If a phish phry is a social gathering, early Wednesday the FBI, US Attorney’s Office, the LA Electronic Crimes Task Force, and Egyptian authorities started working towards arranging the largest gathering of suspects indicted in connection with a single phishing scam to date. Dubbed “Operation Phish Phry”, this two-year inter-agency, inter-country investigation is rounding up 100 suspects, including 53 from North Carolina, Las Vegas, and Los Angeles as well as 47 in Egypt, accused of stealing more than a million dollars from two U.S. banks. At time of writing at least 33 suspects are in custody in the United States.
“This international phishing ring had a significant impact on two banks and caused huge headaches for hundreds, perhaps thousands, of bank customers,”
Acting US Attorney George Cardona
Hackers in Egypt perpetrated the phishing scam itself and recruited money mules in the U.S. to help transfer money into bank accounts opened to receive the fraudulent transfers. Through this method at least $1.5 million was siphoned from the accounts of a few thousand customers at Bank of America and Wells Fargo, a portion of which was then wired back to Egypt. Some of this money was stopped from being withdrawn after the banks involved started working with law enforcement.
The FBI in Los Angeles has outlined the details in a statement released today:
According to the indictment that was unsealed this morning, Egyptian-based hackers obtained bank account numbers and related personal identification information from an unknown number of bank customers through phishing—a technique that involves sending e-mail messages that appear to be official correspondence from banks or credit card vendors. In illegal phishing schemes, bank customers are directed to fake websites purporting to be linked to financial institutions, where the customers are asked to enter their account numbers, passwords and other personal identification information. Because the websites appear to be legitimate—complete with bank logos and legal disclaimers—the customers do not realize that the websites do not belong to legitimate financial institutions.
The indictment alleges that co-conspirators in Egypt collected victims’ bank account information by using information obtained from their phishing activities. Armed with the bank account information, members of the conspiracy hacked into accounts at two banks. Once they accessed the accounts, the individuals operating in Egypt communicated via text messages, telephone calls and Internet chat groups with co-conspirators in the United States. Through these communications, members of the criminal ring coordinated the illicit online transfer of funds from compromised accounts to newly created fraudulent accounts.
The U.S. ringleaders in this scam were named as Kenneth Joseph Lucas, 25, Nichole Michelle Merzi, 24, and Jonathan Preston Clark, 25, all residents of California. Their role was directing the efforts of the more than forty U.S. runners who set up fraudulent bank accounts to receive the transfers and initiated the withdrawals.
“Criminally savvy groups recruit here and abroad to pool tactics and skills necessary to commit organized theft.”
Acting Assistant FBI Director Keith Bolcar
They communicated with their Egyptian counterparts through text messaging, phone calls, and Internet chat rooms. Other runners have been named by local authorities including Shontovia Debose, 21, Trarnond Davis, 20, and Raymond Valentino Mancillas III, 21, of Las Vegas.
Phishing is a form of fraud carried out over the Internet, commonly but not always associated with e-mail, where a sender masquerades as another party and attempts to persuade the receiver to turn over sensitive information, such as access credentials for online banking web sites. The term phishing itself dates back to at least 1996 and was described in detail in a 1987 paper delivered to an HP users group called Interex.
In this scenario, users received an e-mail purportedly from one of the two banks affected indicating a reason they should log into their online banking account, and providing a link that appears to be for the banking web site but in fact is a counterfeit site hosted elsewhere that simply collects the customer’s id and password. After gaining online access to the user’s bank account, a money transfer was initiated to a fraudulent account, and the money withdrawn.
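The mismatch described above, between the bank a message names and the host its link actually opens, can be checked mechanically. The following is an added example, not code from the original article or the FBI statement: it parses an HTML mail body and reports links whose host falls outside an allowlist. The allowlist, function names and sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the named bank legitimately uses for online banking.
BANK_DOMAINS = {"wellsfargo.com"}

# Constructed sample body (example.net is a reserved documentation domain).
SAMPLE = """<p>Thank you for banking online at
<a href="https://www.wellsfargo.com/">wellsfargo.com</a>.</p>
<p>If you did not change your email address(es), please
<a href="http://wellsfargo.com.login.example.net/verify">click here</a>.</p>"""

def host_in(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html_body, brand_domains=BANK_DOMAINS):
    """Return (link text, host) for links that leave the bank's domains."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        try:
            host = urlsplit(href).hostname  # parsed host, not a substring match
        except ValueError:
            host = "<unparseable>"  # malformed URL: report it rather than skip
        if host and not host_in(host, brand_domains):
            findings.append((text, host))
    return findings
```

Because the host is parsed rather than substring-matched, a link that merely contains the bank's name in a subdomain label or in the userinfo part of the URL is still reported.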
The scams themselves can be very difficult to detect. In fact Robert Mueller, the Director of the FBI, admitted that his wife forbade him from doing banking online after he nearly fell prey to an e-mail phishing scam. He noted that he received an e-mail requesting verification of account details, had started filling out information before realizing his error and then had to log into his account and change his password.
We’ll let him explain it:
Examples of E-mail Text
The following are examples of phishing style e-mails from previously reported scams:
Subject: Notification for Customer of e-mail address change

E-MAIL CHANGE NOTIFICATION

Dear Customer!

Thank you for banking online at wellsfargo.com. Our records indicate that you recently added or made a change to one of your email address(es). This notification is to confirm that you initiated this change. If you feel you have received this email in error and did not add or change your email address(es), please click here.

Sincerely,
Online Banking Team

Subject: Regarding Your Wells Fargo Account

Dear Wells Fargo customer,

We have noticed that you experienced trouble logging into Wells Fargo Online Banking. After three unsuccessful attempts to access your account, your Wells Fargo Online Profile has been locked. This has been done to secure your accounts and to protect your private information. Wells Fargo is committed to making sure that your online transactions are secure. To unlock your account, and verify your identity please follow this link and sign in

Sincerely,
Wells Fargo Online Customer Service
Example E-mail Presentations:
Example Counterfeit Website:
Suspects in the United States face possible conviction based on a 51-count indictment including accusations of conspiracy to commit wire fraud and bank fraud. The more involved suspects face additional charges including aggravated identity theft, money laundering, and unauthorized access to protected computers. The addition of § 1028A (aggravated identity theft) is interesting in that it adds an automatic two years to each sentence if successfully prosecuted. Sentences of up to 20 years are possible though unlikely.
The size and scale of this investigation, the sophistication of the criminal enterprise targeting large U.S. financial institutions, and the inter-agency inter-country cooperation in this investigation are remarkable. As Keith Bolcar, acting assistant director in charge of the L.A. FBI stated: “The sophistication with which Phish Phry defendants operated represents an evolving and troubling paradigm in the way identity theft is now committed”.