Two Charged in Hacking Subway Restaurant Point-of-Sale Systems in Fraud Scheme

Federal authorities have charged two California men with remotely hacking into the computerized cash registers of various merchants to obtain fraudulent gift cards.

An indictment against Shahin Abdollahi, aka “Sean Holdt,” 46, of Lake Elsinore, Calif., and Jeffrey Thomas Wilkinson, 35, of Rialto, Calif., was unsealed March 15. It charged the men with one count each of conspiracy to commit computer intrusion, wire fraud and one count of wire fraud.

POS systems have increasingly come under attack of late. In December, researchers at Seculert noted that a piece of malware known as ‘Dexter’ has been used in hundreds of attacks in the last few months of 2012. In addition, two Romanian nationals pleaded guilty in September to participating in an international, multimillion dollar plot to hack into POS systems and steal payment card information.

According to the indictment in the recent case, Abdollahi owned Subway franchises in southern California between 2005 and 2008. He later created a California company called ‘POS Doctor’ that sold point-of-sale (POS) computer systems to Subway restaurant franchises around the country.  POS systems are a type of computerized checkout register that allows merchants to manage customer purchases made by credit, debit and gift cards, the U.S. Department of Justice noted in its announcement of the charges.

According to authorities, starting in roughly 2011, Abdollahi and Wilkinson worked together to remotely hack into POS systems in Subway franchises, accessing at least 13 of the POS systems Abdollahi sold through POS Doctor. Using the gift cards, the duo fraudulently added at least $40,000 in value to Subway gift cards and used them to make purchases at Subway. Wilkinson also allegedly sold fraudulent gift cards to others using eBay and Craigslist, according to the indictment.

 The case was investigated by the US Secret Service and is being prosecuted by Trial Attorney Mona Sedky of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorney Adam J. Bookbinder of the District of Massachusetts.