A California man pleaded guilty this week in federal court to charges related to hacking into point-of-sale systems in Subway restaurants around the country.
Shahin Abdollahi, aka Sean Holdt, 46, of Lake Elsinore, California, pleaded guilty before U.S. District Judge Richard G. Stearns in Massachusetts to one count of conspiracy to commit computer intrusion and wire fraud and one count of wire fraud. His co-conspirator, Jeffrey Wilkinson, 37, of Rialto, California, pleaded guilty on Feb. 27.
According to authorities, Abdollahi owned Subway franchises in southern California from 2005 to 2008. He later operated a company called ‘POS Doctor’ that sold and installed point-of-sale (PoS) systems for Subway franchises across the country.
Beginning in roughly 2011, Abdollahi and Wilkinson conspired to remotely hack into PoS systems at Subway restaurants. The two hit at least 13 Subway PoS systems that Abdollahi had sold through POS Doctor and fraudulently added at least $40,000 in value to Subway gift cards. Abdollahi and Wilkinson then used the fraudulent gift cards to make purchases at Subway. Wilkinson also sold fraudulent gift cards to others using eBay and Craigslist.
“Point of sale systems that process debit and credit cards are still being attacked with an increasing variety of malware,” Curt Wilson, ASERT analyst at Arbor Networks, blogged recently. “Over the last several years PoS attack campaigns have evolved from opportunistic attacks involving crude theft of card data with no centralized Command & Control, through memory scraping PoS botnets with centralized C&C [command and control] and most recently to highly targeted attacks that require a substantial amount of lateral movement and custom malware created to blend in with the target organization.”
The Retail Industry Leaders Association (RILA), which is composed of businesses such as Walmart and Target, recently announced the formation of the Retail Cyber Intelligence Sharing Center (R-CIS) to better identify and respond to cyber attacks.
“Point-of-sale malware operators have varying degrees of sophistication, and they are indiscriminately targeting retail organizations both large and small,” said Tom Cross, director of security research at Lancope. “All they want are credit card numbers and they’ll take them anywhere they can find them. If one retailer discovers attacks against its networks, it can be very important to share information about those attacks with other retailers. This sort of information sharing will uncover other attack activity.”
Abdollahi is scheduled to be sentenced Aug. 6. Wilkinson is scheduled for sentencing May 28.