Four Russian nationals and a Ukrainian have been charged with breaking into US financial networks and stealing more than 160 million credit card numbers and more than $300 million.
According to the US Department of Justice statement, they broke into more than a dozen major American and international companies between 2005 and 2012, and ran a scheme to steal information from the cards. The men were named as Russians Vladimir Drinkman and Alexandr Kalinin who allegedly specialised in penetrating network security and gaining access to the corporate victims' systems. Russian Roman Kotov allegedly specialised in mining the networks that Drinkman and Kalinin compromised to steal valuable data.
Russian Dmitriy Smilianets allegedly sold the information stolen by the other conspirators and distributed the proceeds of the scheme to the participants. Finally the activities were cloaked by using anonymous web-hosting services provided by Ukrainian Mikhail Rytikov.
The US Department of Justice also said that Kalinin and Drinkman were previously charged in New Jersey as “Hacker 1” and “Hacker 2” in a 2009 indictment charging Albert Gonzalez in connection with five corporate data breaches, including the breach of Heartland Payment Systems Inc. He is currently serving 20 years in federal prison for those offenses.
The access was achieved due to using SQL Injection vulnerabilities and malware to create a backdoor on to the network. The statement claimed that the victim companies were targeted for many months, waiting patiently as their efforts to bypass security were underway.
After acquiring the card numbers and associated data, the conspirators allegedly sold it to resellers around the world who then charged approximately $10 (£6) for each stolen American credit card number and associated data; approximately $50 (£32) for each European credit card number and associated data; and approximately $15 (£9) for each Canadian credit card number and associated data.
To protect against detection by the victim companies, the defendants allegedly altered the settings on the victim company networks to disable security mechanisms from logging their actions. The defendants also worked to evade existing protections by security software.
If convicted, the maximum penalties for the charged counts are: five years in prison for conspiracy to gain unauthorised access to computers; 30 years in prison for conspiracy to commit wire fraud; five years in prison for unauthorised access to computers; and 30 years in prison for wire fraud.
US Attorney Fishman, said: “Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy and our national security.
“And this case shows, there is a real practical cost because these types of frauds increase the costs of doing business for every American consumer, every day. We cannot be too vigilant and we cannot be too careful.”
Acting assistant attorney General Raman, said: “The defendants charged today were allegedly responsible for spearheading a worldwide hacking conspiracy that victimised a wide array of consumers and entities, causing hundreds of millions of dollars in losses.
“Despite substantial efforts by the defendants to conceal their alleged crimes, the department and its law enforcement counterparts have cracked this extensive scheme and are seeking justice for its many victims. Today's indictment will no doubt serve as a serious warning to those who would utilise illegal and fraudulent means to steal sensitive information online.”