Attacks/Breaches
11/11/2009
11:41 AM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Four Indicted In $9 Million RBS WorldPay Hack

One of most sophisticated computer hacking rings in the world has been broken, claims Acting U.S. Attorney Sally Quillian Yates.

Four men were indicted on Tuesday for allegedly hacking into Atlanta, Ga.-based payment processor RBS WorldPay and stealing over $9 million from ATMs around the globe.

A federal grand jury returned indictments against Sergei Tsurikov, 25, of Tallinn, Estonia; Viktor Pleshchuk, 28, of St. Petersburg, Russia; Oleg Covelin, 28, of Chisinau, Moldova; and a person identified only as "Hacker 3."

A year ago, RBS WorldPay, owned by the Royal Bank of Scotland, was hacked in what Acting U.S. Attorney Sally Quillian Yates described as "perhaps the most sophisticated and organized computer fraud attack ever conducted."

On December 23, 2008, the company announced that on November 10 of that year, it had discovered "its computer system had been improperly accessed by an unauthorized party."

RBS WorldPay, which processes credit and debit transactions for other financial companies, said that certain personal information for 1.5 million cardholders and other individuals may have been affected and that as many as 1.1 million of these people may have had their social security numbers accessed.

According to the indictment, the alleged fraud arising from the incident involved far less information -- 44 payroll debit cards.

The indictment says that Covelin identified the vulnerability in RBS WorldPay's network that allowed the hackers to get in and that Pleshchuk and Tsurikov "developed a method by which the conspirators reverse engineered Personal Identification Numbers (PINs) from the encrypted data on the RBS WorldPay computer network."

The defendants were then able to raise the withdrawal limits on RBS WorldPay's prepaid payroll cards, which are linked to accounts that receive direct deposit payments for employees.

On or about November 8, 2008, the group allegedly coordinated a distributed series of ATM withdrawals during a twelve hour period "at over 2,100 ATMs located in at least 280 cities around the world, including in the United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan, and Canada."

Over $9 million was stolen and the "cashers" -- associates who carried out the actual cash withdrawals -- were allowed to allowed to keep between 30% and 50% of the amount they withdrew, with the remainder being wired back to the hackers.

Having access to the RBS WorldPay network, Pleshchuk and Tsurikov allegedly monitored the withdrawals and then attempted to cover their tracks by destroying data on the network.

If convicted, the four men face up to 20 years in prison for wire fraud charges; up to five years in prison for conspiracy to commit computer fraud; as many as 10 years in prison for each count of computer fraud; a two-year mandatory minimum sentence for aggravated identity theft; and fines up to $3.5 million dollars, according to the U.S. Department of Justice.

How are you dealing with data-centric security? Answer our survey by Friday, Nov. 13, and be eligible to win an iPod Touch. Click here to take part.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2208
Published: 2014-12-28
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.

CVE-2014-2209
Published: 2014-12-28
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.

CVE-2014-5386
Published: 2014-12-28
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initial...

CVE-2014-6228
Published: 2014-12-28
Integer overflow in the string_chunk_split function in hphp/runtime/base/zend-string.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted arguments to the chunk_split ...

CVE-2014-6229
Published: 2014-12-28
The HashContext class in hphp/runtime/ext/ext_hash.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 incorrectly expects that a certain key string uses '\0' for termination, which allows remote attackers to obtain sensitive information by leveraging read access beyond the end of the string,...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.