Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/9/2013
01:28 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

8 New Yorkers Indicted As Part of $45 Million Cyberheist Of Prepaid Debit Cards

Orchestrated massive global 'bank heist' by an international cybercrime organization targeted credit card processor for MasterCard prepaid debit cards, waged and coordinated mass ATM withdrawals

Seven New York City men have been arrested and indicted in New York City for their role in an international cybercrime ring that hacked an unnamed credit card processor for MasterCard, stole prepaid debit cards, and quickly cashed them out in a highly orchestrated operation that spanned the globe. The defendants comprised a New York ground operation that allegedly withdrew $2.8 million across ATMs across the city as part of a massive cybercrime campaign that resulted in $45 million in losses. The seven arrested defendants, all based in Yonkers, N.Y., are Jael Mejia Collado, Joan Luis Minier Lara, Evan Jose Pena, Jose Familia Reyes, Elvis Rafael Rodriguez, Emir Yasser Yeje, and Chung Yu-Holguin. An eighth defendant named in the indictment, Alberto Yusi Lajud-Pena, was reportedly murdered in the Dominican Republic last month.

U.S. Justice Department officials say the men formed the New York cell of the international crime ring, which used "sophisticated intrusion" methods to break into the computers of the credit card processor for MasterCard to steal debit cards issued by the National Bank of Ras Al-Khaimah PSC (RAKBANK) in the United Arab Emirates, on Dec. 22, 2012, and then between Feb. 19 and 20, 2013, to pilfer debit cards issued by the Bank of Muscat in Oman. The ring stole and manipulated the value of prepaid debit cards and then cashed them out in massive ATM withdrawals worldwide after each computer break-in.

"As charged in the indictment, the defendants and their co-conspirators participated in a massive 21st century bank heist that reached across the Internet and stretched around the globe. In the place of guns and masks, this cybercrime organization used laptops and the Internet. Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City, with the defendants fanning out across Manhattan to steal millions of dollars from hundreds of ATMs in a matter of hours," said U.S. Attorney Loretta Lynch.

Law enforcement officials say the first of the two campaigns in late 2012 against RAKBANK resulted in $5 million in losses to the credit card processor and RAKBANK. The ring conducted more than 4,500 ATM withdrawals across 20 countries using the stolen RAKBANK accounts that were altered by the hackers to higher withdrawal limits. The New York City cell, including the defendants and co-conspirators, cashed out $400,000 in more than 140 ATMs.

The second campaign on February 19 and 20 of this year went after the same credit-card processor and stole MasterCard prepaid debit cards from the Bank of Muscat in an even bigger heist, with cells in 24 different countries withdrawing $40 million from ATMS with 10 hours via some 36,000 transactions. The New York cell cashed out $2.4 million from 3,000 ATM withdrawals in the city.

DOJ officials call this type of crime an "unlimited operation," where the hackers wipe out any account withdrawal limits to get as much cash as they can. These operations typically include targeted cyberattacks that span the globe, and quick, coordinated ground operations for cashing out at ATMs.

Cybercrime cases like these "demonstrate the importance of closely monitoring the internal corporate network for signs of a breach," says Gary Warner, director of research in computer forensics at the UAB Center for Information Assurance and Joint Forensics Research. "It takes time for the criminal to learn enough about your organization's internal workings to be able to take over and reset ATM balances. Quick detection of the breach is key to preventing" these problems, he wrote in a blog post today.

The indictment and other court filings in the case say Lajud-Pena was the head of the New York cell, and that he, Rodriguez, and Yeje laundered hundreds of thousands of dollars. The cell members also purchased Rolex watches, a Mercedes SUV, and a Porsche using money made in the scam. They could face 10 years of prison time on each money-laundering charge and 7.5 years on conspiracy to commit access device fraud, as well as up to $250,000 in fines.

The U.S. Secret Service investigated the cyberattacks and U.S.-based criminal activity, and law enforcement in Japan, Canada, Germany, and Romania all assisted in the investigation.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10101
PUBLISHED: 2019-07-23
ServiceStack ServiceStack Framework 4.5.14 is affected by: Cross Site Scripting (XSS). The impact is: JavaScrpit is reflected in the server response, hence executed by the browser. The component is: the query used in the GET request is prone. The attack vector is: Since there is no server-side valid...
CVE-2019-10102
PUBLISHED: 2019-07-23
Voice Builder Prior to commit c145d4604df67e6fc625992412eef0bf9a85e26b and f6660e6d8f0d1d931359d591dbdec580fef36d36 is affected by: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). The impact is: Remote code execution with the same privileges as the...
CVE-2019-10102
PUBLISHED: 2019-07-23
Jeesite 1.2.7 is affected by: SQL Injection. The impact is: sensitive information disclosure. The component is: updateProcInsIdByBusinessId() function in src/main/java/com.thinkgem.jeesite/modules/act/ActDao.java has SQL Injection vulnerability. The attack vector is: network connectivity,authenticat...
CVE-2018-18670
PUBLISHED: 2019-07-23
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "Extra Contents" parameter, aka the adm/config_form_update.php cf_1~10 parameter.
CVE-2018-18672
PUBLISHED: 2019-07-23
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "board head contents" parameter, aka the adm/board_form_update.php bo_content_head parameter.