Spammers Net Over 1 Billion E-mail Addresses in Historically Massive Data Breach
Three men have been charged in what is being called the largest data breach in history, having breached marketing companies and garnered more than 1 billion e-mail addresses in the process.
The three men are David-Manuel Santos Da Silva, Viet Quoc Nguyen, and Giang Hoang Vu. None of the three were US citizens nor resided in the United States at the time of the incidents. Apparently Nguyen and Vu, both Vietnamese citizens, then residing in the Netherlands, were the technical side of the operation, while Canadian David-Manuel Santos Da Silva used his company 21 Celsius Inc. to launder the proceeds.
The way their operation worked was pretty simple: spam the e-mail addresses in question with a link to false Adobe Software. The addresses were garnered during at least eight penetrations between 2009 and 2012, and according to Reuters, at least one of the marketing firms that leaked was the mighty Epsilon, back in 2011.
While Giang Hoang Vu was extradited to the United States last year to face charges, Viet Quoc Nguyen has yet to be found or hauled into court. Giang Hoang Vu pleaded guilty to a charge of conspiracy to commit computer fraud, a crime that can carry between one and twenty years imprisonment. His sentence is pending.
Da Silva, who did not actively engage in the hacking which led to the procurement of the e-mail addresses used in the spam operation, faces a charge of conspiracy to commit money laundering, which can carry up to a ten-year prison sentence since it is over $10,000. It speaks to the evidence the prosecution has that the man is only facing one charge of money laundering since the story implies that he must have laundered the money through his business numerous times.
Also read: Want $3 Million? Catch Evgeniy Bogachev
Larger Breach Last Year
In August last year, security research firm Hold Security announced that the data of as many as 1.2 billion had been stolen from nearly half a million sources by a Russian cyber-criminal ring. Hold dubbed them “CyberVor,” because “Vor” is the Russian word for “thief.” This breach was more damaging than the one conducted by the two Vietnamese and one Canadian citizen because it contained countless credentials, some of which involved payment accounts and the like.
As Hold wrote on their blog at the time:
The CyberVor gang amassed over 4.5 billion records, mostly consisting of stolen credentials. 1.2 billion of these credentials appear to be unique, belonging to over half a billion e-mail addresses. To get such an impressive number of credentials, the CyberVors robbed over 420,000 web and FTP sites.
Through the underground black market, the CyberVors got access to data from botnet networks (a large group of virus-infected computers controlled by one criminal system). These botnets used victims’ systems to identify SQL vulnerabilities on the sites they visited. The botnet conducted possibly the largest security audit ever. Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone.
Da Silva Arrested While in Florida
Attacks like this make the work of the spam artists, who netted roughly $2 million dollars over the course of roughly three years, seem like child’s play. Most of the people they scammed and spammed believed they were getting discounted Adobe software.
This view of the severity of their breach – stealing data from those who often get it in less-than-honest ways such as false giveaways – has likely played into the logic behind the charges levied and will also likely affect the sentencing of Da Silva and Nguyen.
Da Silva was only recently arrested while on US soil last month at a Florida airport. He will be arraigned and given the opportunity to enter a guilty plea in Atlanta on Friday.
Images from Shutterstock.