New york – In one of the biggest ever bank heists, a global cyber crime ring stole $45m from two Middle Eastern banks by hacking into credit card processing firms and withdrawing money from ATMs in 27 countries, US prosecutors have said.
New york – In one of the biggest ever bank heists, a global cyber crime ring stole $45m from two Middle Eastern banks by hacking into credit card processing firms and withdrawing money from ATMs in 27 countries, US prosecutors have said.The US Justice Department accused eight men of allegedly forming the New York-based cell of the organisation, and said seven of them have been arrested. The eighth, allegedly a leader of the cell, was reported to have been murdered in the Dominican Republic on April 27.The ringleaders are believed to be outside the United States but prosecutors declined to give details, citing the ongoing investigation. What’s clear is the sheer scope and speed of the crimes: in one of the attacks, in just over 10 hours, $40m was raided from ATMs in 24 countries, involving 36,000 transactions."In the place of guns and masks, this cyber crime organisation used laptops and the Internet,” Loretta Lynch, the US Attorney for the Eastern District of New York, said at a news conference. "Moving as swiftly as data over the Internet, the organisation worked its way from the computer systems of international corporations to the streets of New York City.”The case demonstrates the major threat that cyber crime poses to banks around the world. It also shows how increasingly international and sophisticated criminal gangs have become, particularly those using the Internet.Prosecutors highlighted the ‘surgical precision’ of these hackers, the global nature of their organisation, and the speed and co-ordination with which they executed operations in 27 countries.According to the complaint, the gang broke into the computers of two credit card processors, one in India in December 2012 and the other in the US this February. The companies were not identified.The hackers increased the available balance and withdrawal limits on prepaid MasterCard debit cards issued by Bank of Muscat of Oman, and National Bank of Ras Al Khaimah PSC of the United Arab Emirates, according to the complaint. They then distributed counterfeit debit cards to ‘cashers’ around the world, enabling them to siphon millions of dollars from ATMs in a matter of hours.In New York, for example, members of the cell fanned out into the city on the afternoon of February 19, armed with cards bearing a single Bank of Muscat account number. Ten hours later, they had completed 2,904 withdrawals for $2.4m in all, prosecutors said.Casher crews in other countries were busy doing the same, pulling some $40m from Bank of Muscat to add to the $5m they stole from RAKBANK in December, according to the indictment. In total, cashers made some 40,500 withdrawals in 27 countries during the two co-ordinated incidents.Prosecutors said the method of attack was known as ‘Unlimited Operations’ in the cyber underworld.Representatives for the two banks could not be reached for comment. In a statement, Mastercard said it had co-operated with law enforcement in the investigation and stressed that its systems were not involved or compromised in the attacks.In late February, Bank Muscat disclosed that it would take an impairment charge of up to 15m rials (about $39m) because it had been defrauded overseas by 12 prepaid debit cards used for travel. That charge was equal to more than half of the 25m rials profit it posted in its first quarter ended March 31.HIGHLY SKILLED HACKERSCyber experts said they believe the operation likely required the work of several hundred people, at least several of whom were highly skilled hackers capable of devising ways to penetrate well-protected financial systems."Hackers only need to find one vulnerability to cause millions of dollars of damage,” said Mark Rasch, a former federal cyber crimes prosecutor, based in Bethesda, Maryland.The group may have targeted Middle Eastern banks because they tend to allow customers to put much larger sums on cards and do not monitor them as closely as banks in other regions, said Shane Shook, the global vice-president of consulting for the security firm Cylance Inc."It’s a target-rich environment in terms of soft electronic security,” said Shook, an Arabic speaker who has spent more than a decade investigating cyber crimes.The case is similar to one in 2009 that targeted the prepaid debit-card unit of Royal Bank of Scotland, which lost more than $9m in less than 12 hours, said Jason Weinstein, a former federal prosecutor who supervised the Justice Department’s handling of that case.