Five Charged In Largest Hacking Scheme Ever Prosecuted In US
wiredmikey writes "US authorities have charged four Russians and a Ukrainian on charges of running a global hacking operation that targeted major payment processors, retailers and financial institutions. The charges stem from hacking attacks dating back to 2005 against several global brands, including the NASDAQ exchange, 7-Eleven, JC Penney, Hannaford, Heartland, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard. The men allegedly used SQL injection attacks as the initial entry point into the computer systems of global corporations. Once networks were breached, the defendants allegedly placed malware on the systems. According to the indictment (PDF), the malware used created a "back door," leaving the system vulnerable and helping the defendants maintain access to the network. The men face five years in prison for conspiracy to gain unauthorized access to computers; 30 years in prison for conspiracy to commit wire fraud; five years in prison for unauthorized access to computers; and 30 years in prison for wire fraud."
At what point does the punishment no longer fit the crime? Sure, confiscate all the profits, bankrupt them, take all their assets and lock them up for a couple of years. But 30-40 years? For real? Why not just send them to Mars or something? Locking them up for 5 years without access to computers would ensure that when they get out their hacking skills would be so redundant they could never do it again.
Isn't the justice system supposed to be about a balance between punishment and reformation - not about revenge?
Meus subcriptio est nocens Latin quoniam bardus populus reputo is sanus callidus
The USA has a nasty habit of not submitting its own citizens to foreign laws but sanctions over Edward Snowden might result in Russia playing the same game. For some time Russia has been the cyber-criminal capital so sanctions would result in the USA shooting itself in the foot. Not that it would help these criminals; they were arrested in Holland.
No, this is a Ukrainian copy of the Fox News show, the Five.
"But, Commies have been passing themselves off as MSNBC for years," complained the Ukrainian show.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
'Someone' broke into the banking system and leaked a selection of bank transactions for places like the British Virgin Islands with a story that these are tax-haven stuff, and then leaked a much larger file, many thousand times bigger direct to UK/Aus/NZ/Can full of *everyone's* bank transactions. Why aren't we hunting for these 'crooks' who broke in and stole all this financial info?
(April 2013 Leak of bank transaction data):
http://www.guardian.co.uk/uk/2013/apr/03/offshore-secrets-offshore-tax-haven
IMHO this was NSA or GCHQ leaking emails and SWIFT data it intercepted. I worked on a system known as SEPA which is due to take over from SWIFT by next year and will secure Euro transactions from US surveillance. As soon as this leak happened it was just before a G7 meeting with the agenda of clamping down on tax havens. So it looked like lobbying fodder to force the outcome of that meeting and try to get access to SEPA.
(May 2013, G7 Nations agree to fight tax havens):
http://articles.economictimes.indiatimes.com/2013-05-11/news/39186824_1_tax-havens-transfer-pricing-rules-tax-authorities
And the Canadian Feds (and presumably the spooks too), as a result got access to the bank data:
http://business.financialpost.com/2013/05/10/tax-havens-probe-canada/
I'm guessing the NSA got a feed as part of 5 eyes:
"OTTAWA — The federal government says it will get access to relevant Canadian information stemming from a sweeping offshore tax-evasion investigation being conducted by the United Kingdom, United States and Australia."
See how it works? Collect all the info, use it as leverage to get more, leak against opponents, put friendlies in power.
They just wanna go to Russia so they can grab Snowden in the airport on their way through.
"Kill one man, and you are a murderer. Kill millions, and you are a conqueror. Kill everybody, and you are a god." - Jean Rostand.
The indictment is from 2009. Two of the 5 men were arrested last year. The other three men are on the run, most likely hiding out somewhere in Russia, and suddenly this is offered up as new "news" for the masses to contemplate. Could we be seeing some Snowden kickback - time to drag the words "Russia"/"Russian" through the dirt as much as possible for not handing over the US whistleblower Edward Snowden? The battle here is all about public opinion, after all - because they sure can't win against him based on morality, or even the law.
How DARE they steal all that money before the bankers could steal it!
Hacking is irrelevant when the global economy went to shit. And the people who did THAT will never see the inside of a jail cell.
And now we spent even more finding these 'hackers'.
We are not smart...
Conspiring can happen without doing wire fraud; you get charged for that.
Wire fraud itself could happen without you conspiring with other people; therefore, it is just wire fraud.
Plus they want to put as many charges on you as possible, and see which ones they're able to stick based on evidence.
It's not about the money, it's about sending a message: Do not compete with the government. ;)
Your fault for voting Republican/Democrat.
Honestly, being in Congress should be by lottery and forced servitude. You can't get elected; it's a lottery and compulsory. Dave Fox of 3124 Main Street, Chester, OH... YOU are the new congressional representative of your district for the next 2 years. An armed caravan will be there momentarily to pick you up.
It is the only way to keep it honest. Because voting for rich assholes is turning out to be a complete failure.
Do not look at laser with remaining good eye.
Given the wide range of companies targeted by this group, I'm inclined to believe that there was some bit of underlying software they all used that had a vulnerability for the hackers to exploit. Otherwise I'm not sure I believe that 5 hackers alone managed to compromise diverse systems developed independently from each other; finding SQL injection vulnerabilities is like probing for weak spots in armor, it's a very time consuming process that can't be automated (decently) and often ends in failure despite considerable effort. Sometimes some idiot doesn't bother sanitizing inputs and makes it easy, but considering these are major international companies, I doubt every single one of the listed failed basic security measures.
What probably happened is that one of the hackers through some channel got hold of the source for some common bit of internal web portal code used by employees of these companies (stuff that isn't intended for public access generally has less security). They examined said source, and found an obscure (one would hope obscure) SQL injection vulnerability. They then searched for companies using the software, and leveraged the known vulnerability to compromise machines, gaining footholds in their internal networks. From there it's just a matter of figuring out what valuables you can get using your access.
Why hack 7-Eleven and get 30 years when you can do it the easier way: just go to one, get a gun out, get the cash, and if you do go to lockup it's likely to be state and less time?
A monkey could write code that's not vulnerable to SQL injections. You'd almost have to try to add that vulnerability to your software these days because even my intern knows how they work and how to use stored procedures or even regex filters. So all they really did was point out companies that are completely inept when it comes to security.
Not that anyone reads the classics any more...but Plato's "Republic" outlined a system where, the higher up one was in the political hierarchy, the more spartan their lifestyle was. The idea was to discourage people from entering politics unless their heart was truly in it.
Some of the aspects of the system were a bit totalitarian and heavy-handed, but still, it seems like it'd be a lot better than the god-awful mess we have now.
"Once we've identified and embraced our sickness, we'll have strength...and that's when we get dangerous." - John Waters