Attacks/Breaches
10/31/2012
11:12 AM
50%
50%

60-Second Cash Kiosk Hackers Steal $1 Million: FBI

Feds announce they've busted 14 members of a gang that used rapid withdrawals at cash-advance kiosks at casinos in California and Nevada to trick Citibank.

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
The FBI has arrested more than a dozen people on charges that they participated in a gang that stole over $1 million via cash-advance kiosks at 11 casinos and resorts.

According to the FBI, the related indictment, unsealed Friday, said the gang "stole the money by exploiting a gap--which required multiple withdrawals all within 60 seconds--in Citibank's electronic transaction security protocols." The gang predominantly targeted casinos and resorts in Las Vegas and southern California.

The FBI last week arrested 13 of the accused gang members in the Los Angeles area. But one of the alleged gang members, Levon Karamyan, 58, remains at large.

According to court documents, accused ringleader Ara Keshishyan, 29, recruited other members of the gang to open multiple Citibank checking accounts, which he filled with seed money. "When inside the casino, the conspirators, including Keshishyan, used cash advance kiosks at casinos in California and Nevada to withdraw -- all within 60 seconds -- several times the amount of money deposited into the accounts, by exploiting the Citibank security gap they discovered."

[ Read FBI Expands Cybercrime Division. ]

The gang reportedly also kept each individual withdrawal below $10,000, which is the threshold at which casinos must report the transaction to federal authorities. "After the cash was collected from the casino 'cages,' Keshishyan would typically give conspirators their 'cut' -- and keep the remainder of the stolen funds -- which were often used to gamble," according to the FBI. "The casinos frequently 'comped' the conspirators with free rooms due to their extensive gambling activity."

The facilities targeted were the Agua Caliente, Chukchansi, Morongo, Pechanga, San Manuel and Spa Resort casinos in California; Harrah's in Laughlin, Nev.; as well as Bicycle, Tropicana, Wynn, and Whiskey Pete's casinos in Las Vegas.

The cash-advance-kiosk attacks are notable for highlighting how motivated attackers might benefit from even the tiniest information security misstep. "While advancements in technology have created a world of accessibility to users and a convenience for consumers, they have also left room for criminals to exploit even the smallest of loopholes," said FBI special agent Daphne Hearn in a statement. The flaw exploited by attackers has reportedly now been fixed.

The fraud was spotted by Citibank. "Through our own security measures and the diligence of our people we identified the fraudulent account activity and immediately notified the authorities. No customer accounts were affected by the fraudulent activity," said Citibank spokeswoman Catherine Pulley, speaking by phone. "We will continue to work with the FBI on their investigation."

All accused members of the gang have been charged with conspiracy to commit bank fraud and conspiracy to illegally structure financial transactions to avoid reporting requirements, which carries a maximum jail sentence of five years, as well as a $250,000 fine. The alleged ringleader, Keshishyan, also has been charged with 14 counts of bank fraud, each of which carries a prison sentence of up to 30 years, as well as a $1 million fine. All of the accused could see any ill-gotten gains forfeited, if the charges against them are proven.

The defendants, who have been arraigned, are next due back in court Nov. 30.

Attackers are increasingly using a simple method for finding flaws in websites and applications: They Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. In our report, Using Google To Find Vulnerabilities In Your IT Environment, we outline methods for using search engines such as Google and Bing to identify vulnerabilities in your applications, systems and services--and to fix them before they can be exploited. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-1793
Published: 2014-12-25
rendering/svg/RenderSVGResourceFilter.cpp in WebCore in WebKit in Google Chrome before 11.0.696.65 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted SVG document that leads to a "stale pointer."

CVE-2011-1794
Published: 2014-12-25
Integer overflow in the FilterEffect::copyImageBytes function in platform/graphics/filters/FilterEffect.cpp in the SVG filter implementation in WebCore in WebKit in Google Chrome before 11.0.696.65 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified ...

CVE-2011-1795
Published: 2014-12-25
Integer underflow in the HTMLFormElement::removeFormElement function in html/HTMLFormElement.cpp in WebCore in WebKit in Google Chrome before 11.0.696.65 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted HTML document con...

CVE-2011-1796
Published: 2014-12-25
Use-after-free vulnerability in the FrameView::calculateScrollbarModesForLayout function in page/FrameView.cpp in WebCore in WebKit in Google Chrome before 11.0.696.65 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted JavaS...

CVE-2011-1798
Published: 2014-12-25
rendering/svg/RenderSVGText.cpp in WebCore in WebKit in Google Chrome before 11.0.696.65 does not properly perform a cast of an unspecified variable during an attempt to handle a block child, which allows remote attackers to cause a denial of service (application crash) or possibly have unknown othe...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.