Russian hacking ring indicted over $300m credit and debit card fraud

Six-year spree facilitated theft of 160 million cards and $300m - used malware and SQL injection attacks

Four Russians and one Ukrainian have been charged with stealing 160 million credit and debit card numbers, facilitating the theft of at least $300m.

The hackers broke into the networks of more than a dozen companies to steal the data, which was described by US Attorney Paul Fishman as the largest-ever fraud of its kind.

Companies affected were typically payment processors based in the US, including Heartland Payment Systems and Global Payment Systems, as well as Commidea, a European payment processor for retailers.

The Heartland hack was the biggest, with the company losing more than 130 million credit card numbers in 2007, resulting in losses of at least $200m. Global Payment Systems, meanwhile, lost just under one million card numbers, losing $93m, claimed prosecutors.

Commidea, meanwhile, said that it lost 30 million card numbers, while an attack on the Visa network resulted in 800,000 stolen card numbers. In addition, the hackers attacked Belgium's Dexia Bank, Euronet, Diners Singapore and Ingenicard.

Customer login and password details were also stolen from US stock exchange Nasdaq and Dow Jones, the financial information services company.

The defendants, all between the ages of 26 and 32, were identified as Vladimir Drinkman from Syktyvkar in Russia; Aleksander Kalinin from St. Petersburg in Russia; Roman Kotov from Moscow; Dmitriy Smilianets, also from Moscow; and Mikhail Rytikov from Odessa in Ukraine.

However, not all the defendants are - yet - in the US to answer charges. Smilianets was arrested when he travelled to the US, while Drinkman is being held in the Netherlands, pending extradition. Kalinin, Kotov and Rytikov, though, remain at large.

The prosecutors claim that a number of other co-conspirators were also involved.

The credit-card hacking ring was exposed after an accomplice, Albert Gonzalez, was arrested in Miami in 2009. Although Gonzalez was sentenced to 20 years in prison, prosecutors claimed that the attacks lasted from 2006 until 2012.

According to reports, the hackers broke into networks in two main ways.

First, they mass-emailed malware to staff, which was activated when staff were tricked into clicking on malicious attachments.

Second, they used SQL injection attacks, in which code is deliberately inserted into poorly secured online forms. This code is misinterpreted as a command to the back-end database.

The attackers divided up their labour according to their skills: Kotov sifted through data gleaned from compromised networks to find the credit card numbers, while Rytikov provided anonymous web-hosting from which the attackers worked. Smilianets, meanwhile, sold the credit-card details to third parties.

According to the indictment, US credit card numbers sold for about $10 each, Canadian numbers for $15 and European ones - most of which are protected with more secure chip-and-pin technology - for $50.

Purchasers of the debit and credit card details would encode them on blank magnetic stripe cards and use them to withdraw money from cash machines.

Separately, Kalinin was also charged, along with another Russian, Nikolay Nasenkov, with hacking into Citibank and PNC Bank systems and stealing card data used to withdraw $4.2m from customer accounts in 2006 and 2007.

If convicted, the maximum penalties for the charged counts are: five years in prison for conspiracy to gain unauthorised access to computers; 30 years in prison for conspiracy to commit "wire fraud"; five years in prison for unauthorised access to computers; and 30 years in prison for committing wire fraud.