It comes with free scissors! ($79.95 plus shipping) and . . . shoot I guess you can never have too much coffee!

Wait. I have to do EIGHT Platinum Offers?? Hmmm... I already bought the knives as my Silver, so I guess I buy the MuscleXLerator, because $150 Walmart Gift Card, and . . .

Oh heck. I'll take the Free Hunting Knife, Sign up from Freester.com, Get ProtectMyID by Experian (don't you wonder if these companies know so many of their referrals are from criminals? I wonder if they care?) Pimsleur Language Learning, because my Rosetta Stone has been on my shelf for two full years and I still can't speak Mandarin, (speaking of heavily spam-advertised products! Pimsleur! Shame on you!) How many is that . . . Shoot. I still need three more.

Well? I guess I'll get ActionProWhite teeth Whitener so I can have that inhuman glow in the dark smile, Join the Disney Movie Club (I can cancel at any time) and well, I do have a lot of wrinkles around my eyes, but that's because I smile so much. Come on Sedona Beauty Secrets!

NOW THAT, Ladies and Gentlemen, is How you get a Free $1000 Target Gift Card, except they actually plan to give me a $150 WalMart gift card instead . . . *IF* I complete 2 Silver, 2 Gold, and 8 Platinum tasks.

$1000 Target Gift Card? Tell the Spammers No Thank You!