“Casher crew” from global $45m cyberheist busted in New York – 1 dead, 7 face trial

When you think of cybercrime, you probably imagine a hacker (or cracker, as many of our readers prefer) sitting far from his victims, breaking in digitally and making off with the valuables in similar fashion.

For many cybercrooks, that is, indeed, how it goes down.

If your goal is to get illicit remote access to a database, for example, and steal a bunch of bank card numbers, you can probably do it without leaving your apartment.

But when your final goal is to turn those bank cards into hard cash, cybercrime and old-fashioned street crime meet.

That’s because you can’t just click on a virtual on-screen ATM in your bedroom and watch banknotes spilling out of your DVD slot.

When it comes to cash withdrawals, you face the same problems that old-school bank robbers have faced for hundreds of years.

In the unforgettable words of 1930s Tommy-gun-wielding bank robber Willie Sutton:

Go where the money is...and go there often.

21st century cyber-robbery

So here’s how a modern-day ATM cyber-robbery usually works:

  1. Crooks acquire bank card magstripe details and associated withdrawal PINs.
  2. Crooks split up the card details and distribute them to on-the-ground teams known as “casher crews”, or simply “cashers”.
  3. Cashers prepare cloned cards using magstriped blanks such as gift cards, phone cards and old hotel keys.

When all the ducks are, so to speak, in a row, then:

  4. Crooks email the PINs to the cashers. (Holding these back until the last minute limits early exposure.)
  5. Cashers take to the streets mob-handed and go on a looting spree.

Finally:

  6. The cashers return most of the money to their handlers, often in some already-laundered form such as easily-resold luxury goods.
  7. The cashers keep their cut, in money or in kind (supercars seem popular), and wait for a GOTO 4 instruction.

One thing that’s important is speed and volume. (Here’s an earlier example where WorldPay was hit for $9,000,000 in 12 hours.)

With each ATM typically restricting the amount of money it will dispense in one go (since they can only hold so much), you need to do a lot of transactions.

With a $500 maximum, you need 2000 withdrawals to hit a cool million; pick a bank with an $800 jackpot limit and you’re still looking at a workflow of 1250 repetitions of insert card – enter PIN – remove card – take money.

And you can’t hang around, because once a crew starts looting, alarm bells are going to start ringing back at bank HQ – much like they used to for Willie “The Actor” Sutton.

A bank that spots an out-of-the-ordinary sequence of transactions might not be able to scramble the cops, especially if the looting is happening in cities all around the world, but it can shut you out if it works out a pattern to your illicit withdrawals.

The good news: NY casher crew busted

Anyway, the good news in this is that the US Justice Department’s Eastern District of New York has just unsealed an indictment [charges in full here (PDF, 5.8MB)] against eight members of a New York-based casher crew who are alleged to have made off with about $2,800,000 in two separate outings.

The alleged crew leader, Alberto Yusi Lajud-Peña, won’t stand trial for the rather unfortunate reason that he is dead, murdered in the Dominican Republic last month.

The other seven, if convicted, are looking down the barrel of 17.5 years inside, charged with “conspiracy to commit access device fraud” and money laundering.

They allegedly made large cash deposits, as well as buying luxury items such as a Mercedes-Benz SUV, a Porsche Panamera, and swanky watches.

The gang certainly paid attention to speed and volume.

The Justice Department has produced a fascinating “crime visualisation” map that makes it clear how systematically cashers go to work. (It also gives a whole new meaning to “On Broadway.”)

In the first looting run in December 2012, the crew allegedly hit more than 140 ATMs for an average of about five withdrawals each, pulling out close to $400,000 in under three hours – presumably working with a $500-per-transaction limit.

The second run took place in February 2013, when they seem to have gone for an $800-​per-​transaction value, netting some $2,400,000 over nine-and-​a-half hours in 3000 separate withdrawals.

With eight cashers in action, 3000 transactions in nine-and-a-half hours works out at one withdrawal roughly every 11 seconds for the crew as a whole, or just over 90 seconds per withdrawal for each individual casher.

The bad news: rest of iceberg still at large

What made these cyberheists particularly interesting, aside from the speed with which the New York crew were nabbed, is what went on in Step One of the crime.

The crooks didn’t just jump on an Underweb forum and buy a bunch of FULLZ, or set up a load of ATM skimmers to accumulate cashcard data and PINs.

It seems that they indirectly targeted two banks in the Persian Gulf – the National Bank of Ras Al-Khaima (RAKBANK), UAE, and the Bank of Muscat, Oman.

They broke into the databases of the companies that handled those banks’ debit card business – an unnamed Indian outfit in the case of RAKBANK, and an unnamed US outfit in the case of Bank of Muscat.

Then they orchestrated what is known as an “unlimited operation.”

That means they didn’t just end up with a motley bunch of debit card account numbers worth an unknown amount each.

Instead, they removed the cards’ withdrawal limits and boosted their account balances to the point that the amount available was effectively limited only by the speed of the cashing crews, not by the wealth of the cardholders.
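The two points above – that a bank can shut a crew out once it works out the pattern, and that an “unlimited operation” works by editing the per-card limit and balance in the processor’s own database – suggest what a withdrawal monitor needs to look like. Here is an added illustration (it is not Sophos code, and nothing in the indictment describes how MasterCard or the banks actually detect this): a rolling-window authorisation check that treats the limit stored in the card record as untrusted and applies an issuer-wide ceiling, a velocity rule and an impossible-travel rule that live outside that record. The thresholds, field names and the sample withdrawal sequences are all assumed and constructed for the example.

```python
"""Rolling-window cash-out detector for ATM withdrawal authorisations.

Added illustration only; not code from Sophos, the banks or the indictment.
Assumptions: every authorisation carries a card token, a timestamp, an amount
and the country of the ATM.  The per-card limit held in the processor database
is treated as untrusted, because an "unlimited operation" edits exactly that
field, so a hard-coded issuer-wide ceiling and two behavioural rules run no
matter what the card record says.  All thresholds below are assumed values.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

HARD_DAILY_CEILING = 2_000       # dollars per card per 24h, regardless of card record
MAX_WITHDRAWALS_PER_HOUR = 6     # assumed: genuine cardholders rarely exceed this
MAX_COUNTRIES_PER_HOUR = 1       # one physical card cannot be in two countries in an hour


@dataclass
class Auth:
    card: str          # tokenised PAN, never the raw card number
    when: datetime
    amount: int        # whole dollars
    country: str       # ISO-style country code of the ATM


class CashOutDetector:
    def __init__(self):
        self.history = defaultdict(deque)   # card -> recent Auths, oldest first

    def _prune(self, card, now):
        q = self.history[card]
        while q and now - q[0].when > timedelta(hours=24):
            q.popleft()

    def check(self, auth, card_limit_from_db):
        """Return the list of rule names that fire; an empty list means approve."""
        self._prune(auth.card, auth.when)
        q = self.history[auth.card]
        last_hour = [a for a in q if auth.when - a.when <= timedelta(hours=1)]
        reasons = []
        # Rule 1: the stored per-card limit still applies...
        if auth.amount > card_limit_from_db:
            reasons.append("over_card_limit")
        # Rule 2: ...but so does a ceiling the intruder cannot edit by changing the record.
        if sum(a.amount for a in q) + auth.amount > HARD_DAILY_CEILING:
            reasons.append("over_hard_ceiling")
        # Rule 3: velocity, counting declined attempts too.
        if len(last_hour) + 1 > MAX_WITHDRAWALS_PER_HOUR:
            reasons.append("velocity")
        # Rule 4: impossible travel within the hour.
        if len({a.country for a in last_hour} | {auth.country}) > MAX_COUNTRIES_PER_HOUR:
            reasons.append("impossible_travel")
        q.append(auth)   # record even when declined, so the pattern keeps building
        return reasons


def run_sequence(detector, auths, card_limit_from_db):
    """Feed auths in order; return [(index, reasons)] for every flagged one."""
    flagged = []
    for i, a in enumerate(auths):
        reasons = detector.check(a, card_limit_from_db)
        if reasons:
            flagged.append((i, reasons))
    return flagged


def simulate_unlimited_operation():
    """Constructed data: a card whose stored limit has been edited to 'unlimited',
    cashed out at $800 every 90 seconds at ATMs in one city."""
    start = datetime(2013, 2, 19, 15, 0, 0)
    auths = [Auth("tok-001", start + timedelta(seconds=90 * i), 800, "US")
             for i in range(12)]
    return run_sequence(CashOutDetector(), auths, card_limit_from_db=10**9)


def simulate_impossible_travel():
    """Constructed data: the same card used in two countries ten minutes apart."""
    start = datetime(2013, 2, 19, 15, 0, 0)
    auths = [Auth("tok-002", start, 300, "US"),
             Auth("tok-002", start + timedelta(minutes=10), 300, "JP")]
    return run_sequence(CashOutDetector(), auths, card_limit_from_db=500)


def simulate_legitimate():
    """Constructed data: two modest withdrawals two days apart; nothing should fire."""
    start = datetime(2013, 2, 19, 15, 0, 0)
    auths = [Auth("tok-003", start, 200, "US"),
             Auth("tok-003", start + timedelta(days=2), 200, "US")]
    return run_sequence(CashOutDetector(), auths, card_limit_from_db=500)


if __name__ == "__main__":
    for name, fn in [("unlimited", simulate_unlimited_operation),
                     ("travel", simulate_impossible_travel),
                     ("legit", simulate_legitimate)]:
        print(name, fn())
```

On the constructed cash-out sequence the stored limit never fires (it has been set to a billion), but the hard ceiling declines the third $800 withdrawal and the velocity rule joins in from the seventh; the cross-border pair is declined on the second attempt, and the legitimate pair passes. The design point is that the rules must be evaluated somewhere the intruder’s database edit cannot reach: if the same compromised host both stores the limits and runs the monitor, the “unlimited operation” can switch the monitor off too.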

And Step Two didn’t just make use of our hapless New York casher crew.

According to prosecutors, the RAKBANK looting raids took place simultaneously in about 20 countries, for an illicit withdrawal total of $5,000,000.

And the Bank of Muscat operation was co-ordinated across some 24 countries, netting an astonishing $40,000,000 in under 24 hours.

The silver lining: swift international co-operation

Often, we read about bank-related cybercrime prosecuted years in arrears, mainly due to the complexities of working across many jurisdictions and with numerous financial institutions.

This time, the cops (technically, in this case, the US Secret Service) got their man, or at least their alleged men, pretty quickly.

Loretta E. Lynch, the United States Attorney for the Eastern District of New York who announced these arrests, was generous in her praise for the international co-operation received, formally thanking, amongst others:

MasterCard, RAKBANK, and the Bank of Muscat for their cooperation with this investigation, ... law enforcement authorities in Japan, Canada, Germany, and Romania, and ... authorities in the United Arab Emirates, Dominican Republic, Mexico, Italy, Spain, Belgium, France, United Kingdom, Latvia, Estonia, Thailand, and Malaysia.

Quite a list.

Now we shall have to wait and see if any of the casher crews in the other 23 countries, or the cybercrooks behind the “unlimited operation” intrusions, will ever be caught.

Oh, and if they are caught, what will happen to them: in the WorldPay example above, the Russian hacker behind it all ended up with a suspended sentence.