Sophos News

Gas pump malware tricks customers into paying for more than they pump

Russian authorities have uncovered a massive fraud ring that installed malicious software at gas pumps, making customers think they were getting more fuel than they were. In fact, they were pumping up to 7% less than they were being charged for, according to Russian news source Rosbalt.
On Saturday, Russia's Federal Security Service (FSB) arrested the alleged mastermind, Denis Zaev (alternatively identified as Denis Zayev by various outlets), in Stavropol, Russia, on charges that he created several software programs designed to swindle gas customers.
An unidentified source in law enforcement told Rosbalt that this is one of the largest such frauds detected by the FSB. The malware was discovered at dozens of gas stations, where customers were getting ripped off without noticing a thing:

A giant scam covered almost the entire south of Russia, [where the malware was] found in dozens of gas stations in the Stavropol Territory, Adygea, Krasnodar Territory, Kalmykia, a number of republics of the North Caucasus, etc. A whole network was built to steal fuel from ordinary citizens.

The source said that Zaev is believed to have developed and created several of these programs. It was a unique product, the source said: the malware couldn’t be detected, be it by oil company control services that continually inspect filling stations or by employees of the Ministry of Internal Affairs.


At any rate, the FSB reportedly said that after creating his “perfect” malware, Zayev/Zaev began to offer it to employees of gas stations. Sometimes, he played the part of software salesman. Sometimes, he would also dip into the stolen funds to take his own share.
His alleged profits were worth hundreds of millions of rubles. 1m rubles is worth about USD $17,700.
The malware caused the gas pumps, cash registers and back-end systems to display false data. It was also able to cover its tracks.
It worked like so: every morning, employees would come up with a pretext to leave one of a station’s reservoirs empty – for example, under the pretense of cleaning. When a customer bought gas, the program automatically shortchanged the customer by between 3% and 7% of the gas purchased. But the gas pump itself would show that the entire volume of purchased gas had been pumped into the tank. The stolen gasoline was automatically sent to the tank that the attendants had left empty that morning.
This isn’t the first time we’ve seen crooks targeting gas stations.
A few years back, we saw a spate of Bluetooth-enabled, banking-data-gobbling skimmers installed at gas stations in the Southern US.
Eventually, 13 alleged thieves were charged with forging bank cards using details pinged via Bluetooth to nearby crooks from devices that were impossible for gas-buying customers to detect, given that the skimmers were installed internally.
We’ve also seen more analog skimmers attached to ATMs, such as the crudely glued-on card catchers that leave thieves hanging around the machine, pretending to look innocent, as they wait to snatch the cards after victims give up on ever getting them back.
True, the Bluetooth skimmer was installed internally, making it tougher to spot than the glued-on kludge of a card catcher. It still presented a problem for the thieves, though: using Bluetooth meant the skimmer still relied on the thieves hanging around nearby, given the limited range of this wireless technology. It also meant that anybody else using Bluetooth in the vicinity could get an eyeful of “Oooo, payment card details up for grabs!”
Last year, New York City police also started to see a new sort of skimmer on gas pumps that cuts the Bluetooth tie, instead relying on wireless GSM text messages to get card details to the crooks anywhere in the world.