a global cyber crime ring stole $45
million from two Middle Eastern banks
by hacking into credit card processing
firms and withdrawing money from
ATMs in 27 countries, U.S.
prosecutors said on Thursday.
The U.S. Justice Department accused
eight men of allegedly forming the
New York-based cell of the
organization, and said seven of them
have been arrested. The eighth,
allegedly a leader of the cell, was
reported to have been murdered in the
Dominican Republic on April 27.
The ringleaders are believed to be
outside the United States but
prosecutors declined to give details,
citing the ongoing investigation.
What's clear is the sheer scope and
speed of the crimes: in one of the
attacks, in just over 10 hours, $40
million was raided from ATMs in 24
countries involving 36,000
transactions.
"In the place of guns and masks, this
cyber crime organization used laptops
and the Internet," U.S. Attorney for
the Eastern District of New York
Loretta Lynch said at a news
conference. "Moving as swiftly as data
over the Internet, the organization
worked its way from the computer
systems of international corporations
to the streets of New York City."
The case demonstrates the major
threat that cyber crime poses to banks
around the world. It also shows how
increasingly international and
sophisticated criminal gangs have
become, particularly those using the
Internet.
Prosecutors highlighted the "surgical
precision" of these hackers, the global
nature of their organization, and the
speed and coordination with which
they executed operations in 27
countries.
According to the complaint, the gang
broke into the computers of two credit
card processors, one in India in
December 2012 and the other in the
United States this February. The
companies were not identified.
The hackers increased the available
balance and withdrawal limits on
prepaid MasterCard debit cards issued
by Bank of Muscat of Oman, and
National Bank of Ras Al Khaimah PSC
(RAKBANK) of the United Arab
Emirates, according to the complaint.
They then distributed counterfeit debit
cards to "cashers" around the world,
enabling them to siphon millions of
dollars from ATMs in a matter of
hours.
In New York, for example, members
of the cell fanned out into the city on
the afternoon of February 19, armed
with cards bearing a single Bank of
Muscat account number. Ten hours
later, they had completed 2,904
withdrawals for $2.4 million in all, the
final transaction coming around 1:26
a.m., prosecutors said.
Casher crews in other countries were
busy doing the same, pulling some
$40 million from Bank of Muscat to
add to the $5 million they stole from
RAKBANK in December, according to
the indictment. In total, cashers made
some 40,500 withdrawals in 27
countries during the two coordinated
incidents.
Prosecutors said the method of attack
was known as "Unlimited Operations"
in the cyber underworld.
Representatives for the two banks
could not be reached for comment
outside of regular business hours.
In a statement, Mastercard said it had
cooperated with law enforcement in
the investigation and stressed that its
systems were not involved or
compromised in the attacks.
In late February, Bank Muscat
disclosed that it would take an
impairment charge of up to 15 million
rials because it had been defrauded
overseas by 12 prepaid debit cards
used for travel. That charge was equal
to more than half of the 25 million
rials profit it posted in its first quarter
ended March 31.
Highly skilled hackers
Cyber experts said they believe the
operation likely required the work of
several hundred people, at least
several of whom were highly skilled
hackers capable of devising ways to
penetrate well-protected financial
systems.
"Hackers only need to find one
vulnerability to cause millions of
dollars of damage," said Mark Rasch,
a former federal cyber crimes
prosecutor, based in Bethesda,
Maryland.
The group may have targeted Middle
Eastern banks because they tend to
allow customers to put much larger
sums on cards and do not monitor
them as closely as banks in other
regions, said Shane Shook, global vice
president of consulting for the security
firm Cylance Inc.
"It's a target-rich environment in
terms of soft electronic security," said
Shook, an Arabic speaker who has
spent more than a decade
investigating cyber crimes.
The case is similar to one in 2009 that
targeted the prepaid debit-card unit of
Royal Bank of Scotland, which lost
more than $9 million in less than 12
hours, said Jason Weinstein, a former
federal prosecutor who supervised the
Justice Department's handling of that
case.
That case was considered a watershed
moment in cyber crime prosecutions
at the time. "This dwarfs that case,"
he said.
It is not clear if banks can seek to
recover losses from card processors,
legal experts said. Contracts usually
have specific language governing the
security protocols that must be in
place, said Frederick Rivera, an
attorney with Perkins Coie who
specializes in financial services
litigation.
If the processors failed to follow those
requirements, they could be liable for
the losses. If they had adequate
security, however, the banks "could be
left holding the bag," Rivera said.
The banks might also be able to seek
reimbursement under their insurance
policies, many of which now have
cyber crime provisions, or from the
processors' insurance carriers.
Weinstein also said that the
processors could face regulatory
scrutiny over whether they provided
proper security.
The eight defendants - all U.S. citizens
and residents of Yonkers, New York -
were charged with withdrawing cash
from the ATMs and transporting
money, not hacking into the credit
card processing firms or managing the
operation.
The seven arrested are: Jael Mejia
Collado, Joan Luis Minier Lara, Evan
Jose Pena, Jose Familia Reyes, Elvis
Rafael Rodriguez, Emir Yasser Yeje
and Chung Yu-Holguin (known as
"Chino El Abusador"). All except for
Rodriguez were arraigned on Thursday
and pleaded not guilty. Rodriguez's
attorney was unavailable. Only Pena
has been released on bail.
The defendant who reportedly had
been killed was Alberto Yusi Lajud-
Pena, also known as "Prime" and
"Albertico." Lynch said it was unclear
whether the murder was related to
this case.
Prosecutors said cashers often
laundered their proceeds by purchasing
luxury goods, and sending a portion of
the money back to the organization's
leaders.
Lynch said the New York gang kept
roughly 20 percent of their takes, and
sent the rest to the organizers.
Authorities said they seized hundreds
of thousands of dollars in cash and
bank accounts, as well as two Rolex
watches and a Mercedes SUV, from
the defendants.
Investigators said that they found an
email exchange with an account
associated with a criminal money
laundering operation in St. Petersburg,
Russia, describing wire transfers.
An investigation is ongoing to see if
other cells are operating in the
country, Lynch said, adding that U.S.
law enforcement had worked with
counterparts in Japan, Canada,
Germany, Romania, the United Arab
Emirates, Dominican Republic, Mexico,
Italy, Spain, Belgium, France, United
Kingdom, Latvia, Estonia, Thailand,
and Malaysia to uncover the ring.
No individual bank accounts were
compromised by the scheme, Lynch
said.
The case is U.S. v. Lajud-Pena et al.,
U.S. District Court, Eastern District of
New York, No. 13-cr-259.
© Thomson Reuters 2013
Post a Comment