Cyber gang behind £1.25m 'KVM' bank fraud convicted

Members of a cyber crime gang that stole more than £1.25 million from Barclays Bank using a 'KVM' device have been convicted at Southwark Crown Court.

Arrests made by PCeU after phishing campaign investigation
Arrests made by PCeU after phishing campaign investigation

The gang gained notoriety last year when they launched three cyber attacks on Barclays and Santander bank branches, using a keyboard, video, mouse (KVM) switch device to try to access bank accounts remotely. Details of their attacks have now been revealed, including the police raid that caught gang members red-handed trying to access online bank accounts.

In verdicts returned on 13 March at the Southwark court, 25-year-old Lanre Mullins-Abudu (pictured) and Steven Hannah, 52, were convicted for their parts in the cyber crime. Mullins-Abudu was found guilty of conspiracy to commit fraud, two counts of conspiracy to steal, possession of articles for use in fraud, and concealing criminal property. Hannah was found guilty of conspiracy to commit fraud, and had previously pleaded guilty to possession of Crystal Meth Class A drugs with intent to supply.

A third man. Duane Jean-Jacques, 25, was found not guilty of conspiracy to steal and concealing criminal property.

A total of 11 other men have already pleaded guilty at earlier court hearings to their role in the crimes. And following the latest convictions, details have now emerged of how the attacks were carried out, and the arrests.

The first attack took place on 4 April 2013 when Darius Bolder, 34, got inside Barclays' back office, enabling the gang to access the IT system at the bank's Swiss Cottage branch. They used a KVM device to transfer out over £1.25 million. Barclays reported the attack the same day and recovered more than £600,000.

The Met Police's Central e-Crime Unit (PCeU) were called in and began investigating. But on 17 July, 32-year-old Dean Outram managed to access computers at a Lewisham branch of Barclays where £90,000 was stolen. Barclays again reported the attack and this time the MPS recovered the KVM switch.

Then, on 12 September last year, the gang were caught in the act of trying to steal from Santander Bank. Outram got into Santander's Surrey Quays branch and fitted a KVM switch. Meanwhile Mullins-Abudu and Asad Ali Qureshi, 26, tried to access the Santander banking system to transfer what police believe would have been substantial funds.

But Met Police detectives, supported by Territorial Support Group officers, raided a property in Hounslow and arrested Mullins-Abudu, Qureshi and eight other gang members, and recovered computers that were logged into the KVM and Santander bank accounts. No money was stolen and Outram was arrested nearby, having left the bank.

In earlier hearings, on 13 January Bolder pleaded guilty to fraud and conspiracy to steal and Qureshi pleaded guilty to conspiracy to money launder, while on 18 December 2013 Outram pleaded guilty to conspiracy to steal.

Mullins-Abudu and Hannah were also involved with seven other men in stealing more than £1 million in a fraud that involved using SIM cards to make automated ‘spoof caller-ID' calls to victims purporting to come from their bank's phone number, and fooling them into providing their personal details and PIN numbers.

Industry experts believe there are lessons to be learned from the convictions – including guarding against the social engineering aspect of cyber attacks that many organisations ignore.

PA Consulting information security expert Mark Stollery told SCMagazineUK.com: “It's a very important reminder that cyber security is not just about equipment - because crucial to this case was somebody conning their way in to have physical access to very important systems holding large amounts of critical data. There was an element of social engineering which is not something that many organisations automatically think of when they think about cyber security.”

Stollery added: “Computers don't go wrong by themselves and if the gang had not had direct access to plug their KVM device into the systems of the banks, this massive potential theft – quite big as it was – simply would not have happened.”

Adrian Culley, a former Met Police Computer Crime Unit detective and now a global security consultant with Damballa, also highlighted social engineering among the multi-pronged attack used by the gang.

He told SCMagazineUK.com via email: “It is interesting that this significant serious and organised crime gang deployed such a range of methods. The techniques they used included social engineering, backed up with caller-ID spoofing, hardware attacks and old-fashioned physical theft of post and credit cards.”

Culley added: “In this context, successful prosecutions represent an encouraging success for both the police and their industry partners. Both policing and commercial cyber security are evolving to match a multi-faceted threat posed by organised crime.”

In a media statement Alex Grant, managing director of fraud prevention at Barclays, said: “We are grateful to the Metropolitan Police for their support in bringing this matter to court and achieving a successful outcome. Barclays has no higher priority than the protection and security of our customers against the actions of would-be fraudsters. We identified the security breach and acted swiftly to recover funds on the same day, thereby ensuring no customers suffered financial loss as a result of this action.”