Thursday, November 29, 2018

Two Iranian Hackers charged with $6 Million in SamSam Ransomware Attacks

Today the Department of Justice announced an indictment against two Iranian men: Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri for their roles in stealing more than $6 Million in Ransom payments from a 34 month long ransomware campaign known as SamSam.

They were charged with:

18 U.S.C. § 371 - Conspiracy to Defraud the United States

18 U.S.C. § 1030(a)(5)(A) - knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

18 U.S.C. § 1030(a)(7)(C) - demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion

18 U.S.C. § 1349 - Conspiracy

Victims were found in nearly every state:

Victim Locations from: https://www.justice.gov/opa/press-release/file/1114736/download

Piecing together the case involved gaining cooperation from two European VPN services, and apparently at least one search engine. The indictment refers, for example, to the defendants using Bitcoin to pay for access to a European VPS, and then searching on May 15, 2016, for "kansasheart.com". The same day, they accessed the public website of Kansas Heart Hospital, and on May 18th, encrypted many key computers on the network and sent their ransom note.

Another key part of the investigation was gaining the cooperation of a Bitcoin Exchanger, which was able to demonstrate that on July 21, 2016, the defendants cashed out at least some of their ransomed Bitcoin into Iranian Rials and deposited it into bank accounts controlled by MANSOURI and SAVANDI.

Chat logs were also available to the investigators, as the indictment cites chat contents consistently throughout its timeline. Combining these events, some of the key dates were:

  • December 14, 2015 - Defendants chatting about the development and functionality of SamSam.
  • Jan 11, 2016 - Attack on Mercer County Business in New Jersey 
  • Feb 5, 2016 - Attack on Hollywood Presbyterian Medical Center 
  • March 27, 2016 - Attack on MedStar Health 
  • May 15, 2016 - Attack on Kansas Heart Hospital 
  • May 27, 2016 - Attack on University of Calgary 
  • July 27, 2016 - Attack on Nebraska Orthopedic Hospital 
  • April 25, 2017 - Attack on City of Newark, New Jersey 
  • January 18, 2018 - Attack on Allscripts Healthcare Solutions, Inc. 
  • February 19, 2018 - Attack on Colorado Department of Transportation 
  • March 22, 2018 - Attack on City of Atlanta, Georgia 
  • July 14, 2018 - Attack on LabCorp 
  • September 25, 2018 - Attack on the Port of San Diego 

FBI Wanted Poster from: https://www.justice.gov/opa/press-release/file/1114746/download

Tuesday, October 23, 2018

Business Email Compromise: Putting a Wisconsin Case Under the Microscope

Clement Onuama and Orefo Okeke were arrested on November 1, 2017 in the Western District of Texas after receiving a complaint and warrant from the District of Wisconsin, that the pair were involved in Romance Scams and Business Email Compromise Scams.

This week Okeke was sentenced to 45 months in prison.  Onuama was sentenced on October 30th to 40 months in prison.
Orefo Okeke (image from Dallas News)
Clement Onuama, 53

According to the Criminal Complaint and Indictments from the case, from 2010 until at least December 2016, in the Western District of Wisconsin and elsewhere Clement Onuama and Orefo Okeke knowingly conspired with each other and persons known and unknown to the grand jury, to commit and cause to be committed offenses against the United States, namely: wire fraud, in violation of Title 18, United States Code, Section 1343.

They used Romance fraud scams, developing relationships via email, chat apps, and telephone conversations. Eventually the person posing as the victim's online partner asked each victim for financial assistance. They told the victims that they needed funds in order to release a much larger sum of money that was frozen by a foreign country.

They also used Business Email Compromise scams, primarily by sending email messages with altered wire instructions that caused funds to be deposited into accounts controlled by the criminals. Often these emails were "spoofed" to appear to come from an employee or officer of the victim's own company. During several such scams, the real officer was traveling.

The deposited funds went into bank accounts of "nominees and shell entities" and were quickly converted to cash and cashier's checks, with a portion of the funds wired overseas. The criminals also failed to pay taxes on their proceeds.

$3,259,892 in transfers were attempted and the actual fraud losses were $2,678,328. The proceeds laundered by Onuama totalled $428,346. The proceeds laundered by Okeke totalled $538,100.

Details of the Wisconsin BEC Fraud Scam

On or about February 19, 2014 at 10:02 am, an email purporting to be from Sarah Smith at the address ssmith@title-pros.com was sent in reply to real estate agent Terrell Outlay of Madison, Wisconsin, asking him to update wire instructions that had been sent a few days before. The email had an attachment from Portage County Title, on Portage County Title letterhead, updating the details and indicating funds should be sent to a Wells Fargo Bank account in Bettendorf, Iowa in the name of TJ Hausch.

$123,747.54 was wired later that day.

On the same day, a wire transfer from Tammy Hausch's Wells Fargo bank account ending in 9492 sent $80,000 to a Wells Fargo bank account ending in 6411 held by Clement C. Onuama of Grand Prairie, Texas. Clement withdrew $10,000 in cash that day, $20,000 in cash the following day, and purchased a cashier's check for $28,885 from the account. On March 11, 2014, a check for $10,000 was sent from Okeke to Onuama, who cashed it.

An Affidavit from a Treasury Agent shares more details. Terrell Outlay was a new real estate agent who had recently relocated from Chicago. Outlay is believed to have had malware planted on his computer in relation to a home sale that he negotiated in January 2014.

After receiving the email from ssmith@title-pros.com instructing him to have his client, Dynasty Holdings, wire $123,747.54 to the TJ Hausch Wells Fargo account, he was contacted by the REAL Sarah Smith on February 25, 2014, who informed him the funds were never received into the BMO Harris account that had been agreed to at closing. Outlay reported the situation to his boss, who contacted the Madison Police Department.

Although the email of February 19, 2014 appeared to be from ssmith@title-pros.com, the headers revealed it was sent from 162.144.88.87 and that the actual sending address was ssmith.title-pros@outlook.com.

A second email, confirming to Mr. Outlay that the new account should be used ("Yes!! TJ Hausch Wells Fargo"), used the email server located at web1.sh3lls.net with IP address 64.32.14.162 and the same Outlook account, "ssmith.title-pros@outlook.com".

Four additional pieces of email correspondence used the same "sh3lls.net" IP and return address. Legitimate emails from Sarah Smith were sent from a Charter Communications IP address, confirmed by subpoena to belong to Portage County Title in Stevens Point, Wisconsin.

The sh3lls.net IP belongs to Sharktech in Chicago, Illinois, and that particular IP address was leased from August 13, 2013 to March 24, 2014 by a Singapore-based company called Surat IT Pte. Ltd. It was used to host hundreds of websites. The other IP address, 162.144.88.87, was confirmed to be a Unified Layer IP address operated by Bluehost. The customer of record at that time was Hind Jouini of Dubai, UAE.

The additional funds from the Tammy Hausch account were sent to a Bank of America account ending in 9593 held by P.M. Voss of Costa Mesa, California.

Tammy Hausch was interviewed by the US Secret Service in Madison, Wisconsin. She was unaware of the source of the $123,000. She had actually performed four similar transactions in the past, all at the behest of her online boyfriend, "Brian Ward", with whom she had communicated exclusively online. Brian needed her help because he and his friends had funds that were locked up in Spain and he needed additional funds to pay to have those funds released.

Hausch had previously received a $12,112 check from the IRS addressed to Brian and Patricia Downing. "Brian Ward" said that Patricia Downing was the maiden name of his deceased wife.

Brian Downing was interviewed and reported that when he attempted to file his 2013 taxes, he learned they had already been filed and that an unauthorized tax refund of $12,112 had already been paid to a Wells Fargo account ending in 9492. He confirmed his wife Patricia was not deceased and introduced her to the agent.

More BEC Fraud Linked to the Case

On August 23, 2016, Anessa Hazelle, the financial controller of Ocean Grove Development of Basseterre, Saint Kitts, West Indies, told the Treasury investigator that on November 30, 2015, an email claiming to be from her supervisor, Nuri Katz, urged her to wire $84,100 to D&D Serv, Inc of Grand Prairie, Texas, to pay an invoice for the purchase of "VxWorks Proll" for $84,100. Hazelle did as she was instructed and sent the funds. Katz was on a flight to Russia at that time. After the flight landed, they had a telephone conversation and learned that the email had been fraudulent.

Katz's real email address was "nkatz@apexcap.org", but the email with the wire transfer instructions came from "nkatz@adexec.com", similar enough that Hazelle did not notice the difference. The funds were sent to a Capital One Bank account ending in 8232.
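The three signals that exposed the two fraudulent emails above (a Reply-To/Return-Path pointing away from the displayed From domain, a known domain buried in the local part of a free-mail address, and a familiar local part on an unfamiliar domain), plus the "updated wire instructions" wording, as an added Python check that is not from the original post. The contact list, the `WIRE_CHANGE` pattern and the three messages are constructed for the example.

```python
"""Flag common Business Email Compromise signals in a raw RFC 5322 message.

Added example (not from the original post).  Checks for:
  1. Reply-To / Return-Path domain different from the From domain;
  2. a known-legitimate domain embedded in the local part of a free-mail
     address (the ssmith.title-pros@outlook.com pattern);
  3. a sender whose local part matches a known contact but whose domain does
     not (the nkatz@apexcap.org vs nkatz@adexec.com pattern);
  4. wording that changes wire or payment instructions.
All contacts, addresses and messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed contact list: the addresses the organisation actually knows.
KNOWN_CONTACTS = {
    "ssmith@title-pros.com": "Sarah Smith",
    "nkatz@apexcap.org": "Nuri Katz",
}
FREEMAIL = {"outlook.com", "gmail.com", "yahoo.com", "hotmail.com"}
# Constructed pattern for "updated wire instructions"-style wording.
WIRE_CHANGE = re.compile(
    r"(updated?|new|chang\w*)\s+(wire|wiring|bank|account|payment)\s+(instruction|detail|info)",
    re.I,
)


def _split(addr):
    """Return (local part, domain) of an address, both lower-cased."""
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def analyze(raw):
    """Return a de-duplicated list of human-readable findings for one message."""
    msg = message_from_string(raw)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    s_local, s_domain = _split(sender)

    # 1 and 2: where will a reply (or a bounce) actually go?
    for hdr in ("Reply-To", "Return-Path"):
        for _, addr in getaddresses(msg.get_all(hdr, [])):
            r_local, r_domain = _split(addr)
            if addr and r_domain != s_domain:
                findings.append(f"{hdr} domain {r_domain} differs from From domain {s_domain}")
            if r_domain in FREEMAIL:
                for known in KNOWN_CONTACTS:
                    k_domain = _split(known)[1]
                    if k_domain.split(".")[0] in r_local:
                        findings.append(
                            f"{hdr} {addr} embeds known domain {k_domain} in a {r_domain} address")

    # 3: same person name in the local part, but not the domain we know them by.
    if sender not in KNOWN_CONTACTS:
        for known, name in KNOWN_CONTACTS.items():
            k_local, k_domain = _split(known)
            if k_local == s_local and k_domain != s_domain:
                findings.append(f"From {sender} mimics known contact {name} <{known}>")

    # 4: payment-instruction changes in the subject or a single-part body.
    text = msg.get("Subject", "") + "\n"
    if not msg.is_multipart():
        text += msg.get_payload()
    m = WIRE_CHANGE.search(text)
    if m:
        findings.append(f"payment-instruction change wording: '{m.group(0)}'")

    return list(dict.fromkeys(findings))


# Constructed sample messages (192.0.2.0/24 is the documentation range).
SAMPLE_TITLE = """From: Sarah Smith <ssmith@title-pros.com>
Reply-To: ssmith.title-pros@outlook.com
Return-Path: <ssmith.title-pros@outlook.com>
Received: from web1.example.test ([192.0.2.10])
To: agent@example-realty.test
Subject: Updated wire instructions for closing

Please see the attached updated wire instructions and send the funds today.
"""

SAMPLE_KATZ = """From: Nuri Katz <nkatz@adexec.com>
To: ahazelle@example.test
Subject: Urgent invoice payment

Please pay the attached invoice today, I am boarding a flight.
"""

SAMPLE_LEGIT = """From: Sarah Smith <ssmith@title-pros.com>
Return-Path: <ssmith@title-pros.com>
To: agent@example-realty.test
Subject: Closing documents

Attached are the signed closing documents.
"""

if __name__ == "__main__":
    for label, raw in (("title", SAMPLE_TITLE), ("katz", SAMPLE_KATZ), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(raw) or "no findings")
```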

That Capital One account was opened by Clement C. Onuama d/b/a D&D Serv, Inc, of 2621 Skyway Drive, Grand Prairie, Texas. Onuama was the sole signatory of the account.

On July 26, 2016, Daniel Yet, the owner of D&T Foods of Santa Clara, California, relayed a similar experience. His personal investment account at TD Ameritrade was managed by Bao Vu. On June 29, 2015, while Yet was traveling overseas on vacation, Vu attempted to contact him to verify a wire transfer request sending $22,000 to a Regions Bank account ending in 6870 for Sysco Serve. Since Vu could not reach Yet, and the matter had been described as urgent, Vu went ahead with the wire. A SECOND request then came through asking for an additional $30,000 to be sent.

The Regions Bank account ending in 6870 was opened by Orefo S. Okeke d/b/a Sysco Serve, with the same address as the Capital One account controlled by Onuama above, 2621 Skyway Drive, Grand Prairie, Texas!

The 6870 Regions account made a payment of $15,000 on July 1, 2015 (two days after the deposit from Mr. Yet's TD Ameritrade account) to another Regions Bank account ending in 6452.

The 6452 Regions account was opened by Clement C. Onuama d/b/a D&D Serv, of 2621 Skyway Drive, Grand Prairie, Texas.

Letters from Okeke

The defense entered seven letters to be considered during the sentencing hearing. In the first, Orefo explains that when he first came to America, he made a business of buying used American cars and reselling them in Nigeria. He ended up in financial hardship, which he blames partly on medical bills for his sick father and partly on caring for his wife and two step children. He was approached by others in Nigeria who needed his assistance in converting US dollars to Nigerian Naira.

The other letters explained how Orefo was kind enough to hire a convicted felon to work for him, and a disabled veteran. One letter, from his Aunty, says he is kind and loves animals. His wife begs the mercy of the courts and explains how much her children miss him. Okeke's brother in South Africa explains to the judge that his brother is an honest God-fearing man, that his pleading guilty demonstrates his honesty, and that this trial caused the death of their father and now their mother's health is also on the line. His uncle writes how sad it is that the judge has incarcerated his nephew for a non-violent first time offense, causing him to miss his sister's wedding and his father's funeral. A friend explains Okeke's very good moral character and how he always operates with integrity.

On the other hand, the FBI says that Business Email Compromise has stolen $12 billion, and that just from June 2016 to May 2018 they have identified 30,787 victims, of which 19,335 were in the United States. Records from October 2013 to May 2013 actually show at least 119,675 victims! Hopefully the examples shared above will help us understand more about how these people come to be victims, often losing their entire life savings, or funds whose loss means they can no longer buy a house or keep a business running!

Monday, October 22, 2018

Project Lakhta: Putin's Chef spends $35M on social media influence

Project Lakhta is the name of a Russian project that was further documented by the Department of Justice last Friday in the form of sharing a Criminal Complaint against Elena Alekseevna Khusyaynova, said to be the accountant in charge of running a massive organization designed to inject distrust and division into the American elections and American society in general.

https://www.justice.gov/opa/press-release/file/1102316/download
In a fairly unusual step, the 39 page Criminal Complaint against Khusyaynova, filed just last month in Alexandria, Virginia, has already been unsealed, prior to any indictment or specific criminal charges being brought against her before a grand jury.  US Attorney G. Zachary Terwilliger says "The strategic goal of this alleged conspiracy, which continues to this day, is to sow discord in the U.S. political system and to undermine faith in our democratic institutions."

The data shared below, intended to summarize the 39 page criminal complaint, contains many direct quotes from the document, which has been shared by the DOJ. (Click for the full Criminal Complaint against Elena Khusyaynova)

The complaint shows that since May 2014 the following organizations were used as cover to spread distrust towards candidates for political office and the political system in general:

Internet Research Agency LLC ("IRA")
Internet Research LLC
MediaSintez LLC
GlavSet LLC
MixInfo LLC
Azimut LLC
NovInfo LLC
Nevskiy News LLC ("NevNov")
Economy Today LLC
National News LLC
Federal News Agency LLC ("FAN")
International News Agency LLC ("MAN")

These entities employed hundreds of individuals in support of Project Lakhta's operations with an annual global budget of millions of US dollars.  Only some of their activity was directed at the United States.

Prigozhin and Concord 

Concord Management and Consulting LLC and Concord Catering (collectively referred to as "Concord") are related Russian entities with various Russian government contracts.  Concord was the primary source of funding for Project Lakhta, controlling funding, recommending personnel, and overseeing activities through reporting and interaction with the management of various Project Lakhta entities.

Yevgeniy Viktorovich Prigozhin is a Russian oligarch closely identified with Russian President Vladimir Putin.  He began his career in the food and restaurant business and is sometimes referred to as "Putin's Chef."  Concord has Russian government contracts to feed school children and the military.

Prigozhin was previously indicted, along with twelve others and three Russian companies, with committing federal crimes while seeking to interfere with the US elections and political process, including the 2016 presidential election.

Project Lakhta internally referred to their work as "information warfare against the United States of America" which was conducted through fictitious US personas on social media platforms and other Internet-based media.

Lakhta has a management group which organized the project into departments, including a design and graphics department, an analysts department, a search-engine optimization ("SEO") department, an IT department and a finance department.

Khusyaynova has been the chief accountant of Project Lakhta's finance department since April of 2014, which included the budgets of most or all of the previously named organizations.  She submitted hundreds of financial vouchers, budgets, and payments requests for the Project Lakhta entities.  The money was managed through at least 14 bank accounts belonging to more Project Lakhta affiliates, including:

Glavnaya Liniya LLC
Merkuriy LLC
Obshchepit LLC
Potentsial LLC
RSP LLC
ASP LLC
MTTs LLC
Kompleksservis LLC
SPb Kulinariya LLC
Almira LLC
Pishchevik LLC
Galant LLC
Rayteks LLC
Standart LLC

Project Lakhta Spending 

Monthly reports on spending were provided by Khusyaynova to Concord for at least the period from January 2016 through July 2018.

A document sent in January 2017 included the projected budget for February 2017 (60 million rubles, or roughly $1 million USD), and an accounting of spending for all of calendar 2016 (720 million rubles, or $12 million USD). Expenses included:

Registration of domain names
Purchasing proxy servers
Social media marketing expenses, including:
 - purchasing posts for social networks
 - advertisements on Facebook
 - advertisements on VKontakte
 - advertisements on Instagram
 - promoting posts on social networks

Other expenses were for Activists, Bloggers, and people who "developed accounts" on Twitter to promote online videos.

In January 2018, the "annual report" for 2017 showed 733 million Russian rubles of expenditure ($12.2M USD).

More recent expenses, between January 2018 and June 2018, included more than $60,000 in Facebook ads, and $6,000 in Instagram ads, as well as $18,000 for Bloggers and Twitter account developers.

Project Lakhta Messaging

From December 2016 through May 2018, Lakhta analysts and activists spread messages "to inflame passions on a wide variety of topics" including:
  • immigration
  • gun control and the Second Amendment
  • the Confederate flag
  • race relations
  • LGBT issues
  • the Women's March
  • and the NFL national anthem debate.

Events in the United States were seized upon "to anchor their themes" including the Charleston church shootings, the Las Vegas concert shootings, the Charlottesville "Unite the Right" rally, police shootings of African-American men, and the personnel and policy decisions of the Trump administration.

Many of the graphics that were shared will be immediately recognizable to most social media users.

"Rachell Edison" Facebook profile
The graphic above was shared by a confirmed member of the conspiracy on December 5, 2016. "Rachell Edison" was a Facebook profile controlled by someone on payroll from Project Lakhta.  Their comment read  "Whatever happens, blacks are innocent. Whatever happens, it's all guns and cops. Whatever happens, it's all racists and homophobes. Mainstream Media..."

The Rachell Edison account was created in September 2016 and controlled the Facebook page "Defend the 2nd".  Between December 2016 and May 2017, "while concealing its true identity, location, and purpose" this account was used to share over 700 inflammatory posts related to gun control and the Second Amendment.

Other accounts specialized in other themes. Another account, using the name "Bertha Malone", was created in June 2015, using fake information to claim that the account holder lived in New York City and attended a university in NYC. In January 2016, the account created a Facebook page called "Stop All Invaders" (StopAI) which shared over 400 hateful anti-immigration and anti-Islam memes, implying that all immigrants were either terrorists or criminals. Posts shared by this account reached 1.3 million individuals and at least 130,851 people directly engaged with the content (for example, by liking, sharing, or commenting on materials that originated from this account).

Some examples of the hateful posts shared by "Bertha Malone" that were included in the DOJ criminal complaint included these:

The latter image was accompanied by the comment:

"Instead this stupid witch hunt on Trump, media should investigate this traitor and his plane to Islamize our country. If you are true enemy of America, take a good look at Barack Hussein Obama and Muslim government officials appointed by him."

Directions to Project Lakhta Team Members


The directions shared with the propaganda spreaders gave very specific examples of how to influence American thought, with guidance on what sources and techniques should be used to influence particular portions of our society. For example, to further drive wedges in the Republican party, Republicans who spoke out against Trump were attacked in social media (all of the following are marked in the Criminal Complaint as "preliminary translations of Russian text"):

"Brand McCain as an old geezer who has lost it and who long ago belonged in a home for the elderly. Emphasize that John McCain's pathological hatred towards Donald Trump and towards all his initiatives crosses all reasonable borders and limits.  State that dishonorable scoundrels, such as McCain, immediately aim to destroy all the conservative voters' hopes as soon as Trump tries to fulfill his election promises and tries to protect the American interests."

"Brand Paul Ryan a complete and absolute nobody incapable of any decisiveness.  Emphasize that while serving as Speaker, this two-faced loudmouth has not accomplished anything good for America or for American citizens.  State that the only way to get rid of Ryan from Congress, provided he wins in the 2018 primaries, is to vote in favor of Randy Brice, an American veteran and an iron worker and a Democrat."

Frequently the guidance related to a particular news headline, with directions on how to use the headline to spread their message of division. A couple of examples:

After a news story "Trump: No Welfare To Migrants for Grants for First 5 Years" was shared, the conspiracy was directed to twist the messaging like this:

"Fully support Donald Trump and express the hope that this time around Congress will be forced to act as the president says it should. Emphasize that if Congress continues to act like the Colonial British government did before the War of Independence, this will call for another revolution.  Summarize that Trump once again proved that he stands for protecting the interests of the United States of America."

In response to an article about scandals in the Robert Mueller investigation, the direction was to use this messaging:

"Special prosecutor Mueller is a puppet of the establishment. List scandals that took place when Mueller headed the FBI. Direct attention to the listed examples. State the following: It is a fact that the Special Prosecutor who leads the investigation against Trump represents the establishment: a politician with proven connections to the U.S. Democratic Party who says things that should either remove him from his position or disband the entire investigation commission. Summarize with a statement that Mueller is a very dependent and highly politicized figure; therefore, there will be no honest and open results from his investigation. Emphasize that the work of this commission is damaging to the country and is aimed to declare impeachment of Trump. Emphasize that it cannot be allowed, no matter what."

Many more examples are given, some targeted at particular concepts, such as this direction regarding "Sanctuary Cities":

"Characterize the position of the Californian sanctuary cities along with the position of the entire California administration as absolutely and completely treacherous and disgusting. Stress that protecting an illegal rapist who raped an American child is the peak of wickedness and hypocrisy. Summarize in a statement that "sanctuary city" politicians should surrender their American citizenship, for they behave as true enemies of the United States of America"

Some more basic guidance shared by Project Lakhta was about how to target conservatives vs. liberals, such as: "if you write posts in a liberal group, you must not use Breitbart titles. On the contrary, if you write posts in a conservative group, do not use Washington Post or BuzzFeed's titles."

We see the "headline theft" implied by this in some of their memes.  For example, this Breitbart headline:


Became this Project Lakhta meme (shared by Stop All Immigrants):


Similarly, this meme, originally shared as a quote from the Heritage Foundation, was adopted and rebranded by the Lakhta-funded "Stop All Immigrants":



Twitter Messaging and Specific Political Races

Many Twitter accounts shown to be controlled by paid members of the conspiracy were making very specific posts in support of or in opposition to particular candidates for Congress or Senate.  Some examples listed in the Criminal Complaint include:

@CovfefeNationUS posting:

Tell us who you want to defeat!  Donate $1.00 to defeat @daveloebsack Donate $2.00 to defeat @SenatorBaldwin Donate $3.00 to defeat @clairecmc Donate $4.00 to defeat @NancyPelosi Donate $5.00 to defeat @RepMaxineWaters Donate $6.00 to defeat @SenWarren

Several of the Project Lakhta Twitter accounts got involved in the Alabama Senate race, and, underscoring that the objective of Lakhta is to CREATE DISSENT AND DISTRUST, they actually tweeted on opposite sides of the campaign:

One Project Lakhta Twitter account, @KaniJJackson, posted on December 12, 2017: 

"Dear Alabama, You have a choice today. Doug Jones put the KKK in prison for murdering 4 young black girls.  Roy Moore wants to sleep with your teenage daughters. This isn't hard. #AlabamaSenate"

while on the same day @JohnCopper16, also a confirmed Project Lakhta Twitter account, tweeted:

"People living in Alabama have different values than people living in NYC. They will vote for someone who represents them, for someone who they can trust. Not you.  Dear Alabama, vote for Roy Moore."

@KaniJJackson was a very active voice for Lakhta.  Here are some additional tweets for that account:

"If Trump fires Robert Mueller, we have to take to the streets in protest.  Our democracy is at stake." (December 16, 2017)

"Who ended DACA? Who put off funding CHIP for 4 months? Who rejected a deal to restore DACA? It's not #SchumerShutdown. It's #GOPShutdown." (January 19, 2018)

@JohnCopper16 also tweeted on that topic: 
"Anyone who believes that President Trump is responsible for #shutdown2018 is either an outright liar or horribly ignorant. #SchumerShutdown for illegals. #DemocratShutdown #DemocratLosers #DemocratsDefundMilitary #AlternativeFacts"   (January 20, 2018)

@KaniJJackson on Parkland, Florida and the 2018 Midterm election: 
"Reminder: the same GOP that is offering thoughts and prayers today are the same ones that voted to allow loosening gun laws for the mentally ill last February.  If you're outraged today, VOTE THEM OUT IN 2018. #guncontrol #Parkland"

They even tweet about themselves, as shown in this pair of tweets!

@JemiSHaaaZzz (February 16, 2018):
"Dear @realDonaldTrump: The DOJ indicted 13 Russian nationals at the Internet Research Agency for violating federal criminal law to help your campaign and hurt other campaigns. Still think this Russia thing is a hoax and a witch hunt? Because a lot of witches just got indicted."

@JohnCopper16 (February 16, 2018): 
"Russians indicted today: 13  Illegal immigrants crossing Mexican border indicted today: 0  Anyway, I hope all those Internet Research Agency f*ckers will be sent to gitmo." 

The Russians are also involved in "getting out the vote" - especially of those who hold strongly divisive views:

@JohnCopper16 (February 27, 2018):
"Dem2018 platform - We want women raped by the jihadists - We want children killed - We want higher gas prices - We want more illegal aliens - We want more Mexican drugs And they are wondering why @realDonaldTrump became the President"

@KaniJJackson (February 19, 2018): 
"Midterms are 261 days, use this time to: - Promote your candidate on social media - Volunteer for a campaign - Donate to a campaign - Register to vote - Help others register to vote - Spread the word We have only 261 days to guarantee survival of democracy. Get to work!"

More recent tweets have been on a wide variety of topics, with other accounts expressing strong views around racial tensions, and then speaking to the Midterm elections: 

@wokeluisa (another confirmed Project Lakhta account): 
"Just a reminder that: - Majority black Flint, Michigan still has drinking water that will give you brain damage if consumed - Republicans are still trying to keep black people from voting - A terrorist has been targeting black families for assassination in Austin, Texas" 

and then, also @wokeluisa: (March 19, 2018): 
"Make sure to pre-register to vote if you are 16 y.o. or older. Don't just sit back, do something about everything that's going on because November 6, 2018 is the date that 33 senate seats, 436 seats in the House of Representatives and 36 governorships will be up for re-election." 

And from @johncopper16 (March 22, 2018):
"Just a friendly reminder to get involved in the 2018 Midterms. They are motivated They hate you They hate your morals They hate your 1A and 2A rights They hate the Police They hate the Military They hate YOUR President" 

Some of the many additional Twitter accounts controlled by the conspiracy mentioned in the Criminal Complaint: 

@UsaUsafortrump, @USAForDTrump, @TrumpWithUSA, @TrumpMov, @POTUSADJT, @imdeplorable201, @swampdrainer659, @maga2017trump, @TXCowboysRawk, @covfefeNationUS, @wokeluisa (2,000 tweets and at least 55,000 followers), @JohnCopper16, @Amconvoice, @TheTrainGuy13, @KaniJJackson, @JemiSHaaaZzz 

Sunday, September 30, 2018

FBI's Crime Data Explorer: What the Numbers Say about Cybercrime

What do the numbers say about Cybercrime? Not much. No one is using them.

There is a popular quote often mis-attributed to the hero of Total Quality Management, Edward Deming: "If you can't measure it, you can't manage it." It's one of the first things I think about every year when the FBI releases their annual Crime Statistics Report, as they just did for 2017. (The "mis-attributed" is because, for all the times he has been quoted, Deming actually said almost the exact opposite. What he actually said, in "The New Economics," was: "It is wrong to suppose that if you can't measure it, you can't manage it – a costly myth.")

Despite being a misquote, I've used it often myself.  There is no way to tell if you are "improving" your response to a crime type if you don't first have valid statistics for it.  Why the quote always pops to mind, however, is because, in the case of cybercrime, we are doing a phenomenal job of ignoring it in official police statistics.  This directly reflects the ability and the practice of our state and local law enforcement agencies to deal with online crime, hacking, and malware cases.  Want to test it yourself?  Call your local Police Department and tell them your computer has a virus.  See what happens.

It isn't for lack of law! Every State in the Union has its own computer crime law, and most of them have a category that would be broadly considered "hacking." A quick reference to all 50 states' computer crime laws is here: State Computer Crime Laws - and yet, with a mandate to report hacking to the Department of Justice, almost nobody is doing it.

You may be familiar with the Uniform Crime Report, which attempts to create a standard for measurement of crime data across the nation.  UCR failed to help us at all in Cybercrime, because it focused almost exclusively on eight major crimes that were reported through the Summary Reporting System (SRS):

murder and non-negligent homicide, rape, robbery, aggravated assault, burglary, motor vehicle theft, larceny-theft, and arson.

The data for calendar year 2017 was just released this week and is now available in a new portal, called the Crime Data Explorer.  Short-cut URL:  https://fbi.gov/cde



To capture other crime types, the Department of Justice has been encouraging the adoption of NIBRS - the National Incident-Based Reporting System.  This system primarily focuses on 52 crime categories, and gathers statistics on several more.  Most importantly for us, it includes several categories of "Fraud Crimes":

  • 2 / 26A / False Pretenses/Swindle/Confidence Game
  • 41 / 26B / Credit Card/ATM Fraud
  • 46 / 26C / Impersonation
  • 12 / 26D / Welfare Fraud
  • 17 / 26E / Wire Fraud
  • 63 / 26F / Identity Theft
  • 64 / 26G / Hacking/Computer Invasion

Unfortunately, despite being endorsed by almost every major law enforcement advocacy group, many states, including my own, are failing to participate.  The FBI will be retiring SRS in 2021, and as of September 2018, many states are not projected to make that deadline:
https://www.fbi.gov/file-repository/ucr/nibrs-countdown-flyer.pdf
In the just-released 2017 data, out of the 18,855 law enforcement agencies in the United States, 16,207 of them submitted SRS "old-style" UCR data.  Only 7,073 (42%) submitted NIBRS-style data.

Unfortunately, the situation when it comes to cybercrime is even worse.  For SRS-style reporting, all cybercrimes are lumped under "Fraud".  In 2016, SRS reported 10.6 Million arrests.  Only 128,531 of these were for "Fraud", of which cybercrime would be only a tiny portion.

Of those eight "fraud type" crimes, the 2017 data is not yet available for detailed analysis.  (Currently most of the state data sets, released September 26, 2018, limit the data in each table to only 500 rows.  Since, as an example, Hoover, Alabama, the only city in my state participating in NIBRS, has 3,800 rows of data, you can see how that filter is inadequate for state-wide analysis in fully participating states!)

Looking at the NIBRS 2016 data as a starting point, however, we can still see that we have difficulty at the state and local police level in understanding these crimes.  In 2016, 6,191 law enforcement agencies submitted NIBRS-style data.  Of those, 5,074 included at least some "fraud type" crimes.  Here's how they broke down by fraud offense.  Note: these are not the number of CRIMES committed; these are the number of AGENCIES who submitted at least one of these crimes in 2017:

type - # of agencies - fraud type description
==============================================
 2 - 4315 agencies - False Pretenses/Swindle/Confidence Game
41 - 3956 agencies - Credit Card/ATM Fraud
46 - 3625 agencies - Impersonation
12 -  328 agencies - Welfare Fraud
17 - 1446 agencies - Wire Fraud
63 -  810 agencies - Identity Theft
64 -  189 agencies - Hacking/Computer Invasion

Only 189 of the nation's 18,855 law enforcement agencies submitted even a single case of "hacking/computer invasion" during 2016!  When I asked the very helpful FBI NIBRS staff about this last year, they confirmed that, yes, malware infections would all be considered "64 - Hacking/Computer Invasion".  To explore on your own, visit the NIBRS 2016 Map.  Then under "Crimes Against Property" choose the Fraud type you would like to explore.  This map shows "Hacking/Computer Intrusion."  Where a number shows up instead of a pin, zoom the map to see details for each agency.

Filtering the NIBRS 2016 map for "Hacking/Computer Intrusion" reports
As an example, zooming in on the number in Tennessee, I can now see a red pin for Nashville.  When I hover over that pin, it shows me how many crimes in each NIBRS category were reported for 2017, including 107 cases of Wire Fraud, 34 cases of Identity Theft, and only 3 cases of Hacking/Computer Invasion:

Clicking on "Nashville" as an example

I have requested access to the full data set for 2017.  I'll be sure to report here when we have more to share.
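For readers who want to do the same counting on their own NIBRS extract, here is an added example (my own code, not anything from the FBI's Crime Data Explorer or the blog) of the two aggregations the table above keeps apart.  NIBRS is incident-based, so "how many AGENCIES reported at least one Hacking/Computer Invasion offense" and "how many such OFFENSES were reported" are different roll-ups of the same rows.  The extract, the ORIs and the counts are constructed; only the 26A-26G offense codes and descriptions come from the post.

```python
"""Added example: aggregate NIBRS-style incident rows per fraud offense code.

Two answers for every code: the number of distinct agencies that reported at
least one such offense (the blog table's metric) and the number of offenses.
"""
import csv
import io
from collections import defaultdict

# NIBRS fraud offense codes listed in the post (code -> description).
FRAUD_OFFENSES = {
    "26A": "False Pretenses/Swindle/Confidence Game",
    "26B": "Credit Card/ATM Fraud",
    "26C": "Impersonation",
    "26D": "Welfare Fraud",
    "26E": "Wire Fraud",
    "26F": "Identity Theft",
    "26G": "Hacking/Computer Invasion",
}

# Constructed extract: one row per offense, keyed by the reporting agency's ORI
# (Originating Agency Identifier).  ORIs, incident ids and counts are made up;
# 13A (aggravated assault) is included to show non-fraud rows being ignored.
SAMPLE_EXTRACT = """\
ori,incident_id,offense_code
TN0190100,1001,26E
TN0190100,1002,26E
TN0190100,1003,26G
TN0190100,1004,26F
AL0010100,2001,26A
AL0010100,2002,26G
AL0010100,2003,26G
GA0600100,3001,26B
GA0600100,3002,26A
GA0600100,3003,13A
"""


def aggregate_fraud(extract_text):
    """Return {code: (agencies_reporting, offenses_reported)} for every fraud code."""
    agencies = defaultdict(set)
    offenses = defaultdict(int)
    for row in csv.DictReader(io.StringIO(extract_text)):
        code = row["offense_code"]
        if code in FRAUD_OFFENSES:
            agencies[code].add(row["ori"])
            offenses[code] += 1
    return {code: (len(agencies[code]), offenses[code]) for code in FRAUD_OFFENSES}


def participating_agencies(extract_text):
    """Every ORI that submitted any NIBRS row at all, fraud or not."""
    return {row["ori"] for row in csv.DictReader(io.StringIO(extract_text))}


def silent_agencies(extract_text, code):
    """Participating agencies that never reported a single offense of `code`."""
    reporting = {row["ori"] for row in csv.DictReader(io.StringIO(extract_text))
                 if row["offense_code"] == code}
    return participating_agencies(extract_text) - reporting


def coverage_pct(extract_text, code, total_agencies):
    """Percent (2 decimals) of `total_agencies` that reported at least one `code`."""
    reporting, _ = aggregate_fraud(extract_text)[code]
    return round(100.0 * reporting / total_agencies, 2)


if __name__ == "__main__":
    print("code  agencies  offenses  description")
    for code, (n_agencies, n_offenses) in aggregate_fraud(SAMPLE_EXTRACT).items():
        print(f"{code:<5} {n_agencies:>8} {n_offenses:>9}  {FRAUD_OFFENSES[code]}")
    print("participants with no hacking case:", sorted(silent_agencies(SAMPLE_EXTRACT, "26G")))
    print("26G coverage of 18,855 agencies:", coverage_pct(SAMPLE_EXTRACT, "26G", 18855), "%")
```

The silent_agencies() roll-up is the one I find most telling: it lists agencies that participate in NIBRS yet never file a "64 - Hacking/Computer Invasion" case, which is a much shorter list of phone calls to make than "everyone who isn't in NIBRS."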






Sunday, September 16, 2018

Dangerous Invoices and Dangerous Infrastructure

One of the things I've learned in twenty-nine years investigating malware is that MOST bad guys are lazy and cheap.  One of the main ways that shows up is in the reuse of infrastructure.  Or, as one of my criminology friends puts it, "most criminals are caught by identifying patterns of habit and convenience."  That's why it can sometimes be useful to examine a malware sample, even if it fails to trigger due to age.  It is likely that OTHER samples are using the same infrastructure or deployment system.

My friends at Cofense published their finding last week that Microsoft Office macros are still the number one way that malware is being delivered via email, accounting for 45% of all malware delivery mechanisms they have recently studied.  Anyone with a spam collection can quickly reach that same conclusion.  A couple such campaigns even showed up in my personal email this week.

Here are three emails from consecutive days last week sent to one of my personal email domains:

A Purchase Order from "ADNOC" (Sep 6, 2018)

A Purchase Order from H&H Nails (Sep 5, 2018)

A Purchase Order from SS Braid (Sep 4, 2018)
The most convincing phish, as PhishMe and later Cofense have repeatedly demonstrated by studying what millions of customers actually click on, are those which imitate a common business practice, such as these Purchase Orders. In an attempt to be helpful, many will open a Purchase Order received in email, even if they don't recognize the company name, often as a means of directing the PO to the appropriate department.  Big Mistake!

Working from oldest to newest: 

SS BRAID PO.doc was recognized as being malicious by 33 of 59 AV vendors at VirusTotal - a helpful analysis from VMRay, linked in the comments section, tells us that the sample attempts to download "kc.exe" from the site rollboat[.]tk.
MD5: 02b6f049f4d8246ee982d8c34a160311
sale contract.doc was recognized as being malicious by 29 of 59 AV vendors at VirusTotal - and in this case, Dr.Web shared their analysis with VirusTotal, also revealing that opening the document would launch the same "kc.exe" file from rollboat as the other file.
MD5: 736de7cd6a9c76bd7df49e6b3df6000e
SHA-1: 1315994222d45410c8508cf614378e35c4f56c94


As it turns out, in the three consecutive daily email blasts identified above, each sample had two email attachments, and they were all the same attachments only with different names.
The three 386KB files all had the same hashes, and the three 176KB files also all had the same hashes.  So, for at least September 4, 5, and 6, 2018, kc.exe was the target that the malicious actor wanted us to launch on our computer.  The file is no longer available, which could stall the investigation, but let's look at Habit and Convenience.  If the actor is already hosting on rollboat[.]tk, is it not likely he'll keep doing so until someone prevents him?
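The "same attachments, different names" observation above is something a mail gateway or a spam-collection script should notice by itself.  Here is an added example (my own code, not the blog's or any vendor's) that clusters attachments by the hash of their bytes, reports which names and dates each cluster was seen under, and checks every attachment against a watch list of digests.  The watch-list values are the MD5/SHA-1 hashes published above; the attachment bodies and all file names other than the two from September 4 are constructed for illustration.

```python
"""Added example: cluster e-mail attachments by content hash and match them
against a watch list of known digests.

Keying on the hash rather than the file name shows immediately that several
days of "Purchase Order" mail carried the same two documents.
"""
import hashlib
from collections import defaultdict

# Watch list of digests taken from the post (lower-case hex, MD5 or SHA-1).
WATCHLIST = {
    "02b6f049f4d8246ee982d8c34a160311",            # SS BRAID PO.doc (MD5)
    "736de7cd6a9c76bd7df49e6b3df6000e",            # sale contract.doc (MD5)
    "1315994222d45410c8508cf614378e35c4f56c94",    # sale contract.doc (SHA-1)
}

# Constructed attachment bodies standing in for the 386KB and 176KB documents.
DOC_A = b"%CONSTRUCTED-DOC-A%" * 64
DOC_B = b"%CONSTRUCTED-DOC-B%" * 32

# Constructed message set: (date, file name, content).  Only the two Sep 4
# names appear in the post; the others are made up.
ATTACHMENTS = [
    ("2018-09-04", "SS BRAID PO.doc", DOC_A),
    ("2018-09-04", "sale contract.doc", DOC_B),
    ("2018-09-05", "HH Nails PO.doc", DOC_A),
    ("2018-09-05", "contract.doc", DOC_B),
    ("2018-09-06", "ADNOC PO.doc", DOC_A),
    ("2018-09-06", "order.doc", DOC_B),
]


def digests(content):
    """MD5 and SHA-1 of the attachment bytes, as lower-case hex."""
    return hashlib.md5(content).hexdigest(), hashlib.sha1(content).hexdigest()


def cluster_by_content(attachments):
    """Group byte-identical attachments: {sha1: {"size", "names", "dates"}}."""
    clusters = defaultdict(lambda: {"size": 0, "names": [], "dates": []})
    for date, name, content in attachments:
        _, sha1 = digests(content)
        entry = clusters[sha1]
        entry["size"] = len(content)
        entry["names"].append(name)
        entry["dates"].append(date)
    return dict(clusters)


def renamed_reuse(attachments):
    """Clusters seen under more than one file name, i.e. the
    'same bytes, new name' pattern: {sha1: sorted list of names}."""
    return {sha1: sorted(set(c["names"]))
            for sha1, c in cluster_by_content(attachments).items()
            if len(set(c["names"])) > 1}


def match_watchlist(attachments, watchlist=WATCHLIST):
    """(date, name, digest) for every attachment whose MD5 or SHA-1 is listed."""
    hits = []
    for date, name, content in attachments:
        for digest in digests(content):
            if digest in watchlist:
                hits.append((date, name, digest))
    return hits


if __name__ == "__main__":
    for sha1, c in cluster_by_content(ATTACHMENTS).items():
        print(sha1, c["size"], "bytes, seen as", c["names"], "on", c["dates"])
    print("renamed reuse:", renamed_reuse(ATTACHMENTS))
    print("watch-list hits:", match_watchlist(ATTACHMENTS))
```

Because the bodies here are constructed, match_watchlist() finds nothing against the published hashes; point it at the real attachments and the two MD5s above are exactly what it would report.  Hash matching catches yesterday's sample, while the renamed_reuse() clustering catches tomorrow's, as long as the criminal keeps sending the same document under new names.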

Each of the subdirectories contained additional malicious files.  By the directory time stamps, it's clear that this criminal continued delivering the malware that began on Sep 4, 5, and 6 at least through Sep 14th (Friday).  Since everyone needs a weekend, and business-process-imitating malware is most profitable on weekdays, the criminals haven't uploaded any new malware on Saturday September 15th or Sunday September 16th.

The leftover cnn.exe file from September 6th is well-detected (32 of 67 at VirusTotal) although Microsoft, Symantec, and TrendMicro all report the executable as "clean."  The more recent ogox.exe file from September 14th has a slightly poorer 1 in 3 detection (20 of 67 at VirusTotal), as is typical for Friday malware only 60 hours later.  (The various AV engines will all tell you that's because blah blah blah.  I'm running their code. I just infected myself with their AV running. Whatever.) 

Invoice.exe = (14 of 67 on VirusTotal) - (checks smtp.gmail.com and then self-terminates)
MD5: 1261b8382cfa2b905f0f52a3aef49ce4
SHA-1: e80c07f700cf817a1eca1f8186f820492f8a2fbc

Order.exe = (34 of 68 on VirusTotal)
MD5: 57b430ea422d1f33fef19f02fb85c7f0
SHA-1: 60a64400207fd9835899189aa0c3cbca027fe8cf

MD5: 0fa8876252c632b64afad8fd7fa6344f
SHA-1: ab372d169743758bb81abaa4bc303d5303f6d913

ogo.exe = (44 of 68 on VirusTotal)
MD5: f321b38b171a3cbc1eff4a41ac5bbe47
SHA-1: da61f88e2e95a23e58d96cf845c523fd10023cb7

Regardless of what this malware actually does, the two take-aways here?  Malware continues to spread by imitating common business practices, such as processing Invoices and Purchase Orders.  And Criminals continue to rely on Habit and Convenience, which means they are still able to be tracked by looking at their infrastructure choices.

Update

Monday morning, back to work!  Sure enough, we checked the rollboat directory for fresh files this morning:

VirusTotal 19 of 65
MD5: 793a3a5e434add85d24df212bf3a72d0
SHA-1: cedcb4b74baf0ba7b39aeea1983bd2f48586e9a4

MD5: d13f100887011e3110b224779c11594b
SHA-1: 22971ed9a43f7f8e9b8b55de9d28406bb83cffb1

VirusTotal 20 of 67
MD5: de1a7961917537084aa383fd398beac5
SHA-1: a52e447bfe24760c31142f9a3b0efc90cd7c2366

I'll also note that this morning on my Windows 10 machine running current Chrome, the file downloads were prevented - marked "This file is dangerous, so Chrome has blocked it."  When I told Chrome to let me download one anyway, Windows Defender stopped it.  Sharing information DOES help!







Friday, September 14, 2018

Interac: One Phish to Phish Them All

I recently had the pleasure of bumping into some of my Canadian friends at a Law Enforcement conference.  So when I saw someone mention a "National Bank of Canada" phish, I thought I would pull on the string a bit and see if it was actually an "Interac" phish.   Interac is a system for easily sending money between different Canadian banks. The phishers love it, because by imitating Interac, they can steal login information from any Canadian, regardless of where they bank.

By walking up to a higher directory, sure enough, the National Bank of Canada phish was just a tiny part of an underlying Interac phish hosted at 178.128.125[.]127, a Digital Ocean box in Kalívia, Attiki, Greece.


178.128.125[.]127/deposit 
We can tell by the timestamp of the directory that this is a fresh phish - created earlier this morning:


On each of the banks, clicking on their logo would take the visitor to a phishing site for that brand.  (Curiously, the HSBC link did not work for this author - it took us to the real HSBC website via a Google search.) 

ATB Phish

Desjardins Phish

Laurentian Bank (LBC) Phish

Manulife Bank Phish 

RBC Royal Bank Phish 
Quite a few of the Phish seemed to be formatted for browsing on a Smart phone: 

BMO Mobile Phish 

CIBC Mobile Phish 

Meridian Bank Phish 

Scotiabank Mobile Phish 

Simplii Financial Phish 

Tangerine Phish 

TD Bank Phish 

On most of the phishing pages after entering a Userid and Password, the phish would indicate that the deposit was no longer available by displaying an Interac Error page: 

An Interac Error page displays briefly, then forwards to the real bank
This means that the banks may be able to detect victims of this phish by looking for "referring URLs" coming from pages named "error.html", for example, in this case:

hXXp://178.128.125[.]127/deposit/banks/Laurentian/error.html

A few of the brands, such as National Bank of Canada, did ask for additional information:

National Bank of Canada Phish Validation page

After "Validating", the phish forwarded to the real site, nbc.ca, which means they also might wish to check for "referring URLs" containing "Validation" in the path, such as this one:

hXXp://178.128.125[.]127/deposit/banks/National/Validation/
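For the bank-side analysts among my readers, here is what that "referring URL" check looks like in practice, as an added example (my own code, not the blog's and not any bank's).  It parses a web server access log in Combined Log Format, which I assume is what the bank's front end writes, and returns every request whose Referer is an error.html or /Validation/ page on the phishing host named above.  The log lines are constructed; the client addresses are documentation ranges, and the phishing host and paths are the ones from this post.

```python
"""Added example: find likely victims of the Interac kit in a bank's own web
server access log by matching the Referer header against the kit's hand-off
pages (error.html for most brands, /Validation/ for National Bank of Canada).

A request for the bank's real site whose Referer points at one of those pages
is a browser arriving straight from the phish, i.e. someone who has most
likely just typed their credentials into it.
"""
import re
from urllib.parse import urlparse

# Phishing host named in the post.
PHISH_HOSTS = {"178.128.125.127"}

# Referer paths the post identified as the kit's hand-off pages.
HANDOFF_PATH = re.compile(r"/(error\.html|Validation/?)$", re.IGNORECASE)

# The brand directory sits between /deposit/banks/ and the hand-off page.
BRAND_PATH = re.compile(r"/deposit/banks/([^/]+)/", re.IGNORECASE)

# Apache/nginx "combined" log format, with Referer and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed log lines as the real bank's server might record them.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Sep/2018:09:12:01 -0400] "GET / HTTP/1.1" 200 5120 "http://178.128.125.127/deposit/banks/Laurentian/error.html" "Mozilla/5.0"
203.0.113.8 - - [14/Sep/2018:09:13:44 -0400] "GET / HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
198.51.100.23 - - [14/Sep/2018:09:15:09 -0400] "GET / HTTP/1.1" 200 5120 "http://178.128.125.127/deposit/banks/National/Validation/" "Mozilla/5.0 (iPhone)"
198.51.100.24 - - [14/Sep/2018:09:16:30 -0400] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Sep/2018:09:18:02 -0400] "GET / HTTP/1.1" 200 5120 "http://178.128.125.127/deposit/banks/Laurentian/login.html" "Mozilla/5.0"
"""


def classify_referer(referer, phish_hosts=PHISH_HOSTS):
    """Return the brand directory if `referer` is a hand-off page on a known
    phishing host, else None.  Other hosts are ignored even when the path
    matches, so the bank's own error pages never produce a hit."""
    if not referer or referer == "-":
        return None
    parsed = urlparse(referer)
    if parsed.hostname not in phish_hosts:
        return None
    if not HANDOFF_PATH.search(parsed.path):
        return None
    brand = BRAND_PATH.search(parsed.path)
    return brand.group(1) if brand else "unknown"


def find_handoff_victims(log_text, phish_hosts=PHISH_HOSTS):
    """One record (ip, ts, brand, referer) per request that arrived straight
    from a phish hand-off page.  Lines in another format are skipped."""
    victims = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        brand = classify_referer(m.group("referer"), phish_hosts)
        if brand is not None:
            victims.append({"ip": m.group("ip"), "ts": m.group("ts"),
                            "brand": brand, "referer": m.group("referer")})
    return victims


if __name__ == "__main__":
    for v in find_handoff_victims(SAMPLE_LOG):
        print(f'{v["ts"]}  {v["ip"]:<15} {v["brand"]:<12} <- {v["referer"]}')
```

Two caveats a bank would want in mind: the Referer is supplied by the victim's browser, so it is a strong lead for a password reset and a phone call rather than proof on its own, and a kit that moves to a new host or drops the Referer (for example by bouncing through an HTTPS page) will disappear from this check, so the host set needs feeding from takedown work like the one described here.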

The CIBC Mobile Phish also had some additional questions for their potential victim:

CIBC Mobile Phish Validation page

So, my Canadian friends, if you get an unanticipated request to deposit funds to your account via Interac, you might want to delay accepting that deposit!






Tuesday, September 11, 2018

IRS Call Scammers Sentenced in Texas

Back in 2016 we blogged about a major set of arrests in India and the United States related to a call center scam imitating the IRS.  (See "Major Call Center Scam Revealed - 56 Indicted")

This post is to just share an update on that case.  There have been so many arrests made and yet the fraud continues every day!  I received two IRS calls myself in the past week!

To begin, the IRS is NEVER going to call you and threaten arrest.  If you receive such a call, the investigative agency for IRS scams is TIGTA, the Treasury Inspector General for Tax Administration. You can call their scam hotline to report at 1.800.366.4484, or share details online at the IRS Impersonation Scam Reporting form.  All of the arrests below started because someone reported their scammers.  Although the form seems to be focused on people who actually lost money, even non-loss reports can be helpful.

The biggest round of arrests came on October 27, 2016, which was the focus of that "Major Call Center Scam" blog post.  The DOJ press release was titled "Dozens of Individuals Indicted in Multimillion-Dollar Indian Call Center Scam Targeting U.S. Victims".
Over the next several months, many of the criminals pled guilty.  All but two were from India, although several were now American citizens.  Each has now been sentenced for their crimes in a mass sentencing before Judge Hittner in Houston, Texas.  Below, we show their guilty plea date, where they were living and/or conducting their crime, and what the DOJ/TIGTA press release said about their guilty plea.  We feel that the sentences were fair, ranging from just over four years to 188 months (15 1/2 years).  

Just wanted to share that EVENTUALLY, Justice is served.

However, PLEASE KEEP REPORTING!  There certainly are more IRS-imitating criminals who need to go to prison!

Bharatkumar Patel (April 13, 2017) - a resident of Midlothian, Illinois - sentenced to 50 months in prison and removal to India. 


According to his plea, beginning in or about July 2013, Patel worked as a member of a crew of runners operating in the Chicago area and elsewhere throughout the country. Patel admitted to purchasing reloadable cards or retrieving wire transfers and using the misappropriated personal identifying information of U.S. citizens. Patel also admitted to opening personal bank accounts in order to receive scam proceeds and payments from defrauded victims as well as creating limited liability companies in his name to further the conspiracy. According to his plea, Patel opened one bank account that received more than $1.5 million in deposits over a one-year period and another bank account that received more than $450,000 in deposits over a five-month period.

Ashvinbhai Chaudhari (April 26, 2017) - a resident of Austin, Texas. - sentenced to 87 months in prison.


According to his plea, since in or about April 2014, Chaudhari worked as a member of a crew of runners operating in Illinois, Georgia, Nevada, Texas and elsewhere throughout the country. At the direction of both U.S. and India-based co-conspirators, often via electronic WhatsApp text communications, Chaudhari admitted to driving around the country with other runners to purchase reloadable cards registered with misappropriated personal identifying information of U.S. citizens. Once victim scam proceeds were loaded onto those cards, Chaudhari admitted that he liquidated the proceeds on the cards and transferred the funds into money orders for deposit into various bank accounts while keeping a percentage of the victim funds for himself. Chaudhari also admitted to shipping money orders purchased with victim funds to other U.S. based co-conspirators, receiving fake identification documents from an India-based co-conspirator and using those documents to receive victim scam payments via wire transfers.


Harsh Patel (May 11, 2017) - a resident of Piscataway, New Jersey. - sentenced to 82 months in prison and deportation after his sentence.


According to his plea, since around January 2015, Patel worked as a runner operating primarily in New Jersey, California and Illinois. At the direction of India-based co-conspirators, often via electronic WhatsApp text communications, Patel admitted to purchasing reloadable cards registered with misappropriated personal identifying information of U.S. citizens. Once victim scam proceeds were loaded onto those cards, Patel admitted that he liquidated the proceeds on the cards and transferred the funds into money orders for deposit into various bank accounts while keeping a percentage of the victim funds for himself. Patel also admitted to receiving fake identification documents from an India-based co-conspirator and other sources and using those documents to receive victim scam payments via wire transfers.


Nilam Parikh (May 18, 2017) - a resident of Pelham, Alabama - sentenced to 48 months in prison 


Since around December 2013, Parikh worked as a runner operating in Alabama.  In connection with her plea, Parikh admitted that, at the direction of an India-based co-conspirator, often via electronic WhatsApp text communications, Parikh purchased reloadable cards registered with misappropriated personal identifying information of U.S. citizens.  Once victim scam proceeds were loaded onto those cards, Parikh admitted that she liquidated the proceeds on the cards and transferred the funds into money orders for deposit into various bank accounts, while keeping part of the victim funds for herself as payment.  Parikh also admitted to sending and receiving scam proceeds to and from her co-conspirators via Federal Express.


Information on the next five all came from the same DOJ Press Release: "Five More Defendants Plead Guilty for their Roles in Multimillion Dollar India-Based Call Center Scam Targeting U.S. Victims".


Dilipkumar A. Patel (May 26, 2017) - a resident of Corona, California - sentenced to 108 months in prison and removal to India. 


Based on the admissions made in his May 26 guilty plea, since late 2013, Dilipkumar A. Patel operated as a runner in and around Southern California, along with other co-defendants based in the region. At the direction of India-based co-conspirators, often via electronic WhatsApp communications, Patel admitted to participating in the purchase of reloadable cards registered with the PII of U.S. citizens, and the subsequent liquidation of victim scam funds loaded to those cards by co-conspirators, while keeping a percentage of the victim funds on the cards for himself. 


Fahad Ali (May 26, 2017) - a resident of Dyer, Indiana (from Pakistan) - sentenced to 108 months in prison 


According to his guilty plea, also on May 26, beginning in or around 2013, Fahad Ali worked as a member of a crew of runners operating in the Chicago, Illinois area, the Southern District of Texas and elsewhere throughout the country. Ali admitted that he first served as a driver for an Illinois-based co-defendant engaging in activities in furtherance of the conspiracy. Ali later operated at the direction of that co-defendant and others, via various means of communication, including text messages, to purchase reloadable cards, and then liquidate victim scam proceeds placed on those cards by India-based co-conspirators, in exchange for recurring payments. Ali also admitted to using false identification documents to receive wire transfers from victims of the fraud.


Hardik Patel (June 2, 2017) - a resident of Arlington Heights, Illinois - sentenced to 188 months in prison and removal to India upon completion of the sentence.

Based on the statements in his June 2 guilty plea, beginning in August 2012, Hardik Patel owned and managed the day-to-day operations of an India-based scam call center before later leaving for the U.S. While in India, in his capacity as a manager, Hardik Patel communicated extensively via email, text, and other means with various India-based co-defendants to operate the scheme and exchange scripts used in the scheme, coordinate the processing of payments from scammed victims, obtain and exchange lead lists used by callers to target U.S. victims, and exchange spreadsheets containing the personal identifying information (PII) of U.S. persons misappropriated by the scammers to register reloadable cards used in the scheme. Hardik Patel also managed worker payroll and kept detailed records of profits and expenses for various associated scam call centers. Hardik Patel continued to communicate with India-based co-defendants about the scheme and assist with the conspiracy after he moved to the U.S. 



Rajubhai Patel (June 2, 2017) - a resident of Willowbrook, Illinois - sentenced to 151 months in prison 


According to his June 6 guilty plea, Rajubhai Patel operated as a runner and assisted a co-defendant in managing the activities of a crew of other runners, based primarily out of Illinois, who liquidated victim funds in various locales in the U.S. for conspirators from India-based call centers. Rajubhai Patel communicated about the liquidation of scam funds via electronic WhatsApp communications with domestic and India-based co-defendants, purchased reloadable cards registered using the misappropriated PII of U.S. citizens that were later used to receive victims’ funds, and used those cards to purchase money orders and deposit them into various bank accounts of co-defendants and others as directed. Rajubhai Patel also admitted to creating and maintaining spreadsheets that detailed deposits, payments to co-conspirators, expenses and profits from the scheme.


Viraj Patel (June 2, 2017) - a resident of Anaheim, California - sentenced to 165 months in prison and removal to India.


According to admissions made in his June 2 guilty plea, Viraj Patel first became involved in the conspiracy between April and September 2013, prior to entering the U.S., when he worked at and assisted with overseeing the operations of a call center in India engaging in scam activity at the behest of a co-defendant. After entering the U.S., beginning in December 2014 Viraj Patel engaged in additional activities in support of the scheme in exchange for a cut of the profits, including serving as a processor of scam victim payments and as a runner engaging in the purchase and liquidation of cards loaded with victim scam funds. Viraj Patel communicated with various India-and U.S.-based co-defendants in furtherance of the conspiracy, and also obtained and circulated lead lists to his co-conspirators containing the PII of U.S. citizens for use by the call centers in targeting victims of the various fraud schemes and to register reloadable cards used to launder the proceeds of the schemes.  


Bhavesh Patel (July 7, 2017) - a resident of Gilbert, Arizona and Alabama - sentenced to 121 months in prison.


According to Bhavesh Patel’s guilty plea, beginning in or around January 2014, Bhavesh Patel managed the activities of a crew of runners, directing them to liquidate victim scam funds in areas in and around south and central Arizona per the instructions of conspirators from India-based call centers. Patel communicated via telephone about the liquidation of scam funds with both domestic and India-based co-defendants, and he and his crew used reloadable cards containing funds derived from victims by scam callers to purchase money orders and deposit them into various bank accounts as directed, in return for percentage-based commissions from his India-based co-defendants. Patel also admitted to receiving and using fake identification documents, including phony driver’s licenses, to retrieve victim scam payments in the form of wire transfers, and providing those fake documents to persons he managed for the same purpose.


Asmitaben Patel (July 7, 2017) - a resident of Willowbrook, Illinois - (previously sentenced to 24 months) 


Based on admissions in Asmitaben Patel’s guilty plea, beginning in or around July 2013, Asmitaben Patel served as a runner liquidating victim scam funds as part of a group of conspirators operating in and around the Chicago area. At the direction of a co-defendant, Patel used stored value cards that had been loaded with victim funds to buy money orders and deposit them into various bank accounts, including the account of a lead generating business in order to pay the company for leads it provided to co-conspirators that were ultimately used to facilitate the scam.


The next seven criminals' guilty pleas were announced by the Department of Justice on November 13, 2017 in their press release:  "Last Defendant in the United States Pleads Guilty in Multimillion Dollar India-Based Call Center Scam Targeting U.S. Victims"


Miteshkumar Patel (November 13, 2017) - a resident of Willowbrook, Illinois - sentenced to 240 months.


Based on admissions in Miteshkumar Patel’s plea, beginning in or around 2013, Miteshkumar Patel managed a crew of a half dozen domestic runners involved in the criminal scheme, liquidating as much as approximately $25 million in victim funds for conspirators from India-based call center and organizational co-defendant HGLOBAL.  Patel communicated about the fraudulent scheme with various domestic and India-based co-defendants via email, text messaging and WhatsApp messaging.  Miteshkumar Patel and his runners purchased reloadable GPR cards that were registered using the misappropriated personal identifying information (PII) of unsuspecting victims that were later used to receive victims’ funds, and used those reloadable cards containing victims’ funds to purchase money orders and then deposit those money orders into bank accounts, as directed, while keeping a portion of the scam proceeds as profit.  Miteshkumar Patel also trained the runners he managed on how to conduct the liquidation scheme, provided them with vehicles to conduct their activities in Illinois and throughout the country, and directed a co-defendant to open bank accounts and limited liability companies for use in the conspiracy.  Miteshkumar Patel further admitted to using a gas station he owned in Racine, Wisconsin to liquidate victim funds, and possessing and using equipment at his Illinois apartment to make fraudulent identification documents used by co-defendant runners in his crew to receive wire transfers directly from scam victims and make bank deposits in furtherance of the conspiracy.


Raman Patel (age 82) (November 13, 2017) - a resident of Gilbert, Arizona - (previously sentenced in Phoenix, Arizona to probation, in consideration of his age and his cooperation.)

According to admissions in Raman Patel’s guilty plea, from in or around 2014, Patel served as a domestic runner in and around south-central Arizona, liquidating victim scam funds per the instructions of a co-defendant.  Patel also served as a driver for two co-defendants in furtherance of their GPR liquidation and related activities and sent bank deposit receipts related to the processing of victim payments and fraud proceeds to an India-based co-defendant via email and document scan services offered at various retail stores.

Sunny Joshi of Sugar Land, Texas - sentenced to 151 months in prison for money laundering conspiracy, and 120 months in prison for naturalization fraud.

Rajesh Bhatt of Sugar Land, Texas - sentenced to 145 months in prison and removal to India.


Based on admissions in Joshi and Bhatt’s guilty pleas, beginning in or around 2012, Joshi and Bhatt worked together as runners in the Houston, Texas area along with a co-defendant.  They admitted to extensively communicating via email and text with, and operating at the direction of, India-based conspirators from organizational co-defendant CALL MANTRA call center to liquidate up to approximately $9.5 million in victim funds, including by purchasing GPR cards and using those cards, funded by co-conspirators with scam victim funds, to purchase money orders and deposit them in third party bank accounts, while keeping a percentage of the scam proceeds for themselves as profit.  Joshi has also agreed to plead guilty to one count of naturalization fraud pursuant to a federal indictment obtained against him in the Eastern District of Louisiana, based on fraudulently obtaining his U.S. citizenship.


Jagdishkumar Chaudhari of Montgomery, Alabama - sentenced to 108 months in prison and removal to India.


Jagdishkumar Chaudhari admitted in his plea that between April 2014 and June 2015, he worked as a member of a crew of runners operating in the Chicago area and elsewhere throughout the country, at the direction of Miteshkumar Patel and others.  In exchange for monthly cash payments, Jagdishkumar Chaudhari admitted to driving to hundreds of retail stores to purchase GPR cards to be loaded with victim funds by co-conspirators in India, purchasing money orders with GPR cards that had been funded with victim proceeds, depositing money orders purchased using victim scam proceeds at various banks, and retrieving wire transfers sent by victims of the scheme.  Jagdishkumar Chaudhari is an Indian national with no legal status in the United States, and has agreed to deportation after he serves his sentence as a condition of his guilty plea.


Praful Patel of Fort Myers, Florida - sentenced to 60 months in prison 


In his plea, Praful Patel admitted that between in or around June 2013 and December 2015, he was a domestic runner who liquidated funds in and around Fort Myers, Florida for conspirators from India-based call center and organizational co-defendant HGLOBAL.  Praful Patel communicated extensively via WhatsApp texts with his conspirators.  For a percentage commission on transactions he conducted, Praful Patel admitted to purchasing reloadable GPR cards that were registered using the misappropriated PII of unsuspecting victims that were later used to receive victims’ funds, using those reloadable GPR cards containing victims’ funds to purchase money orders and depositing those money orders into bank accounts as directed, and using fake identity documents to receive wire transfers from victims.


Jerry Norris of Oakland, California - sentenced to 60 months in prison 


According to Norris’ guilty plea, beginning in or around January 2013 continuing through December 2014, he was a runner who worked with conspirators associated with India-based call center and organizational co-defendant HGLOBAL, and was responsible for the liquidation of victim scam funds in and around California.  Norris admitted he communicated extensively via WhatsApp and email with India-based co-defendants including Sagar “Shaggy” Thakar, purchased GPR cards used in the scheme, sent lead lists to conspirators in India that were then used by callers located in the call centers to target potential victims in the telefraud scheme, received scam proceeds via wire transfers using fictitious names, and laundered scam proceeds from GPR cards via ATM withdrawals.


Others sentenced whose guilty pleas were not mentioned above include: 


Montu Barot - 60 months in prison and removal to India after sentence

Rajesh Kumar - 60 months in prison 


Nilesh Pandya - sentenced to three years probation 


Dilipkumar R. Patel of Florida - sentenced to 52 months in prison 


Nisarg Patel of New Jersey - sentenced to 48 months in prison and removal to India.


Dipakkumar Patel, of Illinois, was sentenced to 51 months by Judge Eleanor Ross in Atlanta, Georgia.