A New York state man has been sentenced to five years for an elaborate ATM skimming conspiracy that allowed him to steal at least $390,141 from victims.
Bogdan Rusu, 39, of Queens, NY, pleaded guilty to participating in the scheme, which used secret card-reading devices and pinhole cameras at various bank locations in New Jersey, Massachusetts and New York.
“Rusu and others captured payment card account information from customers as they accessed their accounts through automatic teller machines (ATMs) and then used that information to steal money from the customers’ bank accounts,” according to a Tuesday Department of Justice press release.
After obtaining the customer account information, including account numbers and personal identification numbers, Rusu “and others” would transfer the illegally obtained information to counterfeit payment cards. They then used those counterfeit cards to steal money from the accounts, according to the DoJ.
Rusu, a Romanian national, was part of a larger ATM skimming scheme that ultimately drained more than $868,000 from accounts. Eleven other defendants charged in this scheme have also pleaded guilty.
ATM theft is nothing new, though the attack vectors vary. In 2016, researchers discovered the Cobalt Group, a.k.a. Carbanak, which used phishing emails to infect targeted banks’ networks, then pivoted to individual ATMs and planted malicious code on them. In this way, the group was able to siphon over $1 billion from the financial industry.
In 2017, the FBI caught three men visiting ATMs in Wyoming, Colorado and Utah, stealing tens of thousands of dollars, with $24,000 from one machine alone. Surveillance camera footage from one attack showed the men opening the top of an ATM in order to physically deploy Ploutus.D malware. And in February 2019, two men were arrested and charged in Connecticut with using malware for jackpotting. The Department of Justice said a search of their vehicle revealed “tools and electronic devices consistent with items needed to compromise an ATM machine to dispense its cash content.”