Thursday, May 09, 2013

ATM Cashers in 26 Countries steal $40M

CBS News in New York has a video on their website this morning title Cyber-attacks behind possibly record-breaking bank heist. Former FBI Assistant Director John Miller shares the story and says "We've learned how they carried out this cyber-attack, and it's unlike anything ever seen before."

Except it isn't. In fact, on Tuesday morning this week I was sharing a presentation about financial cyber crimes with Iberia Bank in New Orleans, LA. I mentioned that one of the things that banks still need to be on the lookout for is true "intrusions" into their system. By planting malware on internal bank systems, criminals can gain deep penetrating access to the internal workings of the bank and take their time, recruiting specialists to help them learn the inner workings of the bank to coordinate very elaborate schemes.

The attack described by Miller involves a group who had partnered together around the world calling themselves the "Unlimited Operation". In the scheme he describes, hackers gain internal access to a bank, or in the most recent case "a Visa/MasterCard processing Center," and gain the ability to manipulate the withdrawal limit on certain ATM Debit cards. These card numbers are then distributed around the world to "Cashing Gangs" that make local copies of the ATM cards and build a network of cashers who "work the machines."

One of the most notorious hacking operations in U.S. History was "Solar Sunrise" - a deep penetration into the Pentagon's computer operations that served as a wake up call for the U.S. Government and lead to the production of a video (now available on YouTube) called

(YouTube video: Solar Sunrise: Dawn of a New Threat

The hacker mastermind behind Solar Sunrise was an Israeli hacker, Ehud Tenenbaum, who called himself The Analyzer. In September of 2008 we wrote about him on this blog in the story Is The Analyzer Really Back? (The return of Ehud Tenenbaum) because Tenenbaum was the mastermind behind an attack against a Calgary-based financial services company. In that case, Tenenbaum penetrated the company's internal systems and gained the ability to alter or remove the ATM withdrawal limits. Then, teams of cashers, armed with counterfeit ATM cards bearing the magnetic stripe information corresponding to those accounts, hit the streets withdrawing $2 Million dollars in a blitz of ATM-withdrawals.

But that's not the only time it happened. This blog also ran the story in November 2009 called The $9 Million World-Wide Bank Robbery that shared the details of exactly the same type of raid being performed against RBS WorldPay, headquartered in Atlanta, Georgia. In that case, Estonian hackers penetrated the financial services company, that specializes in "Payroll Debit Cards". After doing so, they contracted with fellow-criminals in Russia, Yevgeny Anikin and Viktor Pleschcuk, who have both confessed their crimes, and received suspended sentences in the Russian bribery-based version of Justice. (See article: Hacker3 escapes jail time in RBS WorldPay ATM heist.) Anikin and Pleschuk worked with the famous Credit Card trading criminal BadB (Vladislav Horohorin) to build a network of cashers operating in 280 cities. Over the course of 12 hours, 2100 ATM machines in 280 cities allowed more than $9 Million in withdrawals from those 44 accounts.

That doesn't mean Cyber Criminals can't go to jail though! Vladislav Horohorin was arrested in Nice, France as he prepared to return to Moscow. (See the Daily Mail story, One of world's most wanted cyber criminals caught on French Riviera.) Horohorin, or "BadB" was the founder of Carder Planet, and was actually returned to the US, where he was tried and in April 2013 Sentenced to 88 Months in Prison.

For a look at one of the US-based casher rings in the RBS WorldPay case, we could also consider the case of Sonya Martin, a Nigerian woman, who ran the Chicago casher gang used in that case. Sonya's ring only withdrew $89,120 in Chicago, but she still got a 30 month sentence back in August 2012. See: Cell leader in RBS WorldPay fraud scheme sentenced.

One other case that used this methodology, and also had New York City ties, was the case that charged Ukrainians Yuriy Ryabinin and Ivan Biltse with performing $750,000 in ATM withdrawals. reported the story in 2008, which documented that $5 million was withdrawn in more than 9,000 withdrawals "all around the world" on September 30th and October 1st of that year. According to an affidavit shared by Wired Magazine, this case was tied to a breach of a Citibank server that processed ATM withdrawals at 7-Eleven convenience stores.

In the current case described this morning by CBS, it was described that later today New York U.S. Attorney's office prosecutor Loretta Lynch would announce the arrest of seven members of a New York casher gang that hit ATM's up and down Broadway for almost $2 million during the most recent "Unlimited Operation" case. "Unlimited" was involved in a similar $5 Million raid against a financial institution in India. CBS shared a graphic of the location of ATM machines that were used in the arrests that will be announced later today.

In the New York case, the arrested cashers were:

  • ALBERTO YUSI LAJUD-PEÑA, 23 (deceased)

The Eastern District of New York's Press Release, Eight Members of New York Cell of Cybercrime Organization Indicted in $45 Million Cybercrime Campaign, released today, May 09, 2013, explains the details of how the cashers above, who withdrew $2.8 Million in New York, fit in to the larger "Unlimited Operations." In the first operation, the New York crew withdrew $400,000 from 140 ATMs in New York City in two hours and 25 minutes. In the second operation, February 19-20, 2013, the crew performed 3,000 ATM withdrawals, scoring $2.4 Million in cash between 3 PM on the 19th and 1:26 AM on the 20th, stealing about $240,000 per hour!

The worldwide take on the Feb 19-20 raid included 36,000 transactions and $40 million!

Alberto Yusi Lajud-Peña, the leader of the New York casher ring, laundered the cash, in one case depositing 7,491 $20 bills in a single transaction in Miami, Florida. The crew bought and sold "portable luxury goods" with the cash, including luxury watches and cars, including a Mercedes SUV and a Porsche Panamera valued at $250,000 between the two. Alberto, also known as "Prime" online, was murdered in the Dominican Republic sometime after these robberies occurred.

U.S. Attorney Lynch says that law enforcement authorities in Japan, Canada, Germany, and Romania made great contributions in the case, but that they also received cooperation from the authorities in the UAE, Dominican Republic, Mexico, Italy, Spain, Belgium, France, United Kingdom, Latvia, Estonia, Thailand, and Malaysia.

What these cases are intended to demonstrate is the importance of closely monitoring the internal corporate network for signs of a breach. In a presentation at ITWeb Security Summit this week, "Formulating an attack-focused security plan", Mandiant CSO Richard Bejtlich shares that 75% of break-ins happen through someone clicking on or responding to a malicious email, and that in 2/3rds of incidents, the breach isn't discovered by the company but is reported by a third party organization. Bejlitch says that by the time the attacker is discovered "they will have been inside your company for around eight months."

That's what Malcovery's Today's Top Threats report is intended to address. What is that Top Threat email that is going to lead to criminals having control of one or more of your internal employees? It takes time for the criminal to learn enough about your organization's internal workings to be able to take over and reset ATM balances. Quick detection of the breach is key to preventing problems like those described above.