The global gang that hacked 7-Eleven, JCPenney and other corporations to steal at least 160 million credit card numbers represents the “cutting edge” of computer crime, U.S. Attorney Paul Fishman said as he announced the indictment of five conspirators in July.
Last week, one of the five entered a not-guilty plea. Dmitry Smilianets, a Russian citizen who was extradited from the Netherlands, has decided to fight the hacking charges. A trial could mean more revelations about how digital black arts were able to hoodwink giant corporations.
The crackdown on the ring has already opened a window on advanced hacking methods — how the group tunneled into corporate databanks, installed “sniffer” code to filch millions of card numbers, then sold the numbers on a global market something like a criminal Craigslist. To cover their tracks, they used a fast-changing array of computer servers in Panama, the Bahamas and other far-flung locales, managing to evade authorities for years.
But the “cutting edge” of computer-assisted financial fraud has already advanced since the gang’s heyday in 2005 through mid-2012, according to security experts. As corporate networks fill their security holes — partly in response to the hackers’ exploits — digital wrongdoers are more likely to target another weak link in security: specifically, you and me.
“By and large, all those (corporate) environments have tightened up, which is why you see the customer being the more common point of compromise,” said Doug Johnson, vice president of risk management policy at the American Bankers Association. “It is good news in a way … I would like to be optimistic — the trend indicates less of a propensity in getting after larger databases.”
These days, large corporate networks are under attack from corporate secret-hunters, some of them supported by foreign governments, said Stu Sjouwerman, CEO of the data security firm KnowBe4. “Your average consumer is more likely to fall victim to the Russian cyber mafia, who make it their bread and butter to steal personally identifiable information,” he said. “Consumers call it identity theft.”
Lately, “phishing” attacks targeting individual account holders have been a more common threat to your credit card or bank account than big-data heists. These involve spoofed e-mails that seem to be from a trusted source such as a bank, but trick you into revealing sensitive information. Sometimes the phishing expeditions are carried out in conjunction with a “denial of service” attack on a bank’s computers, which are flooded with junk traffic in order to divert the institution’s attention while customer accounts are being accessed.
“Phishing in the last few years has gotten very sophisticated,” Sjouwerman said. “You might get a (communication) from your health insurance company, seemingly, which says you need to go to this website and confirm this new policy.”
Database attacks such as the one on South Carolina’s tax office in October 2012 yield personal identifying information that is sold on criminal underground networks, enabling phishing scams to bait their hook with tidbits about you that make the appeal for information seem legitimate. Such “spear phishing” appeals are difficult to resist, and visiting the website address is only natural. Once connected, the bogus site might solicit you to enter your information, or load malware onto your computer to steal login and password strings from you as you type.
The advice for fighting the intrusions remains familiar cyber safety: Change your passwords regularly, and don’t share them, or personally identifying information like Social Security numbers, on unknown sites. Keep anti-virus software and browsers up to date, and use encryption to protect your home Wi-Fi network. And when using public Wi-Fi or a computer that isn’t yours, avoid entering any sensitive information. There were about 118,000 phishing websites discovered in the first quarter of 2013, targeting more than 1,000 companies, according to the Anti-Phishing Working Group.
While the technology of the Smilianets gang may be from yesterday’s hacker toolkit, the organization and specialization the group displayed continue to make financial fraudsters dangerous. Sjouwerman describes it as a kind of criminal assembly line, where hackers steal personal data, fraudsters use it to scam you for passwords, which are then sold to still another group that unlocks your accounts. “The bad guys,” he says, “have gone pro.”