Dan Oakes and Ben Grubb August 17, 2012
Targets of the breaches were often stores in remote places. Photo: Michel OSullivan
Eastern European hackers have stolen half a million credit card numbers from Australians and racked up $25 million in fraudulent transactions, federal police have revealed.
Australian Federal Police were unable to provide details of their ongoing investigation, but they confirmed they were working with law enforcement bodies in other countries to tackle the organised hacking ring.
"The Australian Federal Police can confirm it is currently investigating a series of merchants whose individual computer systems have been compromised," a spokeswoman told The Age.
"The compromise is believed to have involved approximately 500,000 credit cards and resulted in more than $25 million in fraudulent transactions."
SC Magazine, which specialises in business intelligence, has reported that the same hacker group is believed to have been responsible for a hack of US Subway restaurants, which resulted in four Romanian nationals being charged over millions of dollars in credit card fraud affecting about 80,000 customers.
The magazine said the syndicate found its victims by scanning the internet for vulnerable point of sale terminals.
"The borderless nature of this crime type poses new and unique challenges for law enforcement. International and private sector co-operation is critical to the AFP's ability to target this type of compromise, which is a challenging and time-consuming process," the police spokeswoman said.
"This investigation demonstrates the importance of the AFP's close working relationship with its international law enforcement counterparts, private industry and the financial sector to combat this crime type and bring those responsible to justice."
In May, The Age reported that opportunistic hackers were stealing credit card information from small businesses, such as fish and chip shops, that failed to secure their computers and tellers.
According to consultant Marc Bown of the IT security firm Trustwave, which investigates data breaches on behalf of banks, hackers break into badly secured e-commerce websites via security holes in out-of-date shopping cart software, and into point of sale computers with weak passwords like ‘‘password1’’ via remote desktop software used for technical support.
Often the breached stores were in rural and remote regions, Bown said, and had fewer than 50 employees. ‘‘And they all had an IT guy who, of course, said everything was OK.’’
‘‘[Hackers are] not going to spend twice as long trying to compromise a supermarket chain when they can go and compromise 50 fish and chip shops that have much weaker levels of security and which will ultimately give them the same end goal,’’ Bown said.
‘‘It’s going to cost them a lot less to go after the weaker targets than to spend all of their effort going after a single high-security target.’’