Euro Security Watch with Mathew J. Schwartz

Fraud , ID Theft , Phishing

Dutch Coder Accused of Website Backdoor Fraud Spree As 20,000 Victims Notified by Police, Spear-Phishing Campaign Sows Confusion
Dutch Coder Accused of Website Backdoor Fraud Spree
Dutch police say a digital forensic investigation revealed 20,000 stolen email addresses and passwords. (Photo: Dutch police.)

An ongoing criminal investigation in the Netherlands demonstrates the importance of reporting crime to police as well as the lengthy timelines that law enforcement agencies can face when they attempt to bring suspects to justice.

See Also: Addressing the Identity Risk Factor in the Age of 'Need It Now'

Unfortunately, it also demonstrates the challenges that police can encounter when they attempt to notify victims, via email, that their email addresses and passwords were compromised, given the continuing prevalence of look-alike spear-phishing attacks.

"The emails that the police sent this week have no link and nothing needs to be downloaded." 

In this case, Dutch police just revealed they arrested a 35-year-old suspect - his name has not been released - on July 11, 2016, at a hotel in Zwolle, in the Netherlands, on charges that included computer intrusion, fraud and identity theft. Police say that they confiscated the man's laptop when he was arrested, and then raided his house in Leeuwarden as well as a home in Sneek where he often stayed, where they seized additional computer equipment and storage devices.

Police say the suspect passed himself off as a legitimate developer and built websites that included e-commerce capabilities for numerous businesses. Secretly, however, he allegedly installed a script in the sites that captured customers' email addresses and passwords, which he then used to access those individuals' email and social media accounts. From there, police say, he would pose as the owner of a social media account and scam others - such as a real account holder's siblings - into buying goods for him or moving money. He'd then transfer those funds to "anonymous credit cards." Police say claim he also used other people's personal information to create accounts at online gambling sites.

The investigation began in November 2014 after police received a report that someone illegally tricked a victim into ordering goods. After that, police say they identified a suspect and traced his activities and found that related scams appeared to be getting "bigger and more complex," leading to police expanding the size of their investigation team in spring 2016 and bolstering it with digital forensic investigators.

High-Tech Theft, Low-Tech Scam

Much of the alleged fraud employed old-school tactics. Here's a generalized, anonymous account shared by police that illustrates how some of the alleged attacks proceeded (loosely translated from Dutch):

"One day I got a message on Facebook from a friend of mine. He asked me if I could make a payment for him. That question was not so strange, because I had recently borrowed money from him. I was sent a link so I ended up on a payment site. Then my friend asked me if I wanted to mail him the payment confirmation. Then I had a light-bulb moment. Namely, my friend namely gave me a different address than the one I had for him. But anyway, many people use multiple addresses. ... Two days later I received a Facebook message from my friend, in which he indicated that his Facebook account had been abused by someone who asked his friends to pay bills. That's when I knew I had been scammed. I am a businessman and travel all over the world. I am always alert to payments. This seemed so reliable and yet I too became a victim."

All told, the suspect amassed "hundreds of victims [including] both businesses and individuals," police allege, saying that they're trying to identify exactly how much money was stolen so that they can attempt to recover the funds. At least 140 related cases had been opened in October 2016, when police reported that they'd already approached affected companies and shared instructions for how to find and eradicate the offending script.

"Companies that allow users to log on to their website should be alert to this type of fraud - for example, by only doing business with reputable website builders and/or to verify the shop via a third party," police say.

Police Alert 20,000 Victims - via Email

On Jan. 17, police in the Netherlands said that thanks to a digital forensic investigation of the suspect's seized computer equipment, investigators had identified 20,000 email addresses that had been compromised by the attacker and that they had sent warning emails to all of the addresses. Police have warned individuals to never reuse passwords on different sites, saying that such behavior helped the suspect to access many victims' accounts (see Why Are We *Still* So Stupid About Passwords?).

The timing and manner of those notifications, however, has resulted in some hiccups. Coincidentally or not, a Dutch-language phishing email has been making the rounds, telling recipients that their complaint against police in Drachten - in the Dutch province of Friesland - has been received, and that they should click a link to download a reply from the chief of police. The fake message is branded to look like it was sent by Dutch national police.

Police say that they've received multiple inquires about the spam or phishing message, warn that the communication isn't legitimate and advise recipients that they should delete the email and avoid downloading any attachments.

"The emails that the police sent this week have no link and nothing needs to be downloaded," they say.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network