An unknown Indian hacker is being charged with the greatest cyber-heist in history, for allegedly helping a criminal gang steal identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8 billion in illegal funds.
An investigation by Scotland's Sunday Herald newspaper discovered, that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of UK's Best Western Hotel group's online booking system. He then sold details of how to access it through an underground network operated by the Russian mafia.
There are no details yet on how the hacker was identified to be an Indian, and if a probe is on to identify the person. It is also not known if the hotel chain has alerted the police about the heist.
The attack scooped up the personal details of every single customer that has booked into one of Best Western's 1312 continental hotels since 2007. Amounting to a complete identity-theft kit, the stolen data includes a range of private information including home addresses, telephone numbers, credit card details and place of employment.
"They've pulled off a masterstroke here. There are plenty of hacked company databases for sale online but the sheer volume and quality of the information that has been stolen in the Best Western raid makes this particularly rare," said security expert Jacques Erasmus, an ex-hacker who now works for the computer security firm Prevx.
"The Russian gangs who specialise in this kind of work will have been exploiting the information from the moment it became available late on Thursday night. In the wrong hands, there's enough data there to spark a major European crime wave," Erasmus added.
Although the security breach was closed on Friday after Best Western was alerted by the Sunday Herald, experts fear that information seized in the raid is already being used to pursue a range of criminal strategies.
These include:
- Armed with the numbers and expiry dates of customers' credit cards, fraudsters are equipped to make multiple high-value purchases in their victims' names before selling on the goods.
- Bundled together with home addresses and other personal details, the stolen data can be used by professional organised criminal gangs which specialise in identity theft to apply for loans, cards and credit agreements in the victims' names.
- Because the compromised information included future bookings, the gang now has the capacity to sift through the data and sell "burglary packs", giving the home addresses of local victims and the dates on which they are expected to be away from their home.
Although the nature of internet crime makes it extremely difficult to track the precise details of the raid, the Sunday Herald understands that a hacker from India - new to the world of cyber-crime - succeeded in bypassing the system's security software and placing a Trojan virus on one of the Best Western Hotel machines used for reservations. The next time a member of staff logged in, her username and password were collected and stored.
"Large corporate companies rely on anti-virus products to protect their infrastructure, but the problem with this approach is that these products only detect around 60 per cent of threats out there. In the right hands, viruses can easily bypass these programs, as was the case here," explained Erasmus.
With eight million people staying in the hotel group's 86,375 continental rooms every year, gaining access to the system is a major coup for the cyber-criminals responsible. Given that criminals now have access to all bookings from 2007-2008, and based on the FBI-sponsored Internet Crime Complaint Center's reports that the average victim of Internet crime loses £356, they are sitting on a potential haul of at least £2.84 billion.
Best Western Hotels closed the breach at around 2 pm on Friday afternoon. Stressing that staff are fully aware of the potential seriousness of the attack, the company reassured customers that it is now taking appropriate action, Sunday Herald said.
0 comments