News Analysis

Alleged data breach kingpin had plenty of help

Four accomplices helped Albert Gonzalez steal more than 130 million payment cards

By Jaikumar Vijayan
August 18, 2009 07:05 PM ET

Computerworld - Albert Gonzalez, whom federal prosecutors are calling the mastermind behind the biggest data breaches in U.S. history, had plenty of help in pulling off his spectacular heists.

Gonzalez was indicted yesterday, along with two unidentified Russian citizens, on charges related to the massive data thefts at Heartland Payment Systems, Hannaford Bros. and three other companies.

Gonzalez, who used the online nicknames soupnazi and segvec, is alleged to have masterminded an international operation that stole a staggering 130 million credit and debit cards from these companies.

He and 10 other individuals had already been indicted in May 2008 on charges related to similar intrusions at numerous other retailers, including TJX Companies Inc., Dave & Buster's, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.

It's unclear exactly how much money Gonzalez made from his "operation get rich or die tryin," but it was apparently enough to support a lavish lifestyle. Court documents filed in connection with his previous indictments talk about Gonzalez once throwing a $75,000 birthday party for his cohorts.

Another time he is alleged to have complained to one of his accomplices that his money-counting machine had broken and that he needed to manually count more than $340,000 in $20 bills that had been withdrawn from ATMs using fraudulent debit cards.

At the time of his arrest last May, Gonzalez had $1.65 million in bank accounts, a Glock 27 pistol with several rounds of ammunition and numerous PCs, laptop computers and storage devices.

It's unclear whether any of the other individuals who were arrested with Gonzalez last year are involved in the data heists for which he was indicted yesterday. But each of them played a distinct and significant role in helping Gonzalez steal tens of millions of cards from major retailers. Here are a few of the main actors:

  • Stephen Watt, 26, of New York. Watt developed and supplied many of the sophisticated packet-sniffer programs, including one called "blabla," that allowed Gonzalez and his accomplices to identify and capture credit and debit card data travelling over the retail networks they had broken into.

    Watt, described in some media reports as a 7-foot-tall former software engineer at Morgan Stanley, was also one of Gonzalez's closest friends, according to court papers. Watt was one of those who attended Gonzalez's $75,000 birthday party, exchanged IM messages with him constantly and once explored the possibility of Gonzalez investing money in a club he planned on starting.

    Watt was indicted last October on charges related to the break-ins at TJX and elsewhere. He pleaded guilty to one felony count of conspiracy. Prosecutors are seeking a three-year prison term for Watt. In a sentencing memorandum, they described him as having "designed, refined and provided the key computer hacking program in the largest identity theft in our nation's history."

  • Christopher Scott, 26, of Miami. Scott was one of the group's key wireless hacking experts. From 2003 until his arrest in 2008, Scott played a key role in helping Gonzalez break into retailers such as BJ's Wholesale Club, DSW, OfficeMax, Boston Market and others by exploiting weak wireless access points.

    On two separate occasions in July 2005, Scott compromised two wireless access points at a TJX-owned Marshalls store in Miami. He used that access to download various commands onto TJX servers containing payment card data. About a year after gaining access to the TJX network, Scott established a VPN connection between a TJX payment card transaction processing server and a malicious server owned by Gonzalez, and used it to upload various sniffer programs to the TJX server to capture transaction data as it was being processed.

    Scott collected about $400,000 for his part in the data theft and, at the time of his arrest, authorities seized about $6,000 in cash, a Rolex watch and nearly two dozen pieces of electronic equipment. Scott pleaded guilty last year and is scheduled to be sentenced in November 2009.

  • Damon Patrick Toey, Miami. Toey's main role appears to have been helping Gonzalez break into retail networks via SQL injection attacks. Prior to August 2007, Gonzalez's preferred method for breaking into retail networks had been weak wireless access points.

    Around mid-2007, Gonzalez, largely with Toey's help, started launching SQL injection attacks on Web servers and databases handling payment card data. Gonzalez is alleged to have invited Toey to move into his condominium in Miami, where Toey stayed for free and received periodic payments in return for collaborating on the Internet-based attacks.

    Once they broke into a network, they would locate and steal "Track 2" data from the magnetic stripe on the back of payment cards, as well as PIN-block data associated with debit cards. Toey was also used as a conduit for selling stolen card data. Toey pleaded guilty last year to his involvement in the TJX and other intrusions and is scheduled to be sentenced in November.

  • Maksym Yastremskiy, of Ukraine. In court documents, prosecutors described Yastremskiy as one of the biggest resellers of stolen payment card data ever targeted by the Secret Service. Yastremskiy helped Gonzalez and his friends fence stolen payment card data and use it to create counterfeit cards.

    Gonzalez is also alleged to have used Yastremskiy as a conduit for passing a packet-sniffer tool to yet another accomplice, who then installed the malware on a Dave & Buster's server. Yastremskiy was arrested in July 2007 by police in Turkey at the request of the U.S. Secret Service. He was sentenced in January 2009 to 30 years in prison. The U.S. is currently seeking his extradition.
