Friday, June 19, 2009

TJX "Hackers 11" Story from Wired


I've followed the TJX Breach and posted many articles on it over the past 15 months, having dubbed it Hackers11. I hadn't heard much about the case lately until Kim Zetter, from Wired, published this story last night.

Here's an excerpt. The full story can be read here.

TJX Hacker Was Awash in Cash; His Penniless Coder Faces Prison

By Kim Zetter | Wired


Accused TJX hacker kingpin Albert Gonzalez called his credit card theft ring “Operation Get Rich or Die Tryin.”

He spent $75,000 on a birthday party for himself and once complained that he had to manually count $340,000 in pilfered $20 bills because his counting machine broke. But while Gonzalez apparently lived high off ill-gotten gains, a programmer who claims he earned nothing from the scheme sits broke and unemployed, his career in shambles, while awaiting sentencing for a piece of software he crafted for his friend.
 
These and other new details have emerged in court documents filed in the case of 25-year-old Stephen Watt, a minor participant in what the feds are calling “the largest identity theft in our Nation’s history.”

The documents include a sentencing memorandum filed by prosecutors seeking five years in prison and three years of court supervision for Watt, and a counter-argument from attorneys representing the New York man.

Watt, a 7-foot-tall software engineer who was working for Morgan Stanley at the time the hacks occurred, pleaded guilty in December to creating a sniffing program dubbed “blabla” that Gonzalez and others allegedly used to steal millions of credit and debit card numbers from TJX and other companies. He’s scheduled to be sentenced Monday, though his lawyer, Michael Farkas, told Threat Level this will likely be delayed.

“Stephen’s take on this is that he accepts responsibility for aiding people that he knew would commit wrongdoing,” Farkas tells Threat Level. “However, he is very disturbed by the government’s aggressive attempt to make him into more than what he is.”

Farkas asserts that Watt was merely a peripheral player in the scheme, driven by intellectual curiosity and friendship, not criminal gain. The lawyer is seeking a sentence of probation for the programmer, who is free on bail.

Watt was ignorant of the use to which his best friend would put the custom packet sniffer, and was the only one of Gonzalez’s co-conspirators who had “a budding career and a bright future,” Farkas writes in his filing. While Watt was finishing college and securing his first job, Gonzalez was advancing his criminal enterprise.

Prosecutors, though, beg to differ, wielding more than 300 pages of chat logs exchanged with Gonzalez during the year before TJX was breached in May 2006. The two talked daily through phone and instant messaging, authorities say, sharing “all their exploits: sexual, narcotic and hacking.”

“You have got to convince typedeaf to do some work for me,” Gonzalez wrote Watt at one point, referencing the handle of another hacker. “If he was able to hack some euro dumps we can make a fortune. I hacked a place and took ~30k euro dumps and this last week I made ~11k from only selling ~968 dumps.” (Dumps are the underground’s term for credit or debit card magstripe data, including account numbers.)

During this time, Watt wrote customized code to help Gonzalez breach networks, including the “blabla” sniffer, which was stored on a server in Latvia and used to steal tens of millions of credit and debit cards from TJX in 2006 and from Dave & Buster’s in 2007. According to court documents, the Secret Service recovered 27.5 million stolen numbers from a server in Ukraine and 16.3 million numbers from a server in Latvia.

The breach cost TJX $200 million according to its 2009 SEC filing...

Continue Reading at Wired




