International Hacking Scheme Aided by SQL Injections; 12 Major Companies, 160 Million Affected

Posted 7.29.13 by wpadmin

In a press release from last week, a federal indictment announced that five men in Russia were charged with conspiring in the international hacking scheme which resulted in 160 million credit card numbers stolen. Issued by the U.S. Attorney’s Office, District of New Jersey, the scheme was described as the largest ever prosecuted in the United States.

Recently, Nasdaq.com reported on hackers that gained access to the systems of more than a dozen major global payment processors, retailers and financial institutions, including NASDAQ (trading platform unaffected), 7-Eleven, JC Penney, Heartland Payment Systems, Visa Jordan, Global Payment, JetBlue, Dow Jones and others.

So how did they do it? Justice.gov reports that initial entry was gained through SQL injection. SQL (Structured Query Language) is the language used to query and manage databases; an SQL injection attack exploits an application that builds its database queries from unvalidated user input, letting an attacker alter what the query does. After finding SQL injection flaws in the companies’ database-backed applications, the hackers would infiltrate the computer network and then use malware to create a backdoor that maintained unauthorized access to the network. In some cases, their malware remained on the companies’ servers for over a year.

After they stole credit card numbers and other personal data, they sold it to resellers worldwide, either through online forums or directly.

How did they get away with it undetected? The hackers used anonymous web hosting services, provided by another conspirator, that kept no records of their activities and did not report to law enforcement. The hackers also communicated only through private, encrypted channels, and they were able to disable security settings at the targeted companies so that their actions on those networks were not logged.

How much was lost? About $300 million, as reported by the affected financial institutions, credit card companies and consumers.

As U.S. Attorney Paul J. Fishman stated in the press release, “Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy, and our national security. And this case shows there is a real practical cost because these types of frauds increase the costs of doing business for every American consumer, every day. We cannot be too vigilant and we cannot be too careful.”

How can you protect your company against these types of attacks and decrease your risk of business loss? A web application firewall (WAF) can protect your networks and servers better than a traditional IPS/IDS (intrusion prevention/detection system) because it inspects application-layer traffic and is capable of detecting and blocking SQL injection attempts.
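To make the two points above concrete (SQL injection as the initial entry vector, and WAF-style detection as a second layer in front of the application), here is an added example that is not part of the original post. It uses a constructed in-memory SQLite table with fake, masked card data, shows the string-concatenated lookup beside its parameterized fix, and applies an illustrative signature check of the kind a WAF runs on request parameters; the table, column names and patterns are all assumptions for illustration.

```python
import re
import sqlite3

# Constructed sample data: fake, masked values, not real card numbers.
SAMPLE_ROWS = [
    ("alice", "4111-XXXX-XXXX-1111"),
    ("bob", "5500-XXXX-XXXX-0004"),
    ("carol", "3400-XXXX-XXXX-0009"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cardholders (username TEXT, card_masked TEXT)")
    conn.executemany("INSERT INTO cardholders VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def lookup_vulnerable(conn, username):
    # User input is spliced into the SQL text, so the caller controls the
    # query's structure, not just its data. This is the defect SQLi exploits.
    sql = ("SELECT username, card_masked FROM cardholders "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # Bound parameter: the driver sends the value separately from the SQL,
    # so whatever the input contains, it can only ever be compared as data.
    sql = "SELECT username, card_masked FROM cardholders WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Minimal WAF-style signatures (illustrative, not a real product rule set).
# A WAF applies checks like these to request parameters before they reach the app.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+'?[^']*'?\s*=", re.I),     # tautology: ' OR '1'='1
    re.compile(r"--|/\*|;\s*(drop|union|select)\b", re.I),  # comments / stacked statements
]

def waf_flags(value):
    """Return True if the parameter value matches an injection signature."""
    return any(p.search(value) for p in SQLI_PATTERNS)

INJECTED = "' OR '1'='1"   # classic tautology payload used to dump every row

if __name__ == "__main__":
    conn = make_db()
    print(len(lookup_vulnerable(conn, INJECTED)))     # 3: every row leaks
    print(len(lookup_parameterized(conn, INJECTED)))  # 0: no such username
    print(waf_flags(INJECTED), waf_flags("alice"))    # True False
```

The parameterized query is the actual fix; the signature check shows why a WAF is a compensating control rather than a replacement, since it only catches inputs that match a known pattern.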

Web Application Firewall

For companies that need to meet PCI DSS compliance (Payment Card Industry Data Security Standard), including those that were affected by this breach, requirement 6.6 states you must install a WAF in front of public-facing web applications to detect and prevent web-based attacks.

The same goes for healthcare organizations that need to meet HIPAA compliance: its technical safeguards dictate that they must implement technical security measures to guard against unauthorized access to ePHI (electronic protected health information) being transmitted over an electronic communications network.

For more information about other ways to secure your servers against a data breach, read about our Technical Security services.

Or, if you’re unsure how to meet the technical security requirements of PCI DSS, read our PCI Compliant Hosting white paper. It discusses the impact of the PCI DSS standard on data centers and server infrastructure, describes the architecture of a PCI compliant data center both technically and contractually, and outlines the benefits and risks of data center outsourcing as well as vendor selection criteria.

References:
Five Indicted in New Jersey for Largest Known Data Breach Conspiracy
PCI DSS Requirements and Security Assessment Procedures, Version 2.0 (PDF)
DOJ Charges Five Hackers in Data Breach Scheme

About Otava

Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.