Wednesday, March 25, 2009

Bank Hacking Exposed: The Analyzer Affadavit

One of my favorite twitter friends, InfraGard member and PCI expert Michael Dahn (@sfoak), sent his tweets a link today to the Affidavit of Darren Hafnet, a Calgary Police officer working on the Commercial Crime unit, with regards to the arrest of Ehud Tenenbaum (via this excellent WIRED ThreatLevel story). As we wrote back in September (see: Is The Analyzer Really Back?), Tenenbaum became a world-famous hacker for breaching more than 400 systems at the Pentagon, but was most recently picked up in Canada for master-minding a major bank heist via ATM cards.

An indictment, issued by Assistant US Attorney Melissa Marrus from the Eastern District of New York back in October, was extremely short on details, charging Tenenbaum, AKA, with two counts - "Conspiracy to Commit Access Device Fraud" and "Access Device Fraud" "the aggregate value of which was equal to or greater than $1,000. (Title 18 Section 1029(a)(5), (b)(2), (c)(1)(A)(ii) and 3551) - although my PACER account shows there is a second "*Restricted*" document associated with case 1:2008cr00747.

The Canadian affidavit makes it clear how much greater than $1,000 we are talking about, and reveals quite a bit about the methods used by Tenenbaum and his gang.

The scam is referred to as a "PIN Cashout Conspiracy", and it works like this:

First, Tenenbaum uses SQL Injection techniques to break into a database-driven website which resides on a financial institution's network.

Then, he uses his access to the bank's systems to locate their ATM database.

If necessary, he alters the PIN for the cards he is planning to cash out.

Then he sells these card data to other criminals.

Those criminals create ATM cards using Tenenbaum's information, and drain the accounts. Tenenbaum receives a percentage of the proceeds - in this case "10-20%".

During January and February 2008, the US Secret Service has revealed that they were investigating two such breaches involving Tenenbaum - one against OmniAmerican Credit Union of Fort Worth, Texas, and the other against Global Cash Card in Irvine, California. In April and May of 2008, it is also known that there were breaches of this nature against Symmetrex, a transaction processor in Florida, and 1st Source Bank in Indiana. Symmetrex cards were used by MetaBank - with branches in Iowa and South Dakota. Actual losses of more than $4 Million were experienced just by those brands.

Those who follow computer crime will not be shocked at the location of the servers the criminals used to carry out their attacks. The affidavit says some of the servers were located at HopOne Internet Corp in McLean, Virginia while "much of the traffic going through the HopOne servers was originating from from the Dutch company LeaseWeb."

Through cooperative monitoring in the Netherlands and in the United States, Tenenbaum's MSN conversations have become part of the official court documents, including his confession to hacking the servers, and transactions where he sold many of the cards obtained. The cards were used by "cashiers" in Russia, Turkey, the United States, Canada, Sweden, Bulgaria, and Germany to drain the accounts. Tenenbaum charged between 10-20% of the total proceeds for his role, stating in one chat that he stood to earn between "350 - 400" - that's 400,000! (Unsure whether this was dollars or Euros).

On April 28, 2008 Tenenbaum chatted with another criminal boasting that he had made himself a Windows administrator on the 1st Source Bank network, and had granted himself the ability to modify PINs on debit cards used by the bank's customers. This solves an on-going problem for the criminals - as banks have locked down their Track 2 data on Debit cards, the criminals have had to find ways to break the encryption algorithms of the banks in order to modify the cards. With The Analyzer's method this is no longer necessary. While logged in to the Bank's system, Tenenbaum just set the PINs to whatever he desired and instructed his cohorts to burn cards that would use those PIN numbers.

In another chat, Tenenbaum boasts that he hacked the largest bank Greece ( and "has friends" working in their network.

Tenenbaum was located, according to the Affidavit, by using the IP address from his chats to locate his office in Montreal, where he was set up as the director of "Internet Labs Secure, Inc". The Montreal police confirmed that this was Tenenbaum's residence on July 25, 2008. The same IP address,, was also confirmed to have accessed Global Cash Card's network.

Based on this information, Tenenbaum was arrested on August 28, 2008 in Montreal, and charged with fraud by the Calgary Police Service. Tenenbaum had entered Canada legally on an Israeli passport on March 11, 2008, which granted him permission to visit for up to six months.

One of the challenges that I am frequently given by investigators is "surely the criminals would not hack from their own IP address!" In this case, we have evidence that one of the "super hackers" both chats and logs in to banks from an IP address originating at his residence.

Interesting . . .

I wonder how many other banks have criminals running their networks for them without their knowledge?

(The Affidavit, courtesy of WIRED)

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.