Monday, August 25, 2008

Revealed: 8 million victims in the world's biggest cyber heist

Revealed: 8 million victims in the world's biggest cyber heist

Aug 25, 2008

EXCLUSIVE: Sunday Herald uncovers theft of data from every guest in 1300 Best Western Hotels in past 12 months
By Iain S Bruce

AN INTERNATIONAL criminal gang has pulled off one of the most audacious cyber-crimes ever and stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8billion in illegal funds.

A Sunday Herald investigation has discovered that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group's online booking system and sold details of how to access it through an underground network operated by the Russian mafia.

It is a move that has been dubbed the greatest cyber-heist in world history. The attack scooped up the personal details of every single customer that has booked into one of Best Western's 1312 continental hotels since 2007.

Amounting to a complete identity-theft kit, the stolen data includes a range of private information including home addresses, telephone numbers, credit card details and place of employment.

"They've pulled off a masterstroke here," said security expert Jacques Erasmus, an ex-hacker who now works for the computer security firm Prevx. "There are plenty of hacked company databases for sale online but the sheer volume and quality of the information that's been stolen in the Best Western raid makes this particularly rare. The Russian gangs who specialise in this kind of work will have been exploiting the information from the moment it became available late on Thursday night. In the wrong hands, there's enough data there to spark a major European crime wave."

Although the security breach was closed on Friday after Best Western was alerted by the Sunday Herald, experts fear that information seized in the raid is already being used to pursue a range of criminal strategies.

These include: l Armed with the numbers and expiry dates of customers' credit cards, fraudsters are equipped to make multiple high-value purchases in their victims' names before selling on the goods.

l Bundled together with home addresses and other personal details, the stolen data can be used by professional organised criminal gangs which specialise in identity theft to apply for loans, cards and credit agreements in the victims' names.

l Because the compromised information included future bookings, the gang now has the capacity to sift through the data and sell "burglary packs", giving the home addresses of local victims and the dates on which they are expected to be away from their home.

Although the nature of internet crime makes it extremely difficult to track the precise details of the raid, the Sunday Herald understands that a hacker from India - new to the world of cyber-crime - succeeded in bypassing the system's security software and placing a Trojan virus on one of the Best Western Hotel machines used for reservations. The next time a member of staff logged in, her username and password were collected and stored.

"Large corporate companies rely on anti-virus products to protect their infrastructure, but the problem with this approach is that these products only detect around 60% of threats out there. In the right hands, viruses can easily bypass these programs, as was the case here," explained Erasmus.

The stolen login details were then put up for sale and shared on an underground website operated by a notorious branch of the Russian mafia, which specialises in internet crime and offers heavily guarded and untraceable hosting services with no questions asked for criminal activity. Once the information was online, experts estimate that it would take less than an hour to write and run a software bot' - a simple computer programme - capable of harvesting every record on Best Western's European reservation system.

With eight million people staying in the hotel group's 86,375 continental rooms every year, gaining access to the system is a major coup for the cyber-criminals responsible. Given that criminals now have access to all bookings from 2007-2008, and based on the FBI-sponsored Internet Crime Complaint Center's reports that the average victim of internet crime loses £356, they are sitting on a potential haul of at least £2.84bn.

After thanking the Sunday Herald for exposing the raid on its systems, Best Western Hotels closed the breach at around 2pm on Friday afternoon. Stressing that staff are fully aware of the potential seriousness of the attack, the company reassured customers that it is now taking appropriate action.

"Best Western took immediate action to disable the compromised log-in account in question. We are currently in the process of working with our credit card partners to ensure that all relevant procedural standards are met, and that the interests of our guests are protected," said a spokesman.

"We continue to investigate the root cause of the issue, including, but not limited to, the third-party website that has allegedly facilitated this illegal exchange of information."

Guests with concerns are advised to contact Best Western customer service at 0800 528-1238