Showing posts with label ATM. Show all posts

Sunday, January 20, 2019

Romanians on a Skimming Crime Spree?

When I posted last month about a Romanian skimming case (see: "Alert Traffic Patrolman Unveils Romanian Skimming Ring") I got two strong reactions.  One was from my Romanian Information Security friends who wanted to remind me that not all Romanians are criminals -- of course not! There are great researchers from Romania!  But the other was email after email telling me about other cases where the people being caught planting skimmers or using the cards stolen by them were also from Romania.

As we looked into this accusation more, it does seem to be true that Romanians traveling to the United States for the purpose of planting skimmers and cashing out cloned cards are in the news almost every week.

January 5, 2019 - San Luis Obispo, California - there is a very nice video in the article "These foreigners ran a credit card skimmer ring in the Tri-Cities" - in this case four Romanians were arrested with 268 gift cards, each with a separate skimmed mag stripe and PIN already burned onto them.  Emil Kabirov (21), Denis Legun (24), Ana Onici (22) and George Vasile (35) were arrested as they were seen at a Numerica Credit Union using cloned cards to withdraw funds.

Eric Vitale, fraud investigations specialist for San Luis Obispo PD, explains the scam
December 20, 2018 - Nashville, Tennessee - 159 gift cards with cloned stripe data recovered. In a jailhouse interview their American driver says they stole as much as $500,000.  George Zica and Madalin Palanga of Romania were arrested with him.

American Forrest Beard tells about his time with Romanian skimmers  in this WKRN exclusive
November 27, 2018 - Atlanta, Georgia - Romanian Gogut Serban (35) was sentenced for skimming and stealing at least $80,000 from at least 70 credit union customers in Atlanta, Lawrenceville, Norcross, and other locations in Georgia.  He'll serve 26 months in Federal prison.

November 8, 2018 - Nixa, Missouri - Romanian woman Lordeana Baceanu is facing 49 felony counts for planting at least 15 skimming devices and making a large number of withdrawals, including from Southern Bank.  When arrested, she had 49 Visa and American Express gift cards with her that had been re-encoded with the magnetic data from skimmed cards.  She was previously arrested in 2012 as part of a five-woman, three-man team who traveled through Wales and the UK, committing at least 30 burglaries in five months.

November 2, 2018 - Springfield, Oregon - two Romanian teens were arrested, aged 15 and 17,  for planting skimmers on ATMs belonging to Northwest Community Credit Union.

October 31, 2018 - Boston, Massachusetts - 3 Romanian men pleaded guilty in federal court in relation to their ATM skimming operations.  Nicusor Bonculescu (24), Suedin Chiciu (28), and Florinel Vaduv (22) were actually indicted along with 12 others in 2017.

October 27, 2018 - Houston, Texas - 2 Romanian men have pleaded guilty to traveling to Houston to place card skimmers on ATMs and stealing money from bank accounts.  Crisian Viorel Ciobanu (30) and Bogdan Mirel Constantin (40) were arrested with Daniel Marius Muraretu.  The three used fake cards and stolen PINs to steal at least $390,495.

A nearly undetectable credit card skimming device was discovered at an ATM in Alameda. Photo: Alameda Police
A skimmer on an ATM in Alameda, Texas - Source: https://www.facebook.com/AlamedaPD/posts/1761406967269034
October 9, 2018 - South Strabane - "Elvis Roman", (probably an alias), a 33 year old native of Romania, conducted 255 unauthorized withdrawals from Washington Financial Bank using cards that were cloned after being captured with an ATM skimmer.  After bank surveillance pulled his license plate number, he was pulled over by traffic police and arrested.

"Elvis Roman"

September 11, 2018 - Springfield, Massachusetts - Romanian Bogdan Viorel Rusu (38), living in Queens, New York, pleaded guilty to stealing $868,000 via cloned ATM cards from at least 530 individuals in three states via skimmers: $364,419 stolen from Massachusetts, $75,715 from New York, and $428,581 from New Jersey residents.

August 22, 2018 - Louisiana - Alexandru-Nicusor Nita (27) and Daniela-Stefani Ianev (31), both of Romania, planted skimmers around Baton Rouge, Louisiana at Neighbors Federal Credit Union ATMs.  Nita was arrested by the US Secret Service in a Memphis hotel room along with 5 other Romanians who were charged with possession of marijuana and manufacturing fake IDs. He was sentenced in December 2018 to 24 months imprisonment and restitution of $149,802.44.



August 15, 2018 - Richmond, Virginia - 50 year old Antal Kancsal pleads guilty to stealing $1.2 Million via ATM skimming. He worked as the partner of Brazilian Roberto De Miranda-Martinez (43).  He entered the US on a tourist visa which expired in March and never went home.  The pair planted skimmers in Virginia, Pennsylvania, Maryland, and elsewhere.

July 17, 2018 - Friendswood, Texas - 18 year old Romanian national Fabrizio Victor Slatineo was arrested after bank employees alerted the police to a vehicle associated with a series of suspicious ATM transactions.  Traveling with Fabrizio was an eleven-year-old girl who had $60,000 in cash and dozens of blank debit cards with skimmed stripes burned onto them hidden in her floor-length skirt.

Recently, three Romanian men were sentenced to prison for using credit card skimmers to steal victims' personal information.
A skimmer on a Texas Credit Union ATM - Source: LMTOnline.com
Jun 12, 2018 - Fond du Lac, Wisconsin - 26 year old Mihai-Alexandru Preda and 35 year old Catalin-Adrian Capanu were caught at a Marine Credit Union with 137 cloned debit cards and $7500 in cash.  The pair had been driving from California to Wisconsin, conducting crimes all along the way. See "Romanian nationals arrested in Fond du Lac for skimming, cash outs, organized crime ring"

Police release photos, info on skimming scam
Romanian suspect glues a PIN camera on a Kenosha, Wisconsin Educators Credit Union ATM 
Jun 6, 2018 - Richmond, Virginia - Romanians Florin Bersanu (31) and Viorel Naboiu (43) were charged with placing skimmers on ATMs in Virginia, West Virginia, and Florida.  Directly attributable losses are $42,756.80 stolen from BB&T Bank, Henrico Federal Credit Union, United Bank of West Virginia, and Pen Air and Eglin Federal Credit Unions in Florida.

Bersanu and Naboiu: Okaloosa County Sheriff's photo


May 14, 2018 - Boston, Massachusetts - The ring-leader of the gang, Constantin Denis Hornea (23) was sentenced to 65 months in prison and $242,141 restitution for ATM-skimming and racketeering.  The Hornea Crew did ATM-related crimes in at least seven states: Massachusetts, New Hampshire, Connecticut, New York, South Carolina, North Carolina, and Georgia.  At least 17 members of the Hornea Crew are now indicted, though some are still awaiting extradition from Germany and Hungary.  Their skimmers were found in Amherst, Bellingham, Billerica, Braintree, Chicopee, Quincy, Southwick, Waltham, Weymouth, and Whately, Mass.; Enfield, Conn.; Columbia, Greenville, Greenwood, Mauldin, and Saluda, S.C.; Savannah, Ga.; and Yadkinville, N.C.  They made ATM withdrawals in at least 44 different towns, 29 of them in Massachusetts.

Hornea crew with many aliases - often linked to their Facebook accounts


Members of the Hornea crew used a "Fast and the Furious" frame on their Facebook profile pictures

Denis Hornea's Porsche (from his Facebook page)

Ion Văduva - proud to be a gangster
May 11, 2018 - Henrico County, Virginia - Romanians Florin Bersanu and Viorel Naboiu were arrested for defrauding a huge number of accounts that they accessed after cloning ATM cards via skimming.  Their victims included 226 Pen Air Credit Union customers, 235 accounts in West Virginia, and 190 accounts from BB&T banks in Virginia.  The skimmers planted by the pair use Bluetooth technology to transmit the stolen card stripes.  


April 13, 2018 - North Carolina - Valeri Gornet sentenced to 48 months for ATM Skimming in Troy, North Carolina. He entered the US on an H1B non-immigrant visa and was supposed to leave October 10, 2016.  He originally told the police he was Geani Vales from Lithuania when he was caught installing a skimmer at a North Carolina State Credit Union ATM.  

Feb 21, 2018 - Pittsburgh, PA -  Nicu Sorin Pantelica (28) was indicted after being caught with a mag stripe writer (MSR606), an Acer laptop, and $6100 in cash.  Nicu was arrested while "loitering suspiciously" in a van near an ATM in South Strabane township, Pennsylvania. As in some of the other cases we looked into, he was traveling with an underage female who claimed to be his sister and who was concealing more than 40 Vanilla Visa cards, many bearing stickers with four digit numbers on them, believed to be the PINs for the cards.




Sunday, December 23, 2018

Alert Traffic Patrolman Unveils Romanian Skimming Ring



Clinton, Mississippi doesn't sound like the kind of place where an international skimming operation would be operating.  With a population of barely 25,000, the town in southwest Mississippi does have one thing that helped - an alert police dispatcher.

Cheatham County, Tennessee, on the west side of Nashville, also doesn't seem like a cyber crime Metropolis.  But they also had something critical to this type of police work.  An alert traffic cop, Cheatham County Deputy Paul Ivy.


Clinton is more than a six hour drive from where a Cheatham County Sheriff's deputy pulled over a suspicious vehicle on December 12th as it was about to pull onto Interstate 40 headed west.  The deputy had seen the 2005 Chevy Trailblazer parked at a Shell gas station and noticed a temporary license tag displayed in an unreadable manner behind a tinted windshield.   The driver, Forrest Beard, showed the officer a Mississippi driver's license which came back as suspended.  Beard's story about the two other occupants of the car, "Mike," whom he had met at a party four months ago, and another man whom he had only known for a couple of weeks, seemed odd.  He consented to a vehicle search, which revealed "a large amount of money", a credit card terminal, two laptops, credit card skimmers, and a stack of 159 Walmart gift cards.  Most of the materials were hidden in Nike shoe boxes.

Vehicle search items discovered
Labels added to the photo by Security Researcher Silas Cutler

The other two men in the car had unusual forms of identification for Kingston Springs, Tennessee.  George Zica was from Romania, according to his passport.

George Zica (Cheatham County Sheriff's Office)
Madalin Palanga (Cheatham County Sheriff's Office)
Madalin "Mike" Palanga was also from Romania, but the ID he was carrying was a counterfeit Czech Republic identity card in the name of Vaclav Kubisov.



The officer contacted the Secret Service, who ended up keeping the vehicle, the money, the computers, and all three men's cell phones.  On Wednesday, December 19th, a judge posted a bail order for the men, and Madalin bonded out for $74,999 (he is wearing a GPS-tracking ankle bracelet) before a hold order was received from Mississippi, which prevented the other two men from doing the same.

Further investigation revealed that the men had been tied to skimming cases across middle Tennessee as well as in North Carolina and South Carolina, but Mississippi added one critical piece of evidence, courtesy of ATM footage from Regions Bank.  On Tuesday, Regions Bank employees contacted the Clinton, Mississippi police to let them know they had "trapped" some cards in the local Regions ATM.  When Regions receives fraud reports indicating one of their accounts has been compromised, their policy is to capture any ATM card put into one of their ATMs that uses that account information.

In this case, the captured cards were both Walmart gift cards, and the skimmers were "Verifone" terminal overlays, commonly found in many gas stations and convenience stores at the counter.  After criminals modify the keypad by installing a skimmer, a device placed in front of the card slot makes a copy of the magnetic stripe, while the fake keypad overlay captures the PIN when the customer enters their four digit code.  The information can be retrieved wirelessly from a vehicle in the parking lot.
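The two defensive ideas in the last two paragraphs, trapping cards that belong to accounts already reported compromised and spotting a cash-out crew working one ATM with a stack of cloned cards, can both be expressed as simple checks over an ATM transaction log. The following is an added example written for this post, not code from the blog or from any bank named here; the log format, the hashed card identifiers, the compromised-account watch list, and the thresholds (five distinct cards in ten minutes) are constructed assumptions.

```python
"""Added example (not the blog's own code): detection logic for the
cash-out phase of a skimming operation. It runs over a constructed ATM
transaction log; field names, thresholds and the compromised-account
watch list are illustrative assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class AtmEvent(NamedTuple):
    ts: datetime        # time of the withdrawal request
    terminal: str       # ATM identifier
    pan_hash: str       # hashed card number (never log raw PANs)
    amount: int         # requested amount in dollars


# Constructed sample log: terminal ATM-0422 sees a burst of distinct
# cards within a few minutes, the signature of one person cycling
# through a stack of cloned gift cards.
SAMPLE_LOG = """\
2018-12-18T09:00:05 ATM-0422 p1a 200
2018-12-18T09:01:10 ATM-0422 p2b 300
2018-12-18T09:02:15 ATM-0422 p3c 300
2018-12-18T09:03:01 ATM-0422 p4d 200
2018-12-18T09:03:50 ATM-0422 p5e 300
2018-12-18T09:04:40 ATM-0422 p6f 300
2018-12-18T12:30:00 ATM-0422 p7g 100
2018-12-18T09:05:00 ATM-0917 p8h 60
"""

# Accounts already reported as compromised (assumed watch list).
WATCH_LIST = {"p3c", "zzz"}


def parse_log(text: str) -> list:
    """Parse the whitespace-separated log into events sorted by time."""
    events = []
    for line in text.splitlines():
        ts, term, pan, amt = line.split()
        events.append(AtmEvent(datetime.fromisoformat(ts), term, pan, int(amt)))
    return sorted(events, key=lambda e: e.ts)


def burst_terminals(events, window=timedelta(minutes=10), min_cards=5):
    """Return {terminal: max distinct cards seen inside `window`} for
    terminals where at least `min_cards` different cards were used
    within the window. Uses a sliding window per terminal."""
    by_term = defaultdict(list)
    for e in events:                      # events are already time-sorted
        by_term[e.terminal].append(e)
    flagged = {}
    for term, evs in by_term.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            distinct = {e.pan_hash for e in evs[start:end + 1]}
            if len(distinct) >= min_cards:
                flagged[term] = max(flagged.get(term, 0), len(distinct))
    return flagged


def cards_to_capture(events, watch_list):
    """Cards the ATM should retain under a card-trap policy: any
    presented card whose account is on the compromised-account list."""
    return sorted({e.pan_hash for e in events if e.pan_hash in watch_list})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(burst_terminals(evs))               # {'ATM-0422': 6}
    print(cards_to_capture(evs, WATCH_LIST))  # ['p3c']
```

The burst rule keys on distinct cards rather than transaction count, because a single customer making several withdrawals on one card is ordinary, while six different cards at one keypad in five minutes is not; the card-trap rule is the log-side equivalent of the Regions policy described above and would feed the ATM's retain-card decision.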



(Video from Andy Cordan, WKRN TV News)

In Clinton, Mississippi, over $13,000 in fraudulent ATM charges had been reported recently, with most of the stolen card data being tracked to customers in the Memphis, Tennessee area.

Regions Bank provided ATM Surveillance camera footage to the Clinton police.  An alert police dispatcher who was reviewing the material started comparing the image to other recent credit card crimes in the South East and determined that the man in the ATM footage was George Zica, who was arrested later that week in Tennessee as described above.  (The timestamp on the video is confusing.)



Monday, September 03, 2018

India's Cosmos Bank Suffers Unlimited ATM Attack

On August 10th, many American Financial Institutions received a warning from the FBI that the Bureau had found evidence that criminals were plotting an "Unlimited Operation."  We've written about these Unlimited Attacks a number of times in the past in this blog, but this is the first time that we know of where the FBI announced the attack beforehand.  In these attacks, hackers compromise the internal systems of a bank and gain control of systems that allow them to bypass or reset ATM withdrawal limits.  Then, the magnetic stripe information for a selected number of cards is shared with trusted cash-out gangs around the world, who make physical ATM cards with the stripe information encoded and stand by for the pre-arranged attack to begin.  Once zero-hour arrives, hundreds of cash-out gang members begin draining every ATM machine they can find.  They literally empty the machines, with the balance available for withdrawal being magically reset in real time by the hackers inside the systems of the targeted bank.

The most famous Unlimited Attack was also one of the earliest, when $9 Million in cash was withdrawn from at least 2100 ATM machines in 280 cities around the world on November 7th and 8th, 2008 in the RBS WorldPay attack.  That was far surpassed in 2013, when cash-out gangs in 26 Countries stole $40M.  More recently, Standard Bank was victimized in the first Japanese Unlimited Attack in 2016, involving at least 14,000 "maximum" ATM withdrawals.

In this case, the FBI's prediction came true almost immediately, even before our favorite security journalist, Brian Krebs, was able to get his story out: FBI Warns of Unlimited ATM Cashout Blitz.

The Times of India reported on August 14th "How hackers siphoned over Rs 94 crore off a co-operative bank in Pune", revealing that the 112 year old Cosmos Bank was the target of the attack.  During this attack hackers were able to cause the ATM Network to approve "Rupay" transactions by validating the requests against a fake payment gateway controlled by the hackers.  In 2.5 hours, from 3 pm to 5:30 pm, 12,000 Visa card transactions withdrew Rs 78 crore (approximately $10.9 Million USD) before Cosmos Bank terminated all ATM Visa Transactions; however, RuPay transactions continued until at least 10PM.  RuPay is an India-only card system designed to allow national payments in India without reliance on Visa and Mastercard.  2,890 India-based RuPay transactions totaled an additional Rs 2.5 crore ($351,500 USD).  In addition to the ATM damages, on August 13th, the same hackers wired Rs 13.94 crore (almost $2M  USD) to Hong Kong via a fraudulent SWIFT transfer.  (Three separate MT103 transactions were sent to ALM Trading Limited at Hang Seng Bank in Hong Kong, according to Securonix analysis of the event.)  Securonix believes the behavior of the attackers is consistent with the North Korean based APT group known as "Lazarus Group".  MITRE's ATT&CK program (Adversarial Tactics, Techniques & Common Knowledge) provides more information on the Lazarus Group.

As with many previous Unlimited attacks, Cosmos Bank chairman Milind Kale said that no customer accounts were impacted, as these were "dummy" accounts that were established for the attack.  If this attack is like historical ones, many of the follow-up arrests will come from using ATM video footage to identify individual cash-out gangs and try to follow their communications back to the criminals who recruited them for the scheme.



Saturday, May 20, 2017

Europol Announces 27 ATM Black Box arrests

On 18MAY2017 Europol announced that 27 thieves have been arrested across Europe for participating in a ring that conducts ATM Black Box attacks.  The arrests were conducted in France (11), Estonia (4), Czech Republic (3), Norway (3), the Netherlands (2), Romania (2), and Spain (2) over the course of 2016 and 2017.  Much of the data about how the attacks are conducted is being shared between member countries and the institutions within those countries by a little-known group called E.A.S.T. and their Expert Group on ATM Fraud (EGAF).  When EAST holds their Financial Crime & Security Forum next month members will want to also attend the Expert Group on ATM Physical Attacks (EGAP).

What is an ATM Black Box attack?

In an ATM Black Box attack, criminals have identified access points in the physical architecture of the ATM that would grant them access to cables or ports allowing them to attach a laptop to the internal computer of the ATM.  Once attached, the laptop can issue commands to the ATM resulting in the ultimate payout, a full distribution of all of the cash in the machine!   

The technique of causing an ATM machine to dump all of its cash is called "Jackpotting."  Most of us first heard about jackpotting as a result of the Barnaby Jack presentation at Black Hat 2010, repeated on two models of ATMs at DEF CON 18 (video link below):

Barnaby Jack at DEF CON 18
Last September, Kaspersky demonstrated an ATM Black Box; however, in their proof of concept approach, the criminals physically open the computer using a maintenance worker's key and flip a physical switch in the ATM to cause it to enter Supervisor mode.   The Black Box is connected to the ATM through a simple USB port that was at that time available in most ATM machines.

Black box demo video from Kaspersky


The new Europol arrest report shows that the current evolution of ATM Black Box attacks is to physically cut into the ATM with drills, saws, or acetylene torches, and gain physical access to cables to which the laptop or black box will be attached.  In the current round of Black Box attacks, the target is not the ATM Computer, but rather the cables that connect the ATM computer to the Banknote Dispenser.  By directly connecting to the Dispenser, the connected laptop's malware simply issues commands to the Dispenser that normally would come from the ATM Computer and gives the order to dispense bills.
Image from Europol


Image from Europol

Information shared in the EAST working groups has produced some uncharacteristic good news in this space!  Although the number of ATM Black Box attacks went up considerably, with 15 attacks in 2015 and 58 attacks in 2016, many of these attacks were unsuccessful.  In their 11APR2017 report, EAST explained:

[In 2016] a total of 58 such attacks were reported by ten countries, up from 15 attacks during 2015.  ‘Black Box’ is the connection of an unauthorised device which sends dispense commands directly to the ATM cash dispenser in order to ‘cash-out’ the ATM.  Related losses were down 39%, from €0.74 million to €0.45 million.

and illustrated this information with the following chart:

from EAST Report on ATM Fraud



The mitigation guidelines issued by EAST should be significantly updated at the upcoming meeting with guidance on Logical Attacks, Black Box Attacks, and Explosive Attacks, as well as Regional ATM Crime trend reports from Europol, Russia, the US Secret Service, Latin America, and ASEANAPOL.

Other ATM Attacks Still Dominate 

While ATM Black Box attacks are interesting, as the chart above shows they aren't where most of the money is being stolen.  Traditional skimming and white-carding is still stealing over 300 Million Euros per year, while physical attacks of other sorts claimed nearly 50 Million Euros in 2016 alone!

One other trend that is sweeping Europe is the technique of pumping an ATM full of an explosive gas to blow the front off the machine giving the criminals access to the full contents of the dispenser.   The Italian police shared this interesting video of the technique:

Italian police shared this video from Feb 2013
This technique was recently used by two British men to blow up at least thirteen ATMs along the Costa del Sol in Southern Spain.  In the first half of 2016, 492 ATM Explosive attacks occurred across Europe, yielding the criminals an average of $18,300 per attack!  For the full year-over-year comparison, in 2015 there were 673 ATM Explosive attacks in Europe, and in 2016 there were 988 such attacks.  This accounts for roughly 1/3rd of the Physical attacks on ATMs in the EAST reporting.

Skimming dominates arrests to date

While we aren't sure exactly which attacks are included in the statistics above, several major ATM attacking gangs have been previously arrested and disclosed. While jackpotting arrests are rare, there must be a hundred reports of arrests for implanting skimming devices and creating counterfeit ATM cards based on the results.

One rare Jackpotting arrest was in January 2016 when a Romanian ATM attack gang was arrested for attacks in Germany, France, Norway, Sweden, Poland, and Romania.  In that case, the Tyupkin trojan, targeting a particular model of NCR ATMs, was inserted by gaining physical access to the ATM and booting a malicious CD in the ATM computer.  (See www.zdnet.com/article/atm-malware-gang-behind-euro-attacks-targeted-in-police-swoops/ ).

In April 2016, the Italian police arrested 16 Romanians for running a large ATM skimming ring who stole at least €1.2 million. 

In May 2016, the French Gendarmerie of Pau, in cooperation with the Italian State Police and Europol, arrested nine for running an ATM Skimming Ring that stole more than 500,000 Euros.

In March 2017, a group of five Romanians were arrested for skimming in York County, Pennsylvania as well.

Tuesday, May 24, 2016

"Unlimited" ATM attack in Japan against South Africa's Standard Bank

We've written about Unlimited ATM attacks in this blog many times in the past, from 2008 until just a few months ago, but this newest attack is the first to feature Japanese ATM machines, to my knowledge.  In the early morning hours of 15MAY2016, at least 100 criminals visited at least 1,400 ATM machines and used a set of counterfeit ATM cards, cloned to correspond with accounts at Standard Bank in South Africa, to make the maximum 100,000 Yen withdrawal ($913 USD or £629) . . . about 14,000 times!

Standard Bank has confirmed to South African media that the event occurred, and has estimated the damage to the bank at around R200m (200 million South African Rand, or about $12.7M USD or about 1.4 billion Japanese Yen).  But is it truly an "Unlimited" attack?

The story was first reported in the 22MAY2016 Mainichi Daily News as "1.4 billion yen stolen from 1,400 convenience store ATMs across Japan".  The ATM machines are located in 7-Eleven convenience stores throughout Tokyo and 16 prefectures around the country.  The ATM machines in 7-Eleven stores in Japan are part of the bank network associated with Seven Bank.  Seven Bank's website invites international visitors to Japan to use their ATMs at 7-Eleven stores "Day or Night" which may be part of the appeal to these criminals.

www.sevenbank.co.jp/intlcard/index2.html


Several unique things happened in this account.  In previous "Unlimited" attacks, a very small number of accounts have had a related debit card "cloned" by making an exact copy of the magnetic stripe of the card.  In the past, an intruder onto the bank's network has been able to adjust the daily withdrawal limits of the cards, and reverse transactions, so that the same account could be used to perform hundreds or thousands of withdrawals.  The attacks are referred to as "Unlimited" attacks because a single account with a very small balance could be used to front millions of dollars worth of transactions, because each transaction is immediately reversed by the intruders who monitor the carefully orchestrated attack.  In the case of the most famous Unlimited attack, "The $9 Million World-Wide Bank Robbery", forty-four accounts were used to withdraw funds from 2,100 ATM machines in at least 280 cities around the world in a single evening.

In this case, it is not clear if this is what happened, primarily because the published reports say that at least 1,600 Standard Bank customers' accounts were used to perform the transactions. If this is true, with an estimate of 100 criminals involved in the "cash-out" portion of this robbery, that means on average each criminal had access to 16 accounts that were unique to that criminal.  Also, with 1600 accounts in play, the average account holder's account would only have faced $7900 USD in charges.  This, however, contradicts the description of events that the BBC quotes, when it says that Standard Bank reported that "a small number" of fake cards were used in the event.  (The BBC article also places Standard Bank's estimated losses at $19.25m, which, if you do the math, shows they chose the higher of the two contradictory values being reported in South Africa of either R200m or R300m.  R200m matches all of the other figures being thrown about, while R300m is 50% higher.)

In my humble opinion, I believe that a journalist not versed in this type of cybercrime heard that 1600 counterfeit cards were used and assumed that they must belong to 1600 customers.  The key difference, and the most important with regards to Standard Bank, is that in a true "Unlimited" attack, the criminals would need to be controlling ATM accounts and logs INSIDE the Standard Bank network with administrator-level privileges. 

The Japan Times says "Japanese police have put suspects belonging to a Malaysian group on an international wanted list" relating to this event.  In reports from 2014, Japanese officials say that Chinese students are often used as money mules in Japan for withdrawing cash on behalf of organized cyber criminals, in much the same way that Russian money mules are used to withdraw cash from American banks.

Sunday, March 06, 2016

"Unlimited" ATM Mastermind Ercan Findikoglu pleads guilty

One of the most fascinating types of cybercrime, in my opinion, is the Unlimited ATM attack.  There have been several such attacks over the years, as we've written about in this blog previously, including:


In an "Unlimited" attack, hackers gain access to the internal systems of a bank or banking network and are either able to "reset" ATM withdrawal limits or eliminate the limits altogether for a card or group of cards.  The magnetic stripe data from these cards are then widely distributed to "cash-out crews" who take responsibility for draining as many ATM cards as possible in their area, while each time a card is used, the hackers "undo" the transaction so that the card appears to have not been used.
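The three ingredients of the Unlimited pattern as described here and in the Cosmos Bank and Standard Bank posts above (a reset or removed withdrawal limit, a small set of cards used in many countries at once, and every withdrawal immediately "undone") each leave a trace in the issuer's authorization log, which is what a bank's own monitoring can key on. What follows is an added example written for this post, not the blog's code nor any bank's production rule set; the log format, the $1000 daily limit, the 30-minute and 30-second windows, and the sample events are constructed assumptions.

```python
"""Added example (not the blog's own code): detection rules for the
"Unlimited" ATM attack pattern, run over a constructed authorization
log. Card limits, field names, windows and sample data are illustrative
assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class AuthEvent(NamedTuple):
    ts: datetime
    pan_hash: str     # hashed card number
    country: str      # country of the ATM
    kind: str         # "withdraw" or "reversal"
    amount: int       # in USD


# Constructed log: card c1 is one of the few cards handed to cash-out
# crews; each withdrawal is reversed by the intruders moments later so
# the balance never appears to drop. Card c2 is ordinary traffic.
SAMPLE_LOG = """\
2013-02-19T22:00:00 c1 US withdraw 500
2013-02-19T22:00:07 c1 US reversal 500
2013-02-19T22:01:30 c1 JP withdraw 900
2013-02-19T22:01:39 c1 JP reversal 900
2013-02-19T22:02:10 c1 DE withdraw 500
2013-02-19T22:02:18 c1 DE reversal 500
2013-02-19T22:03:00 c1 RU withdraw 500
2013-02-19T22:03:05 c1 RU reversal 500
2013-02-19T22:05:00 c2 US withdraw 200
"""

DAILY_LIMIT = 1000   # assumed per-card daily withdrawal limit


def parse_log(text):
    """Parse the whitespace-separated log into time-sorted events."""
    out = []
    for line in text.splitlines():
        ts, pan, country, kind, amount = line.split()
        out.append(AuthEvent(datetime.fromisoformat(ts), pan, country, kind, int(amount)))
    return sorted(out, key=lambda e: e.ts)


def over_limit_cards(events, limit=DAILY_LIMIT):
    """Cards whose gross withdrawals exceed the daily limit. Reversals
    are deliberately NOT netted out: in an Unlimited attack the reversal
    is the attacker's tool, so the control counts what the dispensers
    actually paid out, independent of the (compromised) limit logic."""
    gross = defaultdict(int)
    for e in events:
        if e.kind == "withdraw":
            gross[e.pan_hash] += e.amount
    return {pan: total for pan, total in gross.items() if total > limit}


def multi_country_cards(events, window=timedelta(minutes=30), min_countries=3):
    """Cards withdrawn in >= min_countries distinct countries inside one
    window: one physical card cannot be in several countries in minutes,
    so this is the footprint of cloned cards in cash-out crews' hands."""
    by_card = defaultdict(list)
    for e in events:                      # events are time-sorted
        if e.kind == "withdraw":
            by_card[e.pan_hash].append(e)
    hits = {}
    for pan, evs in by_card.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            countries = {x.country for x in evs[start:end + 1]}
            if len(countries) >= min_countries:
                hits[pan] = max(hits.get(pan, 0), len(countries))
    return hits


def fast_reversals(events, max_gap=timedelta(seconds=30)):
    """Per card, count withdrawals reversed for the same amount within
    max_gap. Legitimate reversals (dispenser faults) are rare; a card
    with several in a row matches the "undo" step described above."""
    pending = {}                # pan -> most recent withdrawal
    counts = defaultdict(int)
    for e in events:
        if e.kind == "withdraw":
            pending[e.pan_hash] = e
        elif e.kind == "reversal":
            w = pending.pop(e.pan_hash, None)
            if w and w.amount == e.amount and e.ts - w.ts <= max_gap:
                counts[e.pan_hash] += 1
    return dict(counts)


def alerts(events):
    """Combine the three rules; a card tripping two or more is alerted."""
    scores = defaultdict(int)
    for pan in over_limit_cards(events):
        scores[pan] += 1
    for pan in multi_country_cards(events):
        scores[pan] += 1
    for pan, n in fast_reversals(events).items():
        if n >= 2:
            scores[pan] += 1
    return sorted(pan for pan, s in scores.items() if s >= 2)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(over_limit_cards(evs), multi_country_cards(evs), fast_reversals(evs))
    print(alerts(evs))   # ['c1']
```

The important design point is that none of the three rules trusts the balance or the limit field, because those are exactly what the intruder controls; they trust only what the dispensers reported paying out, where, and how quickly the payout was undone. An issuer that tallies gross dispensed cash per card from the network side would have seen the 2008 RBS WorldPay and 2013 Bank Muscat figures described in this blog accumulate in the first minutes rather than the next morning.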


33-year old Turkish citizen Ercan Findikoglu was charged with conducting three such Unlimited campaigns.

In February 2011, $10M was withdrawn using the pre-paid debit cards distributed by the American Red Cross to disaster relief victims.  The cards were operated by JPMorgan Chase.  On February 27 and 28, 2011 a total of around 20 pre-paid debit cards were used in approximately 15,000 transactions to withdraw $10M from ATM machines in 18 countries, including ATMs in the Eastern District of New York.

In Findikoglu's second Unlimited attack, pre-paid debit cards for the India-based company ECS, operated by National Bank of Ras Al-Khaimah PSC (RAKBANK) in the United Arab Emirates were used.  On December 21 and 22, 2012, approximately 5,000 transactions in at least 20 countries resulted in withdrawal of $5M.

In the largest of his three documented Unlimited campaigns, enStage, a California-based payment processor, suffered an intrusion and had many cards stolen from its internal database.  A group of pre-paid debit cards for Bank Muscat in Oman were selected as the target, and on February 19 and 20, 2013, 36,000 transactions in 24 countries were used to steal $40M.

ERCAN FINDIKOGLU, who called himself "Segate" or "Predator" online, was arrested in December of 2013 while visiting Germany.



He was originally charged with 18 counts:

(1)   CONSPIRACY TO DEFRAUD THE UNITED STATES
(2-4) FRAUD ACTIVITY CONNECTED WITH COMPUTERS
(5-6) ATTEMPT AND CONSPIRACY TO COMMIT MAIL FRAUD
(7)   BANK FRAUD
(8)   ATTEMPTS TO COMMIT AN OFFENSE
(9-14) PRODUCES/TRAFFICS IN COUNTERFEIT DEVICE
(15) MONEY LAUNDERING CONSPIRACY
(16) MONEY LAUNDERING
(17) TAMPERING WITH WITNESS, VICTIM, OR AN INFORMANT
(18) INTIMIDATION OR FORCE AGAINST WITNESS

On June 24, 2015, Ercan was ordered into US detention, having been extradited from Germany.  The German courts in Frankfurt declared that Findikoglu was "the most-wanted computer hacker in the world and may face more than 247 years in prison if convicted of all U.S. charges" (as quoted in Bloomberg's story of 23JUN2015 - "Most-wanted cybercriminal extradited to U.S. from Germany").

As usual, the reality of sentencing varies dramatically from the overblown initial press release.  On March 1, 2016, all parties appeared before the honorable Judge Kiyo A. Matsumoto for a Change of Plea Hearing.    Sentencing is scheduled for July 12, 2016, but according to the BBC, prosecutors have agreed in a plea deal to limit his incarceration to "between 11 and 15 years."  (See "US bank hacker faces long jail time".)

Many of the "Cash-out crews" from these operations have been separately arrested and charged, while many others (the vast majority really) remain at large.




Thursday, May 09, 2013

ATM Cashers in 26 Countries steal $40M

CBS News in New York has a video on their website this morning titled Cyber-attacks behind possibly record-breaking bank heist. Former FBI Assistant Director John Miller shares the story and says "We've learned how they carried out this cyber-attack, and it's unlike anything ever seen before."

Except it isn't. In fact, on Tuesday morning this week I was sharing a presentation about financial cyber crimes with Iberia Bank in New Orleans, LA. I mentioned that one of the things that banks still need to be on the lookout for is true "intrusions" into their system. By planting malware on internal bank systems, criminals can gain deep penetrating access to the internal workings of the bank and take their time, recruiting specialists to help them learn the inner workings of the bank to coordinate very elaborate schemes.

The attack described by Miller involves a group who had partnered together around the world calling themselves the "Unlimited Operation". In the scheme he describes, hackers gain internal access to a bank, or in the most recent case "a Visa/MasterCard processing Center," and gain the ability to manipulate the withdrawal limit on certain ATM Debit cards. These card numbers are then distributed around the world to "Cashing Gangs" that make local copies of the ATM cards and build a network of cashers who "work the machines."

One of the most notorious hacking operations in U.S. History was "Solar Sunrise" - a deep penetration into the Pentagon's computer operations that served as a wake up call for the U.S. Government and led to the production of a video (now available on YouTube) called Solar Sunrise: Dawn of a New Threat.

The hacker mastermind behind Solar Sunrise was an Israeli hacker, Ehud Tenenbaum, who called himself The Analyzer. In September of 2008 we wrote about him on this blog in the story Is The Analyzer Really Back? (The return of Ehud Tenenbaum) because Tenenbaum was the mastermind behind an attack against a Calgary-based financial services company. In that case, Tenenbaum penetrated the company's internal systems and gained the ability to alter or remove the ATM withdrawal limits. Then, teams of cashers, armed with counterfeit ATM cards bearing the magnetic stripe data for those accounts, hit the streets and pulled out $2 million in a blitz of ATM withdrawals.

But that's not the only time it happened. This blog also ran the story in November 2009 called The $9 Million World-Wide Bank Robbery that shared the details of exactly the same type of raid being performed against RBS WorldPay, headquartered in Atlanta, Georgia. In that case, Estonian hackers penetrated the financial services company, which specializes in "payroll debit cards". After doing so, they contracted with fellow criminals in Russia, Yevgeny Anikin and Viktor Pleshchuk, who have both confessed their crimes and received suspended sentences in the Russian bribery-based version of justice. (See article: Hacker escapes jail time in RBS WorldPay ATM heist.) Anikin and Pleshchuk worked with the famous credit-card trading criminal BadB (Vladislav Horohorin) to build a network of cashers operating in 280 cities. Over the course of 12 hours, 2,100 ATMs in those 280 cities paid out more than $9 million against just 44 compromised accounts.

That doesn't mean cyber criminals can't go to jail, though! Vladislav Horohorin was arrested in Nice, France as he prepared to return to Moscow. (See the Daily Mail story, One of world's most wanted cyber criminals caught on French Riviera.) Horohorin, or "BadB", was the founder of CarderPlanet, and was extradited to the US, where he was tried and, in April 2013, sentenced to 88 months in prison.

For a look at one of the US-based casher rings in the RBS WorldPay case, consider the case of Sonya Martin, a Nigerian woman who ran the Chicago casher gang used in that operation. Sonya's ring only withdrew $89,120 in Chicago, but she still got a 30-month sentence back in August 2012. See: Cell leader in RBS WorldPay fraud scheme sentenced.

One other case that used this methodology, and also had New York City ties, was the case that charged Ukrainians Yuriy Ryabinin and Ivan Biltse with performing $750,000 in ATM withdrawals. BankInfoSecurity.com reported the story in 2008, documenting that $5 million was taken in more than 9,000 withdrawals "all around the world" on September 30th and October 1st of that year. According to an affidavit shared by Wired Magazine, this case was tied to a breach of a Citibank server that processed ATM withdrawals at 7-Eleven convenience stores.

In the current case described this morning by CBS, it was reported that later today Loretta Lynch, U.S. Attorney for the Eastern District of New York, would announce the arrest of seven members of a New York casher gang that hit ATMs up and down Broadway for almost $2 million during the most recent "Unlimited Operation" case. "Unlimited" was involved in a similar $5 million raid against a financial institution in India. CBS shared a map of the ATMs used by the crew whose arrests will be announced later today.

In the New York case, the arrested cashers were:

  • ALBERTO YUSI LAJUD-PEÑA, 23 (deceased)
  • JAEL MEJIA COLLADO, 23
  • JOAN LUIS MINIER LARA, 22
  • EVAN JOSE PEÑA, 35
  • JOSE FAMILIA REYES, 24
  • ELVIS RAFAEL RODRIGUEZ, 24
  • EMIR YASSER YEJE, 24
  • CHUNG YU-HOLGUIN, 22

The Eastern District of New York's press release, Eight Members of New York Cell of Cybercrime Organization Indicted in $45 Million Cybercrime Campaign, released today, May 09, 2013, explains how the cashers above, who withdrew $2.8 million in New York, fit into the larger "Unlimited Operations." In the first operation, the New York crew withdrew $400,000 from 140 ATMs in New York City in two hours and 25 minutes. In the second operation, February 19-20, 2013, the crew performed 3,000 ATM withdrawals, scoring $2.4 million in cash between 3 PM on the 19th and 1:26 AM on the 20th, which works out to roughly $230,000 per hour!

The worldwide take on the Feb 19-20 raid included 36,000 transactions and $40 million!
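The numbers above are exactly the signal a fraud-monitoring team should be looking for: a handful of card numbers each producing far more cash than any issuer limit would allow, from many ATMs, in many cities, inside a few hours. As an added example (not code from the original post, nor from any bank or processor named here), the check below runs over a constructed ATM authorization log and flags a card whose withdrawals in a sliding 24-hour window exceed the issuer's intended daily limit, or which is used at more ATMs, or in more than one city, within an hour than a real cardholder plausibly could. The point of keeping the intended limit in the monitoring layer is that the check still fires after an intruder has raised or removed the limit in the authorization system itself. The log format, card tokens, limits and thresholds are all assumptions for illustration.

```python
"""Velocity checks for spotting an "unlimited operation" cash-out.

Added example, not code from the original post or from any bank. The log
format, the card tokens, the daily limit and the per-hour thresholds are
constructed assumptions for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: UTC timestamp, card token, ATM id, city, amount (USD).
# card-A models a card being cashed out; card-B models ordinary use.
SAMPLE_LOG = """\
2013-02-19T15:02:11Z card-A atm-0012 NewYork 500
2013-02-19T15:04:40Z card-A atm-0017 NewYork 500
2013-02-19T15:05:03Z card-B atm-0431 Chicago 200
2013-02-19T15:07:55Z card-A atm-0021 NewYork 800
2013-02-19T15:09:12Z card-A atm-7781 Tokyo 900
2013-02-19T15:11:30Z card-A atm-0025 NewYork 800
2013-02-19T15:13:02Z card-A atm-0033 NewYork 700
2013-02-20T01:26:00Z card-B atm-0431 Chicago 100
"""

DAILY_LIMIT_USD = 1000     # assumed issuer limit; the attacker raises it in the back end
MAX_ATMS_PER_HOUR = 4      # assumed ceiling for a legitimate cardholder
WINDOW_24H = timedelta(hours=24)
WINDOW_1H = timedelta(hours=1)


@dataclass(frozen=True)
class Withdrawal:
    ts: datetime
    card: str
    atm: str
    city: str
    amount: int


@dataclass(frozen=True)
class Alert:
    card: str
    reason: str      # "limit_exceeded", "multi_city" or "atm_velocity"
    ts: datetime     # the withdrawal that tripped the rule
    detail: int      # running USD total, or distinct city/ATM count


def parse_log(text: str) -> list[Withdrawal]:
    """Parse the whitespace-separated log and return withdrawals in time order."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, atm, city, amount = line.split()
        rows.append(Withdrawal(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                               card, atm, city, int(amount)))
    return sorted(rows, key=lambda w: w.ts)


def detect_cashout(withdrawals, daily_limit=DAILY_LIMIT_USD,
                   max_atms_per_hour=MAX_ATMS_PER_HOUR) -> list[Alert]:
    """One pass over time-ordered withdrawals; each rule fires once per card."""
    last_24h = defaultdict(deque)   # card -> (ts, amount) inside the 24h window
    last_1h = defaultdict(deque)    # card -> (ts, atm, city) inside the 1h window
    fired = set()
    alerts = []

    def fire(card, reason, ts, detail):
        if (card, reason) not in fired:
            fired.add((card, reason))
            alerts.append(Alert(card, reason, ts, detail))

    for w in withdrawals:
        # Rule 1: cumulative cash in 24h against the issuer's *intended* limit.
        d24 = last_24h[w.card]
        d24.append((w.ts, w.amount))
        while w.ts - d24[0][0] > WINDOW_24H:   # newest entry is w, so this terminates
            d24.popleft()
        total = sum(amt for _, amt in d24)
        if total > daily_limit:
            fire(w.card, "limit_exceeded", w.ts, total)

        # Rules 2 and 3: geographic spread and ATM count inside one hour.
        d1 = last_1h[w.card]
        d1.append((w.ts, w.atm, w.city))
        while w.ts - d1[0][0] > WINDOW_1H:
            d1.popleft()
        cities = {c for _, _, c in d1}
        atms = {a for _, a, _ in d1}
        if len(cities) > 1:
            fire(w.card, "multi_city", w.ts, len(cities))
        if len(atms) > max_atms_per_hour:
            fire(w.card, "atm_velocity", w.ts, len(atms))
    return alerts


if __name__ == "__main__":
    for a in detect_cashout(parse_log(SAMPLE_LOG)):
        print(f"{a.ts:%Y-%m-%d %H:%M:%S} {a.card} {a.reason} ({a.detail})")
```

Run against the constructed log, card-A trips the limit rule on its third withdrawal ($1,800 in six minutes), the multi-city rule when a Tokyo ATM appears two minutes after a New York one, and the ATM-count rule on its fifth machine inside the hour, while card-B never alerts. In production the same three rules would be fed from the authorization stream rather than a log file, and the daily limit would come from the issuer's policy store, not from the authorization system the intruder controls.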

Alberto Yusi Lajud-Peña, the leader of the New York casher ring, laundered the cash, in one case depositing 7,491 $20 bills in a single transaction in Miami, Florida. The crew bought and sold "portable luxury goods" with the cash, including luxury watches and cars, among them a Mercedes SUV and a Porsche Panamera worth $250,000 between the two. Alberto, also known as "Prime" online, was murdered in the Dominican Republic sometime after these robberies occurred.

U.S. Attorney Lynch says that law enforcement authorities in Japan, Canada, Germany, and Romania made great contributions in the case, but that they also received cooperation from the authorities in the UAE, Dominican Republic, Mexico, Italy, Spain, Belgium, France, United Kingdom, Latvia, Estonia, Thailand, and Malaysia.

What these cases are intended to demonstrate is the importance of closely monitoring the internal corporate network for signs of a breach. In a presentation at ITWeb Security Summit this week, "Formulating an attack-focused security plan", Mandiant CSO Richard Bejtlich shares that 75% of break-ins happen through someone clicking on or responding to a malicious email, and that in two-thirds of incidents the breach isn't discovered by the company but is reported by a third-party organization. Bejtlich says that by the time the attacker is discovered "they will have been inside your company for around eight months."

That's what Malcovery's Today's Top Threats report is intended to address. What is the Top Threat email that is going to lead to criminals having control of one or more of your internal employees' machines? It takes time for the criminal to learn enough about your organization's internal workings to be able to alter card balances and reset withdrawal limits. Quick detection of the breach is key to preventing problems like those described above.