Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations

FBI Busts Comcast Hacking Suspects

60 Million Individuals' Records Allegedly Targeted By Spammers
FBI Busts Comcast Hacking Suspects

The FBI has arrested three men on charges that they participated in a hacking and identity theft scheme that attempted to steal personal information for 60 million individuals. The FBI has also accused two of the men of using botnets and hacking corporate email servers to distribute spam on behalf of paying clients, generating illegal profits of more than $2 million.

See Also: The Anatomy of a Spear Phishing Attack: How Hackers Build Targeted Attacks (and why they're so effective)

Authorities say that one of the organizations allegedly targeted by the gang was mass media company Comcast, Reuters reports, although the company was not named in court documents.

The U.S. Department of Justice on Dec. 15 announced the arrest of three men at their residences on related charges, including alleged ringleader Timothy Edward Livingston, 30, of Boca Raton, Fla. He's been accused of running a business called "A Whole Lot of Nothing LCC," which since 2011 sold spamming services.

"Livingston's clients included legitimate businesses, such as insurance companies that wished to send bulk emails to advertise their businesses, as well as illegal entities, such as online pharmacies that sold narcotics without prescriptions," according to a federal grand jury indictment filed against the three men. "Typically, defendant Livingston charged between $5 and $9 for each spam email that resulted in a completed transaction for a client."

The FBI also arrested software developer Tomasz Chmielarz, 32, of Rutherford, N.J. on charges that he helped develop hacking software. According to the indictment, Livingston commissioned Chmielarz to write software designed to bypass malicious email and spam filters. Both men have also been charged with using proxy servers and botnets to disguise the origin of the spam, as well as to bypass organizations' cybersecurity defenses.

The third man arrested was Devin James McArthur, 27, of Ellicott City, Md., who apparently was formerly a Comcast salesman. He's been charged with giving the other two men insider access to the Comcast network, resulting in the theft of at least 24.5 million individuals' PII.

According to a LinkedIn profile for one Devin McArthur who worked for Comcast as an "Xfinity Direct Sales Represenative" (sic) from February 2014 to February 2015 - the same period as the suspect of the same name identified in the indictment - he began working as a recruiting manager for recruitment agency Robert Half Finance & Accounting. During his one-year tenure at Comcast, McArthur said that his personal mission was to "educate every customer I come in contact with what the best experience from top to bottom in the cable service industry should be and follow through on giving it to them."

Comcast did not immediately respond to a request for comment.

Robert Half spokeswoman Lisa Amstutz confirmed that McArthur formerly worked for the company, but declined to comment on the FBI's investigation. "It is our policy not to comment on legal or law enforcement matters. We were made aware of the situation by law enforcement," she tells Information Security Media Group. "What we can confirm is that the activities referenced in the indictment predate his employment with our company. An investigation determined that there was no evidence of our systems being compromised. Mr. McArthur worked for us briefly from March to September of this year. Beyond that, we cannot provide any additional information."

All three of the men have been charged with conspiracy to commit fraud, hacking and wire fraud. Both Livingston and Chmielarz have also been charged with conspiracy to commit fraud and related email-based activities. Reuters reports that Michael Koribanics, Chmielarz's lawyer, said his client would plead not guilty to all related charges at a Dec. 15 court hearing. Livingston's lawyer, Jeffrey L. Cox, did not immediately respond to a request for comment, and the Justice Department has not yet identified McArthur's attorney.

If convicted of all the charges filed against them, Livingston and Chmielarz face up to 30 years in prison and a $750,000 fine, while McArthur faces up to 25 years in prison and a $500,000 fine. Authorities say the related investigation was led by the FBI's cyber division in Newark, N.J.

Comcast: Alleged Insider Attack

One alleged scheme detailed in the indictment was against Comcast - named in court documents only as "Corporate Victim 4," according to Reuters. The indictment says that McArthur was working as a sales representative for the organization from February 2014 until February 2015, and discussed with the other two suspects how he might use his position to steal PII for the company's customers. In particular, he allegedly identified an internal database that contained PII for 50 million people that could be targeted.

On Aug. 11, 2014, McArthur provided Livingston with access to a remote-administration tool that was running on a computer that had access to his employer's network, according to the indictment. As a result, it says, Livingston and Chmielarz were able to access the network and exfiltrate "the names, addresses, phone numbers, and email addresses of potential customers, current customers, and former customers" of the business.

In an online chat between Livingston and McArthur, dated Sept. 3, 2014, and cited in the indictment, McArthur estimated that the alleged heist resulted in the theft of 24.5 million records. "The defendants and others could use that information to send spam to those individuals," the indictment says.

Comcast didn't immediately respond to a request for comment about the particulars of the alleged breach, as well as whether - and when - the company alerted affected customers. But the company appears to have not yet issued any data breach notifications this year to 24.5 million or more customers.

Scraping Scheme Detailed

Both Livingston and Chmielarz have been also charged with hacking into the email server of an unnamed organization - labeled "corporate victim 1" in the indictment - and creating multiple email accounts, using them to send spam, as well as accessing the business's mail servers via proxy servers to disguise their activities.

The indictment includes an online chat in which Livingston allegedly provided a URL to Chmielarz, plus an employee's legitimate login credentials, telling him: "Here is the site I need scrapped." Authorities note that the exchange most likely referred to scraping the website, meaning to extract a large amount of data.

Another alleged chat, meanwhile, involved Livingston telling Chmielarz that the database they were targeting contained 10 million records. Authorities said Livingston later paid Chmielarz to write code that was designed to steal the database.

This story has been updated with a comment from Robert Half.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.