The unnamed hacking ring’s resume is
as impressive as it is devastating, with its 11 members accused of stealing
card numbers from a wide variety of US retail stores, including OfficeMax,
Boston Market, Barnes & Noble, Sports Authority, Forever 21, Marshalls, and
The group appears to be responsible
for the massive data breach that began in 2005 against
clothing retailers T.J. Maxx and Marshalls, as well as other stores owned by
parent company TJX, that ended up costing close to $200 million in damages.
Group members, only three of which
are U.S. citizens, will appear before a Boston court facing a wide variety of
charges, including conspiracy, computer intrusion, fraud, and identity theft.
Despite the Justice Department’s
boasting, reports have described the security community’s response as muted, with
researchers unimpressed by the groups’ reportedly simple tactics – which
consisted, mainly, of wardriving for networks with open wireless access points
and security vulnerabilities, and exploiting those holes to install a packet
sniffer that spies on transactions as they occur.
“It’s not rocket science,” says
Department of Defense cybercrime investigator Jim Christy.
The issue of identity theft is so
big, say researchers, that the group’s arrest is unlikely to make a dent in the
overall “carding” scene. The size of their theft also
likely contributed to the group’s capture, as attempting to offload 41 million
card numbers is a considerably larger transaction – and a far more noticeable
one – than typical trades, where quantities are usually in the thousands.
“It’s almost an embarrassment of
riches – how do you move 41 million credit card numbers?” says Black Hat and
DefCon hacker conference founder Jeff Moss. “That’s like trying to rob Fort
Knox by yourself.”
Reports indicate that the group’s
ringleader, Miami-based Albert Gonzalez, was formerly an informant for the U.S.
Secret Service. The group’s other members hail from a “hodgepodge” of
countries, including Estonia, Belarus, Ukraine, and China. Their composition is
viewed as snapshot of the larger carding community, much of which consists of
groups from Eastern Europe.