Cybercrime Gang Robbed ATMs, Used Old School Mafia Security... Still Got Busted

September 8, 2016


Other than criminal history buffs and cops, few know much of the pizzino, a slip of paper containing messages meant only for the upper echelons of the Sicilian Mafia.


One gang, however, decided to use the pizzino to share secret messages over Skype about their ATM theft and prostitution racket, FORBES has been told. And yet, despite its supposed security, the crooked operation was blown wide open this week, thanks to old-fashioned policing techniques: wiretapping and physical surveillance.


Their tactics appeared sensible. Whilst not considered the most secure comms app, Skype is difficult to wiretap (possibly impossible, Microsoft has claimed in the past). And as video conversations aren’t recorded by the tech giant, any subpoena may prove unfruitful. Just in case the police were watching, gang members also used a code language, with words only shown via a pizzino held up to the camera, according to Europol. For instance, the word “shirt” meant “skimming” – where devices were planted on ATMs for stealing credit card data. The word “cookies” related to the production of counterfeit payment cards.


But the alleged crooks were guilty of some rookie errors, according to what police agencies told FORBES. Though their Skype techniques may have succeeded in avoiding any wiretapping, the cops were snooping on standard telephone lines, tracking suspects on the streets of Milan and gathering open source intelligence from online profiles.


Without the need for any risky spyware, and using those old school techniques, the police were able to gather information on the gang’s use of the pizzino, their “secret” language and other aspects of their enterprise, according to Salvatore La Barbere, head of the Milan Polizia Postale e delle Communicazioni, one of Italy’s major cybercrime investigative agencies. The suspects, it appeared, were talking a little too openly about their security measures.


The investigation led to the arrest of four individuals in Italy and another 10 in Romania, FORBES understands, the result of a coordinated investigation led by Europol, the Italian agency and Romania’s DIICOT agency. The latter yesterday named a Mihai Nazare as one of those arrested, claiming he was one of, if not the main coordinator. His nickname was “Mosu”, which translates to either “Santa” or “old man”. He was said to have “connections in the most important groups of underworld.”


Searches across Italy and Romania turned up plenty of tech: card readers, magnetic strip readers and writers, and thousands of plastic cards ready to be encoded with stolen credit card data. Thousands of euros and Romanian leu in cash were also seized, as seen in the official DIICOT video below.


As for the prostitution, the crew trafficked young women in from across Europe. They’d pimp them out in clubs in Milan, Monza and Switzerland, a Europol spokesperson confirmed to FORBES. La Barbere told me the crew had made around €70,000 from their ATM thefts, whilst they sold prostituted women for as much as €300 a night.


Europol estimated the losses caused by the group in the hundreds of thousands of euros.

The group were also said to be phishing people, tricking them into handing over bank details via email so they could clone cards. As well as withdrawing stolen money from cash machines, the crooks also purchased shoes and clothes with victims’ funds, Romanian police said.


Shimmer and steal

Since 2013, the gang were using an increasingly problematic form of ATM theft device: the shimmer. Unlike a skimmer, which is hidden on the facet of the machine, the shimmer is hidden right inside the card slot, making it much harder to detect.


Coincidentally, FORBES recently obtained a video showing a Romanian putting together a particularly crafty shimmer, which could be slotted into an ATM with an altered credit card.


Here’s the translation of what the narrator is saying, kindly provided by Catalin Cosoi from Romanian cybersecurity firm BitDefender:


We have to use an original credit card with a chip, to be able to insert our device in the ATM machine.

We stick double-side adhesive tape on the credit card, and we cut out a small part of the credit card in the right side and the left side.

We carefully stick the device on the credit card and bend it over the corners starting from the top.

We insert the card in the ATM machine while holding the front side with our fingers to avoid detaching the device from the card.

We test the ATM machine to check if it works normally or if it detects any suspicious activity. If the ATM machine asks for the PIN code, then the device will not be detected. We cancel the transaction and remove the card with the device on it. We apply super glue adhesive to the device, over the part where we initially placed the double-side adhesive tape and insert the card again.

We press the credit card up while holding it from its back side to make sure that the device sticks and remains inside the ATM machine, then wait for 10-15 seconds. After it gets stuck, we remove the card and the device will be successfully inserted in the machine.

In the second scenario, we have to cut a small piece of the card to make sure the credit card won’t get stuck in the machine. Cut a rectangular-shaped hole in the middle side of the credit card.


The video was sent to me from Alex Holden, who has spent years earning his keep by keeping an eye on fraudsters operating in the murkier areas of the web. Though one shimming crew has been taken down, with so many tutorials doing the rounds expect the techniques of ATM hackers to only improve. With any luck banks will be keeping up too.

Previous Article
Are all IoT vulnerabilities easily avoidable?
Are all IoT vulnerabilities easily avoidable?

Next Article
How one of the biggest data thefts in US history could have been stopped by basic security
How one of the biggest data thefts in US history could have been stopped by basic security

Security Gaps, Network Intrusions. IoT, The Unusual Suspect.

Watch the Video