Four Romanian nationals have been arrested in connection with a multimillion-dollar scheme to remotely steal payment card data from the point-of-sale systems of more than 150 Subway restaurants and other U.S. businesses, according to the U.S. Department of Justice.
The indictment, unsealed on Wednesday, charges the four with conspiracy to commit computer fraud, wire fraud and access device fraud.
Charged in U.S. District Court for the District of New Hampshire were Adrian-Tiberiu Oprea, 27, of Constanta, Romania; Iulian Dolan, 27, of Craiova; Cezar Iulian Butu, 26, of Ploiesti; and Florin Radu, 23, of Rimnicu Vilcea.
Authorities last week arrested Oprea in Romania, where he is still in custody. Dolan and Butu were arrested when they entered the U.S. in August and are still in custody.
Radu is still at large. There are more conspirators, but authorities appear to only know the online names of two of the missing conspirators: tonymontanamiami and marcos_grande6.
The DOJ claims that the thieves got their hands on the credit, gift and debit card data of more than 80,000 customers.
A POS system typically consists of a computer, a monitor, and a debit/credit card reader. Most also include an integrated credit card processing system, a signature capture device and a customer PIN pad device for entering passwords.
Although the indictment doesn’t identify the POS system used by Subway, Wired's Kim Zetter reports that the chain announced in January 2009 that it was deploying the Torex Quick Service POS in all of its 30,000 restaurants.
From roughly April 2008 until at least May 2011, the DOJ says, the suspects swiped credit card data from compromised Subway restaurant systems in New Hampshire, New York, California and elsewhere to charge millions of dollars' worth of purchases.
According to the indictment, this is how they did it:
- They remotely scanned the Internet to identify vulnerable POS systems with certain remote desktop software applications installed.
- They then logged onto the targeted POS systems, either by guessing the passwords or with password-cracking software programs.
- The conspirators then installed keystroke loggers onto the POS systems to record and store data that was keyed into or swiped through the merchants’ POS systems, including credit card data.
- They then installed a back-door Trojan into the POS systems to enable them to easily access the compromised POS systems in the future, to install or re-install additional hacker tools. The indictment charges the four with repeatedly downloading one particular hacker tool designed to evade detection, “xp.exe,” from the “kitsite.info” dump site onto the victimized merchants' POS terminals.
- The credit card data was then transferred back to dump sites—i.e., servers used for storage, some of which were located in Europe, some in the U.S.
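For defenders, the sequence in the indictment (repeated password guesses against remote desktop software, a successful logon, then an executable pulled onto the terminal) can be correlated in logs. The sketch below is an added example, not taken from the indictment or the original article; the log format, thresholds, host names and addresses are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune them to the environment being monitored.
FAIL_THRESHOLD = 5                    # failures before a success looks guessed
FAIL_WINDOW = timedelta(minutes=10)   # how long a failure stays relevant
FOLLOWUP_WINDOW = timedelta(hours=1)  # watch for tool downloads after logon

# Constructed sample events: timestamp host kind detail result
SAMPLE_EVENTS = """\
2011-03-01T02:10:01 pos-01 remote_logon 203.0.113.7 fail
2011-03-01T02:10:07 pos-01 remote_logon 203.0.113.7 fail
2011-03-01T02:10:13 pos-01 remote_logon 203.0.113.7 fail
2011-03-01T02:10:19 pos-01 remote_logon 203.0.113.7 fail
2011-03-01T02:10:25 pos-01 remote_logon 203.0.113.7 fail
2011-03-01T02:10:31 pos-01 remote_logon 203.0.113.7 fail
2011-03-01T02:10:40 pos-01 remote_logon 203.0.113.7 ok
2011-03-01T02:15:00 pos-01 download http://dump.example.invalid/xp.exe -
2011-03-01T09:00:00 pos-02 remote_logon 198.51.100.4 fail
2011-03-01T09:00:20 pos-02 remote_logon 198.51.100.4 ok
2011-03-01T09:05:00 pos-02 download http://vendor.example.invalid/update.exe -
"""

def parse(text):
    """Yield (time, host, kind, detail, result) tuples from the log text."""
    for line in text.splitlines():
        if line.strip():
            ts, host, kind, detail, result = line.split()
            yield datetime.fromisoformat(ts), host, kind, detail, result

def detect(text):
    """Flag guessed remote logons and executables fetched soon afterwards."""
    fails = defaultdict(deque)  # (host, source) -> recent failure times
    suspect_logon = {}          # host -> time of the guessed logon
    alerts = []
    for ts, host, kind, detail, result in sorted(parse(text)):
        if kind == "remote_logon":
            recent = fails[(host, detail)]
            while recent and ts - recent[0] > FAIL_WINDOW:
                recent.popleft()  # forget failures outside the window
            if result == "fail":
                recent.append(ts)
            elif len(recent) >= FAIL_THRESHOLD:
                suspect_logon[host] = ts
                alerts.append(("guessed_logon", host, detail))
                recent.clear()
        elif kind == "download" and detail.lower().endswith(".exe"):
            start = suspect_logon.get(host)
            if start is not None and ts - start <= FOLLOWUP_WINDOW:
                alerts.append(("tool_download_after_logon", host, detail))
    return alerts
```

On the constructed sample, only pos-01 is flagged; the single mistyped password on pos-02 and its later download stay below the threshold.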