July 26, 2021
As a recognized expert in cybersecurity and data breach response, Sherri has been called a “security badass” by the New York Times, and has conducted cybersecurity training for many distinguished organizations including the Department of Defense, the American Bar Association, FFIEC/FDIC, and many more.
She is a faculty member at the Pacific Coast Banking School, and an instructor for Black Hat, where she teaches her “Data Breaches” course.
Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast Making History. He is the author of three books (all in Hebrew): Perpetuum Mobile, about the history of perpetual motion machines; The Little University of Science, a book about all of science (well, the important bits, anyway) in bite-sized chunks; and Battle of Minds, about the history of computer malware.
Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.
Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason.
Hi, and welcome to Cybereason’s Malicious Life. I’m Ran Levi.
This is the third and final part of our mini series on Albert Gonzalez: the hacker who, while working as an informant and double agent for the Secret Service, was hacking into the networks of some of the largest retail chains in the US, stealing literally hundreds of millions of credit and debit card numbers.
WHY ALBERT DID IT
What would it take for you to do really bad things? To steal from others? Cheat on your spouse? Lie and deceive people who trust you?
In 2010, a reporter for the New York Times visited the Wyatt Detention Center in Central Falls, Rhode Island. He sat down. Across from him was a 28-year-old–a bit pale, bloodshot eyes behind wire frame glasses. His baggy khaki jumpsuit hid just how thin he’d gotten since his days as a Secret Service informant.
The reporter started his recorder, and Albert Gonzalez began to reflect on why, time and again, he chose to do such bad things. The things that landed him where he was today. Quote:
“I’ve been asking myself, why did I do it? At first I did it for monetary reasons. The service’s salary wasn’t enough, and I needed the money. By then I’d already created the snowball and had to keep doing it. I wanted to quit but couldn’t.”
End quote. In the opening episode in this series, we wondered what could have motivated Albert to make such bad decisions. Same for Jonathan James. It must have been pathological; some kind of obsession. Quote:
“I remember so many times having arguments with my mother when she’d try to take the computer power cord from me, or she’d find me up at 6 a.m. on the computer when I had to be at school at 7:30. Or when I’d be out with [my girlfriend] and not paying any attention to her because I’d be thinking about what I could do online.”
We have to be careful here. The instinct, with complicated stories, is to create some kind of theme–a neat, cohesive explanation so that everything makes sense and comes together nicely. Using obsession to justify Albert’s actions toes that line. But it’s worth noting that we’re not saying anything new here. While he was standing trial, a judge ordered that Albert receive a psychological evaluation. In the report that followed, the psychologist wrote, quote:
“He identified with his computer. It is hard, if not impossible, even at the present for Mr. Gonzalez to conceptualize human growth, development and evolution, other than in the language of building a machine.”
Albert’s entire world was filtered through his computer. He was capable of doing really bad things because the consequences played out in the real world, to real people. The betrayal of friends and family, the threat of identity fraud for a middle class family: none of that occurred in machine language.
INTRO TO PATRICK TOEY
It was much different for Albert’s right hand man, Patrick Toey. Patrick wasn’t obsessive like Albert and Jon James. For him there were, arguably, even better reasons to do bad things.
Toey spent most of his childhood in limbo. Raised by a single mother but mostly unsupervised, he began experimenting with computers and drugs as early as age 11. He wasn’t a genius businessman like Albert, or a prolific coder like Jonathan James–computers were just a way of escaping an otherwise pretty unenviable situation at home.
His mother remarried and had two kids but, at age 15, Patrick dropped out of high school and his mother divorced, leaving him and his half-siblings in poverty. The family bounced from place to place, eviction to eviction. They ended up staying with family friends where, according to Wired, quote, “his mother spent much of her time partying, drinking and smoking pot.”
It’s not so surprising, then, that Patrick ended up with #feed-the-goats: the script kiddie IRC channel where guys like Albert, Jon, Chris Scott and Stephen Watt would hang out and coordinate attacks against websites.
But it was different with Patrick. He liked the other guys, and the fun of hacking, sure, but he’d ended up there for a fundamentally different reason. He wasn’t like Albert, with the self-made, entrepreneurial father, or Jon, who grew up with money.
By age 18 Patrick’s family was living at a residential hotel, but they didn’t have enough rent money. They were facing yet another eviction. So, one day in 2003, he told his mom what he was going to do. She listened, and gave him her blessing. So he took a bus into New York City, and began cashing out cards for the cybercriminal Albert Gonzalez.
The money he earned as Albert’s mule was enough to pay the rent, and more. Soon, the family was able to afford their own apartment.
Albert saved Patrick. On top of that, he was the father figure Patrick never had: a bit older, wiser, taking him under his wing. They began spending all kinds of time together. As Albert escalated to more and more serious crimes, he brought Patrick along for the ride. He rented a condo and let Patrick live there, free of charge. More so than anyone else in the crew, Patrick really loved Albert.
It makes you think, if you were in his position. If you were facing yet another eviction from your home. If you looked into your family’s eyes and saw that they were struggling.
What would it take for you to do really bad things?
MONEY COMING IN
Curry, Klay, K.D., Draymond, Zaza. Kareem, Magic, James Worthy, A. C. Green, Byron Scott. If you watch basketball, you know that with an elite starting five you can do just about anything. Nobody could stop the 90s Bulls, or the 60s Celtics. By 2006 Albert Gonzalez had pulled off the greatest financial data breach in history to that point. But he didn’t do it on his own–he had Jonathan James, Chris Scott, Patrick Toey and Stephen Watt behind him. The 1997 Chicago Bulls of cybercrime.
He also had a bench full of role players.
[Sherri] At this time, Albert Gonzalez has built essentially an international syndicate.
Sherri Davidoff, CEO of LMG Security.
[Sherri] So they steal card numbers from these retailer networks and those are uploaded to servers that he hosts in Latvia and the Ukraine. And then he gives those card numbers to his business partners in order to convert those to actual money.
The partners receive the card data, copy it onto blank cards, and sell them at shady nightclubs around Europe for $300 a pop. Half the profits go back to Albert.
Even with only half the profits, it starts to add up. It gets to be so much, in fact, that even just getting the money to Albert becomes a logistical nightmare. This is before Bitcoin, remember.
[Sherri] Jonathan James, for example, set up a mail drop for him and that way his partners around the world could mail him cash to that mail drop that other people could pick up.
We’re talking about boxes full of straight-up cash. Exactly how much money Albert made during this period is unknown, but if you want a sense of it, consider this: On one occasion, Albert’s money counting machine actually broke from overuse. He complained to Stephen that he had to count $340,000 by hand.
[Sherri] At this time, he also bought a BMW. He threw himself a birthday party for $75,000.
Tables stacked up with drugs. Booze. Girls.
[Sherri] He’s staying in luxury hotels.
On one occasion, a $5,000 penthouse suite in a beachside resort in South Beach, Florida. According to NBC’s “American Dream,” on top of their normal drugs, Albert and his friends made special concoctions called “Magic Milkshakes”: cookies and cream ice cream, milk, shrooms, LSD and ecstasy, all thrown in a blender.
There were too many drugs and not enough mouths and noses to inhale them. There was nobody around to stop them. And too much money to spend, even if they tried. They were living the dream–at least, their version of it.
But you’ve seen crime movies before: what always happens right after the bad guys think they’ve won? When they pull off the job, they’re rich, they think they’re finally done? The movie never ends there! What’s the next scene?
One afternoon in the spring of 2008, Albert and Patrick Toey were driving back from an ordinary recon mission, scouting the point of sale machines at a Toys R Us. From the New York Times, quote:
“[A] sports car with tinted windows pulled up behind them at a red light. Gonzalez became suspicious and turned into a bus lane. The sports car followed. When the light turned green, Gonzalez didn’t move. The car didn’t move. After waiting for minutes, in a static game of chicken, car horns blaring, Gonzalez suddenly accelerated into oncoming traffic before doing a U-turn and turning into an alley. The pursuing car flew by, Gonzalez pulled out behind him, sped up alongside the car and peered inside. Gonzalez and Toey made out a police light on the dashboard. It was a surveillance car.”
It was just before Christmas, 2006, when TJX examined its servers and finally noticed what they’d completely missed for a year and a half: that they’d been fleeced. According to one accountant, the amount of stolen data represented, quote, “somewhere between approximately half to substantially all of the transactions at [TJX’s] U.S., Puerto Rican and Canadian stores.”
It’s hard to imagine what it must’ve felt like, to find that out for the first time. I figure most of you listeners out there haven’t ever been in the position where you exposed the personal and financial information of half the continent of North America.
Probably after a good bit of freaking out, TJX lawyers phoned the Massachusetts Attorney General’s office, and U.S. Justice Department, to report the worst data breach ever recorded.
But despite a mountain of data, there were no clear answers to be found. The U.S. government hadn’t a clue who was behind these breaches. One investigator recalled just how difficult it was to piece things together, quote:
“What did we know from the forensics, as to where it was going? Did it look like anybody else that we’d ever seen? All of these things were being carefully followed out, wholly, I’m embarrassed to say, unsuccessfully.”
One person on nobody’s list of suspects was the Secret Service’s best informant, Soup.
[Sherri] So now, it’s around 2007 and he’s bored at the Secret Service.
We’ve been emphasizing it all series, but it’s worth saying again: Albert is still working for the Secret Service. Even after TJX, the parties, the cash deliveries. But he’s no longer such a model employee.
[Sherri] He’s not showing up on time. They’re talking about HR issues.
They’re finally thinking of letting Albert go. For now, though…
[Sherri] He’s aware of all the investigations that the Secret Service has. He’s helping them bust carders and sometimes he would actually frame other hackers.
He even knows about one of the Service’s most fruitful leads–happening mostly in secret, half a world away.
In early 2007, a Secret Service agent operating out of San Diego takes a flight halfway across the world. He’s going to meet with Europe’s most prolific stolen card salesman.
[Sherri] A Secret Service undercover agent had been buying payment card dumps from Maksym Yastremskiy for two years and he traveled to Dubai to meet Maksym Yastremskiy, who trusts him.
In Dubai, the agent manages to covertly copy the hard drive of Yastremskiy’s computer. The copy is brought back to the U.S. for analysis.
[Sherri] So as the Secret Service is analyzing Yastremskiy’s laptop, they find there’s an anonymous person who is his number one biggest provider of credit card dumps but they can’t figure out who that person is.
There’s no personally-identifying information, other than an ID number: 201679996.
In the chat logs, though, there are a few interesting details to be found. Like, at one point, 9996 sent Yastremskiy a piece of software. They noted that it was something they’d modified for, quote, “use in TJX.”
In another instance, Yastremskiy and 9996 were coordinating a breach of Dave & Buster’s, the arcade chain. Yastremskiy asks his partner to send over sniffer code, to help capture the company’s card data. It’s the same code that was used against TJX, although the Secret Service didn’t yet know it by its given name: “blabla.”
In July, Yastremskiy is arrested in a Turkish nightclub.
[Sherri] And when he’s arrested, that anonymous person had just asked him for a fake passport for one of his cashers who had been arrested.
CONNECTING THE DOTS
But he hadn’t indicated, in the chat, where the arrest actually occurred.
[Sherri] So the Secret Service rushes to figure out who is this casher that’s been arrested, and it’s actually hard for them to find out. They end up combing arrest records throughout the United States.
After weeks of calling police precincts and U.S. attorneys’ offices around the country, looking for any case similar to the one described, they find what they’re looking for: in a North Carolina prison, a man named Jonathan Williams.
[Sherri] And they find that he has $200,000 of cash, 80 blank cards, and a thumb drive on him.
Not to mention: a 9mm Glock handgun with a silencer. But the thumb drive is the real weapon.
[Sherri] It had Albert’s photo, Albert’s credit report, and the address of his sister. And reportedly, the reason that he was carrying that around was in case Albert tried to rat him out, he had that information with him.
In their chat logs with Yastremskiy, 9996 was careful to disclose no personal information. But after months and months of waiting, Secret Service technicians managed to obtain the registration information behind the account.
One of the agents told the Times what happened next. It was an afternoon in December 2007. A few agents were sitting in an office, looking at a computer screen. Another agent was called in: she headed into the office, and they showed her the email address they’d pulled up for 201679996. From the New York Times, Quote:
“And they looked at me. They’ve got 10 agents looking at me. Three minutes passed by, I was sitting there like a dull person. And then I was like, ‘Oh, my God!’”
[Sherri] It turned out it was connected to the email address, dun dun dun… firstname.lastname@example.org.
May 6th, 2008. With a battering ram at the ready and weapons drawn, a SWAT team bursts into the home of Christopher Scott. They put him in handcuffs, and seize nine computers and 78 marijuana plants.
Stephen Watt returns to his apartment in Greenwich Village after a day out. He finds the feds waiting there for him.
A team of agents rush into Albert’s condo. Inside is Patrick Toey, half-asleep, and piles of computers, designer drugs, and cash.
A few miles away, they knock on the front door of the Gonzalez family home. They’re also at his girlfriend’s house. In total, around 150 agents of the United States government are looking for the most wanted cybercriminal in the country. But he’s nowhere to be found.
[Sherri] They didn’t get Albert, and they knew they had to get him fast or he would flee the country.
Albert always knew the day might come, so he’s prepared. He has everything he needs to get out, including a fake passport.
The agents are panicking. One recalled, quote: “Albert had said during [Operation] Firewall how afraid he was of spending any time in prison. I knew he’d be gone the next day.”
If Albert makes it onto foreign soil, he’s gone forever. The day ends. Still no Albert.
May 7th. 7:00 A.M. On a tip, a team of agents arrives at a suite at the nearby National Hotel.
That day at the National Hotel, even just looking at him, it was obvious just how deep Albert had fallen.
Remember that kid that first joined the Secret Service? Scrawny, disheveled, addicted to drugs. But then he started to turn himself around–eating more, cutting his hair short, cleaning up his act. That was the kid Agent Michael knew. The one they called “Soup.”
On May 7th, 2008, his hair was long again. In the suite with him were laptops, 22,000 dollars in cash, a Croatian woman, and a Glock 27.
This wasn’t Soup. This was soupnazi.
Albert knew enough about how law enforcement worked not to tell them anything. But he wasn’t the only one in custody, so when his right hand man, Patrick Toey, started to talk, it was all over.
After months of interrogation, Albert finally pointed investigators to what they were looking for.
For the final time, a group of agents traveled to the home of Mr. and Mrs. Gonzalez. At 32nd Street and 64th Avenue, in a working class neighborhood south of downtown Miami. Small but pretty–with palm trees, flowers, a Spanish-tiled roof, and a driveway out front that awkwardly overlaps with what looks like a half-finished sidewalk. The agents headed to the backyard, pulled out shovels, and started digging. They hit something solid, and pulled it out.
It was a metal barrel, inside a black trash bag. They cracked open the top, and there it was, filled to the brim: 1.1 million dollars of cold, hard, vacuum-sealed cash.
And that was that. The Attorney General of the United States held a press conference, telling reporters, quote:
“So far as we know, this is the single largest and most complex identity-theft case ever charged in this country.”
On March 25th, 2010, Albert Gonzalez stood for his sentencing. From the New York Times, quote:
“Gonzalez, who pleaded guilty to all charges, sat almost motionless. As far as I saw, he didn’t once look back at the gallery in the federal courtroom in Boston, where his mother sat stoically while his father wept into a handkerchief as Gonzalez’s sister consoled him. Nor did he glance at [. . .] his old colleagues from the Secret Service, who also sat in the gallery. Gonzalez just leaned forward and peered straight ahead at the judge, as though — the set of his head was unmistakable — staring intensely at a computer.”
He spoke just once, a few sentences at the end. “I blame nobody but myself,” he said. “I’m guilty of not only exploiting computer networks but exploiting personal relationships, particularly one that I had with a certain government agency who believed in me. This agency not only believed in me but gave me a second start in life, and I completely threw that away.”
[Sherri] Albert was tried and convicted, and sentenced to 20 years in prison.
20 years. With good behavior, he’s expected to get out in 2025.
[Sherri] Christopher Scott was sentenced to seven years in prison. Stephen Watt who wasn’t directly involved in the crimes also got two years in prison.
Patrick Toey, who pulled his family from poverty by cashing out credit cards, got five years.
And then there was the final member of the crew, Jonathan James. The only one who’d seen the inside of a prison cell before. He knew that, with everyone else in custody, it was only a matter of time before somebody ratted him out, and the feds would come again.
And so, on May 18th, 2008, he grabbed a pen and paper and wrote a letter. He titled it “Story Time.” In it he stated, quote, “I honestly, honestly had nothing to do with TJX.” End quote. But then he went on, quote:
“I have no faith in the ‘justice’ system. Perhaps my actions today, and this letter, will send a stronger message to the public. Either way, I have lost control over this situation, and this is my only way to regain control. [. . .] I die free.”