According to an affidavit filed by U.S. authorities in Canada, the U.S. Secret Service began investigating “an international conspiracy” to hack into computer networks of U.S. financial institutions and other businesses in October 2007. As part of that investigation, agents examined network intrusions that occurred in January and February 2008 at OmniAmerican Credit Union, based in Fort Worth, Texas, and Global Cash Card of Irvine, California, a distributor of prepaid debit cards used primarily for payroll payments.
In both cases, the attacker gained access using a SQL injection attack, in which crafted SQL is passed through an application that fails to validate the input it hands to its back-end database; the database engine itself executes the injected statement exactly as written. The attacker grabbed credit- and debit-card numbers that thieves in several countries then used to withdraw more than $1 million from ATMs.
In April and May 2008, agents investigated two additional hacks at 1st Source Bank in Indiana, and at Symmetrex, a prepaid-debit-card processor based in Florida. The intruder again used SQL injection attacks, and losses added up to more than $3 million.
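The affidavit names SQL injection as the entry technique but does not describe the applications or the queries involved. The following is an added example, not code from the article or the affidavit, showing why the flaw lives in the application that builds the query rather than in the database software: the same engine that leaks every row through a string-concatenated query refuses to do so when the value is bound as a parameter. The table, card numbers and the `holder` lookup are constructed for illustration.

```python
"""Added example: SQL injection as an application flaw, shown against an in-memory SQLite database."""
import sqlite3

# Constructed sample data standing in for a card processor's table; these are
# well-known test numbers, not real accounts.
SAMPLE_ROWS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
    ("carol", "340000000000009"),
]

# Classic tautology payload: closes the quoted string, then appends an always-true clause.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Build a fresh in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (holder TEXT, pan TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, holder):
    """Vulnerable lookup (hypothetical): user input is spliced into the SQL text.

    The database is not at fault; it faithfully runs whatever statement the
    application assembled, including the attacker's appended clause.
    """
    sql = f"SELECT pan FROM cards WHERE holder = '{holder}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, holder):
    """Hardened lookup: the statement text is fixed and the value is bound.

    A bound parameter can only ever be compared as data; it cannot alter the
    structure of the query, so the tautology payload matches no holder.
    """
    sql = "SELECT pan FROM cards WHERE holder = ?"
    return [row[0] for row in conn.execute(sql, (holder,))]


if __name__ == "__main__":
    conn = make_db()
    print("legit lookup      :", lookup_vulnerable(conn, "alice"))     # one card
    print("injected, vulnerable:", lookup_vulnerable(conn, PAYLOAD))   # every card in the table
    print("injected, hardened  :", lookup_parameterized(conn, PAYLOAD))  # no rows
```

The vulnerable path returns the entire table for a single crafted input, which is the shape of the bulk card theft the affidavit describes; the parameterized path returns nothing for the same input because no account holder is literally named `x' OR '1'='1`.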
Investigators traced the intrusions to several servers belonging to HopOne Internet in McLean, Virginia, which turned out to be just a routing point for an attack that originated from servers at the Dutch web hosting company LeaseWeb — one of the largest hosting companies in Europe.
U.S. officials asked Dutch law-enforcement agents on April 7, 2008, to track “all computer traffic pertaining to three servers hosted by LeaseWeb” and intercept “the content of that traffic” for 30 days, according to the affidavit. The interception request was renewed for another 30 days on May 9.
Among the wiretapped traffic, authorities found communications that allegedly occurred between Tenenbaum — using the e-mail address Analyzer22@hotmail.com — and other known hackers, discussing the breaches into the four U.S. institutions, “as well as many other U.S. and foreign financial institutions.”
In one instant message chat in April 2008, Tenenbaum allegedly discussed trying to hack into Global Cash Card after system administrators at the company apparently locked him out from an initial intrusion.
“Yesterday I rechecked [Global Cash Card]. They are still blocking everything,” he allegedly wrote. “So we can’t hack them again.”
Authorities say Tenenbaum gave a co-conspirator the compromised debit- and credit-card account numbers of more than 150 accounts taken from Symmetrex, as well as the computer commands he had used to execute the attack. Then, throughout the night of April 20, 2008, he received updates from accomplices in Russia and Turkey as they successfully withdrew cash from ATMs, and from accomplices in Pakistan and Italy, where the cards apparently failed to work.
The next day, more cards were used in Bulgaria, Canada, Germany, Sweden and the United States. By late afternoon that day, Tenenbaum told an accomplice he had racked up about “350 – 400” in earnings. The affidavit notes that this likely referred to thousands of dollars or thousands of euros.
Tenenbaum allegedly gave an accomplice additional cards in an April 20 chat and asked the accomplice to find a “casher” — the underground’s term for the low-level worker whose only job is to withdraw loot.
“I am making a small operation, you have casher?” he allegedly wrote. “I been trying to get a hold of you. I saved for you 25 cards, each one $1,500 limit. Get casher as soon as possible. OK, I will load them.”
According to authorities, after Tenenbaum got into the 1st Source Bank network, he obtained administrator privileges that allowed him to view credit card numbers and ATM output. In doing so he apparently ran into other hackers who were already in the system trying to execute shell commands.
“Is HUGE,” he allegedly wrote an accomplice. “I saw ATM outputs, tons of cards. I am admin there, and I already cracked some of the domain.”
His accomplice replied that there were already people inside the network and asked Tenenbaum to get out. Tenenbaum replied, “Dude, like I told ya. It’s [Microsoft] Windows network. I am happy I could help you to get shell there. Now it’s your guys’ job.”
About a month later, Tenenbaum allegedly disclosed that he’d hacked Alpha Bank in Greece, the country’s second largest commercial bank, where he said friends of his worked.
Despite Tenenbaum’s earlier notoriety as The Analyzer, he apparently made no attempt to hide his real identity, using an e-mail address with a name that was previously tied to him, as well as an IP address that was easily connected to him.