Key Phish Phry Player Sentenced
Last Figure in International Phishing Ring Gets Prison Term
A U.S. District Court in Los Angeles has sentenced Nichole Michelle Merzi, a key figure in an international cybercrime ring that between 2008 and 2009 drained thousands of dollars from U.S. bank accounts.
Merzi, who helped to orchestrate an elaborate phishing scheme that involved 53 co-conspirators in the U.S. and 47 in Egypt, on May 15 was sentenced to more than five years in prison. She was convicted last year on charges of bank and wire fraud conspiracy, aggravated identity theft, computer fraud conspiracy and money laundering conspiracy.
Merzi has been in custody since she was found guilty at trial in March 2011.
Merzi, along with Kenneth Joseph Lucas II, was a lead defendant in a 2009 case linked to Operation Phish Phry. In 2011, Lucas was sentenced to a total of 13 years in prison in two separate federal cases - one connected to Operation Phish Phry, the other to a marijuana operation.
At the time of Lucas' sentencing, a federal judge determined the total amount of intended loss in the Phish Phry case was more than $1 million.
So far, the Operation Phish Phry investigation, led in the U.S. by the Federal Bureau of Investigation, the Electronic Crimes Task Force in Los Angeles and the Social Security Administration's Office of Special Investigations, has resulted in the conviction of 47 of the 53 U.S. citizens who were charged.
Assistant U.S. Attorney Ronald Cheng, who prosecuted the case, says charges against one of the remaining six U.S. defendants were dismissed; another defendant was acquitted; and a third got off on a diversion agreement - meaning the charges were dismissed, contingent upon the defendant's ability to not be arrested on similar charges within a given period of time. Three of the co-conspirators remain at large.
As for the 47 who were charged in Egypt, federal authorities say they don't know how many were convicted.
Phish Phry Spans 2 Continents
Operation Phish Phry uncovered a phishing operation aimed at defrauding Wells Fargo and Bank of America customers. The scheme hinged on spam sent by Egyptian hackers to U.S. e-mail addresses.
Once hackers obtained the login credentials and account details, they hacked accounts at the two U.S. banks, federal authorities say.
"The harm done by (Merzi)'s activities is undisputed," the government's sentencing memo states. "Although BofA and Wells Fargo reimbursed the individual victims whose accounts were compromised, it is undeniable that the scheme affected a large number of victims."
The FBI found that bank customers who received the phishy e-mails were directed to spoofed websites feigning to be linked to U.S. financial institutions. Once users visited the spoofed sites, they were asked to provide account numbers, passwords and other personally identifiable information.
From October 2008 to early 2009, Merzi and Lucas hired money mules in Egypt to transfer funds from phished accounts to accounts they opened in Southern California and elsewhere. Lucas directed other members of the ring to recruit so-called "drops" in the U.S., brought on to set up and use bank accounts where stolen funds could be held. Some of the stolen funds also were transferred via wire to co-conspirators in Egypt.
The illegal transfers occurred in amounts of approximately $1,000 at a time.
"Records at trial show that, from February 2008 through September 2008, defendant [Merzi] opened numerous BofA [Bank of America] accounts in her name at a variety of branches, and the amount of unlawful 'phishing' transfers into those accounts alone was $14,000," according to court records.
The Phish Phry case includes the largest number of defendants ever charged in a cybercrime case. But industry experts such as Dave Jevans, head of online security firm IronKey and a member of the Anti-Phishing Working Group, said, even at the time, that the bust was a tiny catch, relative to the number of phishing schemes and groups targeting banks.
"It's really the largest law-enforcement action that we've ever seen around cybercrime and phishing," Jevans said in 2009, when Operation Phish Phry was announced, two years after federal authorities initiated their investigation. "As far as a dent in the number of phishers out there and the phishing gangs, it's probably not significant."