POS Hackers Sentenced for Multi-Million Dollar Payment Card Data Theft

Two Romanian nationals have plead guilty for participating in an international, multimillion-dollar scheme to remotely hack into and steal payment card data from hundreds of U.S. merchants’ computers, including a great number of Subway restaurants. Federal prosecutors noted that the conspiracies involved more than 146,000 compromised cards and more than $10 million in losses.
Iulian Dolan and Cezar Butu agreed to serve seven year and 21 month prison sentences respectively. Dolan, 28, of Craiova, Romania, pleaded guilty to one count of conspiracy to commit computer fraud and two counts of conspiracy to commit access device fraud, while Butu, 27, of Ploiesti, Romania, pleaded guilty to one count of conspiracy to commit access device fraud. A third co-conspirator, Adrian-Tiberiu Oprea, is currently awaiting trial in New Hampshire. The defendants admitted in their guilty pleas, that during a period roughly from in or about 2009-2011, they participated in Romanian-based conspiracies, to hack into hundreds of U.S.-based computers to steal credit, debit and payment account numbers and associated data. They then used the stolen payment card data to make unauthorized charges on, and/or transfers of funds from, those accounts (or alternatively to transfer the stolen payment card data to other co-conspirators who would do the same).       
The official judgment is a warning signal to all operators concerning POS security and describes how the hackers carried out the scheme. According to the official judgement, Dolan admitted that he, along with Oprea, remotely hacked into U.S. merchants’ point of sale (POS) where customers’ payment card data was electronically stored.
“Specifically, Dolan first remotely scanned the internet to identify U.S.-based vulnerable POS systems with certain remote desktop software applications (RDAs) installed on them. Using these RDAs, Dolan logged onto the targeted POS systems over the internet. These were typically password-protected, so Dolan would attempt to crack the passwords, where necessary, to gain administrative access. He would then remotely install software programs called ‘keystroke loggers’ (or ‘sniffers’) onto the POS systems. These programs would record, and then store, all of the data that was keyed into or swiped through the merchants’ POS systems, including customers’ payment card data.”
The co-conspirators hacked into several hundred U.S. merchants’ POS systems. It was reported that Dolan stole payment card data belonging to approximately 6,000 cardholders and was aware that Oprea was engaged in similar conduct. Dolan would periodically remotely hack back into the compromised merchants’ POS system to retrieve the card data that he would transfer to electronic “dump sites,” where the data would then be used to make unauthorized chargers and transfers or sold to other conspirators.
“The Subway case is a clear indication that privileged and administrative accounts are increasingly targeted and used by criminals to steal sensitive information,” says Adam Bosnian, vice president of products, strategy and sales at Cyber-Ark Software www.cyber-ark.com.  “In this case, the attackers were able to simply do an Internet search for remote desktop applications that were used by the restaurants, and through simple password cracking techniques, they were able to gain administrative access to the systems.  This enabled them to easily steal sensitive financial information from unsuspecting customers.”
Bosnian contends that often sensitive accounts are protected by passwords that are too simple or default passwords that are rarely changed. This case is a warning to operators utilizing POS systems to shore up their security by taking steps to make their accounts more difficult to breach and therefore less attractive to hackers.
“These privileged and administrative accounts act as a gateway to any organization’s most sensitive information, which is why they’ve emerged as the primary target for attackers,” Bosnian continues, “The reality is that anyone with an Internet connection can search for, identify and target  remote applications that businesses rely on – the problem facing the industry is that there is not sufficient security and protection around the entry points to these applications. Once inside, attackers have free reign on the network. If you examine the list of the recent, high-profile data breaches that have plagued organizations, including Global Payments, the U.S. Chamber of Commerce, the Utah healthcare breach, etc…, the common denominator is that the attackers focused on gaining access to the privileged or administrative accounts.” 

This ad will auto-close in 10 seconds