Attacks/Breaches
11/19/2013
05:10 PM

iPhone Photo Leads To Cybercrime Arrest

The FBI uses an iPhone photo to nab six members of a cybercrime ring accused of stealing $45 million via ATMs.

The FBI Monday announced six more arrests as part of a wide-ranging investigation into an international cybercrime ring that's been accused of stealing $45 million via ATMs in more than 20 countries since December.

Five of the suspects -- Anthony Diaz, 24; Saul Franjul, 23; Saul Genao, 24; Jaindhi Polanco, 29; and Jose Angeley Valerio, 26 -- were arrested early Monday. A superseding indictment charged all of them -- except for Franjul -- with serving as money mules and withdrawing $2.8 million from ATMs. Franjul, meanwhile, was accused of packing $800,000 in stolen cash into a suitcase for the gang's alleged leader, 25-year-old Alberto Yusi Lajud-Pena (aka "Prime" and "Albertico"). Franjul's co-conspirators allegedly then took the suitcase to Lajud-Pena -- then in Miami -- via bus.

At a hearing in Brooklyn federal district court Monday, the five arrestees -- four men and one woman -- pleaded not guilty. A sixth suspect named in the indictment, Franklyn Ferreira, who was arrested later on Monday, was due to be arraigned Tuesday afternoon. All six of the arrestees hail from Yonkers, NY.


In a letter sent to federal district court in Brooklyn, federal prosecutors said Monday that investigators matched surveillance photographs captured by banks -- where the alleged illegal withdrawals took place -- with suspects' driver's license photographs and Facebook profile pictures, reported The Wall Street Journal. Prosecutors also said that the government had yet to locate $2 million of the stolen money, and that no individual bank accounts were compromised by attackers.

According to prosecutors, investigators recovered an iPhone photograph -- taken by one of the suspects on March 2, 2013, just days after card details stolen from Bank Muscat in Oman were used to steal millions of dollars via ATM withdrawals -- that showed cash being stuffed into a suitcase.

"After exploiting cyber-weaknesses in the financial system to steal millions from ATMs, these defendants were packing bags to the brim with stolen cash, destined for the cybercriminal organizers of these attacks," US Attorney Loretta E. Lynch alleged in a statement. The six people arrested Monday face up to seven and a half years in prison based on the charge of access device fraud conspiracy, and could be hit with forfeiture and a fine of up to $250,000.

In February, German police also arrested two Dutch citizens -- caught withdrawing money from ATMs in Dusseldorf -- who were accused of being part of the cybercrime gang. To date, Department of Justice officials have declined to specify where the cybercrime gang is based, saying that their investigation remains ongoing.

Per a preceding indictment in this case, unsealed in May, three men were already arrested and charged with being part of the cybercrime gang; all three pleaded not guilty. Four other defendants charged in the indictment, meanwhile, pleaded guilty.

An eighth man, the aforementioned Lajud-Pena, allegedly led the gang's New York cell. He was murdered in the Dominican Republic in April while playing dominoes at his home, while his two brothers were wounded. Local media outlets tied the attack to a dispute over how the cybercrime gang's stolen funds should be apportioned, and suggested the hit men had been hired by Lajud-Pena's New York accomplices.

US prosecutors haven't charged anyone with that crime, but they have accused the gang members of running so-called "unlimited operations," which consist of hacking into a credit card processor's systems, stealing prepaid debit card account numbers and PINs, and removing the withdrawal limits on those prepaid accounts. In this case, prosecutors said the targeted financial organizations were the National Bank of Ras Al-Khaimah PSC (aka RAKBANK) in the United Arab Emirates, and the Bank of Muscat in Oman.

The hackers allegedly shared stolen card details with the leader of a "cashing crew," who would create fake credit cards encoded with stolen credit and debit card information and distribute them to a gang of money mules. At a predetermined time, the money mules would make as many withdrawals as possible using the cards, until banks' fraud departments spotted the theft and shut down the related card numbers.

In this case, prosecutors said the cashing crews conducted hundreds -- and in one case thousands -- of fraudulent transactions using different ATMs. According to prosecutors, when the gang hit ATMs in the New York City area, they withdrew approximately $2.8 million in a matter of hours. In another heist, the gang allegedly used cards encoded with just 12 stolen prepaid debit account numbers to quickly withdraw $40 million.
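The "unlimited operation" pattern described above has a distinctive footprint on the issuer side: one prepaid account approved for many withdrawals at many different ATMs within a short window, summing well past the limit the issuer believes is still in force. The following detection logic is an added example, not code from the article or from any bank involved; the withdrawal records, the $1,000 daily limit and the thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of prepaid-card ATM withdrawal records (not real data):
# (timestamp, card_account, atm_id, amount_usd)
SAMPLE_RECORDS = [
    ("2013-02-19 23:01:10", "4000001111", "ATM-NYC-001", 500),
    ("2013-02-19 23:03:42", "4000001111", "ATM-NYC-002", 500),
    ("2013-02-19 23:10:05", "4000001111", "ATM-NYC-003", 500),
    ("2013-02-19 23:25:30", "4000001111", "ATM-NYC-004", 500),
    ("2013-02-19 23:40:00", "4000001111", "ATM-NYC-005", 500),
    ("2013-02-20 00:05:15", "4000001111", "ATM-NYC-006", 500),
    ("2013-02-19 18:12:00", "4000002222", "ATM-NYC-010", 200),
    ("2013-02-19 20:45:00", "4000002222", "ATM-NYC-011", 200),
    ("2013-02-16 12:00:00", "4000003333", "ATM-NYC-020", 300),
    ("2013-02-17 12:00:00", "4000003333", "ATM-NYC-021", 300),
    ("2013-02-18 12:00:00", "4000003333", "ATM-NYC-022", 300),
    ("2013-02-19 12:00:00", "4000003333", "ATM-NYC-023", 300),
]

def parse(records):
    """Turn the raw tuples into (datetime, account, atm, amount), sorted by time."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), acct, atm, amt)
                  for ts, acct, atm, amt in records)

def flag_unlimited_ops(records, window=timedelta(hours=2), min_withdrawals=5,
                       min_atms=3, daily_limit=1000):
    """Return {account: stats} for cards whose withdrawals inside any sliding
    window exceed the count, distinct-ATM and daily-limit thresholds together."""
    by_card = defaultdict(list)
    for ts, acct, atm, amt in parse(records):
        by_card[acct].append((ts, atm, amt))
    alerts = {}
    for acct, events in by_card.items():
        best, start = None, 0
        for end in range(len(events)):
            # advance the window start until every event in it fits in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            total = sum(amt for _, _, amt in win)
            atms = {atm for _, atm, _ in win}
            if (len(win) >= min_withdrawals and len(atms) >= min_atms
                    and total > daily_limit
                    and (best is None or len(win) > best["count"])):
                best = {"count": len(win), "atms": len(atms), "total": total}
        if best:
            alerts[acct] = best
    return alerts
```

Only the first card trips the rule: six withdrawals at six ATMs totalling $3,000 in just over an hour, three times the configured limit, while the steady once-a-day user and the two-withdrawal card stay quiet.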

Authorities said this stolen cash was spent in high-end nightclubs and laundered, in part, by purchasing luxury goods, including Rolex watches and two cars -- a Mercedes G63 AMG and Porsche Panamera -- that were together valued at $250,000.


Comments
rradina, User Rank: Apprentice
11/20/2013 | 1:04:25 PM
Re: Nowhere to Hide
I see your point but getting it without a warrant could still be interesting and might depend on whether or not it's reasonable for the suspect to assume device privacy even though it's being saved in iCloud.  There have been a few cases (discarded lottery tickets in trash cans) where the expectation of privacy has been raised.  As long as we're permitting what ifs... What if the suspect doesn't understand what iCloud is and what it does with the data?  What if they believe iCloud is something on their Mac or PC since that's where data was previously stored/synced?  To them it might just be a highly convenient wireless and automatic sync with their Mac or PC.  Ignorance of the law is no excuse but this isn't ignorance of law.  This is ignorance of tech and whether or not a judge thinks iCloud affects the reasonable expectation of privacy on a personal device.

Of course before someone brands me as a bleeding heart for criminals, if the evidence that establishes them as suspects was not obtained with due process, it has to be discarded.  Why?  I'm thinking of the person who is pulled over for speeding, gets belligerent and suddenly everything on their personal device is on Twitter.  Although it was stupid to make the police angry and get arrested, is it reasonable to assume everything on their smart phone is now discoverable?  No crime ends up being found but revealing that private information could forever alter their life.  It's not right if it's reasonable for a person in that situation to expect smart phone privacy as much as their own thoughts.
Mathew, User Rank: Apprentice
11/20/2013 | 9:49:56 AM
Re: Nowhere to Hide
That's true. But it's also possible that the FBI subpoenaed Apple and gained access to the suspect's stored iCloud data. At that point, there's no need to worry (at least legally speaking) about the device itself at all.
rradina, User Rank: Apprentice
11/20/2013 | 9:41:18 AM
Re: Nowhere to Hide
It might also be interesting regarding the various cases involving search and seizure and whether or not the iPhone was locked.  Most of the law enforcement community believes a suspect's locked digital device is discoverable without a warrant.  Many believe a more conservative approach is required in that there must be judicial approval before a locked device is part of discovery.
Marilyn Cohodas, User Rank: Strategist
11/20/2013 | 8:07:10 AM
Re: Nowhere to Hide
Thanks for the clarification, Mat. I too was scratching my head about the iPhone photo. I guess we'll have to wait until all the evidence is presented at the trial. Interesting story and yet another cautionary tale about the sophistication of organized criminals in credit card theft. Well, perhaps the iPhone photo wasn't such a smart tactic. Keep us posted about how that fits into the case.
Mathew, User Rank: Apprentice
11/20/2013 | 5:19:40 AM
Re: Nowhere to Hide
Very good point; the iPhone angle wasn't intended as linkbait. What I didn't detail in the story were the questions that the use of an iPhone raised.

To recap: The suspect allegedly snapped a photograph of a suitcase packed with $800,000 in cash gathered by money mules. That suggests it was a "before" picture for the recipient of said cash to compare with what was actually received (after co-conspirators allegedly transported the suitcase to Miami by bus). 

From an investigation standpoint, the fact that the Feds noted that one of the pieces of evidence they have is an iPhone photo is significant. It suggests -- and the indictment doesn't mention the phone, so this is all supposition -- that the alleged suspect emailed the photograph to the planned recipient of the suitcase, per the above. But what if the Feds tracked down the photo because it had been automatically synced to iCloud? Or looked at the EXIF data in the image and found that it was the suspect's house?

Again, this is guesswork, but I wouldn't be surprised to see one or both of those angles come out at the trial.
rradina, User Rank: Apprentice
11/20/2013 | 12:22:04 AM
Re: Nowhere to Hide
Did I miss something?  Did they use photo recognition software to match the license photos with the surveillance and Facebook photos?  The article isn't clear on that.

Also, the iPhone photo could have been any smart phone or even regular camera.  I'm puzzled by the article's title.  I assumed some new and significantly novel use of an iPhone to thwart crime.  The significance of the iPhone photo is nothing special and could have been accomplished with a quaint Polaroid found in one of their wallets.
Tom Murphy, User Rank: Apprentice
11/19/2013 | 5:38:18 PM
Nowhere to Hide
The role of photo recognition software here makes it evident that it is getting increasingly difficult to hide once someone has your photo -- or once you're dumb enough to put it on Facebook and then get photographed by a bank surveillance camera.

But I also have to question why any car dealer would accept a pile of cash from someone in their mid-20s for a luxury car worth $100k or so.  Perhaps I'm expecting too much from car dealers, but shouldn't that send up a signal that the money just might stem from criminal activity?   I believe the car dealer should have to return the money, because it belongs to someone else.