Everyone in retail can breathe a little easier today knowing that federal authorities have charged David Benjamin Schrooten, or, as he is known in cyberspace, “Foretezza,” with multiple counts of credit card theft. Allegedly, Schrooten, who is a Dutch national, and his U.S. accomplice, Christopher A. Schroebel, actively hacked retail computer systems in the Seattle area, specifically to obtain credit cards. Once they stole the desired data, Schrooten is suspected of selling the credit cards on black market Internet sites.
At the time of this posting, it is believed that more than 44,000 credit cards were illegally obtained, resulting in millions of dollars of fraudulent charges. The method for the theft is similar to others that have recently been seen affecting retailers across the country. Everyone who owns a retail business should be familiar with this technique so that they can verify that their own security is sufficient to protect against this type of attack.
Basically, the scenario goes something like this: first, a vulnerable POS system is remotely compromised using a variety of hacking methods; then malware tailored to the POS system is uploaded to capture credit card data as it is received from the swipe. The hackers involved need to be sophisticated in order to be successful with this scheme, but with potentially millions of dollars at stake, there is no shortage of criminals willing to put forth the effort.
The reason this story is particularly rewarding is that one of the suspects was in Romania when he was captured by the Romanian National Police. In the past, Romania was one of the countries where cyber criminals had free rein to perform their illegal actions with little risk of reprisals. This arrest is a good sign that Romania may not be a safe haven for criminals anymore and that the U.S. Department of Justice may be more successful in arresting and prosecuting foreign criminals in the future. As U.S. Attorney Jenny A. Durkan stated in a press release earlier this week, “Cybercriminals need to know: We will find you and prosecute you.”
All we can say to that is good luck and keep up the good work!
Bradley K. Cyprus has more than 20 years' experience in the security industry. He manages the development of in-house solutions to validate compliance, and he is a resource that Vendor Safe customers can rely upon to help interpret the PCI standard.