Anatomy of the RBS WorldPay Hack

The four men whom a federal grand jury indicted this week for their alleged roles in a scam that stole millions of dollars from RBS WorldPay were no fools. The small crew of hackers had a distinct division of labor, operated with skill and efficiency and left one of the world’s larger banks holding the bag.


Viktor Pleshchuk, Sergei Tsurikov, Oleg Covelin and a fourth man, identified only as “Hacker 3,” pooled their talents, and with the help of a worldwide network of “cashers” in more than 280 cities, they were able to walk away with $9 million of RBS WorldPay’s money. The attack, detailed in a federal indictment announced Tuesday by the Department of Justice, illustrates clearly the level of organization and sophistication involved in ATM and payment-card fraud, as well as the difficulty banks face in guarding against these schemes.

The scam began simply and came together quickly. In early November 2008, prosecutors allege, Covelin discovered a vulnerability in the network of RBS WorldPay, a subsidiary of the Royal Bank of Scotland that handles payroll and other payment-processing transactions for companies around the world. Covelin took his find to Tsurikov, who in turn brought in Pleshchuk, the man who had the technical skills to exploit the vulnerability. Tsurikov allegedly acted as a kind of social director throughout the scheme, bringing together various people and matching each need with a skill set.

On Nov. 5, Covelin allegedly gave Pleshchuk a username and password for a server on the RBS network in Georgia. Once inside the RBS WorldPay network, the hackers, led by Pleshchuk, allegedly gained access to a database containing the account numbers and PINs of payroll debit cards that the company’s customers give to their employees in lieu of live paychecks or direct deposits. The cards allow employees to withdraw funds directly from ATMs, up to a pre-set limit, or buy merchandise from approved vendors.


The indictment does not spell out the exact structure of the database that the hackers allegedly compromised and makes no mention of encryption of the data set. But the attackers were able to get both the debit card account numbers and the PINs associated with those accounts. It is unclear whether the account numbers and PINs were stored together.

After getting that data, Pleshchuk, Tsurikov and Hacker 3 allegedly went in and jacked up the amount of money available on the debit cards and raised the withdrawal limits on the cards as well. The trio then sent 44 prepaid payroll card numbers and PINs to a pre-arranged network of “cashers.” Typically, someone in these networks takes the numbers and PINs and creates a fake card programmed with the data.

Then, just three days after the crew’s first foray into the bank’s network, on Nov. 8, cashers in 280 cities around the world began hitting ATMs, withdrawing predetermined amounts at each one and then moving on to another terminal. Within 12 hours, the crew had stolen more than $9 million from RBS WorldPay, a massive one-day loss even for a company the size of RBS.

Meanwhile, Pleshchuk and Tsurikov allegedly went back into RBS WorldPay’s network to monitor the activity while the cashers were making their rounds, ensuring that the mules did their jobs. The hackers were letting the cashers keep a sizable portion of their withdrawals (between 30 and 50 percent), so they wanted to know exactly how much money would be coming their way.

After the attack was over, Pleshchuk and Tsurikov allegedly went into the RBS WorldPay database logs and began deleting any information that would point to their scheme, according to the indictment. But the crew apparently didn’t do a very good job of covering its tracks.

Security officials at RBS WorldPay noticed the fraudulent transactions quickly and reported them to law enforcement. And now Pleshchuk, Tsurikov, Covelin and Hacker 3, along with four alleged co-conspirators, Igor Grudijev, Ronald Tsoi, Evelin Tsoi and Mihhail Jevgenov, are facing federal charges and several years in prison for their trouble.
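The cash-out pattern described above (a handful of cards hit in many cities within hours, for totals far above what the employer provisioned) is what a processor's fraud monitoring has to catch. The following is an added illustration, not code from the article or from RBS WorldPay, of a simple sliding-window check over constructed ATM withdrawal records; the card IDs, cities, amounts and the separately held provisioned-limit table are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real RBS WorldPay records). Each event is
# (card_id, ISO timestamp, city, amount). C1 mimics the cash-out pattern
# described in the article; C2 is ordinary use.
SAMPLE_EVENTS = [
    ("C1", "2008-11-08T01:05:00", "Atlanta", 500),
    ("C1", "2008-11-08T01:40:00", "Atlanta", 500),
    ("C1", "2008-11-08T02:10:00", "Moscow", 500),
    ("C1", "2008-11-08T03:30:00", "Tallinn", 500),
    ("C1", "2008-11-08T05:00:00", "Hong Kong", 500),
    ("C2", "2008-11-08T09:00:00", "Atlanta", 100),
    ("C2", "2008-11-09T18:00:00", "Atlanta", 60),
]

# Daily limit as originally provisioned by the employer, kept apart from
# the card database so that a limit raised by an intruder there does not
# silence the check (assumed design, not the article's).
PROVISIONED_DAILY_LIMIT = {"C1": 500, "C2": 500}


def _parse(events):
    by_card = defaultdict(list)
    for card, ts, city, amount in events:
        by_card[card].append((datetime.fromisoformat(ts), city, amount))
    for rows in by_card.values():
        rows.sort()
    return by_card


def flag_cash_out(events, window=timedelta(hours=12), max_cities=2):
    """Return {card_id: sorted reasons} for cards whose withdrawals inside
    any `window` span touch more than `max_cities` distinct cities or add
    up to more than the provisioned limit."""
    alerts = defaultdict(set)
    for card, rows in _parse(events).items():
        limit = PROVISIONED_DAILY_LIMIT.get(card)
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward
            span = rows[start:end + 1]
            if len({city for _, city, _ in span}) > max_cities:
                alerts[card].add("dispersion")
            if limit is not None and sum(a for _, _, a in span) > limit:
                alerts[card].add("limit_exceeded")
    return {card: sorted(r) for card, r in alerts.items()}
```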
