Four Romanians charged with multimillion-dollar hack of Subway, others

Free Subway gift card spam spreading on Facebook

Subway subFour Romanian nationals have been arrested in connection with a multimillion-dollar scheme to remotely steal payment card data from the point-of-sale systems of more than 150 Subway restaurants and other U.S. businesses, according to the U.S. Department of Justice.

The indictment, unsealed on Wednesday, charges the four with conspiracy to commit computer fraud, wire fraud and access device fraud.

Charged in U.S. District Court for the District of New Hampshire were Adrian-Tiberiu Oprea, 27, of Constanta, Romania; Iulian Dolan, 27, of Craiova; Cezar Iulian Butu, 26, of Ploiesti; and Florin Radu, 23, of Rimnicu Vilcea.

Authorities last week arrested Oprea in Romania, where he is still in custody. Dolan and Butu were arrested when they entered the U.S. in August and are still in custody.

Radu is still at large. There are more conspirators, but authorities appear to only know the online names of two of the missing conspirators: tonymontanamiami and marcos_grande6.

The DOJ claims that the thieves got their hands on the credit, gift and debit card data of more than 80,000 customers.

A POS system typically consists of a computer, monitor, and a debit/credit card reader. Most also include an integrated credit card processing system, a signature capture device and a customer pin pad device for entering passwords.

Although the indictment doesn’t identify the POS system used by Subway, Wired’s Kim Zetter reports that the chain announced in January 2009 that it was deploying the Torex Quick Service POS in all of its 30,000 restaurants.

Between roughly April 2008 until at least May 2011, the DOJ says the suspects swiped credit card data from compromised Subway restaurant systems in New Hampshire, New York, California and elsewhere to charge millions of dollars worth of purchases.

According to the indictment, this is how they did it:

  1. They remotely scanned the Internet to identify vulnerable POS systems with certain remote desktop software applications installed. They then logged onto the targeted POS systems, either by guessing the passwords or with password-cracking software programs.
  2. The conspirators then installed keystroke loggers onto the POS systems to record and store data that was keyed into or swiped through the merchants’ POS systems, including credit card data.
  3. They then installed a back-door Trojan into the POS systems to enable them to easily access the compromised POS systems in the future, to install or re-install additional hacker tools. The indictment charges the four with repeatedly downloading one particular hacker tool designed to evade detection, “xp.exe,” from the “” dump site onto the victimized merchants’ POS terminals.
  4. The credit card data was then transferred back to dump sites—i.e., servers used for storage, some of which were located in Europe, some in the U.S.

Some of the colorfully named dump sites:

These dump sites also included compromised computers belonging to unsuspecting small business owners or individuals, including one owned by a small business in Pennsylvania, according to the indictment.

The ill-gotten gains were monetized in various ways: by charging and then reselling goods, by selling the credit card data to other crooks, or by encoding the data onto phony credit cards.

JailThe defendants each face a maximum of five years in prison for each count of conspiracy to commit computer related fraud, 30 years for each count of conspiracy to commit wire fraud, and five years for each count of conspiracy to commit access device fraud. They could be looking at fines up to twice the amount for fraud loss and restitution, the DOJ said.

This pricey scam is proof positive of what Sophos’s John Stringer was talking about just today when he wrote about end-of-year security prediction lists: Gartner’s forecasting the financial impact of cybercrime to grow 10% per year through 2016, thanks to new vulnerabilities.

Here’s a fun factoid I found when I was researching POS security: The U.S. accounts for 47 percent of debit and credit card fraud despite only accounting for 27 percent of transactions, according to a recent report.

Here’s what the publisher of the report, as quoted by atm marketplace, had to say about why we in the States are so pickpocket-able:

"The U.S. has a disproportionate percentage of the global total losses for two reasons. U.S. banks have been slow to adopt newer technologies such as EMV chip cards, and issuers are reluctant to decline card authorization from merchants because they don't want to alienate their cardholder," said David Robertson, publisher of The Nilson Report.

I don’t know if Subway had unpatched vulnerabilities on its POS systems or what. But whatever merchants have to do, yikes, please do it.

Hold the mayonnaise on that sandwich, Subway, and please do alienate us if it keeps cybercrime from skyrocketing.