Two US citizens have been arrested for allegedly conspiring with Russian hackers to hack the John F. Kennedy International Airport (JFK) taxi dispatch system to move specific taxis to the front of the queue in $10 exchange fee.

The taxi dispatch system is a computer-controlled system that ensures that taxis are dispatched from the airport waiting area to collect the next available fare at the appropriate terminal.

Usually, taxis have to wait several hours in the parking lot before the dispatch system calls them.

This system was put in place to maintain a fair operating environment for taxi drivers in an area where the demand for their services is high.

Hack Dispatch System

According to the unsealed indictment released yesterday by the US Department of Justice, two men, Daniel Abayev and Peter Leyman, with the help of Russian hackers, breached the JFK taxi dispatch system between September 2019 and September 2021.

Starting in 2019, ABAYEV and LEYMAN explored and attempted various mechanisms to gain access to the dispatch system, including bribing someone to insert a USB drive containing malware into computers connected to the dispatch system, gaining unauthorized access to the dispatch system via a Wi-Fi connection, and the theft of computer tablets connected to the Dispatch System.

Members of the Hacking Scheme also sent each other messages in which they explicitly discussed their intention to hack into the Dispatch System. For example, on or around November 10, 2019, ABAYEV sent the following to one of the Russian hackers in Russian: “I know the Pentagon is hacked[.]. So can’t we hack the taxi industry[?]”- US Department of Justice.

The DOJ says the hackers used their unauthorized access to create a paid service that allowed taxis waiting for a fare at JFK to go to the front of the line and be dispatched quickly.

Taxi drivers participating in the scheme had to pay the hackers $10 in cash or via mobile payment. Those who promote the service to their colleagues would be granted waivers allowing them to skip the queue for free.

Communication between the taxi drivers and the hackers took place via chat apps on private groups, where Abayev and Leyman made “Store open” and “Store closed” announcements.

“In order to avoid the taxi line, taxi drivers would send their taxi medallion numbers in group chat threads, and a member of the hacking system would then send a message to the terminal the taxi driver should go to to avoid the taxi line and get a ticket,” describes the indictment.

Spreadsheets viewed by law enforcement indicate that the hacking system illegally helped taxi drivers make around 2,500 rides a week. On peak days, like December 9, 2019, hackers helped with 600 trips.

The indictment also claims that Abayev and Leyman transferred at least $100,000 to hackers in Russia, with transaction rationales such as “payment for software development.”

The charges against both men carry a maximum sentence of 10 years in prison on two counts of conspiracy to commit computer intrusion.

If found guilty, the two hackers will also have to confiscate all property directly or indirectly related to the offenses committed in the United States.


Source link