11/13/2013
11:56 AM
Dark Reading
Members Of New York Cell Of Cybercrime Organization Plead Guilty In $45 Million Cybercrime Campaign

Cyberattacks employed by the defendants and their co-conspirators known in the cyberunderworld as "Unlimited Operations"

BROOKLYN, NY – Earlier today, Evan Jose Peña pleaded guilty to participating in two worldwide cyberattacks that inflicted $45 million in losses on the global financial system in a matter of hours. Peña's plea followed two other guilty pleas in this case, entered by defendants Emir Yasser Yeje and Elvis Rafael Rodriguez in October 2013. These three defendants were members of the New York-based cell of an international cybercrime organization that used sophisticated intrusion techniques to break into the systems of global financial institutions, steal prepaid debit card data, and eliminate withdrawal limits. The stolen card data was then instantly disseminated worldwide and used to make fraudulent ATM withdrawals on a massive scale across the globe. The New York cell in which Peña, Yeje, and Rodriguez participated withdrew almost $2.8 million in a matter of hours.

The pleas were announced by Loretta E. Lynch, United States Attorney for the Eastern District of New York, and Steven Hughes, Special Agent in Charge, United States Secret Service, New York Field Office.

"These three defendants participated in a criminal flash mob, using data stolen through the most sophisticated hacking techniques to withdraw millions of dollars in mere hours in an unprecedented cyber heist," stated United States Attorney Lynch. "Their pleas demonstrate that the United States government will not relent in its efforts to investigate and prosecute the perpetrators of these financially devastating cyberattacks." Ms. Lynch expressed her grateful appreciation to the United States Secret Service, New York Field Office for their work on the investigation.

The "Unlimited Operation"

As alleged in the indictment and other court filings, the cyberattacks employed by the defendants and their co-conspirators in this case are known in the cyber underworld as "Unlimited Operations": through its hacking "operation," the cybercrime organization can access virtually "unlimited" criminal proceeds.

The "Unlimited Operation" begins when the cybercrime organization hacks into the computer systems of a payment card processor, compromises prepaid debit card accounts, removes the withdrawal limits and balance ceilings on those accounts, and tampers with the security controls that would otherwise alert the victim to the attack. The compromised card data is then distributed to cells worldwide, which encode it onto magnetic stripe cards for use at ATMs. These techniques let the participants withdraw effectively unlimited amounts of cash until the operation is finally detected and shut down. "Unlimited Operations" are marked by three key characteristics: (1) the surgical precision of the hackers carrying out the cyberattack, (2) the global nature of the cybercrime organization, and (3) the speed and coordination with which the organization executes its operations on the ground. These attacks rely on both highly sophisticated hackers and organized criminal cells whose role is to withdraw the cash as quickly as possible.

The Defendants' Roles in the Charged Cyberattacks

Evan Peña, Elvis Rafael Rodriguez, and Emir Yasser Yeje participated in two recent "Unlimited Operations" of staggering size. The first operation, on December 22, 2012, targeted a payment card processor that processed transactions for prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC, also known as RAKBANK, in the United Arab Emirates. After the hackers penetrated the payment card processor's computer network, compromised the RAKBANK prepaid card accounts, and manipulated the balances and withdrawal limits, casher cells across the globe operated a coordinated ATM withdrawal campaign. In total, more than 4,500 ATM transactions were conducted in approximately 20 countries around the world using the compromised RAKBANK account data, resulting in approximately $5 million in losses to the payment card processor and RAKBANK.

The second, and even more damaging, of these Unlimited Operations occurred on the afternoon of February 19 and lasted into the early morning of February 20, 2013. This operation again breached the network of a payment card processor that serviced MasterCard prepaid debit cards, this time issued by Bank Muscat, located in Oman. Again, after the cybercrime organization's hackers compromised Bank Muscat prepaid debit card accounts and distributed the data, the organization's casher cells engaged in a worldwide ATM withdrawal campaign. Over the course of approximately 10 hours, casher cells in 24 countries executed approximately 36,000 transactions worldwide and withdrew about $40 million from ATMs.

Peña, Rodriguez, and Yeje operated the New York cell of "cashers," who encoded magnetic stripe cards, such as gift cards, with the compromised card data. After receiving the compromised account information and personal identification numbers (PINs) for the hacked accounts, the defendants' cells sprang into action, immediately fanning out across the New York area making thousands of withdrawals from ATMs. During the RAKBANK Unlimited Operation, over the course of just two hours and 25 minutes, the defendants and their co-conspirators conducted approximately 750 fraudulent transactions, totaling nearly $400,000, at over 140 different ATM locations in New York City. The Bank Muscat Unlimited Operation was even more devastating. From 3 p.m. on February 19 through 1:26 a.m. on February 20, the defendants and their co-conspirators withdrew approximately $2.4 million in nearly 3,000 ATM withdrawals in the New York City area.
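The pattern described above (a small set of prepaid accounts cashed out through thousands of ATM withdrawals across many countries within hours) is detectable from the issuer's own authorization feed even when, as alleged here, the attackers have tampered with the processor's alerting. The following Python is an added example written for this page, not code from the court filings or from any of the institutions named; the thresholds, the card tokens, and the sample withdrawal records are constructed assumptions, not figures from the case. It flags two per-card signals (withdrawal velocity and use in more than one country within an hour) and one portfolio-level signal (total ATM withdrawals for the issuer per hour far above baseline), which is the signal that survives even if individual cards' limits and flags have been zeroed at the processor.

```python
"""Issuer-side ATM withdrawal monitor (added example; thresholds and data are assumed)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    card: str        # issuer-side token for the card, never the PAN itself
    ts: datetime     # authorization time (UTC assumed)
    country: str     # ISO 3166 alpha-2 of the ATM location
    amount: float


# Assumed thresholds; an issuer would tune these to its own prepaid portfolio.
MAX_PER_CARD_PER_HOUR = 10      # a prepaid card rarely sees more than a handful of ATM pulls per hour
MIN_COUNTRIES_PER_CARD = 2      # one physical card cannot be in two countries inside an hour
WINDOW = timedelta(hours=1)


def per_card_alerts(records):
    """Return {card_token: [reasons]} for cards whose withdrawals breach a threshold
    in any rolling one-hour window. Reasons are 'velocity' and/or 'multi-country'."""
    by_card = defaultdict(list)
    for r in records:
        by_card[r.card].append(r)

    alerts = {}
    for card, rs in by_card.items():
        rs.sort(key=lambda r: r.ts)
        reasons = set()
        start = 0
        for end in range(len(rs)):
            # Slide the window start forward until it spans at most WINDOW.
            while rs[end].ts - rs[start].ts > WINDOW:
                start += 1
            window = rs[start:end + 1]
            if len(window) > MAX_PER_CARD_PER_HOUR:
                reasons.add("velocity")
            if len({r.country for r in window}) >= MIN_COUNTRIES_PER_CARD:
                reasons.add("multi-country")
        if reasons:
            alerts[card] = sorted(reasons)
    return alerts


def bin_spike(records, baseline_per_hour, factor=5.0):
    """Portfolio-level check: hours in which total ATM withdrawals across the whole
    issuer BIN exceed `factor` times the historical hourly baseline. This does not
    depend on per-card limits or flags, which the attackers control at the processor."""
    buckets = defaultdict(int)
    for r in records:
        buckets[r.ts.replace(minute=0, second=0, microsecond=0)] += 1
    return sorted(hour for hour, n in buckets.items() if n > factor * baseline_per_hour)


def sample_records():
    """Constructed sample feed: one compromised card token cashed out in three countries
    within 45 minutes, plus one ordinary card with a single withdrawal."""
    t0 = datetime(2013, 2, 19, 15, 0)  # afternoon start, mirroring the second operation
    recs = []
    for i in range(12):
        country = ("US", "JP", "RU")[i % 3]
        recs.append(Withdrawal("tok-A", t0 + timedelta(minutes=4 * i), country, 500.0))
    recs.append(Withdrawal("tok-B", t0 + timedelta(minutes=30), "US", 60.0))
    return recs


if __name__ == "__main__":
    feed = sample_records()
    print("per-card alerts:", per_card_alerts(feed))
    print("BIN-level spike hours:", bin_spike(feed, baseline_per_hour=2))
```

The design point is independence: because the operation includes manipulating the controls that would alert the victim, the monitor should consume the issuer's own authorization stream (read-only, outside the processor's trust boundary) rather than the processor's fraud flags, and the portfolio-level count should be compared against a baseline that the processor cannot rewrite.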

The defendants then passed portions of the proceeds back to the hackers organizing the attack and kept the rest for themselves. Notably, defendants Rodriguez and Yeje laundered hundreds of thousands of dollars in illicit cash proceeds. In one transaction alone, nearly $150,000, in the form of 7,491 $20 bills, was deposited at a bank branch in Miami, Florida, into an account controlled by defendant Alberto Yusi Lajud-Peña, who is now deceased. New York cell members also invested the criminal proceeds in portable luxury goods, such as expensive watches and cars. To date, the United States has seized hundreds of thousands of dollars in cash, bank accounts, and luxury merchandise, including two Rolex watches and a Mercedes SUV, and is in the process of forfeiting a Porsche Panamera. The Mercedes and Porsche were purchased with $250,000 in proceeds of this scheme.

In announcing the pleas, United States Attorney Lynch praised the extraordinary efforts of the Secret Service in responding to these attacks and investigating both the complex network intrusions that occurred overseas and the criminal activity occurring locally, and also expressed gratitude to U.S. Immigration and Customs Enforcement (ICE), Homeland Security Investigations (HSI) in New York for their assistance in this investigation. Ms. Lynch also thanked MasterCard, RAKBANK, and Bank Muscat for their cooperation with this investigation.

Today's plea took place before United States District Judge Kiyo A. Matsumoto. When sentenced, the defendants face up to 7.5 years in prison, as well as forfeiture and a fine of up to $250,000.

The government's case is being prosecuted by Assistant United States Attorneys Cristina Posa, Hilary Jager, David Sarratt, and Brian Morris.
