The great $45m bank cyber-heist: Seven New Yorkers cuffed

Gang accused of turning gift cards into debit cards

5 things you didn’t know about cloud backup

Crooks allegedly stole $45m in hours from ATMs after hacking into a database of prepaid debit cards.

The gang created counterfeit cards using the data swiped from two Middle Eastern banks, investigators claim, and emptied the compromised accounts of greenbacks as quickly as possible – thus minimising the possibility that the scam would be detected in time to block the cards and foil the plot. As well as lifting the data, the gang is said to have used other hacking techniques to boost their cash-withdrawal limits.

Eight people are accused of being members of the New York cell of the operation, which allegedly withdrew $2.8m in cash from hacked accounts. They were named as suspects in an indictment unsealed on Thursday. All of them, we're told, live in Yonkers, New York.

Seven of the defendants have been arrested and charged "variously with conspiracy to commit access device fraud, money laundering conspiracy, and money laundering," according to the Feds.

The first to be cuffed tried to flee from the US to the Dominican Republic on March 27, according to a US Department of Justice statement on the case.

The indictment also charges an eighth defendant, Alberto Yusi Lajud-Peña (aka Prime and Albertico), 25, who was reportedly murdered late last month in the Dominican Republic. It is understood that Lajud-Peña was shot dead at his house while playing dominoes with friends about two weeks after returning home from the US. He was named by US investigators as the leader of the New York cell. Lajud-Peña's murder by two masked men was allegedly motivated by disputes over how to split the loot from the digital heist, according to local news outlet La Nacion Dominicana.

It is alleged that the e-robbery was known to denizens of the internet underworld as "Unlimited Operation" – prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC, also known as RAKBANK, in the United Arab Emirates, and the Bank of Muscat, Oman, were drained of cash in the hack, according to prosecutors.

We're told the main hacking phase of the operation ran between October 2012 and April 2013. During this period, cybercrooks as said to have distributed stolen prepaid debit card numbers to trusted associates in 26 countries around the world.

These associates are said to have operated cells – or teams of "cashers" – encoding magnetic stripe cards, such as gift cards, with the compromised debit card data. The subsequent release of PINs for hacked accounts fired the starting gun for a coordinated, international cash out operation involving cash withdrawals from ATMs across the globe, investigators say.

Two separate cash-out operations occurred on December 22, 2012 against RAKBANK, and on 19 February into the early hours of 20 February against Bank of Muscat. Before the pull was spotted by RAKBANK and its unnamed Indian card processor, it had suffered $5m in losses through more than 4,500 ATM fraudulent transactions in 20 countries. Bank of Muscat was hit even harder with $40m in losses through 36,000 fraudulent ATM transactions in 24 countries.

"From 3pm on February 19 through 1.26am on February 20, the defendants and their co-conspirators withdrew approximately $2.4 million in nearly 3,000 ATM withdrawals in the New York City area," according to the Feds.

The fraud was carried out against just 12 no-limits compromised accounts at the Bank of Muscat, and prompted an official statement by the bank to the stock exchange in Oman in late February, as we reported at the time.

When the fraud was detected and the cards cancelled, the casher cells are said to have laundered the proceeds, often through the purchase of luxury goods such as expensive watches and sports cars, before keeping a proportion for themselves and kicking money back up to the cybercrime kingpins and hackers masterminding the scam. If the Feds know where the real masterminds of the scam are located, they aren't saying – at least for now.

US authorities have seized hundreds of thousands of dollars in cash and bank accounts, two Rolex watches and a Mercedes SUV, and are in the process of seizing a Porsche Panamera, all linked to the scam.

The investigation into the cyberfraud was led by the US Secret Service, which worked with MasterCard, RAKBANK, and the Bank of Muscat in unravelling the scam, as well as law enforcement agencies in Japan, Canada, Germany, and Romania, and authorities in the United Arab Emirates, Dominican Republic, Mexico, Italy, Spain, Belgium, France, the United Kingdom, Latvia, Estonia, Thailand, and Malaysia.

Prepaid debit cards are used by many employers to pay staff, and by charitable organizations to distribute disaster-assistance funds.

The Unlimited Operations mega-scam may have been the biggest of its type, but it's not the first time cybercrooks have looted prepaid debit card accounts after hacking into bank databases. Much the same methodology was employed in a ATM fraud against cards issued by RBS WorldPay in November 2009 that netted crooks $9m, for example, as cybercrime blogger Gary Warner noted.

Costin Raiu, director of global research & analysis team at Kaspersky Lab, commented: "This is no doubt one of the biggest and quickest thefts we have seen. So far, it seems no customers were affected, because the hackers targeted prepaid cards from certain banks, so the banks are the only victims. Nevertheless, it's a VERY serious incident and it raises a lot of questions about the security of the current payment systems."

Raiu added that the success of the attack relied on the use of mag-stripe technology instead of harder-to-forge plastic smartcards in many countries in the world.

"I'd like to draw the attention to the fact that in US, the insecure magnetic stripe is still used when performing payments with cards; this has been mostly abandoned everywhere in Europe and replaced by the more secure chips," Raiu said.

"The cybercriminals specialised in carding focus on replicating real cards on 'blank' cards by reprogramming the magnetic stripe," he added. "A lot of these attacks would go away by getting rid of the stripe and updating the US payment systems to use the chips. Even then, it's true that the attacks won't go away, but they will for sure decrease or become a lot harder. I believe it makes sense for the banks to invest into upgrading the cards in the US and worldwide." ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
JLaw, Kate Upton exposed in celeb nude pics hack
100 women victimised as Apple iCloud accounts reportedly popped
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story


Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.