Unmasking the Cyber Underworld: A Tale of 130 Million Stolen Cards

HackTheBox SRMIST
Jul 2, 2023


Overview of the Attack

Albert Gonzalez, also known as “segvec,” “soupnazi,” and “j4guar17,” has been charged with conspiracy to hack into computer networks supporting major American retail and financial organisations and to steal data from more than 130 million credit and debit cards. Gonzalez and two alleged co-conspirators used a hacking technique known as a “SQL injection attack” to target network flaws and circumvent firewalls, allowing them to collect crucial card information. The indictment goes into depth about their research on targeted networks, the attacks themselves, and the transfer of stolen data to computers in various places. Gonzalez and his associates used sophisticated techniques to conceal their activities and escape detection. Gonzalez could face severe prison time and fines if convicted.

Impact of the Attack

As we can see from the chart below, SQL Injection was the third most widespread web vulnerability in 2008, according to The Web Application Security Consortium (WASC).

Hackers can make unauthorized purchases with stolen card information or sell the card details on the darknet. With your personal details, anyone can open new accounts in your name and make illegal transactions, landing you with a hefty bill and potentially damaging your credit score too. In other words, cyber criminals can use this information to buy things without your permission and carry out illegal transactions. Fraudsters could also use your personal information to set up a phishing attack and get you to hand over even more information, such as your account number, credit card details or Aadhaar number, so that they can steal your money.

The reported impact on the companies that fell victim to the 2008 attacks by the Miami hacker is as follows:

  • On March 17, 2008 Hannaford Brothers announced that it had been the victim of a malware attack it characterized as “new and sophisticated” which resulted in over 4.2 million credit and debit card numbers being compromised. In every one of its close to 300 grocery stores in Maine, Vermont, New Hampshire, Massachusetts, New York and Florida the malware had intercepted credit and debit card data after the customers swiped their card at the checkout counters. This stolen credit card data was fraudulently used in at least 1,800 cases in the U.S. as well as Mexico, Bulgaria and Italy.
  • Citibank officials witnessed a huge spike in fraudulent withdrawals from New York area ATMs — $180,000 was stolen from cash machines on the Upper East Side in just three days. In the end, there were 10 arrests and at least $2 million stolen. It started with a breach of the public website of America’s most famous convenience store chain: 7-Eleven.com. The Russians, evidently using an SQL injection vulnerability, “gained unauthorized access to 7-Eleven, Inc.’s servers through 7-Eleven’s public-facing internet site, and then leveraged that access into servers supporting ATM terminals located in 7-Eleven stores,” the plea agreement reads. “This access caused 7-Eleven, Inc., on or about November 9, 2007, to disable its public-facing internet site to disable the unauthorized access.”
  • Back in 2008/2009, Heartland Payment Systems suffered a massive data breach at the hands of two Russian hackers who installed malware on their systems and exploited SQL vulnerabilities. They made off with 100 million debit and credit card numbers. Many customers lost names, email addresses, home addresses, social security numbers, and other personal banking details. Their boldness cost them $140 million in fines and penalties as a result.

Root causes and motives behind the attack

The root cause of such attacks often lurks within the dark corners of computer networks, where vulnerabilities await their moment to strike. Outdated software, neglected systems, shoddy network design, or flimsy security measures can create the perfect breeding ground for these digital mischief-makers. It’s like leaving the front door wide open while whispering, “Come on in, hackers!”

But let’s not forget the art of exploiting security flaws. Just like a skilled locksmith picking a lock, they employ techniques like the infamous SQL injection attack. They find that one chink in the armor, that one vulnerability in the firewall, and bam! They’re in, like a magician pulling a rabbit out of a digital hat.

Now, hold on to your wallets, because here comes the motive: cold, hard cash. Yes, ladies and gentlemen, financial gain is often the name of the game in these cybercrime sagas. By getting their hands on credit and debit card data, these digital bandits can turn a profit faster than you can say “identity theft.” They sell this precious loot on the black market or engage in unauthorized transactions, all in the pursuit of maximizing their ill-gotten gains.

While the precise details of this particular case may not be spelled out, it’s clear that taking precautions is essential in this digital age. So, my dear readers, remember to lock those virtual doors, update your software regularly, maintain your systems with care, and fortify your networks like the castles of old. By implementing these wise practices, you’ll stand a better chance against these cyber villains and keep your sensitive data out of their clutches.

Similar Incidents of Attack

There have been many incidents in the past few years, ranging from attacks on small, poorly defended targets to attacks on major MNCs. A few such earth-shaking incidents are listed below.

Heartland Payment Systems in 2008. The largest SQL injection attack to date. The SQL injection attack was used to gain access to credit card processing systems. The attack began in March 2008, but was not discovered until January 2009.

HBGary breach: hackers affiliated with the Anonymous activist group used SQL injection to take down the IT security company’s website. The attack was a response to HBGary’s CEO publicizing that he had the names of Anonymous members.

Estonian Central Health Database (2020): A massive SQL Injection attack potentially compromised the health records of nearly all of Estonia’s citizens.

These attacks have even embarrassed security companies such as Fortinet, which has fixed multiple severe vulnerabilities in its products, ranging from remote code execution to SQL injection. There was also the infamous report that a Sony website was vulnerable to a time-based SQL injection; the researchers demonstrated the vulnerability by running a sleep() command on the underlying database.

Analyzing the Techniques and Method used in the Attack

SQL Injection — Injecting the juice manually

We will be using the OWASP Juice Shop to demonstrate this attack.

SQL injection is when an attacker enters a malicious or malformed query to retrieve or tamper with data in a database, and in some cases to log into accounts.

In this demonstration we will show how we can log into an admin’s or a user’s account using SQL injection.

So let’s get started!!

After we navigate to the login page, enter some data into the email and password fields.

Now, we will put the following into both the email and password fields ⇒ ' or 1=1 -- and boom, we are logged in as an admin!

But why does this work?

  1. The ' character closes the open quote of the string literal in the SQL query, so whatever follows is interpreted as SQL rather than as data.
  2. ‘OR’ in a SQL statement returns true if either side of it is true. As 1=1 is always true, the whole condition is true. Thus the server is told that the email is valid, and we are logged in as user id 0, which happens to be the administrator account.
  3. The -- sequence is used in SQL to comment out the rest of the line, so any further restrictions on the login (such as the password check) no longer apply, as they are interpreted as a comment. This is like the # and // comments in Python and JavaScript respectively.

Having logged in as an admin, let’s see if we can do the same with any user account.

Browsing the site for a while, we can see a review from a user whose email address is shown.

This time we will put the email as ⇒ bender@juice-sh.op' -- and anything random as the password.

But why don’t we put the 1=1?

Well, as the email address is valid (so the email check already returns true), we do not need to force it to be true. Thus we are able to use ' -- alone to bypass the login check. Note that 1=1 is needed when the email or username is not known or is invalid.

Boom!! we did it again, but this time as a user…
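To make the two bypasses above concrete from the defender’s side, here is an added example (not code from the original post or from OWASP Juice Shop) that builds the same login check two ways on a constructed Users table in Python’s built-in sqlite3: once by pasting the input into the SQL text, and once with a parameterised query. The table contents, the column names and the plaintext passwords are assumptions made for the example.

```python
"""Added example: why ' or 1=1 -- and bender@juice-sh.op' -- bypass a
string-built login query, and why a parameterised query stops both."""
import sqlite3

# Constructed sample data. The first row is the administrator, mirroring the
# post's observation that the lowest user id is the admin account. Passwords
# are plaintext only to keep the example short; real systems store hashes.
SAMPLE_USERS = [
    (0, "admin@juice-sh.op", "example-admin-pass"),
    (1, "bender@juice-sh.op", "example-bender-pass"),
    (2, "jim@juice-sh.op", "example-jim-pass"),
]


def make_db():
    """Create an in-memory database holding the constructed Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(conn, email, password):
    """The anti-pattern: user input is concatenated into the SQL text.

    A quote in the input ends the string literal, so the rest of the input
    becomes SQL syntax, and the trailing -- comments out the password check.
    Returns (id, email) of the first matching row, or None.
    """
    query = (
        "SELECT id, email FROM Users WHERE email = '" + email
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def safe_login(conn, email, password):
    """Parameterised query: the values travel separately from the SQL text,
    so quotes and comment markers are only ever treated as data."""
    return conn.execute(
        "SELECT id, email FROM Users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    for label, payload_email in [
        ("unknown user, forced true", "' or 1=1 --"),
        ("known user, password commented out", "bender@juice-sh.op' --"),
    ]:
        print(label)
        print("  string-built query ->", vulnerable_login(db, payload_email, "x"))
        print("  parameterised query ->", safe_login(db, payload_email, "x"))
```

Against the string-built query the first payload logs in as the admin row and the second as bender without knowing either password; against the parameterised query both return nothing, because the driver never lets the quote or the `--` change the shape of the statement. This is the same distinction sqlmap or a manual tester probes for, so it is the check worth adding to code review before anything else on this page.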

Now, if I put a random string in the search parameter and hit ENTER, it appears in the URL, which means the search uses the GET method to send the request to the server.

Now open your terminal or command prompt and type the following command (request.txt here is the saved HTTP request for that search):

python3 sqlmap.py -r /home/digmasuck/Desktop/request.txt --dbs --level 5

You can see we got the database information. To find out what is inside the database, just type this command:

python3 sqlmap.py -r /home/kairaj5456/Desktop/request.txt --tables --threads 10

As you can see, I got 20 tables, but I’m only interested in the ‘Users’ table. To see what is inside that table, you just need to type this command and hit ENTER:

python3 sqlmap.py -r /home/kairaj5456/Desktop/request.txt --threads 10 -T Users --columns

This is how a typical SQL injection attack is performed.
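Both the manual probing above and an automated sqlmap run leave a recognisable trail in the web server’s access log: quote characters followed by boolean conditions, trailing comment markers, UNION and sleep() probes, and, unless the operator changes it, a User-Agent that names the tool. The following added example (not part of the original post) runs a small detector over constructed access-log lines to show what the defender’s side of this section looks like. The log lines, the search endpoint path, the indicator patterns and the burst threshold are all assumptions made for the example, not a production ruleset.

```python
"""Added example: flag clients whose requests carry SQL injection indicators
in an access log. Log lines are constructed; patterns are illustrative."""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed "combined" format log lines: two normal searches from one
# client, a single manual probe from a second, and a scanner burst from a third.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jul/2023:10:00:01 +0000] "GET /rest/products/search?q=apple HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Jul/2023:10:00:04 +0000] "GET /rest/products/search?q=juice HTTP/1.1" 200 498 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Jul/2023:10:01:10 +0000] "GET /rest/products/search?q=%27%20or%201%3D1%20-- HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
10.0.0.7 - - [02/Jul/2023:10:02:00 +0000] "GET /rest/products/search?q=x%27%20AND%201%3D1-- HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.7 - - [02/Jul/2023:10:02:00 +0000] "GET /rest/products/search?q=x%27%20AND%201%3D2-- HTTP/1.1" 200 12 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.7 - - [02/Jul/2023:10:02:01 +0000] "GET /rest/products/search?q=x%27%20UNION%20SELECT%20NULL-- HTTP/1.1" 500 0 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.7 - - [02/Jul/2023:10:02:01 +0000] "GET /rest/products/search?q=x%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators matched against the URL-decoded, lower-cased query string.
# Illustrative only: a real ruleset is larger and is tuned against the
# application's legitimate inputs to keep false positives down.
INDICATORS = [
    (re.compile(r"'\s*(or|and)\s+[\w\"']+\s*=\s*[\w\"']+"), "quote break followed by boolean condition"),
    (re.compile(r"--\s*$"), "trailing SQL comment"),
    (re.compile(r"\bunion\b.*\bselect\b"), "UNION-based probe"),
    (re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b"), "time-based probe"),
]
# sqlmap's default User-Agent names the tool; --random-agent hides it, so
# this is a cheap first signal, never the only one.
SCANNER_UA = re.compile(r"sqlmap", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def indicators_for(path):
    """List the indicator labels that fire on the request's query string."""
    query = unquote_plus(urlsplit(path).query).lower()
    return [label for pattern, label in INDICATORS if pattern.search(query)]


def analyse(log_text, burst_threshold=3):
    """Summarise suspicious activity per client IP.

    Only clients with at least one indicator hit or a scanner User-Agent
    appear in the result; 'burst' marks clients at or above the threshold.
    """
    report = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        reasons = indicators_for(entry["path"])
        scanner = bool(SCANNER_UA.search(entry["ua"]))
        if not reasons and not scanner:
            continue
        client = report.setdefault(
            entry["ip"],
            {"suspicious": 0, "reasons": set(), "scanner_ua": False, "burst": False},
        )
        if reasons:
            client["suspicious"] += 1
            client["reasons"].update(reasons)
        client["scanner_ua"] = client["scanner_ua"] or scanner
        client["burst"] = client["suspicious"] >= burst_threshold
    return report


if __name__ == "__main__":
    for ip, summary in analyse(SAMPLE_LOG).items():
        print(ip, summary)
```

Run stand-alone it prints one line per suspicious client: the manual tester at 10.0.0.9 shows a single hit (boolean condition plus trailing comment), while 10.0.0.7 shows four hits, the scanner User-Agent and the burst flag, which is the shape a `--dbs`/`--tables` run produces because sqlmap sends many probes per parameter. In practice this kind of rule belongs in the WAF or SIEM alongside the parameterised-query fix, not in place of it, since the detector only sees attempts, while the query fix removes the vulnerability.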

Best Practices to Protect from Such Attacks

Alright, listen up folks! If you want to protect yourselves from those sneaky hackers trying to steal your credit and debit card data, here are some wickedly cool best practices:

Stay updated like a tech-savvy ninja: Keep your systems and software up to date with the latest security patches. Don’t give those hackers a chance to exploit outdated vulnerabilities. Upgrade, my friends!

Strong passwords, superhero style: Don’t be a password weakling! Use strong, unique passwords like a superhero with an unbreakable shield. And hey, consider adding multi-factor authentication for an extra layer of protection. You’ll be a security superstar!

Arm your brain with knowledge: Train your team to spot those cunning phishing emails and crafty social engineering tricks. Teach them to be skeptical of suspicious links and attachments. Knowledge is power, my cyber warriors!

Fire up those firewalls: Get your virtual fire-breathing dragons! Install firewalls and intrusion detection systems to keep the baddies out. Let them know your network is off-limits!

Remote work, VPN style: If you’re working remotely, put on your virtual invisibility cloak with a trusty VPN. It keeps your connections super secure, just like a secret agent on a mission.

Back up like a boss: Regularly back up your data as if you were guarding precious treasure. Keep it safe and sound, so you can defeat any villainous data loss attempts.

Be a detective of the digital world: Monitor your network like a cyber Sherlock Holmes. Use tools to spot any strange activities that could mean trouble. No hackers will escape your watchful eye!

Hunt down vulnerabilities: Conduct assessments and penetration testing like a cyber bounty hunter. Find those weaknesses, patch them up, and show those hackers who’s the boss!

Plan your counterattack: Have an incident response plan ready, like a superhero with a well-thought-out battle strategy. When the chaos ensues, you’ll be prepared to kick some cyber-butt!

Seek help from the cybersecurity Avengers: When in doubt, call in the experts! Get external security wizards to lend a hand. They’ll help you fortify your defenses and keep those hackers at bay.

Reference

https://www.acunetix.com/blog/news/looking-back-at-2009-through-sql-injection-goggles/

https://economictimes.indiatimes.com/news/international/man-who-stole-130-million-credit-cards/articleshow/4910477.cms

Contribution

Writers:-

Akshay Raj | Sudoer

Mehul Dadlani | Binary

Nasir Hussain | Binary

Gurupreet Singh | Binary

Khushi Tiwari | Binary

Nawnit Singh | Binary

Designers:-

Abhinav Shandilya | Sudoer

Khushi Tiwari | Sticky Bit

Tushi Mittal | Binary

Written by HackTheBox SRMIST

HackTheBox SRMIST focuses on training the next-gen of cyber-warriors transforming the cyber space in SRMIST and beyond. https://www.htbsrmist.tech