
Thursday, September 17, 2015

HACKER ADMITS TO ROLE IN $300 MILLION+ ATTACKS ON CORPORATE NETWORKS

FROM:  U.S. JUSTICE DEPARTMENT 
Tuesday, September 15, 2015
Russian National Admits Role in Largest Known Data Breach Conspiracy Ever Prosecuted
Hackers Targeted Major Payment Processors, Retailers and Financial Institutions Around the World

A Russian national today admitted his role in a worldwide hacking and data breach scheme that targeted major corporate networks, compromised more than 160 million credit card numbers and resulted in hundreds of millions of dollars in losses –  the largest such scheme ever prosecuted in the United States.

Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, U.S. Attorney Paul J. Fishman of the District of New Jersey and Director Joseph P. Clancy of the U.S. Secret Service made the announcement.

Vladimir Drinkman, 34, of Syktyvkar, Russia, and Moscow, pleaded guilty before Chief U.S. District Judge Jerome B. Simandle of the District of New Jersey to one count of conspiracy to commit unauthorized access of protected computers and one count of conspiracy to commit wire fraud.  Drinkman was arrested in the Netherlands on June 28, 2012, and was extradited to the District of New Jersey on Feb. 17, 2015.  Sentencing is scheduled for Jan. 15, 2016.

“This hacking ring’s widespread attacks on American companies caused serious harm and more than $300 million in losses to people and businesses in the United States,” said Assistant Attorney General Caldwell.  “As demonstrated by today’s conviction, our close cooperation with our international partners makes it more likely every day that we will find and bring to justice cyber criminals who attack America – wherever in the world they may be.  As law enforcement around the world responds to the cyber threat that affects us all, I am confident that this type of international cooperation that led to this result will be the new normal.”

“Defendants like Vladimir Drinkman, who have the skills to break into our computer networks and the inclination to do so, pose a cutting edge threat to our economic well-being, our privacy and our national security,” said U.S. Attorney Fishman.  “The crimes to which he admitted his guilt have a real, practical cost to our privacy and our pocketbooks.  Today’s guilty plea is a tribute to the skill and perseverance of the agents and prosecutors who brought him to justice.”

“This cyber case highlights the effectiveness of global law enforcement partnerships in the detection and dismantling of criminal enterprises targeting U.S. citizens,” said Director Clancy.  “The support of U.S. Attorney’s offices and the resulting plea enhances the Secret Service’s commitment to vigorously pursue transnational threats to the U.S. financial infrastructure.”

According to documents filed in this case and statements made in court, Drinkman and four co-defendants allegedly hacked into the networks of corporate victims engaged in financial transactions, retailers that received and transmitted financial data and other institutions with information that the conspirators could exploit for profit, including the computer networks of NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.

According to the indictment in this case and statements made in court, the five defendants each played specific roles in the scheme.  Drinkman and Alexandr Kalinin, 28, of St. Petersburg, Russia, allegedly specialized in penetrating network security and gaining access to the corporate victims’ systems.  Drinkman and Roman Kotov, 34, of Moscow, allegedly specialized in mining the networks to steal valuable data.  The hackers hid their activities using anonymous web-hosting services allegedly provided by Mikhail Rytikov, 28, of Odessa, Ukraine.  Dmitriy Smilianets, 32, of Moscow, allegedly sold the information stolen by the other conspirators and distributed the proceeds of the scheme to the participants.

Drinkman and Kalinin were previously charged in New Jersey as “Hacker 1” and “Hacker 2” in a 2009 indictment charging Albert Gonzalez, 34, of Miami, in connection with five corporate data breaches, including the breach of Heartland Payment Systems Inc., which at the time was the largest ever reported.  Gonzalez is currently serving 20 years in federal prison for those offenses.  Kalinin is also charged in two federal indictments in the Southern District of New York: the first charges Kalinin in connection with hacking certain computer servers used by NASDAQ and the second charges him and another Russian hacker, Nikolay Nasenkov, with an international scheme to steal bank account information from U.S.-based financial institutions.  Rytikov was previously charged in the Eastern District of Virginia in an unrelated scheme.

Drinkman and Smilianets were arrested at the request of the United States while traveling in the Netherlands on June 28, 2012.  Smilianets was extradited on Sept. 7, 2012, and remains in federal custody.  Kalinin, Kotov and Rytikov remain at large.

The Attacks

According to documents filed in this case and statements made in court, the five defendants penetrated the computer networks of several of the corporate victims and stole user names and passwords, means of identification, credit and debit card numbers and other corresponding personal identification information of cardholders.  The conspirators allegedly acquired more than 160 million card numbers through hacking.

The initial entry was often gained using a “SQL injection attack.”  SQL, or Structured Query Language, is a type of programming language designed to manage data held in particular types of databases; the hackers allegedly identified vulnerabilities in SQL databases and used those vulnerabilities to infiltrate a computer network.  Once the network was infiltrated, the defendants allegedly placed malicious code (malware) in the system.  This malware created a “back door,” leaving the system vulnerable and helping the defendants maintain access to the network.  In some cases, the defendants lost access to the system due to companies’ security efforts, but were allegedly able to regain access through persistent attacks.

Instant message chats obtained by law enforcement revealed that the defendants allegedly targeted the victim companies for many months, waiting patiently as their efforts to bypass security were underway, sometimes leaving malware implanted in multiple companies’ servers for more than a year.

The defendants allegedly used their access to the networks to install “sniffers,” which were programs designed to identify, collect and steal data from the victims’ computer networks.  The defendants then allegedly used an array of computers located around the world to store the stolen data and ultimately sell it to others.

Selling the Data

According to documents filed in this case and statements made in court, after acquiring the card numbers and associated data – which they referred to as “dumps” – the conspirators sold it to resellers around the world.  The buyers then sold the dumps through online forums or directly to individuals and organizations.  Smilianets was allegedly in charge of sales, selling the data only to trusted identity theft wholesalers.  He allegedly charged approximately $10 for each stolen American credit card number and associated data, approximately $50 for each European credit card number and associated data and approximately $15 for each Canadian credit card number and associated data – offering discounted pricing to bulk and repeat customers.  Ultimately, the end users encoded each dump onto the magnetic strip of a blank plastic card and cashed out the value of the dump by withdrawing money from ATMs or making purchases with the cards.

Covering Their Tracks

According to documents filed in this case and statements made in court, the defendants allegedly used a number of methods to conceal the scheme.  Unlike traditional Internet service providers, Rytikov allegedly allowed his clients to hack with the knowledge he would never keep records of their online activities or share information with law enforcement.

Over the course of the conspiracy, the defendants allegedly communicated through private and encrypted communications channels to avoid detection.  Fearing law enforcement would intercept even those communications, some of the conspirators allegedly attempted to meet in person.

To protect against detection by the victim companies, the defendants allegedly altered the settings on victim company networks to disable security mechanisms from logging their actions.  The defendants also allegedly worked to evade existing protections by security software.

As a result of the scheme, financial institutions, credit card companies and consumers suffered hundreds of millions of dollars in losses – including more than $300 million in losses reported by just three of the corporate victims – and immeasurable losses to the identity theft victims in costs associated with stolen identities and false charges.

The charges and allegations contained in indictments are merely accusations and the defendants are presumed innocent unless and until proven guilty.

The case is being investigated by the U.S. Secret Service’s Criminal Investigations Division and Newark, New Jersey, Division.  The case is being prosecuted by Trial Attorney Richard Green of the Criminal Division’s Computer Crime and Intellectual Property Section, Chief Gurbir S. Grewal of the District of New Jersey’s Economic Crimes Unit and Assistant U.S. Attorney Andrew S. Pak of the District of New Jersey.  The Criminal Division’s Office of International Affairs, public prosecutors with the Dutch Ministry of Security and Justice and the National High Tech Crime Unit of the Dutch National Police also provided valuable assistance.

Tuesday, August 25, 2015

FORMER U.S. LONDON EMBASSY-STAFF MEMBER CHARGED FOR ALLEGED HACKING, CYBERSTALKING

FROM:  U.S. JUSTICE DEPARTMENT 
Wednesday, August 19, 2015
Former U.S. Government Employee Charged in Computer Hacking and Cyber Stalking Scheme

A former locally-employed staff member of the U.S. Embassy in London was charged with engaging in a hacking and cyberstalking scheme in which, using stolen passwords, he obtained sexually explicit photographs and other personal information from victims’ email and social media accounts, and threatened to share the photographs and personal information unless the victims ceded to certain demands.

Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, U.S. Attorney John A. Horn of the Northern District of Georgia, Director Bill A. Miller of the U.S. Department of State’s Diplomatic Security Service and Special Agent in Charge J. Britt Johnson of the FBI’s Atlanta Division made the announcement.

Michael C. Ford, 36, was charged by indictment on Aug. 18, 2015, with nine counts of cyberstalking, seven counts of computer hacking to extort and one count of wire fraud.

“According to the indictment, Ford hacked into email accounts and extorted sexually explicit images from scores of victims,” said Assistant Attorney General Caldwell.  “As these allegations highlight, predators use the Internet to target innocent victims.  With the help of victims and our law enforcement partners, we will find those predators and hold them accountable.”

“Ford is alleged to have hacked into hundreds of email accounts and tormented women across the country, by threatening to humiliate them unless they provided him with sexually explicit photos and videos,” said U.S. Attorney John Horn.  “This sadistic conduct is all the more disturbing as Ford is alleged to have used the U.S. Embassy in London as a base for his cyberstalking campaign.”

“The Diplomatic Security Service is firmly committed to working with the Department of Justice and our other law enforcement partners to investigate allegations of crime and to bring those who commit these crimes to justice,” said Director Miller.  “When a public servant in a position of trust is alleged to have committed a federal felony such as cybercrime, we vigorously investigate such claims.”

“While the allegations in this case are disturbing, it does illustrate the willingness and commitment of the FBI and its federal partners to aggressively follow those allegations wherever they take us,” said Special Agent in Charge Johnson.  “The FBI will continue to provide significant resources and assets as we address complex cyber based investigations as seen here.”

According to allegations in the indictment, from January 2013 through May 2015, Ford, using various aliases that included “David Anderson” and “John Parsons,” engaged in a computer hacking and “sextortion” campaign to force numerous women to provide him with personal information and sexually explicit photographs and videos.  To do so, Ford allegedly posed as a member of the fictitious “account deletion team” for a well-known email service provider and sent notices to thousands of potential victims, including members of college sororities, warning them that their accounts would be deleted if they did not provide their passwords.

Using the passwords collected from this phishing scheme, Ford allegedly hacked into hundreds of email and social media accounts, stole sexually explicit photographs and personal identifying information (PII), and saved both the photographs and PII to his personal repository.

Ford then allegedly emailed the victims and threatened to release the photographs, which were attached to the emails, unless they obtained videos of “sexy girls” undressing in changing rooms at pools, gyms and clothing stores, and then sent the videos to him.

The indictment alleges that, when the victims either refused to comply or begged Ford to leave them alone, Ford responded with additional threats, including by reminding the victims that he knew where they lived.  On several occasions, Ford allegedly followed through with his threats by sending sexually explicit photographs to victims’ family members and friends.

During the pendency of the alleged scheme, Ford was a civilian employee at the U.S. Embassy in London, England.  He allegedly used his government-issued computer at the U.S. Embassy to conduct the phishing, hacking and cyberstalking activities.

The charges and allegations contained in an indictment are merely accusations.  The defendant is presumed innocent unless and until proven guilty.

The case is being investigated by the U.S. Department of State’s Diplomatic Security Service and the FBI.  The Criminal Division’s Office of International Affairs and the U.S. Embassy in London provided assistance.  The case is being prosecuted by Senior Trial Attorney Mona Sedky of the Criminal Division’s Computer Crime and Intellectual Property Section, Trial Attorney Jamie Perry of the Criminal Division’s Human Rights and Special Prosecutions Section and Assistant U.S. Attorney Kamal Ghali of the Northern District of Georgia.

Wednesday, July 15, 2015

VIETNAMESE NATIONAL SENT TO PRISON FOR ROLE IN INTERNATIONAL HACKING AND IDENTITY THEFT SCHEME

FROM:  U.S. JUSTICE DEPARTMENT 
Tuesday, July 14, 2015
Vietnamese National Sentenced to 13 Years in Prison for Operating a Massive International Hacking and Identity Theft Scheme

A Vietnamese national was sentenced to 13 years in prison for hacking into U.S. businesses’ computers, stealing personally identifiable information (PII), and selling to other cybercriminals his fraudulently-obtained access to PII belonging to approximately 200 million U.S. citizens.

Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, Acting U.S. Attorney Donald Feith of the District of New Hampshire and Director Joseph P. Clancy of the U.S. Secret Service made the announcement.

Hieu Minh Ngo, 25, was sentenced today by U.S. District Court Judge Paul J. Barbadoro of the District of New Hampshire.  Ngo previously pleaded guilty to federal charges brought in the District of New Hampshire and the District of New Jersey, including wire fraud, identity fraud, access device fraud and four counts of computer fraud and abuse.

“From his home in Vietnam, Ngo used Internet marketplaces to offer for sale millions of stolen identities of U.S. citizens to more than a thousand cyber criminals scattered throughout the world,” said Assistant Attorney General Caldwell.  “Criminals buy and sell stolen identity information because they see it as a low-risk, high-reward proposition.  Identifying and prosecuting cybercriminals like Ngo is one of the ways we're working to change that cost-benefit analysis.”

“This case demonstrates that identity theft is a worldwide threat that has the potential to touch every one of us,” said Acting U.S. Attorney Feith.  “I want to acknowledge the excellent work of the United States Secret Service in identifying and capturing Mr. Ngo.  This case proves that the United States Attorney’s Office for the District of New Hampshire will work with law enforcement to investigate and prosecute identity thieves, even if they are halfway around the world.”

“The sentencing of this transnational cybercriminal illustrates another example of Secret Service success in the disruption and dismantling of global criminal networks,” said Director Clancy.  “This investigation and the resulting prosecution and sentencing should serve as a warning to criminals that we will relentlessly investigate, detect, and defend the Nation’s financial infrastructure.  This sentencing joins a long list of successes in combating financial crimes over our 150 year history.”

According to admissions made in connection with his guilty plea, from 2007 to 2013, Ngo operated online marketplaces from his home in Vietnam, including “superget.info” and “findget.me,” to sell packages of stolen PII.  These packages, known as “fullz,” typically included a person’s name, date of birth, social security number, bank account number and bank routing number.  Ngo also admitted to acquiring and offering for sale stolen payment card data, which typically included the victim’s payment card number, expiration date, CVV number, name, address and phone number.  Ngo admitted that he obtained some of the stolen PII by hacking into a New Jersey-based business and stealing customer information.

In addition to selling the “fullz,” Ngo admitted to offering buyers the ability to query online databases for the stolen PII of specific individuals.  Specifically, Ngo admitted that he offered access to PII for 200 million U.S. citizens, and that more than 1,300 customers from around the world conducted more than three million “queries” through the third-party databases maintained on his websites.

Ngo made nearly $2 million from his scheme.  The Internal Revenue Service has confirmed that 13,673 U.S. citizens, whose stolen PII was sold on Ngo’s websites, have been victimized through the filing of $65 million in fraudulent individual income tax returns.

The case was investigated by the U.S. Secret Service’s Manchester Resident Office.  The case is being prosecuted by Senior Trial Attorney Mona Sedky of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorney Arnold H. Huftalen of the District of New Hampshire.

The case out of the District of New Jersey was investigated by the FBI, and is being prosecuted by the U.S. Attorney’s Office of the District of New Jersey.

Sunday, June 8, 2014

ALLEGED LAW ENFORCEMENT AGENCIES HACKER CHARGED WITH HACKING, CREDIT CARD THEFT

FROM:  U.S. JUSTICE DEPARTMENT 
Monday, June 2, 2014
Massachusetts Man Charged with Computer Hacking and Credit Card Theft

A Massachusetts man was charged with allegedly hacking into computer networks around the country – including networks belonging to law enforcement agencies, a local police department and a local college – to obtain highly sensitive law enforcement data and alter academic records.  He also obtained stolen credit, debit and payment card numbers.

Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, United States Attorney Carmen M. Ortiz of the District of Massachusetts, Special Agent in Charge Vincent Lisi of the FBI’s Boston Division and Colonel Timothy P. Alben of the Massachusetts State Police made the announcement.

Cameron Lacroix, 25, of New Bedford, Massachusetts, was charged by a criminal information with two counts of computer intrusion and one count of access device fraud.  In a written plea agreement filed with the information, Lacroix has agreed to plead guilty to these charges and to serve a four-year prison sentence.    No date for a change of plea hearing has yet been scheduled.

According to allegations in the information, between May 2011 and May 2013, Lacroix allegedly obtained and possessed payment card data for more than 14,000 unique account holders.  For some of these account holders, Lacroix also obtained other personally identifiable information, including the account holders’ full names, addresses, dates of birth, social security account numbers, email addresses, bank account and routing numbers, as well as listings of merchandise the account holders had ordered.

In September 2012, Lacroix allegedly hacked into a computer server operated by a local Massachusetts police department and accessed an e-mail account belonging to the chief of police.   From August 2012 through November 2012, Lacroix is accused of repeatedly hacking into law enforcement computer servers containing sensitive information including police reports, intelligence reports, arrest warrants, and sex offender information.   Lacroix is also accused of using stolen credentials to access and change information in the servers of Bristol Community College on multiple occasions between September 2012 and December 2013.

The case was investigated by the FBI Boston Division Cyber Task Force.   The case is being prosecuted by Senior Trial Attorney Mona Sedky from the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorney Adam Bookbinder of the District of Massachusetts.   The Department of Justice and the U.S. Attorney’s Office would like to thank Bristol Community College for its cooperation during this investigation.