Authorities nab alleged Russian hacker

In mid-January, Russian law enforcement, with help from the U.S. Secret Service and U.S. Federal Bureau of Investigation (FBI), arrested a computer hacker who had attempted to extort US$10,000 from a U.S. bank, according to a Secret Service agent.

The hacker, whose name was not revealed, was arrested after breaking into a server owned by financial ASP (application service provider) Online Resources Corp. (ORCC) and attempting to extort money from one of ORCC’s client banks, said Ray Crosier, the company’s president and chief operating officer.

McLean, Va.-based ORCC offers online banking, electronic payment and other financial services over the Internet to 525 financial institutions in the U.S., Crosier said. ORCC uses a two-stage system by which it allows customers of its client financial institutions to use its services, he said. First, when registering for online accounts through their banks, users are sent to registration servers, with each financial institution that ORCC deals with having its own dedicated server. After registration is completed on the first server, all information and transactions are handled through a second server, Crosier said.

The hacker was able to break in to a registration server used by the client due to an unpatched security hole on the server, Crosier said, declining to release the name of the company whose data was stolen. Crosier also said that the situation with that client was unique among ORCC’s customers as the configuration used on the server was customized and not present elsewhere at ORCC.

By breaking into the registration server, the hacker was able to grab customer records that included names, addresses and bank account numbers, Crosier said. Because only registration was handled on the server, however, the hacker was unable to commit fraud, move funds or gain access to data from other banks served by ORCC, he said.

The intrusion into the server happened in early 2001, though the Russian did nothing for nearly eight months with the data he obtained, according to Crosier. In late 2001, the hacker began sending e-mail to ORCC’s client bank, saying that he would post the data he’d obtained from the server on the Internet if he was not paid US$10,000, according to Secret Service agent Brian Palma.

After the extortion demand, ORCC contacted the Secret Service and the bank to whom the demand was made contacted the FBI, Crosier said. The Secret Service New York field office then began a dialogue with the hacker, asking questions about how he wanted to receive the money, where to send it and the like, Palma said. Such negotiations are part of standard procedure when dealing with extortion cases, Palma said, and give agents the time used during the negotiations to try to track down the suspect.

In this case, those procedures worked, as the Secret Service was able to trace the hacker’s e-mail messages, Palma said. The FBI contacted Russian law enforcement and the hacker was arrested Jan. 16, he said. Although the Secret Service did pay the $10,000 the hacker demanded, what’s left of it was seized, as was the computer equipment purchased with the money, Palma said. The hacker, who has a history of similar crimes in Russia, will be prosecuted, according to Palma.

ORCC’s Crosier sent an e-mail to ORCC’s clients in late January explaining the situation to them and reassuring them that “none of them were ever at risk at any time,” he said. Only two of ORCC’s customers contacted Crosier after the e-mail was sent, he said.

“We feel good about having caught the guy,” Crosier said.

Online Resources Corp., in McLean, Va., is at