The son of a former Secret Service agent who investigated counterfeiting rings in Philadelphia, O’Neill joined the service in 1998 after a post-college stint at ESPN. He specialized in cyber crimes, except for four years on Vice President Dick Cheney’s security detail.
‘Subway Case’
In the agency’s four-agent Manchester, New Hampshire, office, he juggled five or six cases at a time. None were as big as what became known as the “Subway case.”
It began on a February afternoon in 2010 with calls from banks. American Express and Citibank reported fraudulent activity on accounts that had one thing in common -- purchases made at a Subway sandwich shop in Plaistow, New Hampshire, a town of 7,609 people about 25 miles southeast of Manchester. American Express reported that 36 compromised credit cards had been used at the Plaistow Subway; Citibank said it had suffered $80,000 in losses tied to cards swiped at the store.
Within days, O’Neill and a New Hampshire state trooper were inspecting the store’s computer. It was clear it had been hacked through the Internet, and the attacker had planted a “key logger” program onto its hard drive. Acting like a vacuum cleaner, the program sucked up the data from credit and debit cards swiped through the store’s magnetic reader.
The investigators determined the stolen data was only stored briefly on the computer before being uploaded to a website, ftp.tushtime.info.
Romanian Beetle
A password embedded in the software code -- Carabus05 -- provided a clue to its source. When O’Neill Googled the word, he discovered it was Romanian for beetle. Russia, Romania and other Eastern European countries are hotbeds for hackers.
“The important thing in these cases isn’t so much: How did they get in?” O’Neill said. “It’s: Where did the data go? It’s the destination that matters.”
Representatives of Subway Restaurants reported multiple hacks of other stores and the stolen data was flowing to several “dump sites” such as ftp.tushtime.info.