California duo charged with selling ready-to-hack Point-of-Sale systems to Subway branches

Filed Under: Featured, Law & order

An alleged Point-of-Sale cybercrime duo from California were confronted with criminal charges late last week in Boston, Massachusetts.

The US Justice Department (DoJ) reported that the pair, Shahin Abdollahi, 46, and Jeffrey Thomas Wilkinson, 35, were charged with one count of conspiracy to commit computer intrusion and wire fraud, and with one count of wire fraud.

The indictment alleges that they:

  • Hacked into at least 13 Subway Point-of-Sale (PoS) systems.
  • Fraudulently added at least $40,000 in value to Subway gift cards.
  • Used some of the hooky gift cards to make purchases at Subway.
  • Sold other fraudulent cards on eBay and Craigslist.

What makes this a bit different from the usual "alleged crooks steal 'digital money' from retailer through hacking" story is how the pair are said to have pulled off the cyber-break-and-enter part of the attack.

Abdollahi and Wilkinson, claims the DoJ, ran a number of Subway franchises in Southern California between 2005 and 2008.

During this time, it looks as though they didn't just make lots of sandwiches. They also learned enough about Subway operations to come up with a plan to make money out of the franchise on two fronts at the same time.

So they quit the sandwich supply business and started a business called POS Doctor, selling and installing point-of-sale systems into the Subway ecosystem.

Yep! You guessed it!

The POS Doctor systems came with a handy additional feature, at no extra charge: a preconfigured remote-access toolkit that allowed the crooks to connect in after hours.

They regularly added fraudulent credit onto Subway gift cards in at least 13 Subway outlets around the USA.

As mentioned above, they then spent some of the gift cards at Subway branches in California (they must have developed a taste for the product during their time as franchisees), and sold others of them on eBay and Craigslist.

Amusingly, it looks as though the alleged crooks went to the trouble of registering their fraudulent cards online with Subway, using email addresses from domains they owned themselves.

This precaution gave them the chance to reclaim unused funds if any of their bogus cards were lost or stolen.

Of course, this "dishonour amongst thieves" also ensured that the DoJ has been able to rack up additional evidence connecting the alleged perpetrators with the claimed criminal activities.

Hoist [*], if you don't mind me saying so, by their own petards!

[*] Allegedly.

, , , , ,

You might like

2 Responses to California duo charged with selling ready-to-hack Point-of-Sale systems to Subway branches

  1. Seriously, one has to wonder at the utter ineptitude of these two.

    They couldn't have laid a better trail to their door if they'd taken out ads...

    I suppose they thought they could rack up some money, then disappear. Obviously their exit strategy was not flawless... LOL

  2. Ronald · 933 days ago

    What initially led DoJ onto these guys?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog