Did Retailers Learn Any Lessons From Gonzalez?

Written by Evan Schuman
April 29th, 2010
Albert Gonzalez succeeded, for several years at least, as arguably the world's most effective cyberthief, breaking into many of the largest retail chains (Target, 7-Eleven, TJX, JCPenney, Sports Authority, etc.). His methods for breaking in were clean, and his methods of avoiding detection for years (despite extensive network activity and huge file transfers) and of cleaning up his tracks forensically kept the world's top law enforcement agents stymied.

A post-conviction look at how Gonzalez was caught suggests a change in the type of retailers likely to be targeted, and ways today's largest chains can better protect themselves. But it also raises the question of whether a cyber-attack on this scale could ever succeed, if success means both getting the money and not getting caught. Retailers are worried about protecting against similar attacks, but an attack like this one is unlikely to be repeated, at least not in the same way.

According to the federal prosecutors who oversaw the cases, they got used to referring to Gonzalez as 201679996. That was his identification on the ICQ instant messaging service he used. For quite some time, authorities were convinced that 201679996 was behind the retail break-ins, but they had yet to identify that it was Gonzalez—their former paid, confidential informant.

As happens so often with elaborate, sophisticated criminal operations, the break in this case didn't come from standard detective work. It came, as it usually does, from luck, coupled with one of the lower-level people in the operation getting arrested for something else and then making a deal. In a way, that's what happened with Gonzalez.

His multinational crew was actually quite strict about communication procedures, and most had no idea who their colleagues really were. This tactic minimizes the damage to the group if one member gets caught. But when one Gonzalez colleague, Maksym Yastremskiy of Ukraine, was arrested in July 2007 by the Turkish National Police, the officers seized his laptop and password and shared an image of his hard drive with the U.S. Secret Service.

It was there they found stored ICQ messages, including a huge number from their friend, 201679996. The messages included lots of references to the break-ins, and at least one message broke code and said "TJX." Another said "D&B," standing for Dave & Buster's, one of the first chains to be hit.

Another message spoke of a participant who had been arrested the day before, so the Secret Service started poring through its records of people arrested on that date until it found a match. From there, the trail quickly led to various people and, ultimately, to Gonzalez.

The plans "were brilliantly executed. It was an incredible challenge to trace back and figure out" who was behind it, said Kim Peretti who, as senior counsel in the U.S. Department of Justice's Computer Crime Section, oversaw almost all of these cases.

Although Gonzalez did type letters that would ultimately destroy his operation, Peretti makes a good case that there really wasn't much of a choice for him. To hit as many chains as Gonzalez did, a lot of people, with various skillsets, were needed. And with the stolen data hidden on servers in multiple countries, communication among team members was essential. Had the group, for example, chosen to use codewords instead of the retailers' names, it would have had to share those codewords among its members. In that case, the codewords would have been irrelevant: the confiscated laptops and passwords would likely have revealed the codewords, making their use pointless. It would be like encrypted data that is captured together with the encryption key. The encryption won't do much good.

Had the operation been much smaller—with just a couple of people and much less lofty goals in the number of payment card numbers to be stolen—it might have fared better, from a "not getting caught" perspective. But with the anti-fraud systems in place today at Visa and other brands, cyberthieves really need to grab huge quantities of card numbers to have enough survive to make a profit.

The trick, Peretti suggests, is to take few enough card numbers from any one victim that it isn't worth the effort of a major law enforcement agency. The Gonzalez investigations took a lot of Secret Service hours, along with untold time from at least three U.S. Attorney's Offices, the Justice Department and quite a few overseas law enforcement groups.

If the number of card numbers stolen was much lower, it's unlikely anyone could have justified spending so much time chasing the thieves. To quote the title character from Butch Cassidy and the Sundance Kid, that law enforcement effort "has got to cost him more than we ever took. If he'd just pay me what he's spending to make me stop robbing him, I'd stop robbing him."

But what could retailers have done to prevent Gonzalez's crew from penetrating their systems? The SQL injection attacks used were well known, and those holes could have been plugged: the fix is to stop building queries by pasting user input into SQL strings and to use parameterized queries instead. The bigger issue, though, was the lack of thorough event log monitoring.
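To make the "well known hole" concrete, here is an added example (written for this article, not code from any retailer named in it) of the classic SQL injection pattern beside its parameterized fix. The `customers` table, its columns and the sample rows are constructed, and the example uses Python's built-in sqlite3 module so it runs offline; the same lesson applies to any database driver that supports bound parameters.

```python
"""SQL injection: string-built query beside the parameterized fix.

Added illustration, not code from the article or from any retailer it
names. Table, columns and rows are constructed; sqlite3 is used only so
the example runs without a database server.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a small constructed customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [
            ("alice@example.com", "1111"),
            ("bob@example.com", "2222"),
            ("carol@example.com", "3333"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The hole: user input is spliced into the SQL text, so a quote in the
    input ends the literal and the rest of the input becomes SQL syntax."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, email: str) -> list:
    """The fix: the SQL text is constant and the input travels as a bound
    parameter, so it can only ever be compared as data."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare(conn: sqlite3.Connection, payload: str) -> tuple:
    """Run one input through both lookups; return (rows_vulnerable, rows_fixed)."""
    return len(lookup_vulnerable(conn, payload)), len(lookup_fixed(conn, payload))


if __name__ == "__main__":
    db = build_db()
    # A legitimate lookup behaves the same either way.
    print("normal:", compare(db, "alice@example.com"))
    # Two textbook payloads: one uses OR to make the WHERE clause always true,
    # the other additionally uses -- to comment out the trailing quote.
    for payload in ("' OR '1'='1", "x' OR 1=1 --"):
        print(repr(payload), "->", compare(db, payload))
```

With the string-built query, either payload dumps every row (all three card fragments here); with the bound parameter, the same input matches nothing because no customer has that literal string as an email address.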

Is that situation better or worse today? Frustratingly, it's probably both. The problem has always been that this type of monitoring is hard for some retail IT folk to justify when profit-oriented projects—such as getting new site functionality in place before the holidays hit—are backlogged. Do you start cutting back the time spent reviewing logs?

On the plus side, the Gonzalez attacks have given retailers a stern reminder of why such logs need to be carefully examined every day, no matter what.

On the down side, part of what amazed prosecutors in this case was how the thieves could divert so much data out of a system without it being noticed. That particular problem is made even more complicated by the soaring number of outsourced services that are constantly pulling data off of retail servers.

The plethora of data departures includes updated information leaving to feed mobile sites, services that handle customer comments, product shipments, and purchases being processed on social sites. One side effect of all of those communications is that improper data transfers are obscured. Administrators have chased down so many such exchanges, only to learn that yet another partner changed its procedures, that a clever piece of malware could easily escape detection as long as it doesn't get too greedy.
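To show what the daily log review the article calls for can and cannot catch amid all that legitimate outbound traffic, here is an added example (not from the article or any retailer) that reviews a constructed log of outbound transfers from store database hosts against an allowlist of known partner destinations and a per-day byte budget for each. The log format, host names, partner names and budgets are all assumptions made for the illustration; the 203.0.113.0/24 address is a documentation range, used so the sample points at nothing real. It goes beyond the text only in making the two conditions explicit: a destination nobody has vouched for is flagged regardless of size, and a known partner is flagged only when the day's total exceeds its budget, which is exactly why a transfer that stays modest and rides a legitimate channel is the hard case the article describes.

```python
"""Review outbound transfers against a partner allowlist and daily byte budgets.

Added example, not the article's or any retailer's tooling. Log lines,
partner list and budgets are constructed for illustration.
"""
from collections import defaultdict

# Constructed log: one transfer per line, "date source_host destination bytes".
SAMPLE_LOG = """\
2010-04-20 pos-db-01 feeds.mobile-partner.example 41000000
2010-04-20 pos-db-01 api.shipping-partner.example 12000000
2010-04-20 pos-db-01 feeds.mobile-partner.example 39000000
2010-04-20 pos-db-02 203.0.113.77 8000000
2010-04-20 pos-db-01 api.shipping-partner.example 950000000
"""

# Constructed allowlist: destinations the business has vouched for, with the
# most bytes each is expected to receive in a day. Anything else is unknown.
PARTNER_BUDGET = {
    "feeds.mobile-partner.example": 100_000_000,
    "api.shipping-partner.example": 50_000_000,
}


def parse(log: str) -> list:
    """Turn the whitespace-separated log into (date, host, dest, bytes) tuples."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        date, host, dest, nbytes = line.split()
        rows.append((date, host, dest, int(nbytes)))
    return rows


def review(rows: list, budget: dict) -> list:
    """Return one finding per problem: an unknown destination (any size), or a
    known partner whose daily total exceeded its budget."""
    findings = []
    daily_total = defaultdict(int)
    for date, host, dest, nbytes in rows:
        if dest not in budget:
            findings.append({"kind": "unknown-destination", "date": date,
                             "host": host, "dest": dest, "bytes": nbytes})
            continue
        daily_total[(date, dest)] += nbytes
    for (date, dest), total in sorted(daily_total.items()):
        if total > budget[dest]:
            findings.append({"kind": "over-budget", "date": date,
                             "dest": dest, "bytes": total,
                             "budget": budget[dest]})
    return findings


if __name__ == "__main__":
    for finding in review(parse(SAMPLE_LOG), PARTNER_BUDGET):
        print(finding)
```

On the sample log this yields two findings: the 8 MB transfer to 203.0.113.77 is flagged because nobody vouched for that destination, and the shipping partner is flagged because its day totals 962 MB against a 50 MB budget. The two mobile-feed transfers (80 MB against a 100 MB budget) pass, and so would a small exfiltration that tunnelled through the same partner channel; the allowlist and budget have to be maintained as partners change their procedures, or the review degrades into the noise the article describes.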

Peretti fears, though, that the next generation of Gonzalezes will likely target smaller and midsize retailers, which ostensibly have less stringent security and probably watch their event logs even less often than their larger competitors. Still, with less going on, even a small errant data transmission might stand out more at a smaller merchant.