7-Eleven Hack From Russia Led to ATM Looting in New York
Kevin Poulsen writes on Threat Level:
Flashback, early 2008: Citibank officials are witnessing a huge spike in fraudulent withdrawals from New York area ATMs — $180,000 is stolen from cash machines on the Upper East Side in just three days. After a stakeout, police arrest one man walking out of a bank with thousands of dollars in cash and 12 reprogrammed cards. A lucky traffic stop catches two more plunderers who’d driven in from Michigan. Another pair are arrested after trying to mug an undercover FBI agent on the street for a magstripe encoder. In the end, there are 10 arrests and at least $2 million dollars stolen.More here.
The wellspring of the dramatic megaheist turns out to be more prosaic than imagined: It started with a breach of the public website of America’s most famous convenience store chain: 7-Eleven.com.
In his most-recent plea agreement, filed in court Monday, confessed hacker Albert Gonzalez admitted conspiring in the 7-Eleven breach and fingered two Russian associates as the direct culprits. The Russians are identified as “Hacker 1″ and “Hacker 2″ in Gonzalez’s plea agreement, and as “Grigg” and “Annex” in an earlier document inadvertently made public by his attorney.
The Russians, evidently using an SQL injection vulnerability, “gained unauthorized access to 7-Eleven, Inc.’s servers through 7-Eleven’s public-facing internet site, and then leveraged that access into servers supporting ATM terminals located in 7-Eleven stores,” the plea agreement reads. “This access caused 7-Eleven, Inc., on or about November 9, 2007, to disable its public-facing internet site to disable the unauthorized access.”