Throughout history, the most successful criminals have been those clever and audacious enough to exploit a previously unknown vulnerability and steal loot in such a way that no one knew it was missing. When cybercriminals accomplish such a feat, their profits can be exponentially larger because they’re dealing in electronically transferred funds and not unwieldy bags of cash.
The five mostly Russian hackers whose indictments were just unsealed took it up a notch, essentially moving from the retail to wholesale theft levels. And by targeting a little-known linchpin of the global financial system—some of the world’s biggest payment processing companies—they are alleged to have accomplished the biggest known data breach ever. The five suspects “conservatively” stole more than 160 million credit card numbers and related personal identification (user names, passwords) that they then sold on the black market, federal prosecutors said. Three of their many alleged corporate victims reported losses of $300 million. But the true extent of the damages, especially to individuals who learned the hard way that someone had looted their ATM accounts and maxed out their credit cards, was “immeasurable,” federal prosecutors said.
“This type of crime is the cutting edge,” said US Attorney Paul J. Fishman, the federal prosecutor for New Jersey, where the case was filed.
Here’s how it worked, according to prosecutors, and why it was so effective to hit these financial middlemen.
In a scam that dated back to 2005, the suspects first targeted retailers, surreptitiously visiting their checkout counters and exploiting vulnerabilities in the payment systems they used. By 2007, they were hacking into the financial systems of Nasdaq, the largest US electronic stock market, and major corporations like 7-Eleven, France’s Carrefour SA, JCPenney and the Hannaford Brothers supermarket chain.