Security Experts:

Brothers Who Attacked Nordstrom's eCommerce System Face Jail Time

Brothers Used Business Logic Attack to Trigger $1.4 Million in Fraudulent Payments, Plead Guilty to Wire Fraud

Two brothers who used a combination of fraudulent actions and business logic attacks against Nordstrom’s e-commerce system and defrauded the retail giant out of $1.4 million via commissions and rebates are now facing jail time.

According to the U.S. Attorney’s office, brothers Andrew S. Chiu, 29, of Anaheim, California; and Allen J. Chiu, 37, of Dallas, Texas, both pleaded guilty on Monday in U.S. District Court in Seattle, in connection with their scheme to defraud Nordstrom.

The U.S. Attorney’s office explained that the brothers devised a scheme to defraud Nordstrom after already being barred from placing orders in 2008 at the Nordstrom.com website because of excessive claims for refunds after saying merchandise had never been delivered.

According to court records, the brothers were members of FatWallet.com, an online coupon and shopping site that often offers cash back incentives for purchases, and paid cash back rewards to the Chiu brothers for purchases made on several sites, including Nordstrom.com.

In January 2010, the brothers found a way to exploit a flaw in Nordstrom’s online ordering system, by placing orders that would ultimately be blocked by Nordstrom, with no merchandise being shipped or charges being made to their credit card. However, Nordstrom unknowingly continued to compensate FatWallet for the order, and the brothers received the cash back credit from FatWallet.

In total, the U.S. Attorney’s office said that from January 2010 through October 2011, the Chiu brothers placed a whopping $23 million in fraudulent orders through Nordstrom.com, resulting in Nordstrom paying $1.4 million in rebates and commissions to the fraudsters. More $650,000 in fraudulent cash back payments were made directly to the brothers.

Nordstrom has since fixed error that permitted the fraudulent activity.

While the U.S. Attorney’s office did not provide technical details on how the brothers executed the fraud, this appears to be a business logic attack rather than a typical server breach or system hack. Business logic attacks abuse the functionality of a program, as opposed to an application vulnerability which is common for many attacks.

"As the former Director of Information Security for Sears, I can tell you with confidence that this type of criminal activity is definitely related to a business logic flaw with the system,” said Demetrios Lazarikos, Director of Strategy at Silver Tail Systems and former head of Information Security for the Sears Online Business Unit.

“Unfortunately, we are seeing an increase with cyber criminals taking advantage of different rebate programs, gift cards, and incentive/sweepstakes programs. Having visibility into the entire Web session of users' activities will assist organizations in identifying this type of behavior," Lazarikos added.

Because Nordstrom quickly notified law enforcement, The U.S. Attorney’s Office said it was able to seize more than $970,000 in-gotten gains that will be handed back to Nordstrom.

Under the terms of the plea agreement, prosecutors are recommending a sentence of no more than 30 months in prison, and the brothers can request no less than 24 months in prison. However, the Judge can still impose any sentence allowed by law up to the maximum 20 years in prison and a $250,000 fine.

The brothers are scheduled to be sentenced on July 13, 2012.

Related Reading: Detecting and Combating Business Logic Attacks

Subscribe to the SecurityWeek Email Briefing
view counter