Thursday, October 08, 2009

The FBI's Biggest Domestic Phishing Bust Ever

Yesterday the FBI began performing arrests of more than 100 individuals involved in a phishing investigation announced in the Central District of California courts. The case, known as Operation Phish Phry was the top story on the FBI website yesterday. Robert Mueller announced the case during a speech to the Commonwealth Club of California, where he praised the cooperation with the Secret Service and their Los Angeles Electronic Crimes Task Force, as well as state and local law enforcement. He said this was the first joint cyber investigation with Egypt and that this cooperative effort illustrates "the power of our global partnerships." Mueller also used the speech to praise the 32,000 members of the FBI's InfraGard program, "experts on our critical infrastructure" who help the FBI prevent risks to that infrastructure from becoming a reality.

The official press release from the Los Angeles FBI office says the announcement of the case came from:
Keith B. Bolcar, Acting Assistant Director in Charge, FBI Los Angeles
George S. Cardona, Acting United States Attorney, Los Angeles
and
Kieran Ramsey, FBI Legal Attache in Cairo Egypt
along with Egyptian Law Enforcement Authorities.


The 85 page indictment, which was presented to a Grand Jury back in February was unsealed once the arrests began, and contains a wealth of information. WIRED Magazine's Threat Level blog was the first to have a copy of the indictment.

The basic charges are:
18 USC S 1349: Wire and Bank Fraud Conspiracy
18 USC $ 1344(1): Bank Fraud
18 USC $ 1028A: Aggravated Identity Theft
18 USC $ 371: Computer Fraud Conspiracy
18 USC $ 1030(a)(4): Computer Fraud
18 USC $ 1956(h): Money Laundering Conspiracy

I'm especially happy to see the Aggravated Identity Theft charge, as it provides an automatic and non-negotiable +2 years to each sentence, which guarantees none of these people will get a "slap on the wrist", unless the prosecution fails to show they used the identities of at least ten individuals.

Although the investigation is labelled "Operation Phish Phry" by the FBI, the US-based charges deal with the money-laundering aspects more than the actual phishing. The phishing portions of the scheme seem to have been run by a group of nearly fifty individuals primarily in Egypt, who would transfer bank account credentials to the US-based ring leaders, who would use their network to move the money through mule accounts, out to cash, and eventually to be wired back to Egypt (minus a commission for the US-based players). Mueller mentions that the funds came from "approximately 5,000 American citizens" who were presumably the victims of these phishing attacks.

This was a tiered operation involving three ring leaders, who used sixteen associates to enlist thirty-eight money mules to receive stolen funds and wire them primarily to Egypt. In order to establish that each of the defendants was definitely involved, the indictment lists 335 "Overt Acts", mostly taking the form of giving a date, place, defendant, and an amount of money transmitted from a stated account to another defendant or unindicted co-conspirator.




(click for larger image, created with i2 Analyst's Notebook by Gary Warner)

The three ring-leaders identified in the indictment were:

Kenneth Joseph Lucas of Los Angeles, California
Nichole Michelle Merzi of Oceanside, California
Jonathan Preston Clark

These three operated a ring of middlemen who recruited the actual money mules. The middlemen were:

Jarrod Michael Akers
Kyle Wendell Akers
Wayne Edwards Arbaugh
Demorris Brooks
Antonio Late Colson
Kenneth Crews
Manu T. Fifita
Jennifer Anabelle Lopez Gonzalez
Tinika Sabrina Gunn
Jason Marcellus Jenkins
Sylvia Johnson
Remar Ahmir Lawton
Kyle Brandon Martin
Frankline Anthony Ragsdale
Steven Aaron Saunders
Rynn Spencer
Raquel Raffi Varjabedian
Candace Marie Zie

Lastly, the actual money mules that were indicted:

Ashley A. Ager
Latina Shaneka Black
Michael Dominick Gunn Dacosta Jr.
Virgil Phillip Daniels
Tramond S. Davis
Shontovia D. Debose
Joshua Vincent Fauncher
Krystal Fontenot
Anthony Donnel Fuller
Michael Christopher Grier
Bryanna Harrington
Shawn K. Jordan
Billy Littlejohn Kelly
Reggie B. Logan, Jr.
Ikinasio Lousiale, Jr.
Raymond V. Mancillas
David P. Mullin
Vincent Nguyen
Ario Plogovii
Brandon R. Ross
Alan Elvis St. Pierre
Courtney Monet Sears
Me Arlene Settle
Paula W. Sims
Jamie Smith
Brandon Kyle Thomas
Christopher Uhamaka
James Michael Viorato
Jovon Darnell Weems
David D. Westbrooks
Bridget Deque Wilkins
Marcus Deshaun Williams

The ages of the defendants range from 19 to 44, with only two being older than 31. Kenneth Crews and Demorris Brooks recruited seven money mules from North Carolina, and one or more unindicted recruiters gathered seven additional mules from Nevada, including at least four from Las Vegas.

Overt Acts are broken into sections:

A. Defendants Lucas and Zie:
Zie opens a bank BOA account, communicates with Lucas by telephone five times, withdraws stolen funds that were tranferred to his bank account. He opens two more account, talks to Lucas 54 times by telephone, and withdraws more stolen funds. Opens more accounts, communicates with Lucas 24 times in a single day, withdraws more stolen funds. The first 14 acts are about these two.

F. Defendants Lucas, Crews, and Logan:
Crews text-messages account numbers opened by Logan to Lucas, who causes funds to move from a victim account to Logan's accounts. Logan withdraws the money.

G. Defendants Lucas and Mancillas:
(Unindicted coconspirator) text-messages Lucas with account numbers opened by Mancillas at BOA. Lucas transfers funds from a victim to the Mancillas account, and Mancillas withdraws the funds.

H. Defendants Lucas and Mullin:
(Unindicted coconspirator) text-messages Lucas the account numbers opened by Mullin at Bank of America. Lucas moves funds from a victim account to the Mullin account, and Mullin withdraws the funds.

They do that over and over and over. The first 200 "Overt Acts" listed all involve Lucas as the one who moves the money from the victim's account.

The credentials for the victim accounts were acquired by phishing, but at this time, we don't have enough details to really know WHICH phishing attacks we're dealing with. It should certainly be pointed out that the phishing attacks were NOT NECESSARILY against Bank of America and Wells Fargo. Funds from any bank can be sent to Mule accounts at any bank, as long as they are both part of the ACH network. Hopefully more details will come out as this case progresses.

The later activities in the indictment make it seem that at least one or more of the defendants had their phone tapped or was cooperating with investigators, such as:

On February 17, 2009, defendants Colson, Weems, and Lucas agreed via telephone that defendant Colson would deliver $1,200 to defendant Lucas

Beginning with Overt Act #201 in the indictment (page 54) the activities turn to Wire Transfers, such as:

On January 12, 2007 in Los Angeles County, defendant J. Akers transmitted $1,300 by Western Union to unindicted coconspirator E.A.

The next forty acts involve Jarrod Michael Akers wiring nearly $100,000 to various parties, mostly unnamed in this indictment. Rehmar Amir Lawton also does more than $30,000 in wire transfers in "Overt Acts". Jonathon Preston Clark, Nichole Michelle Merzi, Candace Marie Zie, Demorris Brooks, Jennifer Lopez Gonzalez and others are also involved in the Wires.

One of the key telephone conversations that was part of the indictment is "Overt Act No. 241":

On December 22, 2008, in Los Angeles County, defendants LUCAS and K. AKERS, in a telephone conversation, discussed the scheme to cause unauthorized transfers of funds into bank accounts for the purpose of allowing coconspirators to withdraw the transferred funds, and defendant LUCAS advised defendant K. AKERS to solicit individuals who need money to assist in the scheme.

No comments:

Post a Comment

Turning comments back on. I will censor, so please be polite! If you would like to share information privately, please leave a "Contact Me" post and I will reach out. Thank you!