Buried in the federal indictments unsealed this week against four men accused of stealing tens of millions of consumer records from JPMorgan Chase and other brokerage firms are other unnamed companies that were similarly victimized by the accused. One of them, identified in the indictments only as “Victim #12,” is an entity that helps banks block transactions for dodgy goods advertised in spam. Turns out, the hackers targeted this company so that they could more easily push through payments for spam-advertised prescription drugs and fake antivirus schemes.
According to multiple sources, Victim #12 is none other than Bellevue, Wash. based G2 Web Services LLC, a company that helps banks figure out if a website is fraudulent or is selling contraband. G2 Web Services has not responded to multiple requests for comment.
In the final chapters of my book, Spam Nation: The Inside Story of Organized Cybercrime, I detailed the work of The International AntiCounterfeiting Coalition (IACC), a non-profit organization dedicated to combating product counterfeiting and piracy.
In 2011, G2 Web Services landed a contract to help the IACC conduct “test buys” at sites with products that were being advertised via spam. The company would identify which banks (mostly in Asia) were processing payments for these sites, and then Visa and MasterCard would rain down steep fines on the banks for violating their contracts with the credit card companies. The idea was to follow the money from schemes tied to cybercrime, deter banks from accepting funds from fraudulent transactions, and make it difficult for spammers to maintain stable credit card processing for those endeavors.
Prosecutors say the ringleader of the cybercrime gang accused of breaking into JPMC, Scottrade, E-Trade and others is 31-year-old Gery Shalon, a resident of Tel Aviv and Moscow. Investigators allege Shalon and his co-conspirators monitored credit card transactions processed through their payment processing business to attempt to discern which, if any, were undercover transactions made on behalf of credit card companies attempting to identify unlawful merchants. The government also charges that beginning in or about 2012, Shalon and his co-conspirators hacked into the computer networks of Victim-12 (G2 Web Services).
Shalon and his gang allegedly monitored Victim-12’s detection efforts, including reading emails of Victim-12 employees so they could take steps to evade detection.
“In particular, through their unlawful intrusion into Victim-12’s network, Shalon and his co-conspirators determined which credit and debit card numbers Victim-12 employees were using the make undercover purchases of illicit goods in the course of their effort to detect unlawful merchants,” Shalon’s indictment explains. “Upon identifying those credit and debit card numbers, Shalon and his co-conspirators blacklisted the numbers from their payment processing business, automatically declining any transaction for which payment was offered through one of those credit or debit card numbers.”
According to the U.S. government, Shalon ran idpay.com, a dodgy credit card processor that worked with dozens of banks to push through sales for fake antivirus and pharma-spam sites. Interestingly, in 2011, I wrote about a source who’d stumbled upon a portion of the customer database for idpay.com. As I wrote then:
“The idpay.com database indicates that a large number of fake AV Web sites were using idpay.com to process payments (a partial list is here). The idpay.com database revealed even bigger fish: Among the companies it processed was rx-partners.com, a major rogue pharmacy affiliate program that pays hackers and spammers to promote its pharmacy sites.”
“Another interesting client that processes payments through idpay.com was HzMedia Limited. That entity is owned by Igor Gusev, the founder of GlavMed, one of the world’s largest and spammiest rogue Internet pharmacy affiliate programs.”
Gusev would emerge as one of two major cybercrime kingpins I profiled in Spam Nation.
This story is interesting because it shows how money laundering is such a key component of cybercrime operations, and that anyone who has built such networks likely knows or works with a great many of the world’s top cybercrooks. It also illustrates the lengths to which organized cybercriminals will go to preserve their business models.
G2 was profiled in a New York Times story last month on firms that pit artificial intelligence against hacking threats. That piece cited G2 Web’s ability to spot “transaction laundering,” in which an illegal business tries to appear legitimate by processing transactions through a legal site. The story didn’t mention a breach, but it quoted a G2 employee on the challenges associated with fighting crooks who possess the means and the motive for hacking those who stand in their way.
“The guys who run these illicit sites are also into viruses and malware,” the Times quoted Alan Krumholz, principal data scientist at G2. “It’s a cat-and-mouse game. They go from one business into another.”
The full indictment against Shalon is here (PDF). The mention of Victim 12 (G2) is on page 23.