Dave & Buster’s Data Breach Indictment: Apps Crash For The Bad Guys, Too
Written by Evan SchumanIt was April 2007 when a pair of cyberthieves from the Ukraine and Estonia set out to try and grab payment card data from the 49-store Dave & Buster’s restaurant chain. But according to a federal indictment and a U.S. Secret Service affidavit unsealed May 12, 2008, the pair quickly discovered that software can be an equal-opportunity crasher.
The problems started when the pair—Maksym Yastrenskiy of Kharkov, Ukraine, who used the name Maksik, and Aleksandr Suvorov of Sillamae, Estonia, who used the name Johnny Hell—installed a packet sniffer on the chain’s network to try and capture Track 2 data as it moved from the POS server to the acquiring bank’s authentication system.
"The packet sniffer malfunctioned and (the pair) did not capture any Track 2 data," according to the indictment.
But the pair persisted and eventually got the software to work in about 11 restaurants, ultimately grabbing plenty of Track 2 data, such as information about some 5,000 credit and debit cards (with losses of "at least $600,000") from a single restaurant, including a 5-GByte log file that Yastrenskiy bragged about in an intercepted May 30, 2007, text message, according to federal documents.
But the pair’s tech difficulties didn’t end.
"As a result of a defect in the software program for the packet sniffer, the packet sniffer automatically deactivated whenever the compromised (Dave & Buster’s) POS servers rebooted in the normal course of the operation of the servers," the indictment said. "Therefore, in order for the packet sniffers to capture data from the compromised D&B POS servers on an ongoing basis, the defendants Yastrenskiy and Suvorov had to regularly reactivate the packet sniffers." (Wonder if there’s any money in launching a Cyberthief Helpdesk?)
Authorities also indicted Albert Gonzalez of Miami—also known as Segvec and SoupNazi—for providing the packet sniffer, and he was charged with wire fraud. All three defendants are reportedly in custody, with Turkish officials having arrested Yastrenskiy in Turkey in July 2007, where a federal statement said he "remains in jail on potential violations of Turkish law. A formal request for extradition of Yastrenskiy to the United States has been made to the Turkish government."
Suvorov was arrested in March 2008 by German officials while he was visiting that country—he’s also reportedly still imprisoned in Germany, pending the outcome of a U.S. extradition request. The U.S. Secret Service arrested Gonzalez in Miami in May 2008, which is what allowed the indictments to be unsealed.
Based on what federal authorities said was a forensic examination of the restaurant chain’s server logs, the group began its data breach efforts when they tried to crack into a Dave & Buster’s POS server at a restaurant in Arundel, Maryland, in April 2007. That’s the incident where the software wouldn’t capture any data.
But a year ago, on May 18, 2007, the group instead accessed a corporate POS server at Dave & Buster’s headquarters in Dallas. "From there, (they) successfully installed the packet sniffer on POS servers at 11 D&B restaurants," according to a May 12 federal arrest warrant affidavit from U.S. Secret Service Agent Matthew Lynch. They tried again on Sept. 22, 2007, but the chain’s IT department was able to block the attempt.
"Investigation has revealed that approximately 5,100 MasterCard and Visa cards as well as 32 American Express cards were used" in the penetrated restaurants at the time, the affidavit said, adding that unauthorized purchases were later found to have been made on 675 of the cards.
When the Turkish National Police seized Yastrenskiy’s laptop, the affidavit said, it found many ICQ instant messages along with "millions of stolen credit card numbers and a folder that contained a packet sniffer used in the D&B intrusions."
The federal documents also said that this group apparently hit an unidentified "major retailer" back in 2005 and that the sniffer used in the Dave & Buster’s breach had been customized for the first retailer and was simply re-used for Dave & Buster’s.
The documents quote an analyst with the Computer Emergency Response Team Coordinating Center (CERT-CC) as having analyzed the sniffers found on in both incidents. The unnamed CERT analyst described both sniffers as "efficient, well-designed and [using] some algorithms and data structures that reflect college-level knowledge of computer programming skills, whether acquired through self-study or, as he believed more likely, through formal training."
The unspecified breach of the "major retailer" involved a 44-GByte transfer of credit-card information on Nov. 18-19, 2005. It’s not clear from the documents who the major retailer was, but the dates involved could be referring to TJX.
-Dan Stiel
May 16th, 2008 at 9:37 am
Finally! As Paul Harvey said, now for the rest of the story, which is yet to unfold, taking years, is what happens to these cyber criminals. Swift and meaningful punishment is necessary to send a message to those considering a life of cyber crime.
May 16th, 2008 at 9:56 am
Editor’s Note: That’s a nice sentiment, but I cynically doubt it would do any good. It’s like increasing the penalties for illegal narcotic distribution. There is SO much money to be made with these schemes–and the chances of being caught are so slight–that these punishments won’t do much good.
The deterrence of any punishment only exists if the one you’re trying to deter has any reasonable belief they’ll get caught and convicted.
These cyber thieves are generally confident, cocky and quite careful. Reality aside, they are likely to BELIEVE they’ll never get caught. Therefore, no punishment will likely any impact.
I hope I’m wrong, though.
May 17th, 2008 at 8:39 pm
Most people think that I’m strange, but as an InfoSec Professional, I have done away with my Credit Cards, and have gone back to a completely cash life. Purchasing goods online, or using a card in store clearly isn’t safe, and the retailers, credit card companies, and the banks really don’t care.
I get to see the PCI scans, and the amount of money that the PCI efforts cost companies, yet, we still have issues with simple security.
Organizations don’t really want to apply the correct methods of securing their systems, because they don’t have the talent, or the time to put the proper tracking, access controls, and testing into practice. Of course, if they did, they wouldn’t be making that extra $00.03 per transaction, costing them millions in the long run.
It’s cheaper to pay the fines, let the current practices “protect” them, making everyone feel safe.
It is a case where “Ignorance is Bliss!” is truly the status quo.
“In God we Trust, all others pay cash.” It’s one way to prevent credit card theft, identity theft, and loss of our hard earned money.
Try it, it’s freedom.