14 Indicted in Phishing SchemeFraudulent E-mails Targeted Consumers' Bank Accounts
The indictment claims that in June 2005, one or more of the accused sent an e-mail to consumers, including a resident of Madison, Conn., that appeared to come from Connecticut-based People's Bank. The generic e-mail said recipients' online banking accounts had been locked; in order to remedy the issue, the recipients were instructed to click on links and enter specific bank account details and personal information.
In addition to People's Bank, Citibank, Capital One, Bank of America, JPMorgan Chase, Comerica Bank, Regions Bank, LaSalle Bank, U.S. Bank, Wells Fargo, eBay and PayPal also were targeted.
According to court documents, the Web page to which the Connecticut e-mail recipient was directed appeared to originate from People's Bank'; in actuality, the site was hosted on a compromised computer.
In all of the cases of all of the fraudulent e-mails sent, once recipients entered personal or financial information, their entered information was routed to one or more of the defendants, or to a so-called collector account - an e-mail account used to receive and collect the stolen information. Several collector accounts containing thousands of e-mails with credit or debit card numbers, expiration dates, CVV codes, PINs and other personal information, such as names, addresses, telephone numbers, dates of birth and Social Security numbers, were discovered during the FBI's investigation.
The co-conspirators used the information to access bank accounts and lines of credit, as well as withdraw funds from ATMs, which most often were in Romania.
Charges linked to the scheme go back to January 2007, when a federal grand jury in New Haven indicted a handful of the 14 suspects for phishing offenses. In November 2010, a grand jury returned a superseding indictment, charging all 14 defendants. But the indictment was sealed, pending extradition.
On Dec. 12, following the extradition from Romania of three of the 14 suspects, a magistrate judge in Bridgeport unsealed the indictment. Each of the 14 defendants could face up to 35 years in prison. So far, two defendants have pleaded not guilty and are expected to go to trial in March.
Phishing: Growing Cyber ConcernIncidents of phishing attacks are increasing in number, and the schemes themselves are increasing in sophistication.
Earlier this month, the Federal Bureau of Investigation issued a warning about a new Zeus malware attack targeting commercial bank accounts via phishy e-mails feigning to be from NACHA - The Electronic Payments Association. Ultimately, the attacks resulted in corporate account takeover. The Zeus variant, a malware called Gameover, is able to defeat several forms of dual-factor authentication. [See FBI Warns of New Fraud Scam.]
Spear-phishing, or targeted e-mail attacks, also are growing problems. With public information gleaned from social networking sites such as LinkedIn and Facebook, fraudsters are able to cobble together enough personal data about executives and administrators to launch targeted attacks - personalized phishy e-mails that often raise little suspicion.
Bill Wansley, a consultant with Booz Allen Hamilton, says the link between social media and phishing cannot be ignored. "That is a concern that is now starting to get the attention of bank information security officers and bank risk officers," Wansley says. "They are all working to ensure that the training of their staff is up to a level where they can recognize when they are being targeted."