Hackers get rich at the car wash
Some might call it a card wash: Thieves obtain free gift cards by re-encoding data from credit card accounts compromised at merchants, including car washes nationwide.
Earlier in June, police in Everett, Massachusetts arrested a local man named Jean Pierre for possessing nine stolen credit card accounts. His case exemplifies the racket.
In May, the Everett police department received a complaint from a sheriff’s department in South Carolina about a resident who’d had his credit card account used repeatedly for fraudulent transactions at a Family Dollar store in Everett.
Everett PD Detective Michael Lavey asked a retail clerk if he knew any of the individuals captured in store security camera footage at the date and time of the fraudulent transactions. The clerk said the suspects had been coming in for months — several times each week — always purchasing gift cards.
"Not long after Lavey posted snapshots from the video footage on a state-wide police network, he heard from an officer in Boston who said a suspect resembling one of the men in the photos was recently questioned at a city hospital after being stabbed in the legs and buttocks in an unrelated robbery," Krebs writes. "The assailant in that attack was arrested, but his victim — Jean Pierre — refused to answer questions about the incident. The police seized Jean Pierre’s pants as evidence in the assault case, and discovered numerous prepaid cards in the pockets of the trousers."
Lavey then subpoenaed Pierre's credit card records. He was able to determine that at least one of the cards had been stolen from Splash Car Wash in Connecticut.
"In effect, thieves were buying stolen cards to finance the purchase of gift cards, some of which would later serve as hosts for new stolen card data once their balance was exhausted," Krebs reports. "The cops call it money laundering, but in this case it might as well be called card washing."
Lavey teamed up with a detective from the police department in Monroe, Conn., who had been investigating card breaches at 14 separate car washes, including the Splash case.
It was determined that the local company was but one of at least 40 car washes across the country that had been hacked and relieved of customer credit and debit cards since at least February 2014.
They were all using the same point-of-sale systems made by Micrologic Associates. "The devices had remote access via Symantec’s pcAnywhere enabled, access that was granted to anyone who knew the same set of default credentials," Krebs writes.
Micrologic President and CEO Miguel Gonzalez said that only about one-third of the 40 or so car washes were running Micrologic point-of-sale software; the rest, he said, were using products made by other software vendors.
He said the attackers appear to have been targeting vulnerabilities in outdated versions of the software — not merely abusing default credentials.
In 2012, Symantec acknowledged that hackers had stolen the source code to the popular remote access software.
Card wash perps increasingly are U.S. street gang members. Pierre is a member of the Bloods.
“They’re starting to work smarter, not harder. Individually, this card fraud doesn’t meet the threshold where the federal government is going to say ‘Hey, let’s grab these guys.’ Locally, they’re doing it across broad jurisdictions and jumping from state to state and coming away with hundreds of thousands of dollars,” Lavey said.
Original Report:
krebsonsecurity.com/2014/06/card-wash-card-breaches-at-car-washes/




