Victim companies include Heartland Payment Systems, Carrefour, NASDAQ, Dexia Bank Belgium and others.
Two of the accused are now in custody (Smilianets and Drinkman), and three remain at large. Unusually, these three suspects – Kalinin, Kotov and Rytikov, believed to be in Russia – have been named. This is thought to be a way of expressing displeasure at a lack of co-operation from the Russian authorities. "If the Russians aren't going to cooperate with us, fine, we're going to let everyone know", an unnamed law enforcement source told Reuters. Russia is constitutionally prevented from extraditing a Russian national.
Smilianets and Drinkman were arrested in The Netherlands. Smilianets was extradited to the US in September 2012; Drinkman has fought extradition and is currently held in The Netherlands pending an extradition hearing. Federal agents knew about Smilianets. As the conspiracy's 'salesman' he was well known on the underground chat circuits. They learnt that he would be traveling to The Netherlands with a companion called Drinkman.
Checks showed that Drinkman had been suspected of collaborating with another hacker, Albert Gonzales, currently serving multiple 20-year sentences in the US. The agents concluded that this was one of the two hackers they were seeking in connection with the Smilianets hacks. "Here's the world's biggest hacker," a person familiar with the case told Reuters. "We got lucky." The two were arrested by Dutch police as they prepared to board a tour bus.
The hacks were largely initiated with SQL injection attacks. Once the initial penetration had been achieved, backdoors would be be installed. This enabled the attackers to stay within the victims' networks – sometimes for months – seeking and exfiltrating the information they could sell on to the criminal underground. Smilianets was in charge of sales. "He would charge approximately $10 for each stolen American credit card number and associated data," says the New Jersey States Attorney's Office statement, "approximately $50 for each European credit card number and associated data and approximately $15 for each Canadian credit card number and associated data." Bulk and repeat order discounts naturally applied.
Jeremiah Grossman, founder and CTO of WhiteHat Security, is not surprised that SQLi was used so successfully. "Coders have to push new features to customers that will drive future revenue. If they slow down, or work on anything else, like fixing vulnerabilities in their code, there is a certain monetary sacrifice." SQL flaws continually slip through and, he says, are the best and fastest way to breach a database. "There is nothing technical about SQL injection that we don't know. We know what it is, we know how to fix it, we know how to prevent it." We just don't seem very good at doing it.