A stealthy hack into a financial system; clever manipulation of data by exploiting hidden vulnerabilities; an international cash-out operation of gargantuan proportions, reminiscent of an Al-Qaeda multiple-attack plan; FBI agents working across borders to trace the criminals and bring them to justice. All the elements of a good Hollywood heist film, except that it happened for real.
The magnitude of the heist, as revealed in the US Justice Department indictment of eight foreign nationals involved in the break-in at the Atlanta-based processor RBS WorldPay, is nothing short of staggering.
It started with a tip from Oleg Covelin, 28, a hacker from Moldova who identified a vulnerability in the processor’s network. Covelin shared what he had found with the main conspirators: Viktor Pleshchuk, 28, of St. Petersburg, Russia, and Sergei Tsurikov, 25, of Tallinn, Estonia.
Once inside, the hackers found a way to circumvent the encryption protecting the prepaid payroll card data. These cards are used instead of pay checks: your employer gives you a payroll debit card pre-loaded with your salary, which you can then withdraw at any ATM rather than take a paper check to your bank.
The hackers had to get the full information on these cards – including PIN codes – in order to clone physical plastic cards that were later used for cash out.
In a typical carding case, the idea is to steal a large number of credit card records and then sell them online or clone the cards. Here the ploy was completely different.
The Russian and Estonian hackers found a way to inflate the balance on each card: on average, each cloned card was linked to an account that was ‘topped up’ with over $200,000 of fake ‘salary’. They also raised the withdrawal limits on each account so that the full available balance could be withdrawn without restriction. And they covered their tracks effectively, deleting records and eliminating evidence. See a sample of the code they used, taken from the Justice Department's indictment.
Immediately after inflating the available funds, 44 cards were physically cloned, their magnetic stripes encoded with the data of the real payroll cards linked to the breached accounts.
The cards were handed to an army of cashers recruited in the United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan and Canada. They were instructed to take the cloned cards on a lightning-fast ATM withdrawal spree that spanned 2,100 cash machines in 280 cities, all within 12 hours.
$9.4 million was withdrawn from just 44 plastic cards in a single day.
The mastermind behind the unprecedented cash-out operation is not named. The indictment reads that “Hacker 3… was responsible for managing the network of cashers who used the fraudulently obtained payroll cards and PIN codes to obtain cash from ATMs on a coordinated time schedule… distributed… [the cards] to casher networks around the world… He managed the dividing of the proceeds and the distribution of cash from the cashers to the other members of the scheme”.
Hacker 3 is the only fraudster not named in the indictment, and he was the brain behind the coordinated cash-out, which was truly mesmerizing. The level of international coordination, dozens of cashers hitting 2,100 ATMs in 280 cities across 8 time zones, all within 12 hours, is the most striking element of the heist. They knew they had a limited window of opportunity before the alarm bells within the processor would start ringing. It wasn’t very sophisticated from a technical perspective, but it did require a remarkable feat of coordination.
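The two ingredients described above, balances and withdrawal limits raised far beyond anything a payroll card normally sees, followed by a burst of withdrawals from many cities inside a short window, are exactly what a processor's own monitoring can be built to catch before the 12-hour window closes. The Python below is an added example written for this page; it is not code from the indictment, from the hackers, or from RBS WorldPay. The event records, card identifiers, cities, timestamps and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    card: str
    ts: datetime
    city: str
    amount: float


@dataclass(frozen=True)
class AccountChange:
    card: str
    ts: datetime
    field: str      # "balance" or "daily_limit"
    old: float
    new: float


def suspicious_changes(changes, balance_factor=10.0, limit_factor=5.0):
    """Return {card: [AccountChange, ...]} for balance top-ups or limit raises
    that dwarf the prior value. A payroll load is a small multiple of the last
    one; a 10x balance jump or a 5x daily-limit jump is the kind of manual edit
    the scheme relied on. The factors are illustrative assumptions."""
    flagged = defaultdict(list)
    for c in changes:
        if c.old <= 0:
            continue
        ratio = c.new / c.old
        if (c.field == "balance" and ratio >= balance_factor) or \
           (c.field == "daily_limit" and ratio >= limit_factor):
            flagged[c.card].append(c)
    return dict(flagged)


def velocity_anomalies(withdrawals, window=timedelta(hours=1),
                       max_count=4, max_cities=1):
    """Sliding-window velocity check per card.

    Returns {card: (peak_count, peak_cities)} for every card whose withdrawals
    inside any one window exceed max_count, or touch more than max_cities
    distinct cities. One cardholder cannot be in two cities within the hour,
    so the city check is a strong signal on its own."""
    by_card = defaultdict(list)
    for w in withdrawals:
        by_card[w.card].append(w)
    anomalies = {}
    for card, ws in by_card.items():
        ws.sort(key=lambda w: w.ts)
        start, peak_count, peak_cities = 0, 0, 0
        for end, w in enumerate(ws):
            while w.ts - ws[start].ts > window:   # drop events older than the window
                start += 1
            win = ws[start:end + 1]
            peak_count = max(peak_count, len(win))
            peak_cities = max(peak_cities, len({x.city for x in win}))
        if peak_count > max_count or peak_cities > max_cities:
            anomalies[card] = (peak_count, peak_cities)
    return anomalies


def cashout_alerts(changes, withdrawals, lead=timedelta(hours=24)):
    """High-confidence alert: a suspicious balance/limit change on a card
    followed, within `lead`, by a velocity anomaly on the same card.
    Returns the sorted list of card identifiers to block."""
    changed = suspicious_changes(changes)
    fast = velocity_anomalies(withdrawals)
    alerts = []
    for card in fast:
        if card not in changed:
            continue
        first_wd = min(w.ts for w in withdrawals if w.card == card)
        if any(timedelta(0) <= first_wd - c.ts <= lead for c in changed[card]):
            alerts.append(card)
    return sorted(alerts)


# Constructed sample data (not from the indictment): one ordinary payroll card
# and one card whose account was inflated and then cloned. All identifiers,
# cities and timestamps are made up.
T0 = datetime(2020, 1, 1, 12, 0)
SAMPLE_CHANGES = [
    AccountChange("card-legit", T0 - timedelta(days=3), "balance", 1800.0, 2400.0),
    AccountChange("card-cloned-01", T0 - timedelta(hours=6), "balance", 2000.0, 250000.0),
    AccountChange("card-cloned-01", T0 - timedelta(hours=6), "daily_limit", 500.0, 500000.0),
]
SAMPLE_WITHDRAWALS = [
    Withdrawal("card-legit", T0 + timedelta(hours=2), "Atlanta", 200.0),
    Withdrawal("card-legit", T0 + timedelta(hours=30), "Atlanta", 100.0),
] + [
    Withdrawal("card-cloned-01", T0 + timedelta(minutes=5 * i), city, 5000.0)
    for i, city in enumerate(["Moscow", "Tallinn", "Milan", "Hong Kong",
                              "Tokyo", "Toronto", "Kyiv", "Chicago"])
]

if __name__ == "__main__":
    print("velocity:", velocity_anomalies(SAMPLE_WITHDRAWALS))
    print("changes:", sorted(suspicious_changes(SAMPLE_CHANGES)))
    print("block these cards:", cashout_alerts(SAMPLE_CHANGES, SAMPLE_WITHDRAWALS))
```

Either signal alone produces noise (a genuine bonus payout, a traveller hitting two cities in a day); requiring the limit or balance change to precede the velocity anomaly on the same card is what turns it into an alert worth blocking on, and the thresholds are tuning parameters a real processor would set from its own baseline rather than the illustrative values used here.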
Eventually, though, these people got caught. The same applies to Gonzalez, who hacked into TJX and Heartland; the infamous Chao from Turkey; and many of their international collaborators.
As an unbiased observation, I’d say that law enforcement, which until six or seven years ago was nearly clueless about dealing with cybercrime and understanding the fraud ecosystem, has made huge strides and is focusing on the right things.
Well done, guys.