The group of hackers alleged to have broken into the networks of a string of companies, including TJX, Hannaford and Heartland Payment Systems, were in no hurry once they worked their way into the companies’ systems. In fact, they had plenty of time to do their dirty work, in some cases sitting inside the networks and stealing data for as long as a year.
In an excellent post detailing the methods and tactics allegedly used by Albert Gonzalez and his accomplices, Byron Acohido at The Last Watchdog shows just how easy the attacks were for the loosely organized crews that executed them.
Prosecutors in the TJX case say Gonzalez and several different accomplices did grunt work: they drove around and assessed the computer systems of major retailers to find security holes. Once they identified technical flaws, expert hackers were brought in. They used various techniques, including SQL injection attacks, to locate and crack into databases holding records of credit and debit card transactions.
SQL injection attacks have been around for years, and they still require time and skill. A SQL injection attack involves feeding crafted input to the database queries behind a company’s public-facing web page until the database hiccups, a sign that the input is being parsed as SQL rather than handled as data, and accepts injected commands. The intruder then gains access to the database — and a foothold to probe deeper into the company’s systems.
In the attacks on Heartland, prosecutors say Gonzalez helped with the comparatively simple tasks of transferring malicious programs onto the company’s computer servers. Meanwhile, Hacker 1 and Hacker 2 conducted the more delicate SQL injection probes remotely across the Internet.
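To make the probing described above concrete, here is an added example (written for this page, not code from the cases or from Acohido’s post) that places an injectable lookup next to its parameterized fix and runs the same attacker inputs against both. The table, rows, column names and function names are constructed for the demo; SQLite stands in for whatever database a retailer would actually run.

```python
"""Added example: a SQL-injectable lookup beside its parameterized fix.

Illustrative code written for this page. The schema, sample rows and
function names are invented; nothing here comes from the cases discussed.
"""
import sqlite3

# Constructed sample data standing in for a retailer's transaction table.
SAMPLE_ROWS = [
    ("alice", "4242", 19.99),
    ("bob", "1881", 250.00),
    ("carol", "0005", 3.50),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions ("
        "id INTEGER PRIMARY KEY, customer TEXT, card_last4 TEXT, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO transactions (customer, card_last4, amount) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, customer):
    """Builds the query by string formatting: user input becomes part of the SQL."""
    query = (
        "SELECT customer, card_last4, amount FROM transactions "
        f"WHERE customer = '{customer}'"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn, customer):
    """Binds the input as a parameter: it is always treated as a string value."""
    query = "SELECT customer, card_last4, amount FROM transactions WHERE customer = ?"
    return conn.execute(query, (customer,)).fetchall()


def probe(lookup, conn, payload):
    """Classify the response the way a remote attacker would: error, rows or empty.

    An error on a lone quote is the 'hiccup' that tells the attacker the
    input reaches the SQL parser unescaped.
    """
    try:
        rows = lookup(conn, payload)
    except sqlite3.OperationalError:
        return "error"
    return "rows" if rows else "empty"


# Classic payloads: a tautology that makes the WHERE clause always true, and a
# UNION that reads the schema catalogue (sqlite_master here) to map the database.
TAUTOLOGY = "nobody' OR '1'='1"
UNION_DUMP = "nobody' UNION SELECT name, sql, NULL FROM sqlite_master--"


def demo():
    """Run the same three inputs against both lookups and summarize the outcome."""
    conn = make_db()
    return {
        "quote_vuln": probe(lookup_vulnerable, conn, "'"),
        "quote_safe": probe(lookup_safe, conn, "'"),
        "tautology_vuln": len(lookup_vulnerable(conn, TAUTOLOGY)),
        "tautology_safe": len(lookup_safe(conn, TAUTOLOGY)),
        "union_vuln": [row[0] for row in lookup_vulnerable(conn, UNION_DUMP)],
        "union_safe": len(lookup_safe(conn, UNION_DUMP)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The single quote is the cheapest probe: against the concatenated query it produces a syntax error, against the bound parameter it simply finds no customer named `'`. Once the error confirms injection, the tautology returns every card record and the UNION payload reads the schema catalogue, which is exactly the "locate and crack into databases" step the prosecutors describe. The fix is not escaping but parameterization, so the database never sees attacker input as code.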
Gonzalez reached a plea agreement recently with prosecutors in Massachusetts and New York on the charges related to the TJX attack and others and is also awaiting trial on the charges stemming from the Heartland Payment Systems incident.
What’s concerning about the details emerging from these cases is the ease with which these relatively unskilled attackers were able to penetrate the networks of these huge organizations. This underscores the fact that it does not take a criminal mastermind with elite-level skills to execute these attacks. An attacker with a modicum of intelligence and the ability to use freely available network reconnaissance and mapping tools can often find a crack in the best-defended networks, given enough time and patience.