Hacker faces 10 years in jail for credit card fraud
April 24, 2011
A U.S. resident has admitted to stealing data for more than 676,000 credit cards from various databases he hacked into, then selling the card data through illegal underground channels, netting him over $100,000.
Rogelio Hackett of Lithonia, Georgia, has pleaded guilty to one count of access device fraud and one count of aggravated identity theft. He admitted to computer hacking that started in the late 1990s and turned criminal in 2002, when he began carrying out SQL injection attacks on vulnerable websites that accepted credit cards for purchases.
In 2007, Hackett also exploited the server of an unnamed online ticket seller and made off with data for some 360,000 additional credit cards, federal prosecutors said.
Hackett is 26 years old.
He sold the stolen information on websites and IRC channels frequented by similar would-be credit card fraudsters, charging from $20 to $25 per account.
According to various court documents, he used his riches to buy luxury items, including a 2001 BMW X-5 and a pair of Louis Vuitton shoes.
Hackett's undoing started in June 2009 when he sold 40 counterfeit cards for $1,180 to an undercover U.S. Secret Service agent. A raid on his home uncovered the huge cache of stolen data, as well as equipment for making counterfeit cards.
The stolen data was used to make more than $36 million worth of fraudulent transactions, federal prosecutors added.
Hackett faces at least ten years in a federal penitentiary and fines of at least $500,000. He also faces an additional mandatory two years in jail on the identity theft charge.
In other Internet security news
On April 11, Internet security provider Barracuda Networks announced that it sustained a serious attack on its servers that appears to have exposed sensitive data concerning the company's partners and employee login credentials.
Barracuda representatives didn't respond to emails seeking confirmation of the anonymous post, which claims the data was exposed as the result of a SQL injection attack. Screenshots showed what were purported to be names, email addresses and phone numbers for Barracuda partners from organizations including Fitchburg State University in Massachusetts and the U.K.'s Hartlepool College of Further Education.
But the anonymous post did appear to be authentic, according to some Internet security observers. The spilled contents also included what appeared to be the email addresses and hashed passwords of Barracuda employees authorized to log in to the company's CMS.
The passwords appeared to be hashed using MD5, an algorithm that is slowly being phased out in favor of algorithms considered more secure. It was still unclear whether the hashed passwords were salted to prevent them from being cracked using various free tools available on the Web.
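Why the salting question matters, shown as an added example that is not part of the original article: with unsalted MD5, accounts that share a password share a stored digest, which is what lets one precomputed lookup unlock many accounts, while a per-user salt with a slow key-derivation function removes that property. The account names, password and iteration count below are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not data from the incident); two users share a password.
ACCOUNTS = {"alice@example.test": "Summer2011", "bob@example.test": "Summer2011"}

def md5_unsalted(password):
    """Legacy scheme: a fast, unsalted digest. Equal passwords give equal output."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_salted(password, salt=None, iterations=200_000):
    """Hardened scheme: random per-user salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, expected = record
    _, _, candidate = pbkdf2_salted(password, salt, iterations)
    return hmac.compare_digest(candidate, expected)

def shared_digests(table):
    """Audit helper: groups of accounts whose stored value is identical."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

unsalted = {u: md5_unsalted(p) for u, p in ACCOUNTS.items()}
salted = {u: pbkdf2_salted(p) for u, p in ACCOUNTS.items()}

if __name__ == "__main__":
    print("unsalted MD5, shared digests:", shared_digests(unsalted))
    print("salted PBKDF2, shared digests:", shared_digests(salted))
```

Running the audit helper over a credential table is a quick way to tell whether stored hashes are unsalted: any group of identical values means one recovered password exposes every account in that group.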
Overall, SQL injections are the most common form of all Internet-based attacks and have been used as the starting point for an untold number of security breaches, including the one that exposed data for more than 130 million credit cards when confessed hacker Albert Gonzalez broke into credit card processor Heartland Payment Systems.
SQL injection techniques were also the cornerstone of a recent attack on HBGary, the disgraced security firm, that exposed tens of thousands of proprietary emails.
SQL injection attacks exploit poorly written web applications that fail to scrutinize user-supplied data entered into search boxes and other fields on targeted websites. By passing database commands through those fields to the site's backend database server, attackers can view and even modify its confidential contents.
In total, no fewer than twenty-two databases, with names including new_barracuda, information_schema and marketing_info, were exposed, according to the post, which was published today. The post indicated that the company's web apps ran on the ASP.NET platform.
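The flaw described above and its fix, as an added example that is not from the original article or from any affected site: a search function that pastes user input into the SQL text, next to the same function using a bound parameter. The table, rows and search terms are constructed, and SQLite stands in for the backend database.

```python
import sqlite3

def make_db():
    """Build a constructed in-memory table; 'visible = 0' marks a row the site hides."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE partners (name TEXT, email TEXT, visible INTEGER)")
    db.executemany("INSERT INTO partners VALUES (?, ?, ?)", [
        ("Example College", "it@college.example", 1),
        ("Example University", "admin@university.example", 1),
        ("Internal Reseller", "private@reseller.example", 0),
    ])
    return db

def search_vulnerable(db, term):
    # User input is concatenated into the SQL text, so a quote character in
    # the input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT name FROM partners "
           "WHERE visible = 1 AND name LIKE '%" + term + "%'")
    return [row[0] for row in db.execute(sql)]

def search_parameterized(db, term):
    # The query text is fixed; the input travels separately as a bound value
    # and is only ever compared as data, never parsed as SQL.
    sql = "SELECT name FROM partners WHERE visible = 1 AND name LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]

# Constructed inputs: an ordinary search term and one containing SQL syntax.
BENIGN = "College"
HOSTILE = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", search_vulnerable),
                      ("parameterized", search_parameterized)):
        print(label, "benign ->", fn(db, BENIGN))
        print(label, "hostile ->", fn(db, HOSTILE))
```

With the concatenated query the second input rewrites the WHERE clause and the hidden row is returned; with the bound parameter the same input is treated as a literal name and matches nothing.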
In other Internet security news
Microsoft said Friday that it is preparing for a new Patch Tuesday record, with no fewer than 17 critical security bulletins to be posted tomorrow, nine rated very critical and eight classified as important, as part of the early April edition of its regular monthly updates, which are always released on Tuesdays.
Next Tuesday's security update batch for Windows computers and servers will collectively address a total of 64 security vulnerabilities. Security holes in Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, .NET Framework, Windows Server 2003 and Windows Server 2008 will all be patched.
Next Tuesday's security fixes will include one for a critical SMB Browser security flaw that affects all versions of Windows. Security vulnerability scanning firm Qualys warns that all supported versions of Office and Windows will need updating, a task that is likely to result in plenty of overtime for sysadmins.
Source: The U.S. Dept. of Justice.