Fraud Schemes Targeting Small Merchants
Indictments Point to Troubling Trends, Ex-Prosecutor Warns
Recent indictments of defendants allegedly linked to Heartland Payments hacker Albert Gonzalez and network breaches that affected Global Payments and others show a growing trend of payments fraud that's migrating down to smaller merchants, says former federal prosecutor Kim Peretti.
Peretti, who helped prosecute Gonzalez, says new indictments offer insights into the actors behind global fraud schemes that compromised 160 million cardholders. Of note in these indictments is that numerous smaller merchants were targeted for card data, a growing concern for law enforcement and the payments industry, she says.
"We're seeing a push down from the big targets to smaller and midsized mom-and-pop stores ... where they're able to hit smaller targets, but over time gather a significant number of stolen [payments] cards to resell," says Peretti, who's now a partner at the Washington-based law firm Alston & Bird LLP's white collar crime group, during an interview with Information Security Media Group [transcript below].
The indictments offer detailed insight into the threat actors, how they operate and who they target, she explains.
"We've learned that they have an ability to target different types of entities and get access to [their] systems and exploit information from those systems," Peretti says.
During this interview, Peretti discusses:
- How the indictments will serve as a cybercrime deterrent;
- Global card fraud trends investigators are watching;
- Challenges investigators and prosecutors still face in bringing cybercriminals to justice.
Peretti is co-chair of Alston & Bird's security incident management and response team. She is also a former director of PricewaterhouseCoopers' cyberforensic service practice and a former senior litigator for the Department of Justice's computer crime and intellectual property section. While at the Department of Justice, Peretti led several benchmark cybercrime investigations and prosecutions.
TRACY KITTEN: Indictments against five alleged cyberthieves connected to Albert Gonzalez were recently unsealed in New Jersey, along with a separate indictment unsealed in Manhattan about a related card fraud scam. What new details do these indictments reveal about the breaches that you prosecuted?
KIM PERETTI: As an initial matter, I just want to take a step back and say that this is really a masterful effort on behalf of U.S. law enforcement putting an indictment together of this nature with this number of victims; relating the victims through common malware and common connections to servers that were located across the globe on just about every different continent; gathering the evidence from the different countries that were involved. Identifying these top-level, elite carding and hacking group individuals is really a colossal effort on behalf of U.S. law enforcement. I wanted to start with that.
As far as what these indictments reveal about the breaches that we've seen lately, it's really our first detailed insight into understanding more about the threat actors for this particular type of financial fraud. We've seen some new information about Gonzalez and his conspirators. Back in 2009, Gonzalez was indicted along with two individuals, Hacker 1 and Hacker 2, who were really leading some of the intrusions. Now we have better insight into those individuals. What these indictments revealed is that these top elite carding and hacking groups had deep knowledge about different types of systems, that they have a range of victims from electronic stock markets to processors to airlines, banks and merchants - and not only in the United States, but also globally. We've learned that they have an ability to target different types of entities and get access to [their] systems and exploit information from those systems.
KITTEN: How much about the breach details outlined in these indictments was news to you?
PERETTI: Some of the structure was familiar from the earlier indictments that we had seen, as far as the different roles that individuals would play, the individuals who are responsible for compromising the systems, those responsible for exploiting the system. Gonzalez had provided in the last round of indictments some of the infrastructure and the hacking platforms, and his role had been replaced by another individual. Then you have the reseller. The general structure of the group remains intact, as far as dividing the roles and delegating and using specialized skill sets. Some of that's familiar.
Something that came up through this indictment that wasn't familiar is that we see one of the named defendants, Drinkman, responsible not only for compromising systems for the purpose of obtaining large volumes of card numbers, but also accessing certain processors to obtain a small number of prepaid cards and exploit those through ATM fraud. Typically, we have seen different indictments brought for those two very separate types of activities, and now we're seeing at least one individual who has the skill set to be responsible for those different types of attacks. Seeing the range of capabilities that you see from this top-level hacking group really sheds more light about our adversary.
Length of Investigation
KITTEN: As you've noted, these indictments do track the trail of a number of different types of attacks, including some that date back to 2005. Why has it taken investigators so long to put all of the pieces together?
PERETTI: I'd like to say two things in that regard: No. 1, they were putting the pieces together all along and bringing indictments all along, including several indictments of Albert Gonzalez in different related conspiracies. They were developing the evidence along the way, and some of the U.S. domestic targets were indicted, arrested and prosecuted. Now, as they've continued to pursue the case, they've been able to identify the top of the food chain and several significant players in the online underground world of carding. It's a progression always.
If you look at the indictment where it talks about how they concealed their attacks, in some ways you might question how remarkable it is that they even were able to identify these individuals. They were using encrypted communication. ... Here it was all encrypted, behind the scenes. They used hacking platforms spread across the world and they would change locations frequently. They would erase the content and they would work with an individual who would not provide that information, even if requested, to law enforcement. They also had very advanced techniques around disabling any logging [and had a] number of things in place that concealed their effort and removed any trace of their activity. It's quite remarkable that they were even caught.
Evolution of Investigations
KITTEN: How would you say the payments industry and cybercrime investigations have evolved since 2005, or even since the time that you helped with the prosecution of Albert Gonzalez?
PERETTI: As we've seen from this indictment, U.S. law enforcement has continued to pursue these international global prosecutions where they have to rely on working with a number of agencies and countries outside the United States to gather the necessary evidence. Some of the victims are outside the United States; the witnesses are outside of the States; the target, the criminal and the evidence is outside the U.S. We've really seen a continuing trend of reaching the top of the food chain or cutting off the snake at its head by pursuing these international global criminal investigations.
KITTEN: What more do we need to know about financial fraud, or do we know more now than we did even two or three years ago?
PERETTI: I think there's additional incremental information that we can gather when we tap more information about the threat actors, their motives, their types of attacks, and just understanding more about the nature of their capabilities, the types of victims that they're after, and the types of fraud that they perpetrate - whether it's large volumes of tracked data or smaller volumes of prepaid cards with PIN numbers. This indictment allows us to piece a lot of that together to understand more in detail what the highest level of these carding organizations are really behind.
KITTEN: Do you see these newest indictments serving as a deterrent for future cybercrime?
PERETTI: Absolutely. The underground carding world is very prolific, with thousands of individuals worldwide. But when you have an indictment that shows that U.S. law enforcement can bring down, arrest, indict and identify the top of the food chain, the individuals who are responsible for some of the most sophisticated techniques and compromises that we've seen, it certainly has, at a minimum, a level of general and special deterrence and will have an effect on the community. Now, whether that effect will result in fewer carding websites and a fewer number of cards being provided, that sort of remains to be seen. But it should have an impact where the foreign criminals realize that U.S. law enforcement does have the ability to identify and capture them.
KITTEN: What really needs to happen to truly deter these types of crimes?
PERETTI: As an initial matter, [it's] law enforcement continuing to identify these foreign targets, indicting them, whether they remain at large or not, or whether they continue to pursue them as they travel from less favorable countries to the United States, from an extradition perspective, to more favorable countries, and continue to show the foreign criminals that the U.S. law enforcement has the capability and the resources to go after the foreign targets and bring them to justice in the United States.
Payment Fraud Trends
KITTEN: What can you tell us about payment fraud trends? Where are fraudsters going?
PERETTI: What we've seen, if we want to talk about payment card fraud in the past five or so years, is a trend where these top groups have pushed down to other groups in Eastern Europe, in particular, who aren't as sophisticated, but they've pushed down techniques that are available to these less sophisticated groups that still allow them remote access into systems, such as point-of-sale systems, to obtain card numbers. We're seeing a push down from the big target to smaller and mid-sized mom-and-pop stores, restaurants, food and beverage, where they're able to hit smaller targets, but over time gather a significant number of stolen cards to resell on the side.