RBS WorldPay: 8 Hackers Indicted in $9 Million ATM Theft

Expert: 'I Don't Think it Will Take a Big Bite Out of Crime'
RBS WorldPay: 8 Hackers Indicted in $9 Million ATM Theft

Eight members a hacker ring that made off with more than $9 million in a massive ATM fraud scheme last November were indicted in an Atlanta, GA courtroom this week.

See Also: Delving Deeper: 2023 Fraud Insights Second Edition

The eight men, all from eastern European counties, are accused of hacking into a computer system at RBS WorldPay, the U.S. payment-processing division of Royal Bank of Scotland Group. They then allegedly cloned prepaid ATM cards, which they used to draw out cash from 2,100 ATMs in 280 cities around the world within a couple of hours.

Sergei Tsurikov, 25, of Tallinn, Estonia; Viktor Pleshchuk, 28, of St. Petersburg, Russia; Oleg Covelin, 28, of Chisinau, Moldova; and a person known only as "Hacker 3" were charged in a federal grand jury indictment for hacking into a computer network operated by the Atlanta-based credit card processing company.

The 16-count indictment charges Tsurikov, Pleshchuk, Covelin and "Hacker 3" with conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud, computer fraud, access device fraud and aggravated identity theft. The indictment states the accused group used sophisticated hacking techniques to compromise the data encryption used by RBS WorldPay to protect customer data on payroll debit cards.

Igor Grudijev, 31, Ronald Tsoi, 31, Evelin Tsoi, 20, and Mihhail Jevgenov, 33, each of Tallinn, Estonia, were indicted for access device fraud.


The RBS WorldPay indictments may have stopped this small group of criminals, but the banking industry should not think that this is the end of this type of crime, say industry security and fraud experts.

"These hacking crimes are on par with bank robberies -- small groups of criminals running around looking for the next big heist," says Mike Urban, Senior Director Fraud Solutions at FICO. Urban notes the efforts of law enforcement to bring them to justice, saying we need more of that kind of international cooperation. "However, for every criminal who is picked up for prosecution, there are many more out there testing the industry's defenses."

Rick Howard, Director Security Intelligence at VeriSign's iDefense group, also gives a thumbs up to law enforcement's efforts to corner this group. "I think its great they got these guys. We don't applaud them (law enforcement) enough; they did a good job."

But he agrees that there are many more hackers out there trying to get in. "I don't think it will take a big bite out of crime," Howard says. "I don't think we can ever go back to 'normal.'"

In fact, says Gartner analyst Avivah Litan, "It can happen again, and it probably will." Litan sees no shortage of highly skilled and well educated criminals who have no legitimate work opportunities in their home countries and "therefore turn to what seems like 'harmless and bloodless' crime against the capitalist West as a way to leverage their skills and earn some money."

Internet Carding Operations Offline

The latest indictments may have caused at least three of the major underground carding websites to go dark, says Howard. Several high-profile carding communities have been inaccessible since late Monday and Tuesday as well. "Perhaps just coincidental? But the timing is odd," he says. The same thing happened when the Russian Business Network was taken down, he says. The carding sites and the criminals who operate on them may be regrouping and preparing to rebound, Howard notes.

Howard also says one of the men indicted on Tuesday, Oleg Covelin, was also indicted in September in connection with the New York-based "Western Express" cyber crime syndicate. Covelin could be linked to the same group with connections to the former Russian Business Network, Howard states. "We always speculated that members of that group would pop up somewhere else," he adds.

Howard describes the eight as being "typical cyber crime kings of the world. They are professional and way beyond the old model of 'script kiddies' hacking into a network for fun."

How Group Attacked RBS WorldPay

The group apparently studied the RBS network "for some time," says Gartner's Litan. "They understood exactly which tables they needed to access and which data they needed to modify to commit their crimes," she says. The RBS network configuration must have been relatively easy for them to navigate once they got in, and "It's likely they got in through malware or SQL Injection attacks," Litan notes. While she is not sure how they broke the encryption, but says what she is learning from forensic investigators, "Generally speaking, the criminals are taking over super-user accounts and gaining administrator privilege into these sensitive systems, in which case they have access to decrypted data," Litan says.

Who's Next?

The two latest, largest data breaches happened at RBS WorldPay and Heartland Payment Systems, so the obvious question is: Who will be next? The biggest bulls-eyes for hackers are painted on networks across the payments industry, says Gartner's Litan. She sees the bulls-eyes equally distributed across payment processors, Visa, MasterCard, AmEx and Discover, and the card issuing banks themselves. "The criminals will be relentless in finding, targeting and studying the network and database infrastructures and processes of those firms that have the most valuable data that can be turned into cash," she says. "Certainly, the ATM networks are a prime target."

Litan warns that the attacks are increasingly sophisticated, and there is no reason to think they will end soon. "I certainly don't see any reduction in the number and frequency of attacks," she says. "These attacks are not unbeatable however - with the right technology, policies and processes, most criminal activity can certainly be stopped. It's just a matter of bringing the right resources to bear in order to solve these thorny problems."

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.