A Russian national has been indicted for a series of cyber attacks against financial institutions (including Chase Bank, Capital One, Citibank and the Boeing Employees’ Credit Union) and retail point-of-sale (POS) systems in the U.S., as well as for running various carding forums that resold payment card data globally. Among the victims was The Phoenix Zoo. The sale of the stolen card data brought the cyberthief crew involved more than $2 million.
Roman Valerevich Seleznev, aka “Track2,” 30, of Vladivostok, Russia, is charged with 29 counts: five counts of bank fraud, eight counts of intentionally causing damage to a protected computer, eight counts of obtaining information from a protected computer without authorization, one count of possession with intent to defraud of 15 or more unauthorized access devices (stolen credit card numbers), two counts of trafficking in unauthorized access devices and five counts of aggravated identity theft.
“Cybercriminals should take heed: distance will not protect you from the reach of justice. We will investigate, we will locate, and we will bring foreign hackers to stand trial,” said U.S. Attorney Jenny A. Durkan of the Western District of Washington state. “This defendant is presumed innocent, and will be afforded the full protections of our system of justice. But he will do so in our courthouse, in the community where harm was done.”
The indictment said Seleznev’s crew installed malware to monitor communications between POS and other systems. “The malware would extract and copy the data that included (payment) card data and, every five minutes, compile the stolen card track data and transmit and upload” it to a server they controlled, the federal filing said.
Other victims covered a wide range, including Grand Central Baking Co., four Mad Pizza restaurants, Village Pizza, Casa Mia Italian restaurant, Schlotzsky’s Deli, Days Jewelry and the Grand Canyon Theater.
How much is card data worth? In this case, payment card data labeled with “a 95 percent guarantee for validity” cost between $20 and $30 per card track. (Cyberthieves issued guarantees? Who knew?) Cards listed for a “guarantee of validity of 65 percent” sold for about $7 per track.