Sunday, January 20, 2019

Romanians on a Skimming Crime Spree?

When I posted last month about a Romanian skimming case (see: "Alert Traffic Patrolman Unveils Romanian Skimming Ring") I got two strong reactions.  One was from my Romanian Information Security friends who wanted to remind me that not all Romanians are criminals -- of course not! There are great researchers from Romania!  But the other was email after email telling me about other cases where the people being caught planting skimmers or using the cards stolen by them were also from Romania.

As we looked into this accusation more, it seems to be quite true: Romanians traveling to the United States for the purpose of planting skimmers and cashing out cloned cards are in the news almost every week.

January 5, 2019 - San Luis Obispo, California - The article "These foreigners ran a credit card skimmer ring in the Tri-Cities" has a very nice video.  In this case four Romanians were arrested with 268 gift cards, each with a separate skimmed mag stripe and PIN already burned onto them.  Emil Kabirov (21), Denis Legun (24), Ana Onici (22) and George Vasile (35) were arrested as they were seen at a Numerica Credit Union using cloned cards to withdraw funds.

Eric Vitale, fraud investigations specialist for San Luis Obispo PD, explains the scam

December 20, 2018 - Nashville, Tennessee - 159 gift cards with cloned stripe data recovered. In a jailhouse interview their American driver says they stole as much as $500,000.  George Zica and Madalin Palanga of Romania were arrested with him.

American Forrest Beard tells about his time with Romanian skimmers in this WKRN exclusive

November 27, 2018 - Atlanta, Georgia - Romanian Gogut Serban (35) was sentenced for skimming and stealing at least $80,000 from at least 70 credit union customers in Atlanta, Lawrenceville, Norcross, and other locations in Georgia.  He'll serve 26 months in Federal prison.

November 2, 2018 - Springfield, Oregon - two Romanian teens were arrested, aged 15 and 17,  for planting skimmers on ATMs belonging to Northwest Community Credit Union.

October 31, 2018 - Boston, Massachusetts - 3 Romanian men pleaded guilty in federal court related to their ATM skimming operations.  Nicusor Bonculescu (24), Suedin Chiciu (28), and Florinel Vaduv (22) were actually indicted along with 12 others in 2017.

October 27, 2018 - Houston, Texas - 2 Romanian men have pleaded guilty to traveling to Houston to place card skimmers on ATMs and stealing money from bank accounts.  Crisian Viorel Ciobanu (30) and Bogdan Mirel Constantin (40) were arrested with Daniel Marius Muraretu.  The three used fake cards and stolen PINs to steal at least $390,495.

A nearly undetectable credit card skimming device was discovered at an ATM in Alameda. Photo: Alameda Police
A skimmer on an ATM in Alameda, Texas

October 9, 2018 - South Strabane - "Elvis Roman", (probably an alias), a 33 year old native of Romania, conducted 255 unauthorized withdrawals from Washington Financial Bank using cards that were cloned after being captured with an ATM skimmer.  After bank surveillance pulled his license plate number, he was pulled over by traffic police and arrested.

"Elvis Roman"

September 11, 2018 - Springfield, Massachusetts - Romanian Bogdan Viorel Rusu (38) living in Queens, New York, pleaded guilty to stealing $868,000 via cloned ATM cards from at least 530 individuals in three states via skimmers.  $364,419 stolen from Massachusetts, $75,715 from New York, and $428,581 from New Jersey residents.

August 22, 2018 - Louisiana - Alexandru-Nicusor Nita (27), Daniela-Stefani Ianev (31), both of Romania, planted skimmers around Baton Rouge, Louisiana at Neighbors Federal Credit Union ATMs.  Nita was arrested by the US Secret Service in a Memphis hotel room along with 5 other Romanians who were charged with possession of marijuana and manufacturing fake IDs. He was sentenced in December 2018 to 24 months imprisonment and restitution of $149,802.44.

August 15, 2018 - Richmond, Virginia - 50 year old Antal Kancsal pleads guilty to stealing $1.2 Million via ATM skimming. He worked as the partner of Brazilian Roberto De Miranda-Martinez (43).  He entered the US on a tourist visa which expired in March and never went home.  The pair planted skimmers in Virginia, Pennsylvania, Maryland, and elsewhere.

July 17, 2018 - Friendswood, Texas - 18 year old Romanian national Fabrizio Victor Slatineo was arrested after bank employees alerted the police to a vehicle associated with a series of suspicious ATM transactions.  Traveling with Fabrizio was an eleven-year-old girl who had $60,000 cash and dozens of blank debit cards that had skimmed stripes burned onto them hidden in her floor-length skirt.

Recently, three Romanian men were sentenced to prison for using credit card skimmers to steal victims' personal information.
A skimmer on a Texas Credit Union ATM

Jun 12, 2018 - Fond du Lac, Wisconsin - 26 year old Mihai-Alexandru Preda and 35 year old Catalin-Adrian Capanu were caught at a Marine Credit Union with 137 cloned debit cards and $7500 in cash.  The pair had been driving from California to Wisconsin, conducting crimes all along the way. See "Romanian nationals arrested in Fond du Lac for skimming, cash outs, organized crime ring"

Police release photos, info on skimming scam
Romanian suspect glues a PIN camera on a Kenosha, Wisconsin Educators Credit Union ATM

Jun 6, 2018 - Richmond, Virginia - Romanians Florin Bersanu (31) and Viorel Naboiu (43) were charged with placing skimmers on ATMs in Virginia, West Virginia, and Florida.  Directly attributable losses are $42,756.80 stolen from BB&T Bank, Henrico Federal Credit Union, United Bank of West Virginia, and Pen Air and Eglin Federal Credit Unions in Florida.

Bersanu and Naboiu: Okaloosa County Sheriff's photo

May 14, 2018 - Boston, Massachusetts - The ring-leader of the gang, Constantin Denis Hornea (23) was sentenced to 65 months in prison and $242,141 restitution for ATM-skimming and racketeering.  The Hornea Crew did ATM-related crimes in at least seven states: Massachusetts, New Hampshire, Connecticut, New York, South Carolina, North Carolina, and Georgia.  At least 17 members of the Hornea Crew are now indicted, though some are still awaiting extradition from Germany and Hungary.  Their skimmers were found in Amherst, Bellingham, Billerica, Braintree, Chicopee, Quincy, Southwick, Waltham, Weymouth, and Whately, Mass.; Enfield, Conn.; Columbia, Greenville, Greenwood, Mauldin, and Saluda, S.C.; Savannah, Ga.; and Yadkinville, N.C.  They made ATM withdrawals in at least 44 different towns, 29 of them in Massachusetts.

Hornea crew with many aliases - often linked to their Facebook accounts

Members of the Hornea crew used a "Fast and the Furious" frame on their Facebook profile pictures

Denis Hornea's Porsche (from his Facebook page)

Ion Văduva - proud to be a gangster

April 13, 2018 - North Carolina - Valeri Gornet sentenced to 48 months for ATM Skimming in Troy, North Carolina. He entered the US on an H1B non-immigrant visa and was supposed to leave October 10, 2016.  He originally told the police he was Geani Vales from Lithuania when he was caught installing a skimmer at a North Carolina State Credit Union ATM.  

Feb 21, 2018 - Pittsburgh, PA - Nicu Sorin Pantelica (28) was indicted after being caught with a mag stripe writer (MSR606), an Acer laptop, and $6100 in cash.  Nicu was arrested while "loitering suspiciously" in a van near an ATM in South Strabane Township, Pennsylvania. As in some of the other cases we looked into, he was traveling with an underaged female, who claimed to be his sister, who was concealing more than 40 Vanilla Visa cards, many bearing stickers with four digit numbers on them, believed to be the PINs for the cards.

Sunday, December 23, 2018

Alert Traffic Patrolman Unveils Romanian Skimming Ring

Clinton, Mississippi doesn't sound like the kind of place where an international skimming operation would be operating.  With a population of barely 25,000, the town in southwest Mississippi does have one thing that helped - an alert police dispatcher.

Cheatham County, Tennessee, on the west side of Nashville, also doesn't seem like a cyber crime metropolis.  But they also had something critical to this type of police work: an alert traffic cop, Cheatham County Deputy Paul Ivy.

Clinton is more than a six hour drive from where a Cheatham County Sheriff's deputy pulled over a suspicious vehicle on December 12th as they were about to pull on to Interstate 40 headed west.  The deputy had seen the 2005 Chevy Trailblazer parked at a Shell gas station and noticed a temporary license tag displayed in an unreadable manner behind a tinted windshield.  The driver, Forrest Beard, showed the officer a Mississippi driver's license which came back as suspended.  Beard's story of the two other occupants of the car, "Mike", whom he had met at a party four months ago, and another man whom he had only known for a couple weeks, seemed odd.  He consented to a vehicle search, which revealed "a large amount of money", a credit card terminal, two laptops, credit card skimmers, and a stack of 159 Walmart gift cards.  Most of the materials were hidden in Nike shoe boxes.

Vehicle search items discovered
Labels added to the photo by Security Researcher Silas Cutler

The other two men in the car had unusual forms of identification for Kingston Springs, Tennessee.  George Zica was from Romania, according to his passport.

George Zica (Cheatham County Sheriff's Office)
Madalin Palanga (Cheatham County Sheriff's Office)

Madalin "Mike" Palanga was also from Romania, but the ID he was carrying was a counterfeit Czech Republic identity card in the name of Vaclav Kubisov.

The officer contacted the Secret Service, and they ended up keeping the vehicle, the money, the computers, and all three men's cell phones.  On Wednesday, December 19th, a judge posted a bail order for the men, and Madalin bonded out for $74,999, although he is wearing a GPS-tracking ankle bracelet, before a hold order was received from Mississippi, preventing the other two men from doing the same.

Further investigation revealed that the men had been tied to skimming cases across middle Tennessee, and also in North Carolina and South Carolina, but Mississippi added one critical piece of evidence, courtesy of ATM footage from Regions Bank.  On Tuesday, Regions Bank employees contacted the Clinton, Mississippi police to let them know they had "trapped" some cards in the local Regions ATM.  When Regions receives fraud reports indicating one of their accounts has been compromised, their policy is to capture any ATM card put into one of their ATMs that uses that account information.

The captured cards were both Walmart gift cards.  The skimmers in this case were overlays for "Verifone" terminals, which are commonly found at the counter in many gas stations and convenience stores.  After criminals modify the keypad by installing a skimmer, a device placed in front of the card slot makes a copy of the magnetic stripe, while the fake keypad overlay captures the PIN when the customer puts in their four-digit code.  The information can be retrieved wirelessly from a vehicle in the parking lot.

(Video from Andy Cordan, WKRN TV News)

In Clinton, Mississippi, over $13,000 in fraudulent ATM charges had been reported recently, with most of the stolen card data being tracked to customers in the Memphis, Tennessee area.

Regions Bank provided ATM surveillance camera footage to the Clinton police.  An alert police dispatcher who was reviewing the material started comparing the image to other recent credit card crimes in the Southeast and determined that the man in the ATM footage was George Zica, who was arrested later that week in Tennessee as described above.  (The timestamp on the video is confusing.)

Saturday, December 22, 2018

126 Arrests: The Emergence of India's Cyber Crime Detectives Fighting Call Center Scams

The Times of India reports that police have raided a call center in Noida Sector 63 where hundreds of fraud calls were placed every day to Americans and Canadians resulting in the theft of $50,000 per day.

The scammers had rented four floors of a building being operated by two scammers from Gurgaon, Narendra Pahuja and Jimmy Ashija. Their boss, who was not named by the police, allegedly operates at least five call centers. In the raid this week, 126 employees were arrested and police seized 312 workstations, as well as Rs 20 lakh in cash (about $28,500 USD).

Times of India photo 

Noida police have been cooperating very well with international authorities, as well as Microsoft, leading to more than 200 people arrested in Noida and "scores" of fake call centers shut down, including four in Sector 63.  (In a case just last month, another call center was said to have stolen from 300 victims, after using online job sites to recruit young money seekers by having them work conducting the scams.)

In the current scam, callers already had possession of the victim's Social Security Number and full name.  This information was used to add authority to their request, which got really shady really fast.  The victim was instructed to purchase Apple iTunes Gift Cards, or Google Play Gift Cards, scratch the numbers, and read them to the call center employee.  The money was laundered through a variety of businesses in China and India before cashing out to bank accounts belonging to Pahuja and Ashija.

Noida police are advancing in their Cyber Crime skills!

As more and more cyber crime enterprises spring up in India, the assistance of their new Centers for Cyber Crime Investigation is becoming more critical to stopping fraud against Americans:

We applaud the Center for Cyber Crime Investigation in Noida

The US Embassy was quick to acknowledge the support of the newest cyber crime partners of the United States after their action at the end of November:

US Embassy to India thanks the Noida and Gurgaon Police for their help!

Another recent Times of India story from November 30, 2018, "Bogus Call Centres and Pop-up Virus Alerts - a Global Cyber Con Spun up in NCR" [NCR = National Capital Region] had more details of this trend, including this graphic:

That's at least 50 call centers shut down just in these two regions, with this week's 126 arrests being the culmination of an ongoing investigation that received data from both the FBI and Microsoft.

Local news of India reported the names of some of the gang members held in the November 29-30th action in their story नोएडा: बड़ी कंपनियों में नौकरी दिलाने के नाम पर करते थे धोखाधड़ी, 8 गिरफ्तार (Noida: Fraud, 8 arrested for giving fake jobs in the name of big companies).

Sontosh Gupta, who was the ring leader, was previously employed by an online job site, but then created his own site,  vintechjobs (dot) com, which he used to attract call center employees, many of whom were duped into serving as his scammer army without ever being compensated for their work!

Others arrested then included Mohan Kumar, Paritosh Kumar, Jitendra Kumar, Victor, Himanshu, Ashish Jawla, and Jaswinder.

During that same two-day raid, police swept through at least sixteen other call centers, according to this New York Times story, "That Virus Alert on Your Computer? Scammers in India May Be Behind It".

Ajay Pal Sharma, the senior superintendent of police, told the NYT that 50 of his officers swept through eight different call centers in Gautam Budh Nagar as part of the case.  Microsoft's Digital Crimes Unit told the Times that with 1.2 million people generating $28 Billion in India working for call centers, it isn't hard to disguise the shady callers among the legitimate businesses.

The problem is not unique to Delhi and the National Capital Region suburbs that are the current focus.  Back in July, Mumbai was in the headlines, as a massive IRS-imitating Call Center ring was broken up with the help of more great cyber crime investigators from India:

Madan Ballal, Thane Crime Branch, outside Mumbai

Police Inspector Madan Ballal had his story told as the focus of an article in Narratively, "This Indian Cop Took Down a Massive IRS Call-Center Scam".

Much more investigating and arresting needs to be done, but it is a great sign that the problem is now receiving help from an emerging new generation of Indian Cybercrime Detectives!