Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations //

Identity & Access Management

7/11/2014
03:30 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

International Hacker Pleads Guilty To 2011 Global Cyberattack

Conspirators Stole $14 Million Within 48 Hours

Earlier today at the federal courthouse in Brooklyn, Qendrim Dobruna, a member of an international cybercrime organization that was responsible for a cyberattack that inflicted millions of dollars in losses on the global financial system over the course of two days in 2011, pleaded guilty to bank fraud.

The defendant, who was extradited from Germany, and his co-conspirators hacked into the systems of a U.S.-based credit and debit card payment processor that processed debit card transactions for the American Red Cross in connection with disaster relief victims. The stolen card data was then disseminated worldwide and used in an “unlimited operation” that made $14 million in fraudulent withdrawals from ATMs across the globe.

The guilty plea was announced by Loretta E. Lynch, United States Attorney for the Eastern District of New York, and Robert J. Sica, Special Agent in Charge, United States Secret Service, New York Field Office.

“The defendant and his associates hacked into the global financial system and helped themselves to funds using prepaid debit cards meant for the needy and vulnerable,” stated United States Attorney Lynch. “We will continue to work with our private sector partners to solve these 21st century heists and bring the perpetrators, no matter where in the world they may hide, to justice.”

“Our success in this case and other similar investigations is a result of our close work with our law enforcement partners,” said Secret Service Special Agent in Charge Sica. “The Secret Service worked closely with the Department of Justice and INTERPOL to share information and resources that ultimately brought Qendrim Dobruna to justice. This case demonstrates there is no such thing as anonymity for those engaging in data theft and fraudulent schemes.”

As described in the indictment, court filings in related cases, and public court proceedings, the cyberattack employed by the defendant and his co-conspirators is known in the cyber underworld as an “Unlimited Operation” – through its hacking “operation,” the cybercrime organization can access virtually “unlimited” criminal proceeds.

The “Unlimited Operation” begins when the cybercrime organization hacks into the computer systems of a payment card processor, compromises prepaid debit card accounts, essentially eliminates the withdrawal limits of those accounts, and manipulates the security protocols that would alert the victim to the attack. The compromised card data is then distributed to cells worldwide that use the data to encode magnetic stripe cards to use at ATMs. These sophisticated techniques enable the participants to withdraw literally unlimited amounts of cash until the operation is finally detected and shut down. “Unlimited Operations” are marked by three key characteristics:

(1) the surgical precision of the hackers carrying out the cyberattack,

(2) the global nature of the cybercrime organization, and

(3) the speed and coordination with which the organization executes its operations on the ground.

These attacks rely upon both highly sophisticated hackers and organized criminal cells whose role is to withdraw the cash as quickly as possible.

In February 2011 the defendant and his co-conspirators targeted a publicly traded credit and debit card processing company based in the United States that processed transactions for prepaid debit cards issued by the American Red Cross for disaster relief victims. After the hackers penetrated the payment card processor’s computer network, compromised the American Red Cross prepaid card accounts, and manipulated the balances and withdrawal limits, casher cells across the globe operated a coordinated ATM withdrawal campaign. In total, more than 15,000 ATM transactions were conducted in approximately 18 countries using the compromised disaster relief prepaid cards, resulting in $14 million in financial loss worldwide.

The defendant, also known by the aliases “cl0sEd” and “cL0z,” participated in the cyber-attack from overseas by obtaining account information from co-conspirators who directly hacked into the payment card processor’s database and selling that account information to other co-conspirators over the Internet, including to an individual in Brooklyn, New York. The defendant was arrested in an apartment in Stuttgart, Germany in March 2012 by the German federal criminal police and subsequently extradited to the United States.

In announcing the guilty plea, United States Attorney Lynch praised the extraordinary efforts of the Secret Service in investigating this complex network intrusion. Ms. Lynch also thanked the Department of Justice’s Office of International Affairs, INTERPOL, and the authorities in Germany for their assistance in effecting the defendant’s extradition.

Today’s plea took place before Senior United States District Judge I. Leo Glasser. When sentenced on October 24, 2014, the defendant faces up to 30 years in prison, a fine of up to $1 million, and forfeiture of the proceeds of his crimes.

The government’s case is being prosecuted by Assistant United States Attorney Amir H. Toossi.
The Defendant:
QENDRIM DOBRUNA
Age: 27
E.D.N.Y. Docket No. 12 CR 300 (ILG)

 

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13934
PUBLISHED: 2020-07-14
An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.
CVE-2020-13935
PUBLISHED: 2020-07-14
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of ser...
CVE-2020-15721
PUBLISHED: 2020-07-14
RosarioSIS through 6.8-beta allows modules/Custom/NotifyParents.php XSS because of the href attributes for AddStudents.php and User.php.
CVE-2020-7592
PUBLISHED: 2020-07-14
A vulnerability has been identified in SIMATIC HMI Basic Panels 1st Generation (incl. SIPLUS variants) (All versions), SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants) (All versions), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions), SIMATIC HMI KTP700F Mobile Arctic ...
CVE-2020-7593
PUBLISHED: 2020-07-14
A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (V1.81.01 - V1.81.03), LOGO! 8 BM (incl. SIPLUS variants) (V1.82.01), LOGO! 8 BM (incl. SIPLUS variants) (V1.82.02). A buffer overflow vulnerability exists in the Web Server functionality of the device. A remote unauthenticate...