US court charges eight with global $45m ATM scam

13 May 2013

Eight people have been charged in the US with masterminding two cyber-attacks that stole card data from payment processors, which was subsequently used to fraudulently withdraw $45m from ATMs around the world.

The New York-based group of fraudsters were part of an international cyber-crime ring spread across 28 countries, alleges the US federal indictment. One of the eight defendants, Alberto Yusi Lajud-Peña, is reported to have been murdered in the Dominican Republic, but seven others are now facing trial in New York. The defendants are Jael Mejia Collado; Joan Luis Minier Lara; Evan Jose Peña; Jose Familia Reyes; Elvis Rafael Rodriguez; Emir Yasser Yeje; and Chung Yu-Holguin.

The New York-based element of the global cyber-crime collective managed to steal around $2.8m over the two operations, allege authorities, with the international element fraudulently obtaining $45m.

Authorities are believed to have caught the US participants after nearly $150,000 in $20 bills was deposited at a bank branch in Miami, as part of an attempt to launder the ill-gotten gains. The lavish lifestyle and extravagant spending of the defendants are also thought to have attracted attention.

Global Scale and News Analysis

The identity theft and ATM fraud saw hackers spend several months working to gain access to the computer networks of unnamed credit card processors. The perpetrators in this latest instance stole pre-paid card details and increased the balance limits, according to the US court filings. The data was forwarded on to criminal cashiers around the world to make fake cards and use legitimate personal identification numbers (PINs) to make automated teller machine (ATM) withdrawals.

All card and payment processors are subject to such attacks, as the separate and totally unrelated attack against Global Payments last year proved, when data was lost but swift action was taken to minimise any subsequent fraud. RSA one-time password (OTP) security token data was also notoriously stolen a few years ago after a breach. Data breaches are a fact of life, and it is how you minimise the chance of one and respond to any such attack that counts: it is this that will prevent any subsequent fraud. Maintaining adequate IT security provisions to battle this menace is of course paramount, but as ever in the information security field it is an arms race between 'the poachers and the gamekeepers'.

The first cyber-attack in this latest incident, which is now coming to trial, occurred on 22 December 2011, targeting a processor that dealt with transactions for pre-paid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC in the United Arab Emirates. It resulted in a $5m loss from 45,000 fraudulent ATM withdrawals. A second attack in February last year was subsequently launched against another MasterCard pre-paid debit card processor, this time affiliated with the Bank of Muscat in Oman, resulting in a $40m loss.

Press speculation has since named the EnStage payments processor as the target of the second attack, with Reuters subsequently revealing that rival Indian processor ElectraCard Services was the victim of the first attack, although the firm maintains it lost no PIN data.

The defendants face a 10 year jail term at most if convicted of the money laundering charges against them, and a possible additional seven and a half years for conspiracy to commit access device fraud.


“The defendants and their co-conspirators participated in a massive 21st century bank heist that reached across the internet and stretched around the globe,” commented US Attorney, Loretta Lynch, who added that this was the largest theft of this type that had yet been detected. “In the place of guns and masks, this cybercrime organisation used laptops and the internet. Moving as swiftly as data over the internet, the organisation worked its way from the computer systems of international corporations to the streets of New York City, with the defendants fanning out across Manhattan to steal millions of dollars from hundreds of ATMs in a matter of hours.”

As George Tubin, a senior security strategist with Trusteer, rightly points out, many similar corporate breaches go unnoticed. “The only way to prevent these attacks is to stop advanced, information-stealing malware from compromising employee endpoints - often the weakest link in the security chain,” he says. “Corporate breaches can only be prevented by stopping malicious files from invisibly sneaking onto employee computers through both unknown and unfixed software flaws (aka vulnerabilities). Once malware infects the user's computer, it's game over.”
