Attacks/Breaches
5/9/2013
01:28 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

8 New Yorkers Indicted As Part of $45 Million Cyberheist Of Prepaid Debit Cards

Orchestrated massive global 'bank heist' by an international cybercrime organization targeted credit card processor for MasterCard prepaid debit cards, waged and coordinated mass ATM withdrawals

Seven New York City men have been arrested and indicted in New York City for their role in an international cybercrime ring that hacked an unnamed credit card processor for MasterCard, stole prepaid debit cards, and quickly cashed them out in a highly orchestrated operation that spanned the globe. The defendants comprised a New York ground operation that allegedly withdrew $2.8 million across ATMs across the city as part of a massive cybercrime campaign that resulted in $45 million in losses. The seven arrested defendants, all based in Yonkers, N.Y., are Jael Mejia Collado, Joan Luis Minier Lara, Evan Jose Pena, Jose Familia Reyes, Elvis Rafael Rodriguez, Emir Yasser Yeje, and Chung Yu-Holguin. An eighth defendant named in the indictment, Alberto Yusi Lajud-Pena, was reportedly murdered in the Dominican Republic last month.

U.S. Justice Department officials say the men formed the New York cell of the international crime ring, which used "sophisticated intrusion" methods to break into the computers of the credit card processor for MasterCard to steal debit cards issued by the National Bank of Ras Al-Khaimah PSC (RAKBANK) in the United Arab Emirates, on Dec. 22, 2012, and then between Feb. 19 and 20, 2013, to pilfer debit cards issued by the Bank of Muscat in Oman. The ring stole and manipulated the value of prepaid debit cards and then cashed them out in massive ATM withdrawals worldwide after each computer break-in.

"As charged in the indictment, the defendants and their co-conspirators participated in a massive 21st century bank heist that reached across the Internet and stretched around the globe. In the place of guns and masks, this cybercrime organization used laptops and the Internet. Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City, with the defendants fanning out across Manhattan to steal millions of dollars from hundreds of ATMs in a matter of hours," said U.S. Attorney Loretta Lynch.

Law enforcement officials say the first of the two campaigns in late 2012 against RAKBANK resulted in $5 million in losses to the credit card processor and RAKBANK. The ring conducted more than 4,500 ATM withdrawals across 20 countries using the stolen RAKBANK accounts that were altered by the hackers to higher withdrawal limits. The New York City cell, including the defendants and co-conspirators, cashed out $400,000 in more than 140 ATMs.

The second campaign on February 19 and 20 of this year went after the same credit-card processor and stole MasterCard prepaid debit cards from the Bank of Muscat in an even bigger heist, with cells in 24 different countries withdrawing $40 million from ATMS with 10 hours via some 36,000 transactions. The New York cell cashed out $2.4 million from 3,000 ATM withdrawals in the city.

DOJ officials call this type of crime an "unlimited operation," where the hackers wipe out any account withdrawal limits to get as much cash as they can. These operations typically include targeted cyberattacks that span the globe, and quick, coordinated ground operations for cashing out at ATMs.

Cybercrime cases like these "demonstrate the importance of closely monitoring the internal corporate network for signs of a breach," says Gary Warner, director of research in computer forensics at the UAB Center for Information Assurance and Joint Forensics Research. "It takes time for the criminal to learn enough about your organization's internal workings to be able to take over and reset ATM balances. Quick detection of the breach is key to preventing" these problems, he wrote in a blog post today.

The indictment and other court filings in the case say Lajud-Pena was the head of the New York cell, and that he, Rodriguez, and Yeje laundered hundreds of thousands of dollars. The cell members also purchased Rolex watches, a Mercedes SUV, and a Porsche using money made in the scam. They could face 10 years of prison time on each money-laundering charge and 7.5 years on conspiracy to commit access device fraud, as well as up to $250,000 in fines.

The U.S. Secret Service investigated the cyberattacks and U.S.-based criminal activity, and law enforcement in Japan, Canada, Germany, and Romania all assisted in the investigation.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web