Last week, Mary McCord, the acting assistant attorney general of the U.S., announced charges against four hackers. Three years ago, they stole more than 500 million Yahoo user accounts. This incident resulted in huge losses for the company and its users.
Yahoo almost lost $925 million on its acquisition deal with Verizon last summer. Last month, Verizon agreed to cut $350 million from its original price. Reportedly, Marissa Mayer will lose her bonus and equity grants this year because of the 2014 incident.
How Did The Hackers Steal 500 Million Yahoo User Accounts?
How do hackers attack giant companies like Yahoo and steal more than 500 million user accounts? They must be very experienced and well-organized.
Back in 2014, four men were held responsible for this massive cybertheft incident. Two of them worked in Russia’s Federal Security Service (FSB). They were supposed to help foreign intelligence agencies catch cybercriminals.
Let’s Meet the Defendants
- Dmitry Dokuchaev, a Russian citizen who worked in the FSB Center for Information Security (Center 18).
- The second defendant, Igor Anatolyevich Sushchin, also worked at the FSB center and was embedded as a purported employee and Head of Information Security at a Russian investment bank.
- Alexsey Alexseyevich Belan, or “Magg,” is not a new player in the cybercrime world. In 2012 and 2013, he allegedly stole the user databases of three major U.S.-based e-commerce companies in Nevada and California. Belan was born in Latvia 29 years ago but holds a Russian passport. The FBI placed him on its “cyber most wanted” list.
- The fourth player was the youngest of all. Karim Baratov, aka “Kay,” “Karim Taloverov” and “Karim Akehmet Tokbergenov,” was 22 years old with two passports, Canadian and Kazakh, and lived in Canada.
The Chronology Of The Hackers’ Actions:
The story began when Dokuchaev and Sushchin were planning to find a way to access user accounts.
So, they started to search for the perfect candidate to join their team. In early 2014, Dokuchaev and Sushchin decided to recruit Alexsey Alexseyevich Belan, who was an FBI fugitive because of his cybercrimes.
Previously, in June 2013, Belan had been arrested in Europe, but he escaped to Russia. Instead of helping the government arrest Belan, as FSB officers should have, Dokuchaev and Sushchin asked him to join the conspiracy under their direction. The goal of the conspiracy was to gain access to the personal email accounts of Russian journalists, Russian and U.S. government officials, employees of a prominent Russian cybersecurity company, and numerous employees of other providers whose networks the conspirators sought to exploit.
According to the indictment, their targets also included:
- Former officials from countries bordering Russia
- U.S. government officials working in cyber security, diplomatic, military, and White House positions
- Employees of a U.S. cloud storage company
- A senior officer at a Russian webmail provider
- A Nevada gaming official
- The CTO of a French transportation company
- A Russian investment banking firm
- The managing director of a U.S. financial services and private equity firm
- 14 employees of a Swiss bitcoin wallet and banking firm
- A senior officer at a U.S. airline
- Employees of a Russian cyber security company
- An International Monetary Fund official
- An assistant to the deputy chairman of the Russian Federation
- An officer of the Russian Ministry of Internal Affairs
- A physical training expert working in the Ministry of Sports of a Russian republic
Spear Phishing Emails
In carrying out his actions, Belan was provided with sensitive FSB law enforcement and intelligence information. This would help him avoid detection by U.S. and other law enforcement agencies outside Russia.
Belan used spear phishing attacks to gain entry to Yahoo’s servers. A spear phishing email might ask the victim to download or open an attachment that actually contains malware, or direct them to a fake website.
The targets of the spear phishing attacks were likely Yahoo employees. To cover their tracks, the conspirators used special software designed to clean up the server logs. Between November and December 2014, Belan succeeded in stealing Yahoo’s User Database (UDB), which contained important information about its users, such as username, recovery email address, phone number, etc. Furthermore, he also gained unauthorized access to Yahoo’s Account Management Tool (AMT).
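The article notes that the conspirators ran software to clean up server logs. The usual defence is to make a log tamper-evident and to ship its current head hash to a separate store, so that deleting, editing or truncating entries on the compromised host is detectable. The following is an added illustration, not code from the article or from Yahoo: a minimal hash-chained log with a verifier, run over a few constructed sample records. The record format, the `GENESIS` anchor and the helper names are assumptions made for the demo.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry's "prev" link


def _entry_hash(prev_hash, record):
    """SHA-256 over the previous hash plus a canonical encoding of the record."""
    data = prev_hash + json.dumps(record, sort_keys=True)
    return hashlib.sha256(data.encode()).hexdigest()


def append_entry(log, record):
    """Append a record, linking it to the current head; returns the new head hash."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev, "hash": _entry_hash(prev, record)}
    log.append(entry)
    return entry["hash"]


def verify_chain(log, expected_head=None):
    """Return (ok, index): index of the first broken link, or len(log) if intact.

    expected_head is the head hash kept on a separate, append-only system; without
    it a verifier cannot tell that the tail of the log has been removed.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or _entry_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, len(log)


# Constructed sample records standing in for server log lines (not real data).
SAMPLE_RECORDS = [
    {"ts": "2014-11-01T10:00:00Z", "event": "login", "user": "employee1", "src": "192.0.2.10"},
    {"ts": "2014-11-01T10:05:12Z", "event": "file_download", "user": "employee1", "bytes": 4096},
    {"ts": "2014-11-01T10:06:40Z", "event": "logout", "user": "employee1"},
]


def demo():
    """Build the chain, then show which kinds of tampering each check catches."""
    log = []
    head = GENESIS
    for rec in SAMPLE_RECORDS:
        head = append_entry(log, rec)
    # In practice `head` is forwarded off-host after every append.
    results = {"intact": verify_chain(log, head)}

    deleted = copy.deepcopy(log)
    del deleted[1]                      # an entry removed from the middle
    results["middle_deleted"] = verify_chain(deleted, head)

    edited = copy.deepcopy(log)
    edited[1]["record"]["bytes"] = 1    # an entry rewritten in place
    results["edited"] = verify_chain(edited, head)

    truncated = log[:2]                 # the newest entries wiped
    results["truncated_local_only"] = verify_chain(truncated)
    results["truncated_vs_remote_head"] = verify_chain(truncated, head)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:26s} -> {outcome}")
```

The last two results are the point: a truncated log still verifies on its own, because the chain is intact up to the cut; only the remotely stored head hash exposes that entries are missing. Local integrity checking alone is therefore not enough against an intruder who can delete the newest lines.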
Cookie Minting Technique
Besides spear phishing attacks, the conspirators were also allegedly using a “cookie minting” technique. It exploits the cookie mechanism that lets users access their Yahoo accounts without entering their username and password each time they log in.
So, once the conspirators had access to a victim’s email account, they created cookies, so that the next time they wanted to access the same account they didn’t have to enter the username and password.
The conspirators subsequently found that their targets had other email accounts. So they contacted the fourth defendant, Karim Baratov, who lived in Canada, and asked him to gain unauthorized access to more than 80 accounts. But he wasn’t so lucky: he was arrested in Canada on March 14.
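Minted cookies work because a service that trusts a cookie's signature alone will accept any cookie signed with its key, whether or not a login ever happened. The added example below (not code from the article, and unrelated to Yahoo's actual implementation) shows the defensive side: a signed cookie is only honoured when it maps to a live server-side session, sessions can be revoked on logout, and rotating the signing key invalidates everything signed with the old one. The cookie format `keyid.payload.signature`, the demo keys, the session TTL and all function names are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo signing keys keyed by version; not real keys.
KEYS = {1: b"demo-signing-key-v1", 2: b"demo-signing-key-v2"}
SESSION_TTL = 3600  # assumed lifetime of a login session, in seconds


def _sign(key_id, payload_b64):
    """HMAC-SHA256 over the encoded payload with the versioned key."""
    return hmac.new(KEYS[key_id], payload_b64.encode(), hashlib.sha256).hexdigest()


def encode_cookie(key_id, payload):
    """Build 'keyid.payload.signature' (format chosen for this demo)."""
    payload_b64 = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    return f"{key_id}.{payload_b64}.{_sign(key_id, payload_b64)}"


class SessionServer:
    """Server side: a cookie is valid only if it names a live server-side session."""

    def __init__(self):
        self.sessions = {}  # session id -> (user, expiry timestamp)
        self.key_id = 1     # key version currently accepted

    def login(self, user, now):
        sid = secrets.token_hex(16)
        self.sessions[sid] = (user, now + SESSION_TTL)
        return encode_cookie(self.key_id, {"sid": sid, "user": user})

    def logout(self, cookie):
        """Revoke the session, so a copied cookie dies with it."""
        payload = self._payload(cookie)
        if payload:
            self.sessions.pop(payload.get("sid"), None)

    def rotate_key(self, new_key_id):
        """Retire the old key: anything signed with it stops validating."""
        self.key_id = new_key_id

    @staticmethod
    def _payload(cookie):
        try:
            _, payload_b64, _ = cookie.split(".")
            return json.loads(base64.urlsafe_b64decode(payload_b64))
        except (ValueError, json.JSONDecodeError):
            return None

    def validate(self, cookie, now):
        """Return (user, 'ok') on success, otherwise (None, reason)."""
        try:
            key_id_str, payload_b64, sig = cookie.split(".")
            key_id = int(key_id_str)
        except ValueError:
            return None, "malformed"
        if key_id != self.key_id:
            return None, "stale key"
        if not hmac.compare_digest(_sign(key_id, payload_b64), sig):
            return None, "bad signature"
        payload = json.loads(base64.urlsafe_b64decode(payload_b64))
        sid = payload.get("sid")
        entry = self.sessions.get(sid)
        if entry is None:
            return None, "unknown session"   # signature fine, but no login behind it
        user, expiry = entry
        if user != payload.get("user"):
            return None, "user mismatch"
        if now > expiry:
            del self.sessions[sid]
            return None, "expired"
        return user, "ok"


def demo():
    """Walk through the checks that stop a minted or reused cookie."""
    srv = SessionServer()
    cookie = srv.login("alice", now=1_000)
    results = {"real_login": srv.validate(cookie, 1_500)}
    # Correctly signed with the current key, but never issued at login.
    minted = encode_cookie(1, {"sid": "0" * 32, "user": "alice"})
    results["minted_no_session"] = srv.validate(minted, 1_500)
    # One hex digit of the signature altered.
    tampered = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    results["tampered"] = srv.validate(tampered, 1_500)
    srv.logout(cookie)
    results["after_logout"] = srv.validate(cookie, 1_500)
    bob = srv.login("bob", now=2_000)
    srv.rotate_key(2)                     # e.g. after a suspected key compromise
    results["after_key_rotation"] = srv.validate(bob, 2_100)
    carol = srv.login("carol", now=5_000)
    results["expired"] = srv.validate(carol, 5_000 + SESSION_TTL + 1)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} -> {outcome}")
```

The `minted_no_session` case is the one that matters for this story: a cookie can carry a perfect signature and still be rejected, because validity is decided by the server-side session table rather than by the signature alone. Key rotation and session revocation are the two levers a provider has once it suspects cookies are being minted.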