[ISN] TJX credit card heist suspect, 2 others, accused of new scam

From: InfoSec News (alerts@private)
Date: Tue May 13 2008 - 01:25:55 PDT


By Dan Goodin in San Francisco
The Register
13th May 2008

Three men - one of them suspected of playing a role in the heist of 45.6 
million credit cards from retailer TJX Companies - have been accused of 
hacking into cash register terminals belonging to a restaurant chain and 
installing software that sniffed credit card numbers.

According to a 27-count indictment unsealed Monday, the scheme was 
carried out in part by Maksym Yastremskiy. In July, the Ukrainian was 
arrested in a Turkish resort town for allegedly selling large quantities 
of credit card numbers, many of which were siphoned out of TJX's rather 
porous network. He remains incarcerated in Turkey, where an application 
for extradition to the US is pending. Yastremskiy also went by the name 

The indictment also names Aleksandr Suvorov, aka JonnyHell, of Estonia, 
and a separate complaint names Albert Gonzalez, who also went by the 
moniker Segvec. Together, they are accused of installing packet sniffers 
at 11 restaurants belonging to Dave & Buster's. The sniffers captured 
track 2 credit card data as it passed from the restaurants' 
point-of-sale terminals to servers at the chain's central headquarters.

Suvorov was arrested in March by German officials while visiting that 
country, and an extradition request is also pending. Gonzalez was 
arrested this month by Secret Service agents in Miami.

One packet sniffer alone netted data for about 5,000 customers who 
visited a Dave & Buster's in Islandia, New York, causing losses of at 
least $600,000 to the banks that issued the cards, according to the 

The scheme was not without its hitches. While the defendants 
successfully penetrated a terminal at an Arundel, Maryland, location in 
April 2007, their packet sniffer malfunctioned, so they were unable to 
gain access to any credit card data. Later versions of their program 
successfully logged the information, but a bug caused the software to be 
deactivated each time the point-of-sale servers were rebooted. That 
required the defendants to regularly log in to the machines.

The men managed to install the packet sniffers remotely by socially 
engineering individuals, according to the indictment, which didn't 
elaborate. Once in possession of the data, the defendants sold it to 
others who used it to make fraudulent credit card purchases.

Attempts to reach the three men for comment were not successful.

