They carried out their crimes in a way that we have, sadly, had to cover more than once on Naked Security: by interacting directly with their victims’ own Point of Sale (POS) networks thanks to insecurely-configured remote access software designed to save sysadmins a trip to the server room.
The crooks could sit in front of screens and keyboards in Romania, yet manipulate PCs and servers on the premises of Subway and other businesses in the USA, installing data logging malware to get hold of keystrokes and magstripe data right at the source.
When you ran your card through one of the malware-infected POS systems (no pun intended), your payment data quite literally got swiped twice: once by the magstripe reader, and once by the crooks.
The crooks also installed their own remote access software, in the form of backdoor Trojans, to make doubly sure they could get into the compromised systems again, even if security on the official remote access channels was tightened up.
The stolen card data was cashed out in three familiar ways: by making online payments for goods that were sold on for cash, by creating cloned credit cards for use by money mules, and by simply selling some of the stolen data onwards to other crooks.
→ We profiled a “carding goods” website last year which openly ran a series of spam campaigns to promote the sale of stolen data – FULLZ, DUMPS, CVVs, PLASTICS, and more. If you aren’t familiar with the argot of the carding underworld, you may want to brush up on your vocabulary now.
Of course, the crooks who bought unused card data from the original gang of thieves probably did much the same thing in turn: used as many of the cards as they could (or dared) to buy real products, and then sold on the rest of the data to someone else at a “discount”.
That’s the reason why getting carded – streetspeak for having your payment card data stolen by crooks – is always a real concern, even if you are just one tiny part of a huge data breach.
It’s tempting to assume that your card details will most likely end up lost in a swamp of stolen data that the crooks couldn’t possibly have time to abuse in full.
Indeed, a gang that gets away with 150,000 cards’ worth of magstripe data might only have the time to abuse, say, 1000 of those cards.
But that doesn’t mean that there’s only a 1-in-150 chance that you’ll be one of the unlucky ones.
The crooks will probably sell on the other 140,000 magstripe dumps in job lots for use by fellow cybercriminals.
But that’s just in passing. It isn’t the point of this story.
What I really wanted to do was to notify you that Cezar Butu, who we reported pleaded guilty last year in return for limiting his prison term to 21 months, had his sentence officially imposed by a judge in New Hampshire, USA, on Monday.
So he will serve those 21 months.
His co-conspirator, Iulian Dolan, went for a guilty plea on a much meatier prison term of seven years. Dolan’s official sentencing hearing will take place in April. It seems a good bet he won’t be getting out early, either.
An alleged third member of the gang, Adrian-Tiberu Oprea, is due to go to trial next month. Since he hasn’t gone for a plea bargain deal, it looks as though he’ll be facing an even longer stretch if he’s convicted.
It may be hard going for investigators and prosecutors to bring cross-border cybercriminals to book. But it does happen, and this is a timely reminder.