Phisher Convicted in Massive Scheme

Attacks Aimed at Chase, BofA Highlight Increasing Risks
An Atlanta man has been convicted for the role he played in a massive phishing and fraud scheme that targeted Chase Bank, Bank of America, Branch Bank & Trust Co. and payroll processor ADP. Authorities say the scheme defrauded the banks and ADP of $1.5 million (see Phisher Guilty of $1.3 Million Scam).
On June 27, Osarhieme Uyi Obaygbona was convicted of conspiracy to commit wire fraud, identity theft, and conspiracy to gain unauthorized access to protected computers, according to a statement issued by the New Jersey U.S. Attorney's Office.
Obaygbona could be sentenced to 50 years in prison and fined up to $1 million, or twice the gross gain or loss from the offense. Sentencing is scheduled for Oct. 17.
Other defendants named in the case include Marvin Hill, Alphonsus Osuala, Waya Nwaki, Karlis Karklins and Charles Umeh Chidi. Nwaki and Hill have both pleaded guilty and await sentencing; Osuala is in federal custody on unrelated charges in Georgia; Jones is detained in Nigeria pending extradition; and Karklins and Chidi remain at large.
Obaygbona's phishing attacks directed unsuspecting users to spoofed or fake Web pages designed to mimic legitimate sites - in this case, sites run by the banks and ADP, according to court records. Once on the spoofed sites, consumers were conned into entering confidential personal and financial information, including their names, dates of birth, Social Security numbers, mothers' maiden names, and online account usernames and passwords.
Obaygbona and others used the stolen usernames and passwords to hack and compromise accounts, as well as to initiate unauthorized transactions and withdrawals.
Why Phishing Works
The case illustrates how and why socially engineered schemes are succeeding, says Andreas Baumhof, chief technology officer for online security company ThreatMetrix. The core problem is the duping of consumers by increasingly sophisticated schemes.
"A few years ago, the phishing e-mails and spoofed websites were easy to spot," Baumhof says. "Today, it's not so easy. They look legitimate, and end-users are easily fooled."
Authorities say Obaygbona, Nwaki, Hill, Osuala, and others used stolen online credentials and personal information to make unauthorized withdrawals from victims' bank accounts, as well as to create fake driver's licenses, which the conspirators used to impersonate the victims at bank branches. The stolen online credentials also were used to access online accounts, where Obaygbona, Nwaki, and Hill viewed signatures on check images and then forged checks and withdrawal slips they used at bank branches.
The stolen online credentials also were allegedly used by Karklins to access payroll accounts at ADP. Once fake employee accounts were added to victim companies' payrolls, Karklins and others allegedly had paychecks issued to the fake employees. After the fake checks were sent, the funds were withdrawn by money mules, who authorities say were duped into thinking their acts were legitimate.
More than $300,000 in fraudulent payroll transactions were allegedly wired to Jones, a Nigerian national who impersonated a European woman interested in romantic relationships to convince mules to wire the proceeds of the scheme overseas.
The Roles of Education and Tech
Educating consumers and the financial-services industry about phishing is challenging. "We could have more collaboration and get more information out to the end-user and to the industry about emerging schemes and trends," Baumhof says. "But no one wants to talk about it openly."
Doug Johnson, vice president of risk management policy for the American Bankers Association, says education is critical, but technology also plays a role. The new Domain Name System initiative, which the ABA and The Financial Services Roundtable are behind, could solve part of the problem, at least where spoofed websites are concerned.
The initiative calls for replacing banks' .com URLs with new top-level domains (TLDs), which would be approved by the Internet Corporation for Assigned Names and Numbers, better known as ICANN, and overseen and managed by specific industries. In the financial space, the ABA and the FS-ISAC are hoping ICANN will approve their oversight of .bank, a generic TLD that would be limited to domains used in the financial space.
"You've got consumers duped because they are visiting a site that they think is the bank's site," Johnson says. "With .bank, it would be more difficult to spoof a bank site, because we would be reviewing everything that is .bank, so it's a much more narrow community."
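The two defensive ideas in this article, that phishing pages live on hostnames built to look like a bank's real domain, and that a restricted TLD such as .bank shrinks the set of hostnames that need to be trusted, can be turned into a simple URL classifier. The code below is an added example, not part of the article and not software from the ABA, FS-ISAC or ICANN; the allowlist of "trusted" hostnames, the homoglyph table and every sample URL are constructed placeholders, not real institutions' domains. It labels a URL as trusted (on the published allowlist), restricted-tld (under .bank but not yet on our allowlist), lookalike (the brand label appears elsewhere in the hostname, or is within one edit after undoing common digit-for-letter swaps) or unknown.

```python
"""Classify URLs against a small bank allowlist to flag lookalike hostnames.

Added example, not from the article. TRUSTED_HOSTS and the sample URLs are
constructed placeholders (hypothetical "examplebank"), not real bank domains.
"""
from urllib.parse import urlsplit

# Constructed allowlist: hostnames the (hypothetical) bank publishes as its own.
TRUSTED_HOSTS = {"www.examplebank.com", "login.examplebank.com", "examplebank.bank"}

# Characters commonly substituted to make one hostname resemble another.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def _brand_label(host):
    """Second-level label of a hostname ('examplebank' for 'login.examplebank.com')."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def _normalize(label):
    """Undo digit-for-letter substitutions and drop hyphens before comparing labels."""
    return label.translate(_HOMOGLYPHS).replace("-", "")


def _edit_distance(a, b):
    """Levenshtein distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Brand labels the allowlist vouches for, e.g. {"examplebank"}.
TRUSTED_BRANDS = {_brand_label(h) for h in TRUSTED_HOSTS}


def classify_url(url):
    """Return 'trusted', 'restricted-tld', 'lookalike' or 'unknown' for a URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    if host in TRUSTED_HOSTS:
        return "trusted"
    # A .bank registration comes from a reviewed, narrow community, but that is
    # still not the same as being on this bank's own allowlist.
    if host.endswith(".bank"):
        return "restricted-tld"
    brand = _normalize(_brand_label(host))
    for trusted in TRUSTED_BRANDS:
        # Brand name buried in a longer hostname ("examplebank.com.verify-now.net"),
        # or a second-level label one edit away after homoglyph normalization.
        if trusted in host or _edit_distance(brand, trusted) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs, not observed phishing sites.
    for sample in (
        "https://login.examplebank.com/auth",
        "https://otherbank.bank/",
        "http://examp1ebank.com/login",
        "https://www.examplebank.com.account-verify.net/",
        "https://news.example.org/",
    ):
        print(f"{classify_url(sample):15} {sample}")
```

A mail gateway or browser extension would run `classify_url` over every link it sees and treat "lookalike" as a block-or-warn signal; the point the article's sources make is that a restricted TLD makes the "trusted" set small enough to enumerate, which is what makes the comparison tractable.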