Attacks/Breaches
10/31/2012
11:12 AM
50%
50%

60-Second Cash Kiosk Hackers Steal $1 Million: FBI

Feds announce they've busted 14 members of a gang that used rapid withdrawals at cash-advance kiosks at casinos in California and Nevada to trick Citibank.

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
The FBI has arrested more than a dozen people on charges that they participated in a gang that stole over $1 million via cash-advance kiosks at 11 casinos and resorts.

According to the FBI, the related indictment, unsealed Friday, said the gang "stole the money by exploiting a gap--which required multiple withdrawals all within 60 seconds--in Citibank's electronic transaction security protocols." The gang predominantly targeted casinos and resorts in Las Vegas and southern California.

The FBI last week arrested 13 of the accused gang members in the Los Angeles area. But one of the alleged gang members, Levon Karamyan, 58, remains at large.

According to court documents, accused ringleader Ara Keshishyan, 29, recruited other members of the gang to open multiple Citibank checking accounts, which he filled with seed money. "When inside the casino, the conspirators, including Keshishyan, used cash advance kiosks at casinos in California and Nevada to withdraw -- all within 60 seconds -- several times the amount of money deposited into the accounts, by exploiting the Citibank security gap they discovered."

[ Read FBI Expands Cybercrime Division. ]

The gang reportedly also kept each individual withdrawal below $10,000, which is the threshold at which casinos must report the transaction to federal authorities. "After the cash was collected from the casino 'cages,' Keshishyan would typically give conspirators their 'cut' -- and keep the remainder of the stolen funds -- which were often used to gamble," according to the FBI. "The casinos frequently 'comped' the conspirators with free rooms due to their extensive gambling activity."

The facilities targeted were the Agua Caliente, Chukchansi, Morongo, Pechanga, San Manuel and Spa Resort casinos in California; Harrah's in Laughlin, Nev.; as well as Bicycle, Tropicana, Wynn, and Whiskey Pete's casinos in Las Vegas.

The cash-advance-kiosk attacks are notable for highlighting how motivated attackers might benefit from even the tiniest information security misstep. "While advancements in technology have created a world of accessibility to users and a convenience for consumers, they have also left room for criminals to exploit even the smallest of loopholes," said FBI special agent Daphne Hearn in a statement. The flaw exploited by attackers has reportedly now been fixed.

The fraud was spotted by Citibank. "Through our own security measures and the diligence of our people we identified the fraudulent account activity and immediately notified the authorities. No customer accounts were affected by the fraudulent activity," said Citibank spokeswoman Catherine Pulley, speaking by phone. "We will continue to work with the FBI on their investigation."

All accused members of the gang have been charged with conspiracy to commit bank fraud and conspiracy to illegally structure financial transactions to avoid reporting requirements, which carries a maximum jail sentence of five years, as well as a $250,000 fine. The alleged ringleader, Keshishyan, also has been charged with 14 counts of bank fraud, each of which carries a prison sentence of up to 30 years, as well as a $1 million fine. All of the accused could see any ill-gotten gains forfeited, if the charges against them are proven.

The defendants, who have been arraigned, are next due back in court Nov. 30.

Attackers are increasingly using a simple method for finding flaws in websites and applications: They Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. In our report, Using Google To Find Vulnerabilities In Your IT Environment, we outline methods for using search engines such as Google and Bing to identify vulnerabilities in your applications, systems and services--and to fix them before they can be exploited. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?