Socially Engineered Into Stealing $500,000 From a Casino
A cashier at a Colorado casino is accused of stealing half a million dollars in cash after allegedly being duped by phone calls and text messages from imposters posing as her bosses. She sits in a Colorado jail while the money is long gone. It appears to be a case of creative social engineering by miscreants who have disappeared into the wind.
The cashier, Sabrina Eddy, worked at the Monarch Casino Resort and Spa in Black Hawk, Colorado, which is located outside of Denver. Available evidence points to Eddy committing the crime—but was she a willing participant or the targeted individual of a well-orchestrated heist involving social engineering?
The operation was not exactly an Oceans 11-type escapade. Nonetheless, it required considerable reconnaissance into the money-handling processes and procedures at the casino, identification of the key individuals responsible for handling cash, and the schedules and whereabouts of personnel and when personnel coverage would be at a minimum. All of that would be difficult to accomplish without the help of an insider. Was that insider Eddy? Or was it another individual who identified Eddy as a target who could be manipulated?
The Crime
The Carson City Daily Record, quoting from the affidavit used to charge Eddy, detailed how the casino’s surveillance cameras captured images of Eddy putting $50,000 bricks of money into a box. As we all are aware, there isn’t a centimeter of turf within a casino that isn’t covered by a surveillance camera. The cameras also observed Eddy making multiple trips from the casino’s cash room to “[load] the money into a gold-colored minivan,” the affidavit said.
She then drove to St. Anthony’s Hospital in Denver where she was met by an unidentified man to whom she handed the money.
The Colorado media outlet News9 quoted Ron Kammerzell, a former head of the Colorado Division of Gaming who now works as a regulatory consultant, as saying, “For something like that to happen, it would’ve had to defeat a number of different levels of casino controls within the property.”
Manipulated by Social Engineering?
Eddy claimed she was contacted by text message from an individual she believed to be a trusted senior employee from within the casino. This person instructed her to gather the money and deliver it as instructed for payment to a lawyer assisting the casino. The time was 00:45 hours, or 12:45 a.m., when the number of casino personnel would be at a minimum and the ability to inquire up the chain of command reduced. The perps had done their homework.
The key elements of a good social engineering job were at play – vulnerability (Eddy was targeted specifically, why?); credibility and believability (by the target, Eddy); urgency (do it now), believability (pay a lawyer) and then handholding Eddy through the entire escapade from theft to delivery.
After successfully delivering the bag of money to the unidentified individuals, Eddy tried to reach out to these same individuals, but her phone calls went unanswered. It’s thought that the individuals used burner phones which they had configured to spoof people associated with the casino. She then contacted the casino to tell them that she was on her way back, adding she believed she may have done something wrong and was fearful of arrest.
Her fears were realized; she was arrested.
Lessons Learned
To those who deal with cybercrime on a regular basis, this feels like the same scenario used in business email compromise scams, except it is brought from the street and uses text and phone calls to engage the target instead of email. CSOs and CISOs, especially those that work for entities with a good deal of cash on hand, may wish to highlight this incident to employees and reinforce the process and procedures for dealing with cash. The casino no doubt has controls in place, as noted by Kammerzell, one of which is the two-party rule. Had there been two people signing off on the cash transfer, this operation would have been killed the moment Eddy put her hands on the cash blocks in the cashier room.
Image Source: dollars–nikolay-frolochkin–pixabay Pixabay License
