Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

60-Second Cash Kiosk Hackers Steal $1 Million: FBI

Feds announce they've busted 14 members of a gang that used rapid withdrawals at cash-advance kiosks at casinos in California and Nevada to trick Citibank.

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
The FBI has arrested more than a dozen people on charges that they participated in a gang that stole over $1 million via cash-advance kiosks at 11 casinos and resorts.

According to the FBI, the related indictment, unsealed Friday, said the gang "stole the money by exploiting a gap--which required multiple withdrawals all within 60 seconds--in Citibank's electronic transaction security protocols." The gang predominantly targeted casinos and resorts in Las Vegas and southern California.

The FBI last week arrested 13 of the accused gang members in the Los Angeles area. But one of the alleged gang members, Levon Karamyan, 58, remains at large.

According to court documents, accused ringleader Ara Keshishyan, 29, recruited other members of the gang to open multiple Citibank checking accounts, which he filled with seed money. "When inside the casino, the conspirators, including Keshishyan, used cash advance kiosks at casinos in California and Nevada to withdraw -- all within 60 seconds -- several times the amount of money deposited into the accounts, by exploiting the Citibank security gap they discovered."

[ Read FBI Expands Cybercrime Division. ]

The gang reportedly also kept each individual withdrawal below $10,000, which is the threshold at which casinos must report the transaction to federal authorities. "After the cash was collected from the casino 'cages,' Keshishyan would typically give conspirators their 'cut' -- and keep the remainder of the stolen funds -- which were often used to gamble," according to the FBI. "The casinos frequently 'comped' the conspirators with free rooms due to their extensive gambling activity."

The facilities targeted were the Agua Caliente, Chukchansi, Morongo, Pechanga, San Manuel and Spa Resort casinos in California; Harrah's in Laughlin, Nev.; as well as Bicycle, Tropicana, Wynn, and Whiskey Pete's casinos in Las Vegas.

The cash-advance-kiosk attacks are notable for highlighting how motivated attackers might benefit from even the tiniest information security misstep. "While advancements in technology have created a world of accessibility to users and a convenience for consumers, they have also left room for criminals to exploit even the smallest of loopholes," said FBI special agent Daphne Hearn in a statement. The flaw exploited by attackers has reportedly now been fixed.

The fraud was spotted by Citibank. "Through our own security measures and the diligence of our people we identified the fraudulent account activity and immediately notified the authorities. No customer accounts were affected by the fraudulent activity," said Citibank spokeswoman Catherine Pulley, speaking by phone. "We will continue to work with the FBI on their investigation."

All accused members of the gang have been charged with conspiracy to commit bank fraud and conspiracy to illegally structure financial transactions to avoid reporting requirements, which carries a maximum jail sentence of five years, as well as a $250,000 fine. The alleged ringleader, Keshishyan, also has been charged with 14 counts of bank fraud, each of which carries a prison sentence of up to 30 years, as well as a $1 million fine. All of the accused could see any ill-gotten gains forfeited, if the charges against them are proven.

The defendants, who have been arraigned, are next due back in court Nov. 30.

Attackers are increasingly using a simple method for finding flaws in websites and applications: They Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. In our report, Using Google To Find Vulnerabilities In Your IT Environment, we outline methods for using search engines such as Google and Bing to identify vulnerabilities in your applications, systems and services--and to fix them before they can be exploited. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23901
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
CVE-2020-17532
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
CVE-2020-12512
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
CVE-2020-12513
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.
CVE-2020-12514
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd