Wednesday, November 11, 2009

The $9 Million World-Wide Bank Robbery

On November 7th and 8th, 2008 a group of Russian and Estonian hackers raised the balances on several ATM "prepaid payroll cards" belonging to RBS WorldPay, headquartered in Atlanta, Georgia. The hackers also modified the business logic regarding the limits on how much money could be withdrawn from a single account via ATM machines. At the pre-arranged time, a world-wide ATM spree began, with hackers using duplicates of 44 payroll cards to make withdrawals from 2,100 ATM machines in at least 280 cities around the world, including cities in the United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan, and Canada.

When the adrenaline rush cleared, the gang had stolen Nine Million Dollars in twelve hours, and the hackers then went back into RBS WorldPay's network seeking to destroy all copies of the records of these withdrawals. The "cashiers", the people who actually used the ATM cards, were allowed to keep between 30% and 50% of the funds they withdrew, sending the rest back to the ring-leaders via Webmoney and Western Union.

The question being asked by EVERYONE was "HOW IS THAT POSSIBLE?!?!?!" For instance, look at the comments on this Boing Boing article: Flashmob of ATM crooks scores $9 million. At that time the news was that "less than 100" cards were used in 30 minutes in 49 cities. Everyone was saying "That's like $90,000 per payroll card? Who has that kind of money on a payroll card?" or "Can you imagine trying to take 3,500 $20 bills out of an ATM?" Keep reading, because those questions are answered below.

On November 10th, 2009, just about one year later, Special Agent in Charge Greg Jones of the Atlanta FBI issued a press release entitled International Effort Defeats Major Hacking Ring: Elaborate Scheme Stole over $9.4 Million from Credit Card Processor.

VIKTOR PLESHCHUK, 28, of St. Petersburg, Russia; SERGEI TŠURIKOV, 25, of Tallinn, Estonia; and OLEG COVELIN, 28, of Chişinău, Moldova, along with an unidentified individual, have been indicted by a federal grand jury on charges of conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud, computer fraud, and aggravated identity theft. IGOR GRUDIJEV, 31, RONALD TSOI, 31, EVELIN TSOI, 20, and MIHHAIL JEVGENOV, 33, each of Tallinn, Estonia, have been indicted by a federal grand jury on charges of access device fraud.


Congratulations to all the great investigators involved in this, from the FBI investigators, the RBS investigations team, and all the locals who got called to pull ATM video all around the world. Well done!

Singled out for praise in the press release were the Estonian Central Criminal Police and the Netherlands Police Agency. The Hong Kong Police worked closely with the FBI to separately charge the criminals who used ATMs based in Hong Kong as part of this scheme.

RBS WorldPay is headquartered in Atlanta, and is owned by Citizens Financial Group, which is itself owned by the Royal Bank of Scotland. Although prepaid debit cards from RBS WorldPay are issued by RBS Citizens of North America, Palm Desert National Bank, The Bankcorp, Inc, and First Bank of Delaware, in this case 42 of the 44 cards used in the scheme were from Palm Desert National Bank.

Let's look at the individuals involved.

SERGEI TŠURIKOV, 25, of Tallinn, Estonia performed reconnaissance and found a path of entry into the RBS WorldPay computer network. With the help of unnamed hackers, he found an exploitable vulnerability in the network. TŠURIKOV then introduced these hackers to VIKTOR PLESHCHUK, 28, of St. Petersburg, Russia, who was the one to actually mastermind the hack, supported by OLEG COVELIN, 28, of Chişinău, Moldova, and an unknown hacker referred to in the indictment as "HACKER 3". TŠURIKOV also managed an existing ring of "cashiers": criminals who brazenly take the risk of withdrawing money using counterfeit ATM cards, and then dutifully wire part of their proceeds back to the smarter criminals who don't take such risks themselves.

The key activity that let them get started was to reverse engineer the encryption of the PINs used by the RBS WorldPay computer network. Driven by PLESHCHUK's superior hacking capabilities, TŠURIKOV, HACKER 3, and others are then said to have raised the limits on certain of the prepaid payroll cards. PLESHCHUK and TŠURIKOV were logged in to the RBS WorldPay computer network, actively observing the world-wide withdrawals taking place on the cards they had distributed for use in this scam. When each card was done, they issued commands in the RBS network to lock that card.

HACKER 3 was primarily responsible for running the network of cashiers and coordinating the simultaneous world-wide withdrawal of what would end up being $9 Million. He was also the funds manager who received the funds from the cashiers and distributed the shares to the other members of the conspiracy.

OLEG COVELIN, 28, of Chişinău, Moldova is the hacker who first found the vulnerability in the RBS WorldPay system, and who shared it with TŠURIKOV so that it could be exploited. COVELIN received magnetic stripe data and PINs from the hackers, which he distributed to his own cashier network to participate in the ATM withdrawal spree.

From November 4th until November 8th, the 44 cards that would be used in the attack were created and distributed to the "lead cashiers", who in turn spread the cards to their cashiers, both in the United States and around the world.

To test their scheme, the hackers, PLESHCHUK, TŠURIKOV, and HACKER 3, modified one card distributed to COVELIN and raised the available balance on that account number.

Then on November 8th, the three hackers did the same for the remainder of the cards, and the ATM Blitz was on. Cashiers hit the 2,100 ATM terminals in at least 280 cities. At the agreed upon time limit, PLESHCHUK and TŠURIKOV tried to begin their clean-up, deleting data in Atlanta, Georgia from St. Petersburg, Russia and Tallinn, Estonia, attempting to cover their tracks and conceal their unauthorized access and fraud.

The indictment contains "xxxxx"ed out versions of the actual commands issued by PLESHCHUK, such as:

UPDATE Card
SET
ATMxxxxxLimit = 500000, POSxxxxLimit = 500000, ATMxxxxxx=500000, ATMxxxxLimit2=500000 where xxxxPAN IN ('xxxxxxxxxxxx1627')

or

delete from xxxxLogs where xxxxLogID>2400000 and xxxxPAN in ('xxxxxxxxxxxx4809', 'xxxxxxxxxxxx3926', 'xxxxxxxxxxxx1041', 'xxxxxxxxxxxx5815', 'xxxxxxxxxxxx4912', 'xxxxxxxxxxxx9488', 'xxxxxxxxxxxx2840', 'xxxxxxxxxxxx3890')

delete from xxxxTransaction where xxxxxxxxID>820000000 and xxxxPAN in ('xxxxxxxxxxxx4809', 'xxxxxxxxxxxx3926', 'xxxxxxxxxxxx1041', 'xxxxxxxxxxxx5815', 'xxxxxxxxxxxx4912', 'xxxxxxxxxxxx9488', 'xxxxxxxxxxxx2840', 'xxxxxxxxxxxx3890')

Commands issued by TŠURIKOV are also listed in the indictment such as:

select xxxxxxxxxxxID, xxxxxxxxDateTime, xxxxxxxxAmount, xxxxxxxName, xxxxxMerchxxx, xxxxAddr, xxxxCity, xxxxState, xxxZip, xxxxCounty from xxxxxxxxxxxTransaction where xxxPAN = 'xxxxxxxxxxxx0336' and xxxxxxxxxxxxID > 82300000
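The redacted commands above are enough to see the shape of the attack: a direct UPDATE on the card table to push a card's ATM and POS limits to 500,000, a SELECT on the transaction table to watch the withdrawals land, and then a DELETE on the log and transaction tables to remove the evidence. As an added illustration for this post (this is example code written here, not anything from the indictment, the FBI, or RBS WorldPay; the table and column names, the masked PANs and the withdrawals are all invented, since the indictment redacts the real identifiers), here is a small SQLite model that replays those commands against a toy processor database and shows two controls that would have changed the outcome: a trigger-maintained, append-only audit trail that survives the clean-up, and a detection query for the "raise the limit, then cash out in many cities" pattern.

```python
"""Toy prepaid-card processor database in SQLite (example code for this post).

Replays the two kinds of command quoted in the indictment (raise a card's
limits, delete its logs) and shows two controls: an append-only audit trail
kept by triggers, and a query that flags a limit raise followed by withdrawals
in many cities.  Schema, column names and all data are constructed for this
example; the indictment redacts the real identifiers.
"""
import sqlite3

SCHEMA = """
CREATE TABLE Card (
    PAN            TEXT PRIMARY KEY,
    ATMDailyLimit  INTEGER NOT NULL,
    POSDailyLimit  INTEGER NOT NULL
);
CREATE TABLE CardTransaction (
    TxID        INTEGER PRIMARY KEY AUTOINCREMENT,
    PAN         TEXT NOT NULL REFERENCES Card(PAN),
    Amount      INTEGER NOT NULL,
    City        TEXT NOT NULL,
    TxDateTime  TEXT NOT NULL
);
-- Every limit change lands here via trigger, whoever issued the UPDATE.
CREATE TABLE CardAudit (
    AuditID      INTEGER PRIMARY KEY AUTOINCREMENT,
    PAN          TEXT NOT NULL,
    OldATMLimit  INTEGER NOT NULL,
    NewATMLimit  INTEGER NOT NULL,
    ChangedAt    TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
CREATE TRIGGER audit_limit_change AFTER UPDATE OF ATMDailyLimit ON Card
BEGIN
    INSERT INTO CardAudit (PAN, OldATMLimit, NewATMLimit)
    VALUES (OLD.PAN, OLD.ATMDailyLimit, NEW.ATMDailyLimit);
END;
-- The clean-up in the indictment was a DELETE on the log tables; refusing
-- deletes at the database layer keeps the evidence.
CREATE TRIGGER tx_append_only BEFORE DELETE ON CardTransaction
BEGIN SELECT RAISE(ABORT, 'CardTransaction is append-only'); END;
CREATE TRIGGER audit_append_only BEFORE DELETE ON CardAudit
BEGIN SELECT RAISE(ABORT, 'CardAudit is append-only'); END;
"""

# Constructed sample data; the PANs are masked placeholders, not card numbers.
PAN_SPREE, PAN_ONE_CITY, PAN_LEGIT = "************1627", "************0336", "************4809"
SAMPLE_CARDS = [(PAN_SPREE, 500), (PAN_ONE_CITY, 500), (PAN_LEGIT, 500)]
# (PAN, amount, city, minutes relative to "now"); the limit changes happen at "now".
SAMPLE_WITHDRAWALS = [
    *[(PAN_SPREE, 9000, city, 1) for city in
      ("Atlanta", "Moscow", "Tallinn", "Rome", "Hong Kong", "Tokyo", "Toronto", "Kyiv")],
    *[(PAN_ONE_CITY, 9000, "Tallinn", m) for m in (1, 2, 3)],
    (PAN_LEGIT, 200, "Chicago", -120),   # before the (modest) limit change
    (PAN_LEGIT, 300, "Chicago", 5),
]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Card (PAN, ATMDailyLimit, POSDailyLimit) VALUES (?, ?, ?)",
                     [(pan, lim, lim) for pan, lim in SAMPLE_CARDS])
    conn.commit()
    return conn


def raise_limits(conn, pan, new_limit):
    """The indictment's 'UPDATE Card SET ...Limit = 500000 WHERE ...PAN IN (...)',
    parameterised.  The audit trigger fires no matter who runs it."""
    conn.execute("UPDATE Card SET ATMDailyLimit = ?, POSDailyLimit = ? WHERE PAN = ?",
                 (new_limit, new_limit, pan))
    conn.commit()


def record_withdrawals(conn, rows):
    conn.executemany(
        "INSERT INTO CardTransaction (PAN, Amount, City, TxDateTime) "
        "VALUES (?, ?, ?, datetime('now', ? || ' minutes'))",
        [(pan, amount, city, f"{minutes:+d}") for pan, amount, city, minutes in rows])
    conn.commit()


def delete_logs(conn, pans, min_tx_id):
    """The indictment's clean-up DELETE.  Returns rows removed: 0 when the
    append-only trigger aborts the statement."""
    marks = ", ".join("?" * len(pans))
    try:
        cur = conn.execute(
            f"DELETE FROM CardTransaction WHERE TxID > ? AND PAN IN ({marks})",
            (min_tx_id, *pans))
        conn.commit()
        return cur.rowcount
    except sqlite3.DatabaseError:      # RAISE(ABORT) surfaces as IntegrityError
        conn.rollback()
        return 0


def find_suspicious_cards(conn, ratio=10, min_cities=5):
    """Cards whose ATM limit jumped by at least `ratio` and that were then used
    in at least `min_cities` distinct cities.  Rows: (PAN, old, new, cities, total)."""
    return conn.execute("""
        SELECT a.PAN, a.OldATMLimit, a.NewATMLimit,
               COUNT(DISTINCT t.City), SUM(t.Amount)
        FROM CardAudit a
        JOIN CardTransaction t ON t.PAN = a.PAN AND t.TxDateTime >= a.ChangedAt
        WHERE a.NewATMLimit >= a.OldATMLimit * ?
        GROUP BY a.AuditID
        HAVING COUNT(DISTINCT t.City) >= ?
        ORDER BY SUM(t.Amount) DESC""", (ratio, min_cities)).fetchall()


def run_scenario():
    """Replay: raise limits, spree, attempted clean-up, then detection."""
    conn = open_db()
    raise_limits(conn, PAN_SPREE, 500000)
    raise_limits(conn, PAN_ONE_CITY, 500000)
    raise_limits(conn, PAN_LEGIT, 1000)        # ordinary customer-service change
    record_withdrawals(conn, SAMPLE_WITHDRAWALS)
    deleted = delete_logs(conn, [PAN_SPREE, PAN_ONE_CITY], 0)
    return {
        "deleted": deleted,
        "tx_rows": conn.execute("SELECT COUNT(*) FROM CardTransaction").fetchone()[0],
        "audit_rows": conn.execute("SELECT COUNT(*) FROM CardAudit").fetchone()[0],
        "flagged": find_suspicious_cards(conn),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two things to take from the replay. First, the clean-up DELETE returns zero rows and the transaction table is intact, so the "delete from xxxxTransaction" step only works when the log tables are as writable as the card table was; separating them (append-only tables, or a copy shipped off the database host) is what preserves the evidence. Second, the detection query flags only the card that was both raised a thousand-fold and then used in eight cities, not the card cashed out in a single city and not the routine customer-service raise, so the same transaction table the hackers were SELECTing from would have shown the pattern while the spree was still running. A trigger is only as strong as the account the attacker holds; if they come in as the DBA they can drop it, which is why the copy of the audit trail belongs somewhere that account cannot reach.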


Some of the specific counts include:

COUNT ONE: Conspiracy to Commit Wire Fraud 18 USC § 1349.

COUNTS TWO THROUGH TEN: Wire Fraud 18 USC § 1343

COUNT ELEVEN: Conspiracy to Commit Computer Fraud (see below)

COUNT TWELVE: Computer Intrusion Causing Damage 18 USC §§ 1030(a)(5)(A), 1030(b), 1030(c)(4)(B)

COUNT THIRTEEN: Computer Intrusion Obtaining Information 18 USC § 1349, 18 USC §§ 1030(a)(2), 1030(c)(2)(B)(i), 1030(c)(2)(B)(ii), 1030(c)(2)(B)(iii)

COUNT FOURTEEN: Computer Intrusion Furthering Fraud 18 USC §§ 1030(a)(4), 1030(c)(3)(A)

COUNT FIFTEEN: Aggravated Identity Theft 18 USC §§ 1028A(a)(1), 1028A(b), 1028A(c)(5)

COUNT SIXTEEN: Access Device Fraud 18 USC §§ 1029(a)(5), 1029(c)(1)(A)(ii)

Count Sixteen is where the other parties come into play. These are the guys doing the cashing.

SERGEI TŠURIKOV gave card numbers and PIN codes to IGOR GRUDIJEV, who then gave the information to RONALD TSOI, EVELIN TSOI, and MIHHAIL JEVGENOV, all of Estonia, who withdrew funds worth US$289,000 from ATMs in Tallinn, Estonia.



The charges are much cooler than that really - they use this language that I love, because it makes it so clear and easy to find in our laws EXACTLY what they were being charged with. As you read below, just picture bad guys going to jail, and smile with me:

knowingly and willfully conspire to: (a) knowingly cause the transmission of a program, information, code, and command, and as a result of such conduct, intentionally cause damage and attempt to cause damage without authorization to a protected computer, causing loss aggregating at least $5,000 in value to at least one person during a one-year period from a related course of conduct affecting a protected computer, in violation of 18 USC §§ 1030(a)(5)(A) and 1030(b); (b) intentionally access a computer without authorization, and thereby obtain information contained in a financial record of a financial institution, and of a card issuer as defined in 15 USC § 1602(n), and from a protected computer, and the offense being committed for purposes of commercial advantage and private financial gain, and in furtherance of a criminal and tortious act in violation of the Constitution and the laws of the United States, specifically, conspiracy to commit wire fraud in violation of 18 USC § 1349 and wire fraud in violation of 18 USC § 1343, and the value of the information obtained exceeding $5,000, in violation of 18 USC § 1030(a)(2); and (c) access a protected computer without authorization and by means of such conduct further the intended fraud and obtain value, specifically, prepaid payroll card numbers and PIN codes, and withdrawals from such prepaid payroll card accounts exceeding US$9 million, in violation of 18 USC § 1030(a)(4), all in violation of 18 USC § 371.
