August 29, 2008

Revealed: 8 Million Victims in the World’s Biggest Cyber Heist Sunday Herald Uncovers Theft of Data From Every Guest in 1300 Best Western Hotels in Past 12 Months

By EXCLUSIVE By Iain S Bruce

AN international criminal gang has pulled off one of the most audacious cyber-crimes ever and stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than GBP2.8billion in illegal funds.

A Sunday Herald investigation has discovered that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group's online booking system and sold details of how to access it through an underground network operated by the Russian mafia.

It is a move that has been dubbed the greatest cyber-heist in world history. The attack scooped up the personal details of every single customer that has booked into one of Best Western's 1312 continental hotels since 2007.

Amounting to a complete identitytheft kit, the stolen data includes a range of private information including home addresses, telephone numbers, credit card details and place of employment.

"They've pulled off a masterstroke here, " said security expert Jacques Erasmus, an ex-hacker who now works for the computer security firm Prevx.

"There are plenty of hacked company databases for sale online but the sheer volume and quality of the information that's been stolen in the Best Western raid makes this particularly rare. The Russian gangs who specialise in this kind of work will have been exploiting the information from the moment it became available late on Thursday night. In the wrong hands, there's enough data there to spark a major European crime wave."

Although the security breach was closed on Friday after Best Western was alerted by the Sunday Herald, experts fear that information seized in the raid is already being used to pursue a range of criminal strategies.

These include:

Armed with the numbers and expiry dates of customers' credit cards, fraudsters are equipped to make multiple high-value purchases in their victims' names before selling on the goods.

Bundled together with home addresses and other personal details, the stolen data can be used by professional organised criminal gangs which specialise in identity theft to apply for loans, cards and credit agreements in the victims' names.

Because the compromised information included future bookings, the gang now has the capacity to sift through the data and sell "burglary packs", giving the home addresses of local victims and the dates on which they are expected to be away from their home.

Although the nature of internet crime makes it difficult to track the precise details of the raid, the Sunday Herald understands that a hacker from India - new to cyber-crime - succeeded in bypassing the security software and placing a Trojan virus on one of the Best Western Hotel machines used for reservations. The next time a staff member logged in, her username and password were collected and stored.

"Large corporate companies rely on anti-virus products to protect their infrastructure, but the problem with this approach is that these products only detect around 60per cent of threats out there. In the right hands, viruses can easily bypass these programs, as was the case here, " explained Erasmus.

The stolen login details were then put up for sale and shared on an underground website operated by a notorious branch of the Russian mafia, which specialises in internet crime and offers heavily guarded and untraceable hosting services with no questions asked for criminal activity. Once the information was online, experts estimate that it would take less than an hour to write and run a software 'bot' - a simple computer programme - capable of harvesting every record on Best Western's European reservation system.

With eight million people staying in the hotel group's 86,375 continental rooms every year, gaining access to the system is a major coup for the cybercriminals Given that criminals have access to all bookings from 2007-2008, and based on the FBI-sponsored Internet Crime Complaint Center's reports that the average victim of internet crime loses GBP356, they are sitting on a potential haul of at least GBP2.84bn.

After thanking the Sunday Herald for exposing the raid Best Western Hotels closed the breach at around 2pm on Friday . Stressing that staff are fully aware of the potential seriousness of the attack, the company reassured customers that it is now taking appropriate action.

"Best Western took immediate action to disable the compromised log-in account in question. We are currently in the process of working with our credit card partners to ensure that all relevant procedural standards are met, and that the interests of our guests are protected, " said a spokesman.

"We continue to investigate the root cause of the issue, including, but not limited to, the third-party website that has allegedly facilitated this illegal exchange of information."

Guests with concerns are advised to contact Best Western customer service at 0800 528 1238


1970s: Dawn of the phone hacker. US techno geek John Draper discovers that toy whistles given away with Cap'n Crunch cereals generate a 2600hertz sound which can be used to access AT&T's long- distance switching system. Going on to build a "blue box" device enabling hackers to make free calls, his career marked the beginning of cyber crime and electronic fraud.

1980s: Hacker groups begin to form, using electronic bulletin board systems to swap tips. In 1987, Robert Morris creates the first internet worm, which crashes 6000 net-linked computers.

1990s: The birth of the web sees cybercrime flourish as computer programmers begin hacking for kicks. In 1995, Kevin Mitnick is arrested, charged with stealing 20,000 credit card numbers and sentenced to four years in jail.

2000s: Hackers launch the biggest Denial of Service attack ever with a worm that knocks Yahoo! and Amazon offl ine. As the mainstream population and organised crime moves online, fraud cases begin to proliferate.

Originally published by Newsquest Media Group.

(c) 2008 Sunday Herald. Provided by ProQuest LLC. All rights Reserved.