Computer Hacking

Collateral Monetary Damage in South Florida from Home Depot Security Breach

November 11, 2014 | Michael B. Cohen, P.A.

These days it seems that with far too much frequency there is continually breaking news about another retailer with online outlets being victimized by a security breach. The latest of these high tech break-ins was successfully aimed at Home Depot and turned out to be executed by a low-tech method; at least when first hijacking their network.

The well-known distributor of appliances and supplies for home and garden items released news that show that a breach which began in April of this year and went undetected through September allowed hackers to steal credit and debit card data of fifty-six million customers. The news got worse when the company announced last week that in addition to the credit data being compromised as many as fifty-three million email addresses were also revealed to the hackers through the attack.

The hackers didn’t have to break through any firewalls or tough encryption protocols or even find a flaw in their Website’s security code. They did it the old fashioned way by stealing a vendor’s login information to gain access to their network.

Once inside the system the online bandits were able to move around the network and plant malware known as “Backoff” which in this case was custom-built, accessing records of customer’s credit and debit card information at point of sale terminals that were located throughout the United States and Canada. This type of bug had been previously flagged by the Secret Service leading the Agency to issue an advisory that warned businesses of the threat before this latest attack took place.

According to Kaspersky Labs a well-regarded cyber security company, the amount of companies targeted by this method may easily have exceeded the more than one thousand companies thought to be affected by it based on estimates released by federal officials.

The technicians from Kaspersky found that during a period of only a few days of their investigation, in excess of one hundred networks from eighty-five separate IP addresses were attempting to link to what are technically known as malicious command-and-control servers.

Malicious command-and-control servers are used in cyber-attacks for the purpose of maintaining communication with systems that have been previously compromised within a network that has been breached. Ninety-seven of those infected systems were in the U.S and Canada with the other small group targeting Israel and the United Kingdom.

It appears that most of the systems were compromised quite a while ago, since this particular Backoff component had been identified as early as October of last year according to one of the senior security researchers at Kaspersky. “Looking at the bigger picture here, these companies were infected for a very long time, maybe even half a year or longer,” said Roel Schouwenberg, the senior security researcher that was interviewed and speculated that the companies under attack “should have detected and blocked any malicious activity related to the malware” and then added that “none of the companies appears to have even known they were infected.”

It appears that Home Depot did not learn from the massive data breach earlier this year against Target stores that affected more than 100 million customers. The company has been accused of not keeping up-to-date on necessary security measures that would have made them aware of the planted malware ultimately thwarting the break-in and subsequent data theft.

The implications of such a theft of data are usually not immediately felt but the threat continually exits without taking measures to protect the stolen data. That’s not to say that there aren’t immediate financial ramifications.

Before the breach was even publicized a consumer class action suit was filed in federal court by First Choice Federal Credit Union that listed an extensive listing of damages. The case was filed in Georgia which is Home Depot’s hub.

First Choice which is located in New Castle, Pennsylvania filed the suit on behalf of financial institutions including credit unions and banks anticipating that they will be suffering injuries as a result of a massive security breach which compromised the retailer’s customers’ names, and zip codes of the stores marked by the theft, debit and credit numbers along with their expiration dates, and verification codes. The suit also mentions the immediate costs of redistributing new cards and other costs involving the intensity of labor needed to achieve it. To sum it up, the complaint states that “Home Depot utilized weak password configurations and did not employ lockout security procedures at its remote access points.”

In Florida, the breach affected 434,000 members of credit unions. With the average cost of each card estimated to be just over eight dollars it will cost close to three and one half million dollars to replace and reissue the cards as well as sustaining additional costs for notifying their members by way of additional staffing. Charges will also be incurred for the monitoring of the affected accounts. These figures are according to the League of Southeastern Credit Unions and Affiliates.

To read more in detail about computer and Internet cases visit the following page on my Website: https://www.southflalaw.com/federal-computer-crimes.html

Computer Hacker Pleads Guilty to Conspiracy to Commit Securities Fraud

November 8, 2013 | Michael B. Cohen, P.A.

In the real world, it seems the more effort put into constructing locks and security systems to safeguard our possessions; lawbreakers develop abilities to build enhanced keys, and a superior illicit method to gain access to what is being guarded. Protecting the contents of our homes, cash and valuables is an ever-present, unending challenge. But in the Cyber world the level of sophistication reached by criminals responsible for computer incursions and hacking activities is constantly tested by our ability to thwart their entry.

The phenomena of modern technology has grown exponentially over the past have century. And most individuals use the Internet for a variety of purposes. For the most part when we visit our online banking or brokerage accounts the belief is that the transactions that are processed are secure, encrypted, and veiled from prying eyes.

But clever cyber-crooks are always out there, lurking in the shadows constantly attempting to find ways to cash in on activities in this virtual world.

Petr Murmylyuk, a.k.a. Dmitry Tokar, a Russian National who made his home in Brooklyn, NY is one of those shadow lurkers.

Murmylyuk’s cultivated knowledge in the workings of computers was substantiated by his arrest in November, 2011 when he was caught red-handed with a laptop in his possession containing more than enough evidence to implicate him in a substantial scam, along with his accomplices.

The Complaint against Murmylyuk asserts that he, along with an accomplice recruited Russian, as well as other foreign nationals in an online stock rigging scheme. The foreigners were either already living in the United States, or were visiting. Some were students. Three residents of Houston, Texas: Mikhail Shatov, Anton Mezentsev and Galina Korelina were among them as well as other unnamed participants. The group was instructed to open new bank accounts where illegal profits resultant from the proposed operation would be deposited.

Murmylyuk’s hacking abilities allowed him to gain illegal entry to online accounts of brokerage firm customer accounts at Fidelity, Scottrade, E-Trade, and Schwab among other brokerage firms not specifically listed. Telephone numbers and email addresses of the owners were then altered giving the group complete control of the hacked accounts. He and his connections then used identities that were originally illegally obtained or stolen to open new accounts at other brokerage houses. These accounts were termed “Profit Accounts” in the Information. After this method was introduced, they then made irrational and unprofitable trades using the victimized accounts leading to losses in the victims’ accounts and gains in the “Profit Accounts”.

An example of the swindle involved initiating trades that sold options contracts directly to the “Profit Accounts”. After the trade was offered the same contracts were specifically purchased back minutes later for “at times” almost ten times the original price. They also used “short selling” to achieve the same results. (Selling an issue short is a sale of stock that a shareholder doesn’t actually own, but instead borrows from an investor willing to do so with the hope of eventually returning it after the stock price drops resulting in a profit to the original shareholder who “sold it short”.)

This was done by using the “Profit Accounts” offering a short sale of a stock at a worth grossly inflated above the market price for that particular day for the given stock. Moments after the offering was proposed on the open market from the Hackers Accounts, the Hackers used their ability over the Victim Accounts to purchase the shares of the stock at the inflated price, which resulted in a profit for the owner of the “Profit Account” at the Victim Account’s expense. Murmylyuk and/or his associates then covered the falsified short sale by re-purchasing the security which was borrowed at the lower market price.

All proceeds were then transferred from the “Profit Accounts” into the new accounts and then transmitted to the bank accounts that were opened by Mezentsev, Korelina and Shatov as well as others involved in the scheme.

The profits received by Murmylyuk and his associates, generated by the scam, resulted in combined losses of roughly $1 million to the three named major brokerage houses as well as others.

Mikhail Shatov, Anton Mezentsev and Galina Korelina were previously charged in New Jersey and convicted for charges of conspiracy to commit wire fraud. U. S. District Judge Esther Salas sentenced Mezentsev to 27 months in federal prison. Korelina and Shatov were sentenced to14 months each, earlier in 2012.

Murmylyuk was formally charged in April, 2012, charged with unauthorized access to computers, one count of conspiracy to commit wire fraud, and securities fraud. The SEC is also filing a comparable civil action. He is currently in state custody looking at charges from a separate investigation directed by the Manhattan District Attorney’s Office where he is charged with identity theft of more than three-hundred individuals that were unemployed. He then allegedly collected bogus tax returns using their names and information.

Murmylyuk has pleaded guilty to the conspiracy to commit securities fraud charge. He pleaded guilty to identity theft and tax fraud charges earlier. He’ll face a $250,000 fine and a maximum penalty of five years in prison for the New Jersey case and fifteen years in prison for the case against him brought forward by the Manhattan district attorney. Sentencing is scheduled for November 12 for the securities fraud case.

Bronx Detective Arrested on Computer Hacking Charges

June 12, 2013 | Michael B. Cohen, P.A.

“Jealousy is a strange transformer of characters.” – Arthur Conan Doyle
Prosecutors didn’t suggest a motive for a New York City Detective being charged with Cyber-crimes but Police Commissioner Raymond Kelly and various other police sources said that it was done in order for him to grasp who was communicating with his ex-girlfriend. “I know that the allegations have to do with the fact that he went to a company to be able to hack into information that may have been related to a relationship he had with a young woman and I believe the mother of his child,” said Kelly.

Edwin Vargas, 42, a Detective from the Bronx and 20-year veteran of the New York City Police Department was arrested late last month for allegedly hacking into some of his colleague’s email accounts.

According to NBC New York, Vargas believed that his ex-girlfriend, also a police officer was having a relationship with a workmate and hacked into other officer’s email accounts to see if there was any incriminating information for his concerns therein. He is also accused of performing at least two illegal searches in the FBI’s database; the National Crime Information Center (NCIC), without consent.

By way of tapping into the NCIC database he apparently gained further information dealing with two police officers whose email addresses he had previously obtained through the results of the email hacking.

According to the complaint, it is charged that he paid an independent unspecified email hacking service based in Los Angeles, CA in excess of $4000 in exchange for passwords to his fellow officers email boxes. Another allegation charges that he scrutinized another cop’s cell phone records so he could see who that officer was receiving text message from.

An investigation of the “hacking” service showed that some NYPD employees’ email boxes had been compromised and it was that evidence that led back to Vargas. The Internal Affairs Division (IAD) first began questioning him in early April about cyber-stalking his ex-girlfriend. The investigation became a joint effort between the IAD and the FBI due to the assertions of the federal agency’s database being hacked.

The results of the investigation demonstrated that he snooped on more than 40 mailboxes, 21 of them maintained by those with NYPD affiliations. The activity took place over more than a 2-year period between 2010 and 2012.

Detective Vargas is now charged with one count of conspiracy to commit computer hacking and one count of computer hacking to be tried in federal court. Each of the charges carries a maximum sentence of 10 years in prison.

FBI Assistant Director in Charge George Venizelos was quoted as remarking.” Of all places, the police department is not a workplace where one should have to be concerned about an unscrupulous fellow employee.”

To read related federal cases concerning these types of allegations demonstrating the penalties for these charges, click here (FBI Press Release, March 06, 2012)