Court documents allege that the initial entry was often gained using a "SQL injection attack." SQL, or Structured Query Language, is a type of programming language designed to manage data held in particular types of databases; the hackers identified vulnerabilities in SQL databases and used those vulnerabilities to infiltrate a computer network. Once the network was infiltrated, the defendants allegedly placed malicious code, or malware, on the system. This malware created a "back door," leaving the system vulnerable and helping the defendants maintain access to the network. In some cases, the defendants lost access to the system due to companies' security efforts, but they were able to regain access through persistent attacks.
Communications obtained by law enforcement reveal the defendants often targeted the victim companies for many months, waiting patiently as their efforts to bypass security were underway. The defendants allegedly had malware implanted in multiple companies' servers for more than a year.
The defendants are alleged to have used their access to the networks to install "sniffers," which were programs designed to identify, collect and steal data from the victims' computer networks. The defendants then allegedly used an array of computers located around the world to store the stolen data and ultimately sell it to others.
Selling the Data
After acquiring the card numbers and associated data -- which they referred to as "dumps" -- the conspirators allegedly sold it to resellers around the world. The buyers then allegedly sold the dumps through online forums or directly to individuals and organizations. Smilianets was allegedly in charge of sales, vending the data only to trusted identity theft wholesalers. According to court documents, he charged approximately
Covering Their Tracks
The defendants used a number of methods to conceal the scheme. Unlike traditional Internet service providers, Rytikov allegedly allowed his clients to hack with the knowledge he would never keep records of their online activities or share information with law enforcement.
Over the course of the conspiracy, the defendants allegedly communicated through private and encrypted communications channels to avoid detection. Fearing law enforcement would intercept even those communications, some of the conspirators allegedly attempted to meet in person.
To protect against detection by the victim companies, the defendants allegedly altered the settings on victim company networks to stop security mechanisms from logging their actions. The defendants also worked to evade existing protections by security software.
Court documents allege that as a result of the scheme, financial institutions, credit card companies and consumers suffered hundreds of millions in losses, including more than
If convicted, the maximum penalties for the charged counts are: five years in prison for conspiracy to gain unauthorized access to computers; 30 years in prison for conspiracy to commit wire fraud; five years in prison for unauthorized access to computers; and 30 years in prison for wire fraud.
The charges and allegations contained in the indictment are merely accusations, and the defendants are considered innocent unless and until proven guilty.
The case was investigated by the USSS Criminal Investigations Division and the USSS Newark Division. Significant assistance was provided by the
The government is represented by