Hackers accessed global banking with phony pet stores, lies

Criminals hoodwinked banks, credit-card networks and a payment-security firm while moving hundreds of millions of dollars, according to the U.S. government. It won’t be easy to stop it from happening again.

As U.S. prosecutors announced indictments Tuesday against a hacking ring linked to stock manipulation, gambling and fake pharmaceuticals, details emerged that made payments specialists wince. To move money through the global banking system, conspirators allegedly disguised recipients as pet-supply and dress stores. When financial firms raised alarms, the group feigned shock, paid fines and opened new accounts. And in a twist that turned heads, it even hacked a security company that was supposed to detect its ruse.

"Wow," said Julie Conroy, a security specialist at payments researcher Aite Group. "Shame on this firm for being a victim, because if you’re in that position you know the bad guys are coming after you."

The allegations illustrate the challenge facing banks and credit-card processors already under heightened pressure to detect suspicious transactions and thwart money laundering. Big banks around the world have pledged to step up their efforts, in some cases while paying billions of dollars in fines for past failings. Tuesday’s indictments show how quickly criminals are evolving to stay ahead.

Copying Tactics

“This is going to become much more common,"  said Al Pascual, director of fraud and security at Javelin Strategy & Research. “The level of complexity and sophistication here is very unique. But that being said, it’s not as though others aren’t trying to replicate it or are actively replicating these very steps."

The tactics for moving money were just one aspect of a larger crackdown Tuesday on cybersecurity breaches, including last year’s massive theft of JPMorgan Chase & Co. customer data. At the center of the indictments is Gery Shalon -- a 31-year-old Israeli from the Republic of Georgia. Prosecutors said he used hacking as the backbone of a criminal conglomerate that ran illegal Internet casinos and elaborate pump-and-dump stock schemes. After a July arrest, the U.S. is seeking his extradition to New York for trial. He couldn’t be reached Tuesday for comment.

Prosecutors didn’t identify any financial firms that unwittingly helped handle payments. Nor did they name the “merchant risk intelligence firm,” based in Bellevue, Washington, that was tasked with identifying whether recipients were sketchy. One Bellevue company fitting the description didn’t respond to phone calls and e-mails seeking comment.

Financial firms are supposed to be a bulwark against crime. Banks are required to know their customers and flag suspicious transactions to authorities. In this case, criminals wanted to accept money from credit and debit cards, then move the funds to accounts within their reach. But using cards requires clearance from a network such as Visa Inc. or MasterCard Inc. and the customer’s bank.

‘Squeezing a Balloon’

Prosecutors said Shalon and conspirators offered a solution. They allegedly set up a system that handled money for criminals while charging a fee on each transaction -- more than $18 million total. The group worked with "corrupt international bank officials," and developed other strategies that relied on dogged creativity, according to the indictment. No officials were identified.

For example, to collect money from U.S. gamblers, Shalon and conspirators coded transactions so that it looked like payments went to online stores selling pet supplies and wedding dresses, according to prosecutors. When card networks spotted illicit payments, they imposed millions of dollars in penalties on banks that let transactions slip through. Shalon and conspirators allegedly pretended they were unaware or surprised, reimbursed the banks, then set up more accounts.

“It’s like squeezing a balloon,” said Aite’s Conroy. “You squeeze them out of one part of the system but they will go and find opportunity somewhere else.”

The Bellevue security firm was supposed to flag merchants accepting payments for “unlawful goods or services," according to the indictment. Prosecutors said the defendants hacked into the company’s computer network to read e-mails and keep tabs on its efforts. The hackers figured out which credit and debit cards the company used to detect bogus merchants, then blacklisted those card numbers from Shalon’s network.

Knowing Customers

Security analysts said the case shows financial firms need to learn even more about their customers, including the merchants that accept their cards, and that regulators ought to consider changing rules to make it easier for firms to share information with each other about potential threats.

“You have to know who you’re doing business with," said Avivah Litan, a cybersecurity analyst at Gartner Inc. “Everyone is subject to sophisticated data breaches, none of us are immune. From the best banks to the worst to the watchdogs. Good criminals can break in anywhere."