Romanian payment card crook gets 21 months in the US - $10M losses inflicted on 150,000 card holders

Filed Under: Featured, Law & order, Malware

doj-176Last year we wrote in some detail about the trials and tribulations of a gang of Romanian cybercrooks who inflicted losses of more than $10,000,000 on some 150,000 payment card holders.

They carried out their crimes in a way that we have, sadly, had to cover more than once on Naked Security: by interacting directly with their victims' own Point of Sale (POS) networks thanks to insecurely-configured remote access software designed to save sysadmins a trip to the server room.

The crooks could sit in front of screens and keyboards in Romania, yet manipulate PCs and servers on the premises of Subway and other businesses in the USA, installing data logging malware to get hold of keystrokes and magstripe data right at the source.

When you ran your card through one of the malware-infected POS systems (no pun intended), your payment data quite literally got swiped twice: once by the magstripe reader, and once by the crooks.

The crooks also installed their own remote access software, in the form of backdoor Trojans, to make doubly sure they could get into the compromised systems again, even if security on the the official remote access channels were tightened up.

The stolen card data was cashed out in three familiar ways: by making online payments for goods that were sold on for cash, by creating cloned credit cards for use by money mules, and by simply selling some of the stolen data onwards to other crooks.

→ We profiled a "carding goods" website last year which openly ran a series of spam campaigns to promote the sale of stolen data - FULLZ, DUMPS, CVVs, PLASTICS, and more. If you aren't familiar with the argot of the carding underworld, you may want to brush up on your vocabulary now.

Of course, the crooks who bought unused card data from the original gang of thieves probably did much the same thing in turn: used as many of the cards as they could (or dared) to buy real products, and then sold on the rest of the data to someone else at a "discount".

That's the reason why getting carded - streetspeak for having your payment card data stolen by crooks - is always a real concern, even if you are just one tiny part of a huge data breach.

It's tempting to assume that your card details will most likely end up lost in a swamp of stolen data that the crooks couldn't possibly have time to abuse in full.

Indeed, a gang that gets away with 150,000 cards' worth of magstripe data might only have the time to abuse, say, 1000 of those cards.

But that doesn't mean that there's only a 1-in-150 chance that you'll be one of the unlucky ones.

The crooks will probably sell on the other 140,000 magstripe dumps in job lots for use by fellow cybercriminals.

But that's just in passing. It isn't the point of this story.

What I really wanted to do was to notify you that Cezar Butu, whom we reported pleaded guilty last year in return for limiting his prison term to 21 months, had his sentence officially imposed by a judge in New Hampshire, USA, on Monday.

So he will serve those 21 months.

His co-conspirator, Iulian Dolan, went for a guilty plea on a much meatier prison term of seven years. Dolan's official sentencing hearing will take place in April. It seems a good bet he won't be getting out early, either.

A alleged third member of the gang, Adrian-Tiberu Oprea, is due to go to trial next month. Since he hasn't gone for a plea bargain deal, it looks as though he'll be facing an even longer stretch if he's convicted.

It may be hard going for investigators and prosecutors to bring cross-border cybercriminals to book. But it does happen, and this is a timely reminder.

, , , , , ,

You might like

4 Responses to Romanian payment card crook gets 21 months in the US - $10M losses inflicted on 150,000 card holders

  1. lee · 966 days ago

    21 months for 10 million?! Even a slice of that I think I'd do that time for that crime providing you even have a 1/10 of that when you get out lol.
    I'll do 21 months in my job now and get a very, very minute part of that amount :)

  2. shocked · 966 days ago

    What I find most shocking and surprising is that this guy serves only 21 months while the guy that hacked scarlett the holywood bimbo's phone get's 10 years .... OMFG

    US "justice" is so crooked.

  3. lclarkc · 966 days ago

    10 years or more would be better. These guys hurt everyone.

  4. Only 21 months for $10,000,000 theft? It sounds like he got off very easy.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog