Pentagon hacker Analyzer suspected of $10m cyberheist

Credit card scam exposed

Charges against notorious hacker-turned-suspected-cyber-fraudster Ehud Tenenbaum have expanded to include alleged fraud involving banks and credit card firms in both Canada and the US.

Ehud Tenenbaum (AKA The Analyzer), 29, was arrested in Canada last September on suspicion that he conspired with others to hack into the systems of financial services companies before transferring funds into pre-paid debit card accounts under the control of a cyberfraud crew. The group subsequently cashed out these accounts, making an estimated $1.5m in the process.

Tenenbaum is now suspected of hacking into two US banks, a credit and debit card firm and a payment processor as part of a global "cashout" conspiracy that resulted in losses of at least $10m, Wired reports.

Ten years ago and while still a teenager, Tenenbaum broke into unclassified computers run by NASA, the Pentagon, the Israeli parliament and Hamas. He was caught and convicted but managed to avoid jail, receiving only a suspended sentence and fine. Tenenbaum found work defending Israeli sites from cyber attack before dropping out of the public eye for several years.

He moved from France to Canada last year, spending five months in the country on a visitor's permit, before being arrested by police in Calgary along with three alleged accomplices. The group was suspected of hacking into the systems of Calgary-based Direct Cash Management, a distributor of prepaid debit and credit cards. The other suspects made bail, but Tenenbaum was detained in custody after US authorities served notice that they were compiling a case that may result in extradition proceedings against him.

Details of the likely US case against Tenenbaum have emerged for the first time after Wired obtained an affidavit filed with the Canadian court handling Tenenbaum's extradition case. The affidavit (PDF) details how a US Secret Service investigation into computer hacking covered early 2008 attacks against the websites of OmniAmerican Credit Union and Global Cash Card, a California distributor of prepaid debit cards.

In both cases SQL Server vulnerabilities were used to break into database systems and steal credit and debit card records, resulting in losses of $1m after these details were used to create counterfeit cards that were then used to withdraw money from bank ATMs. The same approach was used to inflict losses of $3m on 1st Source Bank in Indiana and Symmetrex, a prepaid debit card processor, following hacking attacks in April and May 2008.

Investigators traced these attacks back through servers at HopOne Internet to systems at Dutch web hosting company LeaseWeb, where the assault was thought to originate. A warrant was obtained to intercept traffic running through the suspected cybercrime server at LeaseWeb. The evidence obtained, including web chats between the suspected hackers, led police to suspect Tenenbaum of involvement in the case, Wired reports.

On April 18, 2008, authorities say Tenenbaum gave a co-conspirator the compromised debit and credit card account numbers of more than 150 accounts taken from Symmetrex, as well as the computer commands he had used to execute the attack. Then, throughout the night of April 20, he received updates from accomplices in Russia and Turkey as they successfully withdrew cash from ATMs, and from Pakistan and Italy, where the cards apparently failed to work. The next day, more cards were used in Bulgaria, Canada, Germany, Sweden and the United States. By late afternoon that day, Tenenbaum told an accomplice he had racked up about "350 - 400" in earnings. The affidavit notes that this likely referred to 350,000 to 400,000 dollars or euros.

According to investigators, intercepted communications show that Tenenbaum had admin access to systems on the 1st Source Bank network that allowed him to view ATM outputs as well as credit card numbers. The hacker identified as Tenenbaum went on to brag that he had broken into systems at Alpha Bank in Greece a month later, in May 2008.

Tenenbaum was director of a computer security consultancy called Internet Labs Secure, based in Montreal. IP addresses registered to the firm were used to access a Hotmail account - Analyzer22@hotmail.com - linked to the hacking sessions and recovered from the Dutch server. This account was registered using Tenenbaum's real name and birthday, as well as incorporating his infamous hacking handle.

Attempts to access the compromised Global Cash Card network to check, and in some cases attempt to increase, the available balances of compromised cards were also traced back to the network at Internet Labs Secure. Tenenbaum was also caught on camera at an ATM attempting to withdraw funds from one of the compromised Canadian accounts, local detectives told Wired.

Investigators blame Tenenbaum for masterminding a hacking spree that resulted in fraudulent losses of more than $10m though, as Wired notes, the declared value of the attacks against OmniAmerican, Global Cash Card, 1st Source Bank and Symmetrex comes to just $4m.

The case illustrates the growing number of incidents in which hackers have gained access to prepaid payroll and gift card systems before creating counterfeit cards and withdrawing huge sums. A breach at payment processor RBS WorldPay last November, for example, resulted in losses of $9m. ®

Biting the hand that feeds IT © 1998–2021