The great $45m bank cyber-heist: Seven New Yorkers cuffed

Gang accused of turning gift cards into debit cards

Crooks allegedly stole $45m in hours from ATMs after hacking into a database of prepaid debit cards.

The gang created counterfeit cards using the data swiped from two Middle Eastern banks, investigators claim, and emptied the compromised accounts of greenbacks as quickly as possible – thus minimising the possibility that the scam would be detected in time to block the cards and foil the plot. As well as lifting the data, the gang is said to have used other hacking techniques to boost their cash-withdrawal limits.

Eight people are accused of being members of the New York cell of the operation, which allegedly withdrew $2.8m in cash from hacked accounts. They were named as suspects in an indictment unsealed on Thursday. All of them, we're told, live in Yonkers, New York.

Seven of the defendants have been arrested and charged "variously with conspiracy to commit access device fraud, money laundering conspiracy, and money laundering," according to the Feds.

The first to be cuffed tried to flee from the US to the Dominican Republic on March 27, according to a US Department of Justice statement on the case.

The indictment also charges an eighth defendant, Alberto Yusi Lajud-Peña (aka Prime and Albertico), 25, who was reportedly murdered late last month in the Dominican Republic. It is understood that Lajud-Peña was shot dead at his house while playing dominoes with friends about two weeks after returning home from the US. He was named by US investigators as the leader of the New York cell. Lajud-Peña's murder by two masked men was allegedly motivated by disputes over how to split the loot from the digital heist, according to local news outlet La Nacion Dominicana.

It is alleged that the e-robbery was known to denizens of the internet underworld as "Unlimited Operation" – prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC, also known as RAKBANK, in the United Arab Emirates, and the Bank of Muscat, Oman, were drained of cash in the hack, according to prosecutors.

We're told the main hacking phase of the operation ran between October 2012 and April 2013. During this period, cybercrooks are said to have distributed stolen prepaid debit card numbers to trusted associates in 26 countries around the world.

These associates are said to have operated cells – or teams of "cashers" – encoding magnetic stripe cards, such as gift cards, with the compromised debit card data. The subsequent release of PINs for hacked accounts fired the starting gun for a coordinated, international cash out operation involving cash withdrawals from ATMs across the globe, investigators say.

Two separate cash-out operations occurred: on December 22, 2012 against RAKBANK, and on February 19 into the early hours of February 20 against Bank of Muscat. Before the pull was spotted by RAKBANK and its unnamed Indian card processor, it had suffered $5m in losses through more than 4,500 fraudulent ATM transactions in 20 countries. Bank of Muscat was hit even harder, with $40m in losses through 36,000 fraudulent ATM transactions in 24 countries.

"From 3pm on February 19 through 1.26am on February 20, the defendants and their co-conspirators withdrew approximately $2.4 million in nearly 3,000 ATM withdrawals in the New York City area," according to the Feds.

The fraud was carried out against just 12 no-limits compromised accounts at the Bank of Muscat, and prompted an official statement by the bank to the stock exchange in Oman in late February, as we reported at the time.
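The pattern described above, a handful of accounts drained through thousands of withdrawals across many countries within hours, is exactly the kind of velocity anomaly an issuer's authorisation monitoring can catch. The following Python is an added illustration written for this article, not code from any of the banks, processors or investigators involved: it runs a sliding-window check over a constructed ATM withdrawal log and flags cards whose withdrawal count, total or country spread exceeds thresholds. The thresholds, card identifiers and records are all invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample data (not records from the case).

    card-0001 is cashed out in a burst of 30 withdrawals across four countries;
    card-0002 shows ordinary use. Each entry is (card id, ISO timestamp, country, USD).
    """
    log = []
    countries = ["US", "JP", "DE", "CA"]
    start = datetime(2013, 2, 19, 15, 0)
    for i in range(30):
        when = (start + timedelta(minutes=3 * i)).isoformat()
        log.append(("card-0001", when, countries[i % 4], 800))
    log.append(("card-0002", "2013-02-19T09:10:00", "US", 200))
    log.append(("card-0002", "2013-02-20T18:45:00", "US", 100))
    return log


def detect_cashout(log, window_hours=1, max_count=10, max_total=5000, max_countries=1):
    """Return {card_id: [reasons]} for cards that look like a coordinated cash-out.

    For every card, withdrawals are sorted by time and examined in a sliding
    window of `window_hours`. A card is flagged if any window holds more than
    `max_count` withdrawals, more than `max_total` dollars, or withdrawals from
    more than `max_countries` countries. Threshold values are assumptions for
    this example; a real issuer would tune them per card product.
    """
    window = timedelta(hours=window_hours)
    by_card = defaultdict(list)
    for card, ts, country, amount in log:
        by_card[card].append((datetime.fromisoformat(ts), country, amount))

    alerts = {}
    for card, txns in by_card.items():
        txns.sort()  # chronological order so the window can slide forward
        end = 0
        for start in range(len(txns)):
            # Advance `end` until the next withdrawal falls outside the window.
            while end < len(txns) and txns[end][0] - txns[start][0] <= window:
                end += 1
            chunk = txns[start:end]
            count = len(chunk)
            total = sum(amount for _, _, amount in chunk)
            countries = {country for _, country, _ in chunk}

            reasons = []
            if count > max_count:
                reasons.append(f"{count} withdrawals within {window_hours}h")
            if total > max_total:
                reasons.append(f"${total} withdrawn within {window_hours}h")
            if len(countries) > max_countries:
                reasons.append(f"withdrawals from {sorted(countries)} within {window_hours}h")
            if reasons:
                alerts[card] = reasons
                break  # one alert per card is enough to trigger a block
    return alerts


if __name__ == "__main__":
    for card, reasons in detect_cashout(build_sample_log()).items():
        print(card, "->", "; ".join(reasons))
```

The country-spread rule is the cheapest signal here: a single physical card cannot be present in four countries within an hour, so that alone justifies blocking the card and the rest of the compromised batch. Reconciling authorised totals against the limit the issuer believes it configured would additionally surface the limit tampering the indictment describes.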

When the fraud was detected and the cards cancelled, the casher cells are said to have laundered the proceeds, often through the purchase of luxury goods such as expensive watches and sports cars, before keeping a proportion for themselves and kicking money back up to the cybercrime kingpins and hackers masterminding the scam. If the Feds know where the real masterminds of the scam are located, they aren't saying – at least for now.

US authorities have seized hundreds of thousands of dollars in cash and bank accounts, two Rolex watches and a Mercedes SUV, and are in the process of seizing a Porsche Panamera, all linked to the scam.

The investigation into the cyberfraud was led by the US Secret Service, which worked with MasterCard, RAKBANK, and the Bank of Muscat in unravelling the scam, as well as law enforcement agencies in Japan, Canada, Germany, and Romania, and authorities in the United Arab Emirates, Dominican Republic, Mexico, Italy, Spain, Belgium, France, the United Kingdom, Latvia, Estonia, Thailand, and Malaysia.

Prepaid debit cards are used by many employers to pay staff, and by charitable organizations to distribute disaster-assistance funds.

The Unlimited Operations mega-scam may have been the biggest of its type, but it's not the first time cybercrooks have looted prepaid debit card accounts after hacking into bank databases. Much the same methodology was employed in an ATM fraud against cards issued by RBS WorldPay in November 2009 that netted crooks $9m, for example, as cybercrime blogger Gary Warner noted.

Costin Raiu, director of global research & analysis team at Kaspersky Lab, commented: "This is no doubt one of the biggest and quickest thefts we have seen. So far, it seems no customers were affected, because the hackers targeted prepaid cards from certain banks, so the banks are the only victims. Nevertheless, it's a VERY serious incident and it raises a lot of questions about the security of the current payment systems."

Raiu added that the success of the attack relied on the use of mag-stripe technology instead of harder-to-forge plastic smartcards in many countries in the world.

"I'd like to draw the attention to the fact that in US, the insecure magnetic stripe is still used when performing payments with cards; this has been mostly abandoned everywhere in Europe and replaced by the more secure chips," Raiu said.

"The cybercriminals specialised in carding focus on replicating real cards on 'blank' cards by reprogramming the magnetic stripe," he added. "A lot of these attacks would go away by getting rid of the stripe and updating the US payment systems to use the chips. Even then, it's true that the attacks won't go away, but they will for sure decrease or become a lot harder. I believe it makes sense for the banks to invest into upgrading the cards in the US and worldwide." ®
