Boston Gang May Be Behind Car-Wash Credit-Card Thefts
At some car washes, it wasn't just the cars that were getting cleaned out: Members of a Boston street gang were allegedly logging into the computerized cash registers of car washes across the United States, stealing credit card data and using the cloned cards to transfer money to prepaid gift cards.
The dirt on this squeaky-clean case was unearthed last month, when a South Carolina sheriff's department contacted police in Everett, Massachusetts, because a South Carolinian's credit card had been fraudulently used several times at a Dollar Store in Everett.
MORE: Best Android Antivirus Software 2014
Detective Michael Lavey of the Everett police department found that a few people were visiting Dollar Stores in and around Everett, always in pairs. They would routinely purchase $500 in prepaid gift cards, paying with several different credit cards until one of the credit cards was approved, Lavey told independent security expert Brian Krebs.
Lavey posted store security footage online, but the suspected bandits behind this money-laundering scheme weren't caught until one ended up in a Boston hospital, having been stabbed in an unrelated robbery.
Police recognized the man, allegedly a member of a local Bloods gang, from the security tapes. When his bloody pants were confiscated as evidence, police found a large number of credit cards in the pockets.
Lavey found at least one card had been cloned from a card whose data had been stolen from a Splash Car Wash in Connecticut. This led Lavey to connect with Monroe, Connecticut police detective Michael Chaves.
Chaves had been investigating card-data thefts at 14 car washes in Connecticut. He discovered many of the car washes used an outdated version of a point-of-sale software system developed by Randolph, New Jersey-based Micrologic Associates — and which could be accessed via the aging pcAnywhere remote-desktop software, sold until last month by Symantec.
Micrologic had created default pcAnywhere login credentials for its products, but many clients never changed the defaults, which stayed the same for years, Chaves told Krebs.
Hacking the point of sale
Not all of the 40 or so car washes compromised nationwide were using Micrologic point-of-sale software, Micrologic President and CEO Miguel Gonzalez told Krebs. Gonzalez added that Micrologic had urged its customers to stop using pcAywhere and to use multi-factor authentication instead of a single password.
So did the crooks use these default credentials to break into the point-of-sale devices and steal the credit card data stored on them? Gonzalez claims the criminals were actually using a software flaw in unpatched versions of Symantec's pcAnywhere. (The source code for pcAnywhere was stolen in 2006 and subsequently exploited; Symantec patched the vulnerabilities in 2012.)
"Whether the crooks are exploiting software vulnerabilities or weak/default credentials in this case, security experts routinely advise companies to avoid using remote administration tools on point-of-sale devices," Krebs wrote in his report.
He added that remote-access software is frequently the backdoor through which criminals access point-of-sale devices.
A new kind of crime
Lavey told Krebs that this kind of multi-state credit card fraud is on the rise — and the those behind it are not Eastern European hackers, but home-grown petty criminals who've discovered less violent, more lucrative forms of theft.
"Honestly, the fact that we still have bank robberies is sort of perplexing," Lavey told Krebs. "Rob a bank, and you're lucky if you get away with $600. But you can rob a credit card company, and all the banks are afraid to have their name associated with a case like this, and they quickly reimburse the victims."
Email jscharr@tomsguide.com or follow her @JillScharr and Google+. Follow us @TomsGuide, on Facebook and on Google+.
Copyright 2014 Toms Guides , a TechMediaNetwork company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
