BreachExchange mailing list archives

Hackers stole $45 million in ATM card breach


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Fri, 10 May 2013 09:13:25 -0400

http://www.usatoday.com/story/tech/2013/05/09/hackers-atm-branch/2148069/

NEW YORK — They didn't use guns, masks or even threatening notes
passed to bank tellers.

But an alleged international gang of cyberthieves managed to steal $45
million from thousands of ATMs in carefully coordinated attacks
conducted in a matter of hours, federal authorities charged Thursday.

A four-count indictment unsealed in Brooklyn charged that eight
members of the alleged gang's New York City crew alone stole
approximately $2.4 million from nearly 3,000 ATMs across the
metropolitan area in secret strikes carried out on two days in
February.

"In the place of guns and masks, this cybercrime organization used
laptops and the Internet," said Brooklyn U.S. Attorney Loretta Lynch
as federal authorities announced details of one of the largest 21st
century versions of cyber-robbery yet uncovered. "Moving as swiftly as
data over the Internet, the organization worked its way from the
computer systems of international corporations to the streets of New
York City, with the defendants fanning out across Manhattan to steal
millions of dollars from hundreds of ATMs."

Federal prosecutors and investigators said the alleged attacks are
known in the cyberunderworld as "Unlimited Operations" — because using
sophisticated computer-hacking techniques enables those involved to
gain access to virtually unlimited criminal proceeds.

The schemes involve hacking into the computer systems of credit card
processors, stealing information involving prepaid debit card accounts
and eliminating the withdrawal limits and balances of those accounts.
The moves enable international organized crime cells that work in
swift, surgically coordinated attacks to withdraw unlimited amounts of
cash from ATMs before the operations are shut down.

According to the indictment, the alleged gang carried out two
lucrative unlimited operations between October 2012 and last month. In
the initial attack, hackers working with the gang on Dec. 22 allegedly
targeted a credit card processor that handled prepaid MasterCard debit
cards issued by the National Bank of Ras Al-Khaimah, a United Arab
Emirates bank also known as Rakbank.

After penetrating the processor's computer network, the hackers
fraudulently manipulated the balances and withdrawal limits on Rakbank
prepaid debit card accounts. Then, teams of so-called cashers
allegedly launched carefully timed attacks that caused more than $5
million in criminal losses from more than 4,500 ATMs in about 20
countries.

In just two hours and 25 minutes, the thieves allegedly conducted 750
fraudulent transactions that withdrew nearly $400,000 from
approximately 140 New York City ATM locations, according to
prosecutors and the indictment.

The alleged second unlimited operation unfolded between the afternoon
of Feb. 19 and the pre-dawn hours of the following day. This time, the
gang's hackers allegedly compromised computers of the processor of
prepaid debit cards for the Bank of Muscat, located in Oman.

In approximately 10 hours, casher cells in 24 countries conducted
approximately 36,000 ATM transactions worldwide, withdrawing an
estimated $40 million, the indictment charged. The haul included $2.4
million withdrawn by the alleged New York crew.

Authorities in more than a dozen countries around the world are
working with U.S. counterparts on the investigation. The allegations
announced Thursday did not identify the suspected mastermind leading
the cyberattacks or the suspected computer hackers.

However, the indictment charged the gang's New York group was headed by
Alberto Yusi Lajud-Pena, 23, who was also known as "Prime" and
"Albertico." He and gang confederates Elvis Rafael Rodriguez, 24, and
Emir Yasser Yeje, 24, allegedly laundered hundreds of thousands of
dollars stolen from the ATMs by depositing the cash in bank accounts
and using the money to buy luxury cars and expensive watches.

In a single transaction, a total of nearly $150,000 in $20 bills was
deposited in a Miami account controlled by Lajud-Pena, the indictment
charged. He was found murdered in the Dominican Republic last month,
authorities said.

Federal authorities have so far seized hundreds of thousands of
dollars in cash and bank accounts, two Rolex watches and a Mercedes
SUV. They are also seeking forfeiture of a Porsche Panamera, which,
like the SUV, was allegedly bought with money stolen in the cyber
scheme.

In all, seven of the eight suspected members of the gang's New York
crew have been arrested and indicted on charges of conspiracy to
commit access device fraud, money laundering conspiracy and money
laundering. If convicted, they would face maximum 10-year prison
terms on each money laundering charge, 7.5 years on the access device
fraud count and up to $250,000 in fines.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/