Cyber attacks rob $45m from Gulf Banks

Faked RAKBANK and Bank Muscat credit cards used to take cash from ATMs in 27 countries in two co-ordinated attacks

The gang used faked pre-paid MasterCard debit cards to withdraw cash from ATMs.

The gang used faked pre-paid MasterCard debit cards to withdraw cash from ATMs.

Published Friday, 10 May 2013
By Mark Sutton

Two banks in the Gulf have been robbed of more than $45m by an international credit card hacking gang.

The gang hacked into the systems of several unnamed credit card processing companies, and used stolen card data to create counterfeit cards to withdraw cash from ATMs in as many as 27 countries, according to authorities in the US.

The hackers increased the available balance and withdrawal limits on prepaid MasterCard debit cards issued by the Bank Muscat of Oman, and National Bank of Ras Al Khaimah (RAKBANK) of the United Arab Emirates. Card data was then distributed to gangs in target countries, who used faked cards to withdraw large volumes of cash in two co-ordinated attacks.

The first alleged attack, using RAKBANK card data, took place in December 2012, with the gang making 4,500 transactions worth $5m across about 20 countries.

The second attack against Bank Muscat took place in February this year, with $40m stolen from ATMs in 24 countries through 36,000 transactions that took place in just ten hours.

It is thought Middle Eastern banks were targeted because they tend to allow higher withdrawal limits on cards.

In New York alone, members of the gang using cloned cards for a single Bank of Muscat account number made 2,904 withdrawals  from ATMs across the city, netting $2.4m in all.

The US Justice Department said it had arrested seven members of the New York operations of the gang, while an eighth suspect, the leader of the New York cell, was reported to have been murdered in the Dominican Republic on 27th April. The scale of the attacks mean that hundreds of people are likely to have been involved in withdrawing the cash from the ATM networks.

Law enforcement agencies in Japan, Canada, the UK, Romania and 12 other countries have co-ordinated efforts to investigate the attacks, Arrests had been made in other countries, but no details have been released at present.

In a statement, Mastercard said it had cooperated with law enforcement in the investigation and stressed that its systems were not involved or compromised in the attacks.

The New York cell had also taken steps to launder the stolen cash through a bank account in Miami, and buying luxury cars and watches.

"In the place of guns and masks, this cyber crime organisation used laptops and the Internet," US Attorney for the Eastern District of New York Loretta Lynch said at a news conference. "Moving as swiftly as data over the Internet, the organisation worked its way from the computer systems of international corporations to the streets of New York City."