Talk about a huge to-go order: Federal authorities arrested four Romanian nationals in connection with a sophisticated multimillion-dollar cybercrime scheme against Subway restaurants and other retailers.
The indictment, obtained by Wired, alleges that from about April 2008 until May 2011, the defendants remotely hacked into the point-of-sale checkout terminals at more than 150 Subway restaurants, including ones in Plaistow, N.H., East Northport, N.Y., Ocala, Fla., Tulare, Calif. and Fairborn, Ohio. The suspected crooks implanted keystroke loggers and Trojans on the point-of-sale machines, which were connected to the Internet, and used the hacking devices to steal more than 80,000 customers' credit-card details. The suspects allegedly tapped into the point-of-sale terminals of 50 other retailers as well.
The suspected cybercriminals harvested victims' payment information and stored it on several "dump sites" hosted by the domain-name company GoDaddy. They then transferred the swiped credit-card data to FTP sites, where they could share it with overseas computers they controlled. The suspects used the details to create fraudulent credit cards and make "unauthorized charges with various merchants, primarily located throughout Europe," the indictment reads.
The defendants, Adrian-Tiberiu Oprea (age 27), Iulian Dolan (27), Cezar Iulian Butu (26) and Florin Radu (23), were charged with conspiracy to commit computer fraud, wire fraud and access-device fraud. They face a maximum of five years in prison for each count of conspiracy to commit computer-related fraud, 30 years for each count of conspiracy to commit wire fraud and five years for each count of conspiracy to commit access-device fraud. Oprea, Dolan and Butu are all in custody; Radu is still at large.