Story about Israeli hacker Ehud Tenenbaum aka “The Analyzer”
The Israeli hacker was arrested in Canada last year for allegedly stealing about $1.5 million from Canadian banks. But before Canadian authorities could prosecute him, U.S. officials filed an extradition request to bring him to the States.

Prosecutors alleged in an extradition affidavit that Tenenbaum hacked into two U.S. banks, a credit- and debit-card distribution company and a payment processor, in what they called a global “cash-out” conspiracy. But he was only charged with one count of conspiracy to commit access-device fraud and one count of access-device fraud.
Tenenbaum is set to be sentenced Nov. 19, and he faces a maximum of 15 years in prison. Prosecutors declined to comment on the case or describe the details of his plea agreement. The second count in the indictment, charging conspiracy, appears to have been dropped.
The Analyzer’s mother, Malka Tenenbaum, told Threat Level from Israel that she had no idea her son had pleaded guilty. “I don’t know what to think,” she said. “I hope that all is OK.”
The hacker’s attorneys did not respond to a call for comment.
Authorities have previously said the scheme Tenenbaum allegedly masterminded resulted in at least $10 million in losses, according to court records obtained by Threat Level, and was just part of a larger international conspiracy to hack financial institutions in the United States and abroad.
The guilty plea brings to a close a long chapter in hacker history.
Tenenbaum, 29, made headlines a decade ago under his hacker handle “The Analyzer,” when he was arrested in 1998 at the age of 19, along with several other Israelis and two California teens in one of the first high-profile hacker cases that made international news.
The teens were accused of penetrating Pentagon computers and other networks. Israel’s then-prime minister Benjamin Netanyahu had called Tenenbaum “damn good” after learning of his deeds, but also “very dangerous, too.”
Israeli law enforcement opted to prosecute Tenenbaum instead of extraditing him to the United States to face charges. He was eventually sentenced in 2001 to six months of community service in Israel. By then, he was working as a computer-security consultant.
Malka Tenenbaum told Threat Level in a previous conversation that she believed the United States was harboring a decade-old grudge against her son, and was pursuing him now because authorities here weren’t able to prosecute him previously.
Tenenbaum had been living in France recently, and had only been in Canada about five months on a six-month visitor’s permit when police in Calgary arrested him last August. He and three alleged accomplices were charged with hacking into Direct Cash Management, a Calgary company that distributes prepaid debit and credit cards. A Canadian court set bail at CN$30,000 ($27,600), but before he could be released from jail, U.S. authorities swooped in with a provisional warrant to retain him in custody while they pursued an indictment and extradition.
“I think he’s probably been getting away with stuff for 10 years,” Darren Hafner, an acting detective with the Calgary police, said at the time. “We haven’t seen or heard from him since the Pentagon attack. But these guys tend to get this ‘cops can’t touch me attitude’ and then they get sloppy like any criminal in any type of crime.”
Documents in the U.S. case were sealed, but Threat Level obtained an affidavit filed with the Canadian court detailing the U.S. allegations.
According to the affidavit, in October 2007, the U.S. Secret Service began investigating “an international conspiracy” to hack into computer networks of U.S. financial institutions and other businesses. As part of that investigation, agents examined network intrusions that occurred in January and February 2008 at OmniAmerican Credit Union, based in Fort Worth, Texas, and Global Cash Card of Irvine, California, a distributor of prepaid debit cards used primarily for payroll payments.
In both cases, the attacker gained access using a SQL injection attack that exploited a vulnerability in the company’s database software. The attacker grabbed credit- and debit-card numbers that were then used by thieves in several countries to withdraw more than $1 million from ATMs.
In April and May 2008, agents investigated two additional hacks at 1st Source Bank in Indiana, and at Symmetrex, a prepaid-debit-card processor based in Florida. The intruder again used a SQL injection attack, and losses added up to more than $3 million.
Investigators traced the intrusions to several servers belonging to HopOne Internet in McLean, Virginia, which turned out to be just a routing point for an attack that originated from servers at the Dutch web hosting company LeaseWeb — one of the largest hosting companies in Europe.
U.S. officials asked Dutch law-enforcement agents on April 7, 2008, to track “all computer traffic pertaining to three servers hosted by LeaseWeb” and intercept “the content of that traffic” for 30 days, according to the affidavit. The interception request was renewed for another 30 days on May 9.
Among the wiretapped traffic, authorities found communications that allegedly occurred between Tenenbaum — using the e-mail address Analyzer22@hotmail.com — and other known hackers discussing the breaches into the four U.S. institutions, “as well as many other U.S. and foreign financial institutions.”
In one instant message chat in April 2008, Tenenbaum allegedly discussed trying to hack into Global Cash Card after system administrators at the company apparently locked him out from an initial intrusion.
“Yesterday I rechecked [Global Cash Card]. They are still blocking everything,” he allegedly wrote. “So we can’t hack them again.”
Authorities say Tenenbaum on April 18, 2008, gave a co-conspirator the compromised debit- and credit-card account numbers of more than 150 accounts taken from Symmetrex as well as the computer commands he’d used to execute the attack. Then, throughout the night of April 20, he received updates from accomplices in Russia and Turkey as they successfully withdrew cash from ATMs, and from Pakistan and Italy where the cards apparently failed to work.
The next day, more cards were used in Bulgaria, Canada, Germany, Sweden and the United States. By late afternoon that day, Tenenbaum told an accomplice he’d racked up about “350 – 400” in earnings. The affidavit notes that this likely referred to thousands of dollars or thousands of euros.
Tenenbaum allegedly gave an accomplice additional cards in an April 20 chat and asked the accomplice to find a “casher” — the underground’s term for the low-level worker whose only job is to withdraw the loot.
“I am making a small operation, you have casher?” he allegedly wrote. “I been trying to get a hold of you. I saved for you 25 cards, each one $1,500 limit. Get casher as soon as possible. OK, I will load them.”
According to authorities, after Tenenbaum got into the 1st Source Bank network, he obtained administrator privileges that allowed him to view credit card numbers and ATM output. This latter activity apparently collided with other hackers who were in the system trying to execute shell commands.
“Is HUGE,” he allegedly wrote an accomplice. “I saw ATM outputs, tons of cards. I am admin there, and I already cracked some of the domain.”
His accomplice replied that there were already people inside the network and asked Tenenbaum to get out. Tenenbaum replied, “Dude, like I told ya. It’s [Microsoft] Windows network. I am happy I could help you to get shell there. Now it’s your guys’ job.”
About a month later, Tenenbaum allegedly disclosed that he’d hacked Alpha Bank in Greece, the country’s second largest commercial bank, where he said friends of his worked.
Despite Tenenbaum’s earlier notoriety as The Analyzer, he apparently made no attempt to hide his real identity, using an e-mail address with a name that was previously tied to him, as well as an IP address that was easily connected to him.
“He’s a really intelligent guy, but I think he’s just got this cocky attitude that ‘no one can get me,’” Hafner told Threat Level. As a result, he says, Tenenbaum made a lot of telling missteps.
According to the affidavit, the subscriber information for the Hotmail account that was used to discuss the hacks was registered under Tenenbaum’s real name and birth date. Hafner also told Threat Level that Tenenbaum was caught on an ATM surveillance camera withdrawing funds from one of the compromised Canadian accounts.
Tenenbaum was director of a computer security company called Internet Labs Secure that he ran out of Montreal. U.S. authorities found that someone using an IP address registered to his company accessed the Hotmail account, and also used it to access the Global Cash Card network to check the balances of compromised cards and attempt to increase the limits on the accounts. Someone used a second IP address associated with Tenenbaum to access Global Cash Card and “download a file containing all of that compromised computer’s data,” according to the affidavit. [Wired]