Sunday, August 18, 2019

Lauded Nigerian Entrepreneur may be a BEC Yahoo Boy


Obinwanne Okeke: The Entrepreneur

Obinwanne Okeke, 31-year-old CEO and Founder of Invictus Group, is frequently lauded as a success story.  At age 28, Forbes Africa featured him in their June 2016 issue under the title "Africa's Most Promising Entrepreneurs: Forbes Africa's 30 Under 30 for 2016".

Although the 30 are "in no particular order", Obinwanne was one of the two selected to appear on the cover of that month's Forbes Africa:

The Forbes profile described Okeke like this:
Okeke could not fail his mother. A promise meant hard work and dreaming big.  He was raised in Ukpor village, 790 kilometers from Nigeria’s capital, Abuja, as the 17th child of a polygamous father. He went to boarding school aged 10, lost his father at 16 and moved from one relative to another. He named his company Invictus after one of Nelson Mandela’s favorite poems, by William Ernest Henley, about the undefeated and unconquerable soul of a hard worker, from an impoverished background, who will not give up.
Invictus is in construction, agriculture, oil and gas, telecoms and real estate. He has 28 permanent and 100 part-time employees across nine companies.
He was also selected to speak at the Lagos TEDx Yaba conference, where his topic was "DNA of the Nigerian Entrepreneur ... The Resilience Needed" (photo from his company website - invictus.com.ng): 

Invictus.com.ng

Obinwanne also was featured on Forbes' "YoungMoney" ... and the BBC's "Rising Star" ...

Full interview at BBC Africa's Facebook page
The BBC interview gave some of Obi's background.  He says that he started an IT company at age 16 while still in the village, printing business cards and making websites.  With this money he bought the finest bicycle in the village. Later, he was accepted to study at Monash University, where he studied International Business and Counter-Terrorism.  He says that he was fascinated with Criminology, which is interesting in hindsight.

Obinwanne Okeke: The BEC Criminal / Yahoo Boy


According to court records available on PACER, Okeke was arrested in Dulles, Virginia on August 6, 2019.  Let's just walk through the Criminal Complaint that was used to justify the arrest warrant:

Okeke was charged with Conspiracy to Commit Computer Fraud and Wire Fraud (18 USC sections 1030 and 1349).

In June 2018, Unatrac Holding Limited, the export sales office for Caterpillar heavy industrial and farm equipment, headquartered in the UK, contacted the FBI, reporting that Unatrac had been scammed out of $11 Million USD.  Unatrac's Chief Financial Officer fell for a phishing email that contained a login link to a fake Microsoft Office365 website.  When the CFO entered his userid and password, it was sent to the criminals.  Between April 6 and April 20, 2018, the CFO's account was logged into from IP addresses mostly in Nigeria on 464 different occasions.

One key behavior of recent BEC scams was also present in this one.  On seven different occasions, someone modified Outlook Office365 rules to intercept legitimate emails to and from employees on the financial teams, mark them as "read" and move them to another folder outside the inbox.  The complaint says "These rules appeared to have been created in an attempt to hide from the CFO any responses from the individuals to whom the intruder was sending fabricated emails."
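The rule pattern the complaint describes (mark as read, move out of the Inbox, scoped to replies from finance staff) is easy to audit once rules are exported. The following is an added example, not code from the original post; the rule records are constructed to resemble the fields returned by Exchange Online's Get-InboxRule cmdlet, and the folder and keyword lists are assumptions.

```python
"""Audit Outlook / Exchange Online inbox rules for the hiding pattern used in the
Unatrac BEC: mark as read + move out of the Inbox, scoped to finance mail.
Added example, not from the original post; sample rules are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FINANCE_WORDS = {"invoice", "payment", "wire", "remittance", "swift", "bank"}
# Folders a user rarely opens; intruders park intercepted replies there.
LOW_VISIBILITY_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                          "archive", "junk email", "deleted items"}


@dataclass
class InboxRule:
    """Subset of Get-InboxRule fields (assumed names, mirroring the cmdlet)."""
    name: str
    enabled: bool = True
    mark_as_read: bool = False
    move_to_folder: Optional[str] = None
    delete_message: bool = False
    forward_to: List[str] = field(default_factory=list)
    subject_contains: List[str] = field(default_factory=list)
    from_contains: List[str] = field(default_factory=list)


def assess_rule(rule: InboxRule, internal_domain: str) -> List[str]:
    """Return the reasons a rule looks like BEC tradecraft (empty list = benign)."""
    reasons: List[str] = []
    if not rule.enabled:
        return reasons
    folder = (rule.move_to_folder or "inbox").lower()
    hides = rule.delete_message or folder != "inbox"
    if hides and rule.mark_as_read:
        reasons.append("marks messages read and removes them from the Inbox")
    elif folder in LOW_VISIBILITY_FOLDERS:
        reasons.append(f"moves messages to rarely viewed folder '{rule.move_to_folder}'")
    external = [a for a in rule.forward_to
                if not a.lower().endswith("@" + internal_domain)]
    if external:
        reasons.append("forwards to external address: " + ", ".join(external))
    # Scoping conditions only matter when the rule also hides or diverts mail.
    if hides or external:
        hits = {w.lower() for w in rule.subject_contains} & FINANCE_WORDS
        if hits:
            reasons.append("scoped to finance keywords: " + ", ".join(sorted(hits)))
        colleagues = [a for a in rule.from_contains
                      if a.lower().endswith("@" + internal_domain)]
        if colleagues:
            reasons.append("scoped to mail from internal colleagues: " + ", ".join(colleagues))
    return reasons


def audit_rules(rules: List[InboxRule], internal_domain: str) -> Dict[str, List[str]]:
    """Map each suspicious rule name to its reasons; benign rules are omitted."""
    findings: Dict[str, List[str]] = {}
    for rule in rules:
        reasons = assess_rule(rule, internal_domain)
        if reasons:
            findings[rule.name] = reasons
    return findings


# Constructed sample: one rule modeled on the complaint, one benign rule, one forwarder.
SAMPLE_RULES = [
    InboxRule(name="..", mark_as_read=True, move_to_folder="RSS Subscriptions",
              subject_contains=["invoice", "payment"],
              from_contains=["ap-clerk@example.com", "controller@example.com"]),
    InboxRule(name="Newsletters", move_to_folder="Newsletters",
              from_contains=["news@vendor-newsletter.example"]),
    InboxRule(name="Backup", forward_to=["personal.mailbox@gmail.com"]),
]

if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES, "example.com").items():
        print(f"[suspicious] {name!r}: " + "; ".join(reasons))
```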

With full access to the CFO's accounts, the intruders stole invoices, invoice templates, and logos, and used them to create fraudulent invoices, sent from external addresses to the CFO, and then forwarded "by the CFO" to the financial team for payment.  One such example email was received on April 19, 2018 from pakfei.trade@gmail.com.  The email was forwarded two minutes later to the finance team with instructions to pay.

From April 11 through April 19, the finance team made 15 fraudulent payments, including three invoices for "Pak Fei Trade Limited" in the amounts of $278,270.66, $898,461.17, and $1,957,100.00.  Altogether, $11 million USD was sent out of the company.

Documents related to the CFO's travel schedule and the company's tax filings were also stolen, forwarded to the email address "iconoclast1960@gmail.com."  WHOIS queries run by the FBI indicated that the email address was used to create fraudulent "clones" of real companies' websites.  One example they give is "emmarlndustries.com" -- where the "I" in Industries is actually a lowercase "L".  The real domain is owned by ASM International Trading in Dubai.  Other domains, not mentioned in the affidavit, but also registered by this address, include "hmlsho-group.com" and "western-chem.net" and ".com".

Search warrants for the email addresses of iconoclast1960 revealed additional frauds, including a $108,470.55 payment received by the Red Wing Shoe Company in Minnesota.  They were victimized in a very similar way.  More than 600 additional phished userids and passwords were recovered in the gmail, along with photos of passports and driver's licenses.  

Chats between iconoclast1960 and others dating from December 2017 to November 2018 reveal the scammer interacting with people who are making his phishing sites for him, including a Docusign phishing site.  The iconoclast1960 email account also sent and received emails containing phishing kits, such as one called "microsoft.zip" where the file "verify.php" contained code to email stolen credentials to a redacted email address.

The iconoclast1960 gmail account used a recovery email address of "alibabaobi@gmail.com".  This address shared a login session cookie with several additional accounts, including "obinwannem@gmail.com".  This means that the person who logged in to Gmail as "alibabaobi" had also logged in to Gmail, from the same computer, using the Gmail account "obinwannem".  

The Obinwannem gmail account also belongs to the Nairaland.com user "InvictusObi" and to the Twitter user "@invictusobi."  The Twitter page provides repeated links to an Instagram account for InvictusObi as well.  Both the Twitter and Instagram page provide many proofs that these accounts belong to Obinwanne Okeke, the CEO of Invictus Group.

Gmail, Twitter, and Instagram all log the IP addresses from which users access their accounts.  When Okeke posted on Instagram that he was visiting Seychelles, Google's logs showed that iconoclast1960@gmail was logging in from 197.157.125.89, in Seychelles.  When Okeke was posting on Instagram that he was visiting London on April 20, 2018, the iconoclast1960@gmail account was logging in from 167.98.28.227.  When Okeke said he was visiting the United States, specifically Washington, DC, the iconoclast1960@gmail account was logging in from 68.33.78.173, a ComCast IP address in Washington, DC.

For further evidence, Okeke posted information that he had been hospitalized following a recovery from surgery.  The FBI agents searched the Google chat logs for Iconoclast1960 and found that he was mentioning in the chats "ive been in hospital. im back in nigeria but still resting."


The FBI agent also found multiple instances where the iconoclast1960 gmail account forwarded emails with attachments to the invictusobi@icloud.com account.  Search warrants were also executed for that account, as well as obinwannem@gmail and alibabaobi@gmail.

Searches through older FBI case files show additional previous frauds conducted in the same manner using the same email addresses, dating all the way back to 2015.  

The FBI agent ended his affidavit by showing that Obinwanne Okeke has a Nigerian Passport A50254005 and uses a Visa for entry to the United States "once or twice a year."  At the time, he was in the country, scheduled to depart on August 6, 2019.  

Presumably that is how they knew where to find him at Dulles Airport in Virginia to arrest him as he attempted to leave the country.  That must have been a nice collar for the FBI agent who had spent all that time investigating to be able to pick him up in person!

Tuesday, July 23, 2019

FinCEN: BEC far worse than previously believed

Last week FinCEN, the Financial Crimes Enforcement Network, put out a new advisory with information about Business Email Compromise and it is far worse than has been previously disclosed.
FinCEN Advisory: FIN-2019-A005

The FBI's Internet Crimes Complaint Center (IC3.gov) has previously called BEC a $12 Billion Scam.  As we shared in April in our post IC3.gov: BEC Compromises and Romance Fraud 2018, IC3.gov documented that during calendar 2018 $1.2 Billion was stolen from 19,140 companies just in the United States.  That averages out to $3.3 Million being stolen each day with 52 U.S.-based businesses falling victim each day.  But the IC3.gov reports are based on actual reports received from victims who fill out a Complaint Form on the IC3.gov website. We strongly encourage victims to report at IC3.gov, as it offers the ability to provide many additional investigative details.

Victims are STRONGLY encouraged to report at IC3.gov! 
The FinCEN approach was able to use a different intelligence source to gather their numbers and what they found was far worse than what the FBI has reported.  From October 2013 until May 2018, the FBI's IC3.gov gathered reports of $12 Billion in fraud, from all sources, both domestically and internationally.   FinCEN's previous BEC advisory shared that from 2013 to 2016, FinCEN had identified 22,000 cases of Business E-mail Compromise and E-mail Account Compromise with $3.1 billion in losses, or roughly $1 Billion per year.  The September 6, 2016 advisory was "Advisory to Financial Institutions on E-Mail Compromise Fraud Schemes [FIN-2016-A003]".  FinCEN's current advisory states that the new information is complementary to the 2016 advisory, and that the 2016 advisory contains many important details that will still be helpful to consumers and business account holders alike.

United States Businesses and Consumers have suffered $9 Billion in BEC Fraud Attempts since September 2016!
By comparison, FinCEN reports that  JUST SINCE September 2016 they have been able to document 32,000 cases of attempted theft via BEC fraud schemes totaling $9 Billion in theft attempts.  The rate of loss has increased by three-fold!  $9 Billion since September 2016 is approximately $8.7 MILLION DOLLARS PER DAY!!!

Some of the current top trends include:

Top Sectors Targeted in BEC:

1. Manufacturing and construction (25% of all cases)
2. Commercial services (18% of all cases)
3. Real Estate (16% of all cases)

The impersonation of top executives is still a major method of social engineering in these email attacks.  50% of attacks use an email claiming to be a CEO or President of the company.

Other Top Targets by Value in BEC: 
1. Governments - many governments have been targeted, especially small municipal government offices.  Targets often include pension funds, payroll accounts, and contracted services (which may be matters of public record.)  Vendor impersonation in the latter case is especially prevalent.

2. Educational Institutions - Just in 2016 - 160 incidents attempted to steal $50 million from educational institutions, and while in 2017, only 2% of attacks were against schools, the dollar value was far higher than average.  Tuition payments, endowments, grants, and renovation and construction costs are all high value transactions often conducted online.  Again, watch for vendor impersonation! Large-scale construction and renovation projects are often publicly announced, attracting scammers to the same projects.

3. Financial Institutions - while not a high percentage by sector, the attempted theft against FIs themselves often includes very high dollar values.  These often come in the form of SWIFT payment requests (used in international wire transfers.)

The First Hop is Domestic
While previous advisories mentioned that money is often sent overseas, it is important to understand that the INITIAL transfer of funds will likely stay domestic.  A person recruited as a money mule will often have opened the intermediary account in their own name or the name of a fraudulent business they have created for the purpose.  AFTER the first hop, the money still is likely to quickly move to China, Hong Kong, the United Kingdom, Mexico, or Turkey.  Often these money mules are recruited through Romance Scams, however others join willingly knowing they are going to earn a commission helping to launder money for criminals.  This quick "wire in - wire out" is referred to in the criminal world as "wire-wire jobs" and is the inspiration of the FBI and USSS's "Operation: Wire Wire" that we blogged about in a series of articles in June of 2018:
One other blog post of ours that "walks through" a case, end-to-end, including the mule's role:
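The "wire in - wire out" pattern above is mechanical enough to score from a transaction ledger: a nominal opening deposit, a large incoming wire, and most of it leaving within days toward the second-hop jurisdictions FinCEN names. The following is an added example, not code from the original post or from FinCEN; the ledger is constructed (the first account is modeled on the Rosado timeline in the WireWire post below), and the thresholds are assumptions.

```python
"""Score an account for the 'wire in - wire out' money-mule pattern.
Added example, not from the original post; the ledger and thresholds are
constructed for illustration."""
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Jurisdictions FinCEN lists as the usual second hop after the domestic mule account.
HIGH_RISK = {"CN", "HK", "GB", "MX", "TR"}

# (account, date, type, amount, counterparty country)
Txn = Tuple[str, date, str, float, str]

LEDGER: List[Txn] = [
    ("8775", date(2017, 8, 7), "deposit", 25.00, "US"),
    ("8775", date(2017, 8, 18), "wire_in", 105000.00, "US"),
    ("8775", date(2017, 8, 21), "cash_out", 7500.00, "US"),
    ("8775", date(2017, 8, 21), "wire_out", 44700.00, "CN"),
    ("8775", date(2017, 8, 21), "wire_out", 39988.00, "CN"),
    ("8775", date(2017, 8, 22), "cash_out", 8800.00, "US"),
    # An ordinary small-business account for comparison (constructed).
    ("1234", date(2017, 1, 3), "deposit", 2500.00, "US"),
    ("1234", date(2017, 3, 1), "wire_in", 4000.00, "US"),
    ("1234", date(2017, 3, 2), "wire_out", 600.00, "US"),
    ("1234", date(2017, 3, 10), "cash_out", 300.00, "US"),
]


def mule_indicators(ledger: List[Txn], account: str,
                    window_days: int = 5, outflow_threshold: float = 0.8) -> Dict:
    """Return flags plus the two ratios that drive them for one account."""
    empty = {"flags": [], "outflow_fraction": 0.0, "high_risk_share": 0.0}
    txns = sorted((t for t in ledger if t[0] == account), key=lambda t: t[1])
    wires_in = [t for t in txns if t[2] == "wire_in"]
    if not txns or not wires_in:
        return empty
    opening, first_wire = txns[0], wires_in[0]
    inbound = sum(t[3] for t in wires_in)
    # Money leaving within the window after the first incoming wire.
    window_end = first_wire[1] + timedelta(days=window_days)
    outflows = [t for t in txns if t[2] in ("wire_out", "cash_out")
                and first_wire[1] <= t[1] <= window_end]
    out_total = sum(t[3] for t in outflows)
    high_risk = sum(t[3] for t in outflows if t[2] == "wire_out" and t[4] in HIGH_RISK)
    outflow_fraction = out_total / inbound
    high_risk_share = high_risk / out_total if out_total else 0.0

    flags: List[str] = []
    if (opening[2] == "deposit" and opening[3] < 100
            and (first_wire[1] - opening[1]).days <= 30):
        flags.append("new account opened with nominal deposit shortly before a large wire")
    if outflow_fraction >= outflow_threshold:
        flags.append(f"{outflow_fraction:.0%} of inbound wires left within {window_days} days")
    if high_risk_share >= 0.5:
        flags.append(f"{high_risk_share:.0%} of rapid outflow wired to high-risk jurisdictions")
    return {"flags": flags, "outflow_fraction": round(outflow_fraction, 3),
            "high_risk_share": round(high_risk_share, 3)}


if __name__ == "__main__":
    for acct in ("8775", "1234"):
        print(acct, mule_indicators(LEDGER, acct))
```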
Vulnerable Business Processes Compromised
FinCEN states that "BEC perpetrators identify processes vulnerable to compromise, whether through openly available information about their targets or through cyber-enabled reconnaissance efforts (enabled through methods such as spear phishing or malware), and then insert themselves into communications by impersonating a critical player in a business relationship or transaction."

These scams are enabled by "weaknesses in the victim's authorization and authentication protocols." 

The most common type of scam simply involves a request to change the payment destination of an already approved transaction.  If your business would allow someone to change where a six- or seven-figure payment is being sent on the strength of a single email, you are far more likely to be chosen as a victim than someone who requires rigorous vetting of such a change.

Opportunities for Information Sharing Related to BEC Fraud
The USA PATRIOT Act provides the ability for financial institutions to share information with one another to stop money laundering.  These requests are known as 314(b) requests and are specifically protected forms of information sharing.  (Fun fact: Did you know USA PATRIOT is an acronym?  "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism.")  Click the image below to download the FinCEN 314(b) Fact Sheet.

https://www.fincen.gov/sites/default/files/shared/314bfactsheet.pdf

WHAT SHOULD WE SHARE?

If you are asked to wire funds or change a payment destination or otherwise gain information about a BEC Scam, FinCEN shares particular information about what details would be most helpful to law enforcement: 

Transaction details: 
1) Dates and amounts of suspicious transactions; 
2) Sender’s identifying information, account number, and financial institution; 
3) Beneficiary’s identifying information, account number, and financial institution; and 
4) Correspondent and intermediary financial institutions’ information, if applicable. 

Scheme details: 
1) Relevant email addresses and associated Internet Protocol (IP) addresses with their respective timestamps; 
2) Description and timing of suspicious email communications and any involved compromised or impersonated parties; and 
3) Description of related cyber-events and use (or compromise) of particular technology in the conduct of the fraud. For example, financial institutions should consider including any of the following information or evidence related to the email compromise fraud: 
   a) Email auto-forwarding 
   b) Inbox sweep rules or sorting rules set up in victim email accounts 
   c) A malware attack 
   d) The authentication protocol that was compromised (i.e., single-factor or multi-factor, one-step or multi-step, etc.)
For those who have the ability to file a SAR (a Suspicious Activity Report), FinCEN also requests that you choose SAR Field 42 (Cyber Event) for all of these scams, but then mark the scam with the key terms either "BEC FRAUD" or "EAC FRAUD" to differentiate between business victims and personal account victims.  Here is their guidance on both terms:

Email Compromise Fraud: Schemes in which 1) criminals compromise the email accounts of victims to send fraudulent payment instructions to financial institutions or other business associates in order to misappropriate funds or value; or in which 2) criminals compromise the email accounts of victims to effect fraudulent transmission of data that can be used to conduct financial fraud. The main types of email compromise, the definitions of which have been modified to reflect the expansion of victims being targeted, include: 

Business Email Compromise (BEC): Targets accounts of financial institutions or customers of financial institutions that are operational entities, including commercial, non-profit, nongovernmental, or government entities. 

Email Account Compromise (EAC): Targets personal email accounts belonging to an individual.


Saturday, June 29, 2019

TrickBot: New Injects, New Host


What’s in the Name: Call it IcedID or TrickBot? Tell that to a security researcher (Arsh Arora in this case) and watch them RANT

(Gar-note: today's blog post is a guest blog from malware analyst, Arsh Arora...) 

Today’s post starts with an interesting link from Dawid Golak's Medium post: “IcedID aka# Bokbot Analysis with Ghidra”, which mentions that IcedID is dropping TrickBot. Although the article is about IcedID, it gets confusing quickly, because the researcher, while looking for IcedID artifacts, instead finds TrickBot artifacts. A big question that still remains for the security industry is how to classify the malware: by the originator or by the binary that is being dropped. We followed up on the sample he mentioned and saw the same thing.  This is definitely TrickBot.

First Stage – Sample Collection from Virus Total Intelligence

In the "AnyRun Analysis" linked to by Dawid, the TrickBot binary was downloaded from “54.36.218[.]96 (slash) tin[.]exe”
Fig 1: TrickBot Sample

Second Stage – Sample Execution

After the execution in a virtual environment, I was able to see TrickBot behavior similar to what we have documented in the past in our post "Trickbot's New Magic Trick: Sending Spam":

A large number of config files and dlls were loaded into Roaming/netcache/Data, a unique behavior of the TrickBot binary.

Fig 2: Configs and Dlls Loaded

Third Stage – Open Firefox and visit different Bank websites

It is often the case that to get any banking trojan to co-operate with the researcher, some initiation from the researcher side is needed. Due to past experience, I have learned that one needs to open up a browser and visit different bank websites to activate the banking trojan. The trojan resists until instigated by visits to these pages. I visited close to 20 different bank websites and was able to obtain injects from 7 of those bank websites. The injects and admin login panels of the websites are as follows.

Name of Bank    | Admin Login Panel                                  | IP             | Location
----------------|----------------------------------------------------|----------------|---------------
Bank of America | https://aefaldnessliverhearted[.]com/load/         | 185.242.6.245  | AS9009, Prague
Chase           | https://aefaldnessliverhearted[.]com/load/         | 185.242.6.245  | AS9009, Prague
Citi            | https://remirollerros[.]com/legr/                  | 109.234.37.246 | AS48282, RU
USAA            | https://onlylocaltrade[.]com/lob.php               | 185.87.187.198 | AS48635, NL
Wells Fargo     | https://wellsfargostrade[.]com/2wells2             | 185.36.189.143 | AS50673, NL
PNC             | https://wellsfargostrade[.]com/pncadmin/index.php  | 185.36.189.143 | AS50673, NL
53 Bank         | https://wellsfargostrade[.]com/53repadmin2         | 185.36.189.143 | AS50673, NL

When infected, viewing the source code while visiting one of the banks is all that is needed to identify the data exfiltration destination.  Some examples follow from this infection run:
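Reading the source by eye works for one page; for a batch of saved pages from an infected browser the same check can be scripted: list every script, form target, frame or image whose host is not the bank's own. This is an added example, not code from the original post; the HTML is constructed and the off-site host is a placeholder, not one of the panels in the table above.

```python
"""Find resources and form targets in saved page source that point outside the
bank's own domain, the way a TrickBot web inject's exfiltration host shows up
in 'view source'.  Added example, not from the original post; HTML is constructed."""
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Tag -> attribute that carries a URL worth checking.
WATCHED = {"script": "src", "form": "action", "iframe": "src", "img": "src", "link": "href"}


def registrable(host: str) -> str:
    """Crude 'last two labels' domain (does not handle co.uk-style suffixes)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


class OffOriginFinder(HTMLParser):
    """Collects (tag, attribute, url) for every off-domain reference."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_domain = registrable(page_host)
        self.findings: List[Tuple[str, str, str]] = []
        self.in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and "src" not in attrs:
            self.in_inline_script = True  # body arrives via handle_data
        attr = WATCHED.get(tag)
        url = attrs.get(attr) if attr else None
        if not url:
            return
        host = urlparse(url).hostname  # None for relative paths like /login
        if host and registrable(host) != self.page_domain:
            self.findings.append((tag, attr, url))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_inline_script = False

    def handle_data(self, data):
        # Injected inline JS usually names its collection endpoint as a literal.
        if self.in_inline_script:
            for m in re.finditer(r"https?://([A-Za-z0-9.-]+)", data):
                if registrable(m.group(1)) != self.page_domain:
                    self.findings.append(("script-inline", "url", m.group(0)))


def find_off_origin(html: str, page_host: str) -> List[Tuple[str, str, str]]:
    parser = OffOriginFinder(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed login page: legitimate same-domain assets plus an injected script,
# a hijacked form action and an inline endpoint on a placeholder host.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://static.bank.example/css/login.css">
<script src="https://static.bank.example/js/app.js"></script>
<script src="https://panel-placeholder.invalid/load/inject.js"></script>
</head><body>
<form action="/login" method="post"><input name="user"><input name="pass"></form>
<form action="https://panel-placeholder.invalid/load/gate.php" method="post"></form>
<script>var grabber = "https://panel-placeholder.invalid/load/";</script>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_off_origin(SAMPLE_PAGE, "www.bank.example"):
        print(f"{tag:14s} {attr:7s} {url}")
```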

BankofAmerica

Fig 3: BoA Web Inject

Chase

Fig 4: Chase Web Inject

Fig 5: BoA and Chase Admin Panel

Citi

Fig 6: Citi Web Inject

Fig 7: Citi Login Panel

USAA


Fig 8: USAA Web Inject

WellsFargo

Fig 9: WellsFargo Web Inject

Fig 10: WellsFargo Admin Panel

PNC

Fig 11: PNC Web Inject

Fig 12: PNC Admin Panel

53 Bank

Fig 13: 53 Bank Web Inject

Fig 14: 53 Bank Admin Panel


For more details please contact Arsh Arora (ararora at uab.edu) or Gary Warner (gar at uab.edu) at UAB. Please note:  Arsh is defending his PhD this summer and looking for new opportunities.


Saturday, June 01, 2019

SMS Phish? Amazon Reward!

Are you getting text messages about winning prizes at Amazon?

I got one today with the following text from a VOIP-to-SMS number: 1 (410) 200-910

The text was:
 "FRM: You have a New Amazon Reward! MSG: http://dmkr3h.com/njngyw"

I threw up a Virtual Machine to check the destination, and got a meaningless echo of the domain name:
The problem, of course, was that they knew I was supposed to be on a cell phone, since they sent me an SMS.  No problem.  Let's make my Windows Chrome Browser a Cell Phone: 

Ok.  Now I'm a Firefox browser on an Android Mobile phone.  Let's try again.  Much better!  The CloudFlare hosted "dmkr3h" now forwards me to "simple-clubs.com" which is a CNAME alias to "seempts-explegal[.]com (35.169.148.30) " which passes my origin and affiliate data to chargingmilkshop[.]com (51.75.46.9), which forwards me to "winopinions[.]com (51.75.46.11)" which shows me this!
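Following a chain like this by hand is tedious, and a normal HTTP client hides the intermediate hosts by following redirects for you. The following is an added example, not code from the original post: it disables automatic redirects, sends a mobile User-Agent, and records every hop. The FAKE_CHAIN fetcher is constructed for offline use and only mirrors the host sequence observed above; its paths and the "desktop gets a dead end" behaviour are assumptions.

```python
"""Walk an SMS-phish redirect chain hop by hop with a mobile User-Agent.
Added example, not from the original post; FAKE_CHAIN is constructed."""
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin

MOBILE_UA = "Mozilla/5.0 (Android 9; Mobile; rv:67.0) Gecko/67.0 Firefox/67.0"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/75.0"
REDIRECTS = {301, 302, 303, 307, 308}

# A fetcher returns (status, Location header or None) for one request.
Fetch = Callable[[str, str], Tuple[int, Optional[str]]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # make urllib raise HTTPError on 3xx instead of following it


def http_fetch(url: str, ua: str) -> Tuple[int, Optional[str]]:
    """Live fetcher: one request, redirects disabled."""
    req = urllib.request.Request(url, headers={"User-Agent": ua})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def walk_redirects(url: str, ua: str = MOBILE_UA, fetch: Fetch = http_fetch,
                   max_hops: int = 10) -> Tuple[List[str], object]:
    """Return the list of URLs visited and the final status (or 'loop'/'max_hops')."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url, ua)
        if status not in REDIRECTS or not location:
            return chain, status
        url = urljoin(url, location)  # resolves relative and //host Locations
        if url in chain:
            return chain, "loop"
        chain.append(url)
    return chain, "max_hops"


# Constructed offline stand-in for the chain seen above (paths are assumptions).
FAKE_CHAIN = {
    "http://dmkr3h.com/njngyw": (302, "https://simple-clubs.com/?s=njngyw"),
    "https://simple-clubs.com/?s=njngyw": (302, "https://seempts-explegal.com/go"),
    "https://seempts-explegal.com/go": (302, "//chargingmilkshop.com/track"),
    "https://chargingmilkshop.com/track": (302, "https://winopinions.com/survey"),
}


def fake_fetch(url: str, ua: str) -> Tuple[int, Optional[str]]:
    if "Mobile" not in ua:
        return 200, None  # desktop visitors only get the bare echo page
    return FAKE_CHAIN.get(url, (200, None))


if __name__ == "__main__":
    hops, final = walk_redirects("http://dmkr3h.com/njngyw", fetch=fake_fetch)
    print(" ->\n".join(hops), "\nfinal status:", final)
```

Swap `fetch=fake_fetch` for the default `http_fetch` to walk a live chain; each hop's host is then available for the WHOIS and passive-DNS lookups described later in the post.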


Before I take my Survey, I hit my "Back" button, just to see what happens, because often there are traps about such things.  Sure enough, hitting the "Back" took me to an ad totally unrelated to my Amazon Prize:


As much as I'd like to be Ketogenically Accelerated, I decided to go back to my original URL from the phone.  This time I landed at "ZoneOpinions[.]com" instead of WinOpinions, but since I was still on the same IP address, I decided to keep going and take the survey this time.  Here are my five Survey Questions:

OK, now for the excitement!  My big Amazon Reward is about to be revealed, right?

Hmmm... do I want a larger penis, a flatter belly, or a $780 watch?  I think I'll take the $780 watch, since it's free and all ... 

Each time I click "Claim Reward" I get sent through a "1592track[.]com" redirector:
Which then forwards me to one of its randomly selected possible fulfillment domains ... 

getemergencygear[.]com
Odd.  Clicking on the watch takes me to a site for a free Tactical Flashlight. Oh well.  The point of this exercise is to feed some of my spam traps anyway.  We'll give them one of our spam trap email addresses just to see what they begin spamming to me. 

I wonder if ClickBank is complicit in these scams?
Since I'm not actually going to give them my credit card information, I'll see whether I get the same spam by submitting my address info for CBD Oil and Male Enhancement anyway.  Where do those clicks take me?
tryhealthoffer [.] com 


(a closer look at the Affiliate ID = 600080)

healthchoicev2 [.]com selling Primacin XL 


I saved which Spam Trap email I fed to each of the sites above.  If I start getting spam on them (none of them existed before an hour ago and none had ever received a message prior to being fed to these sites) I'll do a follow-up post.

While trying to decide if this is something to share with my friends at the Federal Trade Commission, I decided to check what country these domains are hosted in ... Poland ... 

ipinfo.io/51.75.46.9 ==> OVH SAS in Poland.
According to the very useful tool at RiskIQ, it looks like 77 new domains stood up on this IP address about two days ago:
https://community.riskiq.com/search/51.75.46.9
We went ahead and exported that list so we could save a record of what other domains were there.  Looks like there are MANY alternative domains for doing the same sort of things ... 



Many of these domains are proven to be interchangeable, as long as your user agent is right. Pasting the "path/file/parameters" from one site to another of the same type usually works.

Conclusion?  Don't think I'm going to get my Amazon Prize.  Darn.

Tuesday, May 07, 2019

The Next Miami Operation WireWire Case: Alfredo Veloso

In June of 2018, we blogged about a series of cases that the Department of Justice announced as "Operation: WireWire." In particular, we wrote three pieces about the "South Florida Cases" where a Lebanese recruiter convinced people to set up shell companies, open bank accounts, and receive large wire transfers that were quickly sent overseas.  (See Operation WireWire: The South Florida Cases -- Part 1, Part 2, and Part 3.)

Some of the earlier cases included US v. Eliot Pereira et al; US v. Gustavo Gomez et al; and US v. Cynthia Rodriguez et al.  So far, at least 250 shell corporations in South Florida have been identified that can all be linked back to the Roda Taher Money Laundering Network.  Those recruited communicated with Roda Taher, who was known as Rezi or Ressi, via WhatsApp and Email, including the gmail account "rezimarket@gmail.com." 

On April 30, 2019, DOJ announced another related guilty plea.  This time three more related cases are linked under the name "USA v. Lugo et al."

Alvaro Lugo of Sunrise, Florida, Karina Rosado of Hollywood, Florida, and Alfredo Veloso are the main trio of defendants in these cases, with Veloso pleading guilty on April 30, 2019. 

Karina Rosado

Karina Rosado ran her shell company as "Karina Luxury Trade" through her address 4001 West Flagler Street, Apt 18, Coral Gables, Florida.  Karina received both her papers of incorporation and her IRS EIN number via email from Rezi in June and July of 2017.  On August 7, 2017, Karina opened a Bank of America account ending in 8775 with a $25 deposit.  On August 18th, she received a $105,000 wire from a Business Email Compromise victim scammed by impersonating a title company person.  On August 21st, Karina withdrew $7,500 in cash, and wired $44,700 to "Tianjin Shengfa Candle Co" at China Zheshang Bank and an additional $39,988 to "Jiangxi Textile Group Imp" at Bank of China.  She drained the rest of the account, $8,800, the following day.

On August 2, 2017, Karina opened a TD Bank account ending in 2712. 

She also opened a Wells Fargo account ending in 5271 the same day.  On September 20, 2017, she received a $32,900 wire from a second victim, and on September 21, 2017, an additional $59,890 was attempted from a third victim, but was blocked by the victim's bank, which filed an IC3.gov complaint on October 8, 2017.  A fourth victim wired $17,609 to her Wells Fargo account on November 2, 2017.  She withdrew another $10,000 on November 6, 2017, and $17,690 on November 9, 2017, closing the account.

On November 13, 2017, Karina opened a JP Morgan Chase account ending in 3657, providing her business name and her true social security number.  She deposited $17,609 dollars to open the account, listing in the memo, her Wells Fargo bank account number "2846705271."

After an arrest warrant was sworn out on August 20, 2018, Karina surrendered on August 27th.  She posted bail on September 10, 2018, and was declared a fugitive after failing to appear on December 20, 2018.  Like several of the previous WireWire mules, Karina attended Miami Dade College in Hialeah, Florida.

Alvaro Lugo

Alvaro Lugo opened a Florida shell company "Lugo Wide Trades" from his address at 11149 NW 80th Lane, Doral, Florida.  The address he used matches his home residence address according to Florida's Driver and Vehicle Information Database.  When the company filed for its EIN number with the IRS, the IP address used to do so was in Beirut, Lebanon, and matched the IP address used to request EIN numbers for several other shell companies that were part of this network.  (Roda Taher is from Lebanon.)

Lugo opened a Bank of America account ending in 4361, using his social security number and drivers license to do so.  On October 30, he received a wire from "a motorsports dealership" in the amount of $105,532.09.  On October 31, he received an additional $74,857.69 from another victim company.  Both of these companies filed complaints at IC3.gov.  On November 3, Lugo cashed out the account with a $180,486.36 cashier's check payable to Lugo Wide Trades, Inc.

On October 26, 2017, Lugo opened a JPMC account ending in 1705.  The account was opened with $50.  On November 2, 2017, Lugo's account wrote a $50 check paid to Rosado's account.

Lugo was sentenced on April 8, 2019 to 34 months in prison.

Alfredo Veloso

Veloso's company was Veloso Bulk Trading which was registered to the address 6611 SW 99th Avenue, Miami, Florida.  In addition to Veloso Bulk Trading, Alfredo ran several other businesses from this address, including Tri Reptiles, a reptile importing company.  He also ran a "kink pornography" business from the same address, "Alex Ace 305 Productions Inc" which used the main website "kink305[.]com".  "Alex" is part of a group of 76 porn-related domain names and at least eight of the mules he recruited were women he met through his internet video business, who were also used to open shell companies and associated bank accounts for the network. 

Veloso Bulk Trade received incoming wires totaling more than $1,000,000 from four victims - two corporations, a law firm, and an individual.  Veloso withdrew $26,686 of the funds.

In Veloso's Plea Agreement, signed on April 29, 2019, he agrees to plead guilty to counts 1 and 4 through 8.  To wit: 

1. Conspiracy to commit money laundering in violation of Title 18, USC section 1956(h) because he "did willfully with the intent to further the objects of the conspiracy, and knowingly combine, conspire, confederate, and agree with Alvaro Lugo, Karina Rosado, and others known and unknown, to knowingly conduct and attempt to conduct a financial transaction affecting interstate commerce, which transaction involved the proceeds of specified unlawful activity, knowing the property involved in the financial transaction represented the proceeds of some form of unlawful activity, knowing that such transaction was designed, in whole and in part, to conceal and disguise the nature, the location, the source, the ownership, and the control of the proceeds of specified unlawful activity, in violation of Title 18 USC Section 1956(a)(1)(B)(i) and all in violation of Title 18 USC Section 1956(h).  The specified unlawful activities were conspiracy to commit wire fraud, (Title 18 USC Section 1349) and Wire Fraud (Title 18 USC Section 1343).

Counts 4 through 8 are actually all Lacey Act offenses, related to smuggling reptiles through his "Tri Reptiles" company.

His Base Offense Level was an 8.  It goes up by 16 due to the volume of funds laundered (between $1.5 Million and $3.5 Million). +2 more for sophistication, and +2 more for being a section 1956 conviction, and +3 more because he was a "manager or supervisor, but not an organizer or leader, of criminal activity involving five or more participants."  That would give a 29, but he got a three level decrease for "demonstrating acceptance of responsibility."   He's likely looking at 63 to 78 months in prison.  The prosecution agreed to run the animal smuggling sentence, if any, concurrently.

(Veloso DID HAVE a reptile importing license from 2010 to 2014, as "Xtreme Reptiles", but he failed to renew his license and paid no taxes on his current reptile business.)  Veloso was "shipping large quantities of reptiles on a weekly basis." He made about $150,000 per year on his illegal reptile business, selling reptiles "in bulk" to pet stores around the country.  


Tuesday, April 30, 2019

IC3.gov: BEC Compromises and Romance Fraud 2018

The Internet Crime & Complaint Center, IC3.gov, publishes annual statistics about the crimes which have been reported to them during the previous calendar year.  The full report offers insights and analysis into current trends in cybercrime.  While it is widely acknowledged that cybercrime is dramatically under-reported, there are still some shocking trends when looked at on a state-by-state breakdown.

https://www.ic3.gov/media/annualreports.aspx
While the IC3 has been collecting Internet Crime complaints since 2000, starting in 2016 it has provided a more detailed state-by-state breakdown than ever before, allowing us to see how many victims experienced how much loss for each reported crime type.  What is abundantly clear in the 2018 numbers is that the greatest dollar losses among the reports are coming from Business Email Compromise.

Previous reporting from IC3.gov called Business Email Compromise The $12 Billion Scam (July 12, 2018), although quite a bit of that figure is "exposed dollar value" - meaning how much the victims COULD have lost.  Actual losses in the US in reports gathered by the IC3 included $1.3 Billion stolen from 21,723 domestic companies from October 2013 to May 2016, and $1.6 Billion stolen from 19,335 domestic companies from June 2016 to May 2018.

In the 2018 State by State breakdown, we find documentation of 19,140 companies in the 50 states losing $1.2 Billion, with millions more lost in DC, Puerto Rico, and other US territories.  That means that on an average day in 2018, criminals stole $3.3 Million from 52 US businesses.

| State | BEC Losses | BEC Victims | Average Loss Per Victim | Victims per 100,000 Population | BEC Losses per 100,000 |
|---|---|---|---|---|---|
| Alabama | $7,542,651 | 190 | $39,698 | 3.89 | $154,314 |
| Alaska | $777,539 | 66 | $11,781 | 8.92 | $105,102 |
| Arizona | $19,364,749 | 401 | $48,291 | 5.72 | $276,008 |
| Arkansas | $3,187,563 | 93 | $34,275 | 3.09 | $105,765 |
| California | $190,033,205 | 3032 | $62,676 | 7.67 | $480,610 |
| Colorado | $16,742,410 | 453 | $36,959 | 8.08 | $298,598 |
| Connecticut | $23,879,979 | 263 | $90,798 | 7.33 | $665,551 |
| Delaware | $831,598 | 43 | $19,339 | 4.45 | $85,983 |
| Florida | $82,979,768 | 1433 | $57,906 | 6.73 | $389,589 |
| Georgia | $38,310,258 | 446 | $85,897 | 4.44 | $381,462 |
| Hawaii | $3,119,426 | 78 | $39,993 | 5.49 | $219,602 |
| Idaho | $3,001,040 | 85 | $35,306 | 4.85 | $171,077 |
| Illinois | $50,139,264 | 745 | $67,301 | 5.82 | $391,713 |
| Indiana | $19,845,399 | 265 | $74,888 | 3.96 | $296,559 |
| Iowa | $9,491,169 | 126 | $75,327 | 4.01 | $301,690 |
| Kansas | $11,152,097 | 142 | $78,536 | 4.88 | $383,035 |
| Kentucky | $3,399,040 | 152 | $22,362 | 3.41 | $76,314 |
| Louisiana | $6,785,753 | 25 | $271,430 | 0.54 | $145,618 |
| Maine | $767,597 | 53 | $14,483 | 3.97 | $57,455 |
| Maryland | $29,185,800 | 414 | $70,497 | 6.84 | $482,250 |
| Massachusetts | $46,339,422 | 595 | $77,881 | 8.67 | $675,502 |
| Michigan | $27,174,665 | 451 | $60,254 | 4.53 | $272,783 |
| Minnesota | $26,090,980 | 312 | $83,625 | 5.59 | $467,832 |
| Mississippi | $2,618,163 | 57 | $45,933 | 1.91 | $87,666 |
| Missouri | $13,191,920 | 229 | $57,607 | 3.75 | $215,766 |
| Montana | $1,793,389 | 38 | $47,194 | 3.58 | $168,821 |
| Nebraska | $5,419,133 | 83 | $65,291 | 4.3 | $280,891 |
| Nevada | $6,110,393 | 217 | $28,158 | 7.24 | $203,816 |
| New Hampshire | $2,783,487 | 86 | $32,366 | 6.4 | $207,259 |
| New Jersey | $54,132,347 | 554 | $97,712 | 6.22 | $607,647 |
| New Mexico | $3,158,731 | 101 | $31,275 | 4.84 | $151,280 |
| New York | $124,028,639 | 1288 | $96,296 | 6.59 | $634,671 |
| North Carolina | $29,829,247 | 436 | $68,416 | 4.25 | $290,450 |
| North Dakota | $427,379 | 31 | $13,786 | 4.08 | $56,228 |
| Ohio | $70,274,973 | 539 | $130,380 | 4.62 | $602,701 |
| Oklahoma | $5,425,276 | 147 | $36,907 | 3.74 | $138,013 |
| Oregon | $14,585,319 | 272 | $53,622 | 6.57 | $352,047 |
| Pennsylvania | $30,638,648 | 715 | $42,851 | 5.58 | $239,232 |
| Rhode Island | $3,543,031 | 115 | $30,809 | 10.85 | $334,248 |
| South Carolina | $8,077,180 | 201 | $40,185 | 4 | $160,772 |
| South Dakota | $836,734 | 28 | $29,883 | 3.17 | $94,843 |
| Tennessee | $16,072,195 | 297 | $54,115 | 4.42 | $239,312 |
| Texas | $117,017,147 | 2094 | $55,882 | 7.4 | $413,488 |
| Utah | $7,931,467 | 201 | $39,460 | 6.48 | $255,689 |
| Vermont | $687,934 | 43 | $15,998 | 6.89 | $110,306 |
| Virginia | $18,992,122 | 662 | $28,689 | 7.82 | $224,228 |
| Washington | $30,899,686 | 507 | $60,946 | 6.85 | $417,225 |
| West Virginia | $2,093,280 | 50 | $41,866 | 2.75 | $115,269 |
| Wisconsin | $10,588,528 | 257 | $41,200 | 4.43 | $182,718 |
| Wyoming | $1,637,116 | 29 | $56,452 | 5.02 | $283,367 |


The table above shows Business Email Compromise losses by state for calendar 2018, based on complaints received by the team at IC3.gov.  These are losses experienced by BUSINESSES.  As you can see, the average loss per business varied greatly from state to state.  Alaska only lost about $11,000 per BEC case, while Ohio had $130,000 lost per BEC case and the average BEC case in Louisiana lost $271,000!  The average loss from a BEC scam in the 50 states in calendar 2018 was $62,849 per business.  ($1,202,934,836 stolen from 19,140 businesses.)

The Top Ten states for BEC by the number of victims per 100,000 population are:
Rhode Island - 10.85
Alaska - 8.92
Massachusetts - 8.67
Colorado - 8.08
Virginia - 7.82
California - 7.67
Texas - 7.4
Connecticut - 7.33
Nevada -  7.24
Vermont - 6.89

The median number of BEC victims per 100,000 by state was 4.86.
(My home state of Alabama was #41 at 3.89)

The Top Ten states for BEC by average losses per victim are:
Louisiana - $271,430
Ohio - $130,380
New Jersey - $97,711
New York - $96,295
Connecticut - $90,798
Georgia - $85,897
Minnesota - $83,624
Kansas - $78,535
Massachusetts - $77,881
Iowa - $75,326

The median state for "average loss per victim" was $47,742.80.
(Alabama was #33 at $39,689 average loss per victim)

The table below documents the category of fraud that the IC3.gov team labels as "Confidence Fraud / Romance".  We know that Romance scams tend to target the lonely and the elderly in a disproportionate way, and are often enabled by social media.  While the average losses per incident are lower, realize that these are often losses experienced by a senior citizen, often representing the loss of their entire life savings!  The average loss from a Romance scam in the 50 states in calendar 2018 was $19,114.14.  ($296,613,212 stolen from 15,518 individual victims.)


| State | Romance Losses | Romance Victims | Average Loss Per Victim | Victims per 100,000 Population | Romance Losses per 100,000 |
|---|---|---|---|---|---|
| Alabama | $1,796,307 | 235 | $7,644 | 4.81 | $36,750 |
| Alaska | $1,077,487 | 85 | $12,676 | 11.49 | $145,647 |
| Arizona | $7,975,890 | 429 | $18,592 | 6.11 | $113,681 |
| Arkansas | $1,332,727 | 135 | $9,872 | 4.48 | $44,220 |
| California | $72,355,475 | 2105 | $34,373 | 5.32 | $182,993 |
| Colorado | $4,782,810 | 376 | $12,720 | 6.71 | $85,301 |
| Connecticut | $3,956,170 | 143 | $27,666 | 3.99 | $110,261 |
| Delaware | $927,259 | 48 | $19,318 | 4.96 | $95,873 |
| Florida | $20,555,538 | 1191 | $17,259 | 5.59 | $96,508 |
| Georgia | $6,626,814 | 361 | $18,357 | 3.59 | $65,984 |
| Hawaii | $1,207,608 | 59 | $20,468 | 4.15 | $85,013 |
| Idaho | $1,463,397 | 88 | $16,630 | 5.02 | $83,422 |
| Illinois | $6,342,425 | 433 | $14,648 | 3.38 | $49,550 |
| Indiana | $5,390,594 | 273 | $19,746 | 4.08 | $80,554 |
| Iowa | $3,321,947 | 165 | $20,133 | 5.24 | $105,593 |
| Kansas | $2,047,571 | 161 | $12,718 | 5.53 | $70,327 |
| Kentucky | $1,527,974 | 210 | $7,276 | 4.71 | $34,306 |
| Louisiana | $2,063,999 | 65 | $31,754 | 1.39 | $44,292 |
| Maine | $883,372 | 68 | $12,991 | 5.09 | $66,121 |
| Maryland | $4,180,307 | 316 | $13,229 | 5.22 | $69,073 |
| Massachusetts | $8,004,624 | 346 | $23,135 | 5.04 | $116,685 |
| Michigan | $9,487,821 | 461 | $20,581 | 4.63 | $95,240 |
| Minnesota | $5,737,051 | 287 | $19,990 | 5.15 | $102,870 |
| Mississippi | $464,302 | 108 | $4,299 | 3.62 | $15,547 |
| Missouri | $5,849,242 | 319 | $18,336 | 5.22 | $95,670 |
| Montana | $500,415 | 42 | $11,915 | 3.95 | $47,107 |
| Nebraska | $1,782,497 | 92 | $19,375 | 4.77 | $92,392 |
| Nevada | $6,282,784 | 254 | $24,735 | 8.47 | $209,566 |
| New Hampshire | $1,068,704 | 68 | $15,716 | 5.06 | $79,576 |
| New Jersey | $8,275,788 | 332 | $24,927 | 3.73 | $92,897 |
| New Mexico | $2,608,857 | 140 | $18,635 | 6.7 | $124,945 |
| New York | $16,867,421 | 782 | $21,570 | 4 | $86,313 |
| North Carolina | $2,686,807 | 432 | $6,219 | 4.21 | $26,162 |
| North Dakota | $1,303,702 | 35 | $37,249 | 4.6 | $171,522 |
| Ohio | $9,085,821 | 424 | $21,429 | 3.64 | $77,923 |
| Oklahoma | $2,339,940 | 164 | $14,268 | 4.17 | $59,525 |
| Oregon | $2,713,780 | 266 | $10,202 | 6.42 | $65,503 |
| Pennsylvania | $10,029,245 | 577 | $17,382 | 4.51 | $78,310 |
| Rhode Island | $1,389,854 | 51 | $27,252 | 4.81 | $131,118 |
| South Carolina | $3,439,585 | 187 | $18,394 | 3.72 | $68,463 |
| South Dakota | $99,747 | 31 | $3,218 | 3.51 | $11,306 |
| Tennessee | $5,101,479 | 268 | $19,035 | 3.99 | $75,960 |
| Texas | $20,635,559 | 1238 | $16,668 | 4.37 | $72,917 |
| Utah | $2,380,004 | 172 | $13,837 | 5.54 | $76,725 |
| Vermont | $129,322 | 25 | $5,173 | 4.01 | $20,736 |
| Virginia | $9,128,873 | 480 | $19,018 | 5.67 | $107,779 |
| Washington | $2,062,979 | 493 | $4,185 | 6.66 | $27,856 |
| West Virginia | $1,367,247 | 74 | $18,476 | 4.07 | $75,289 |
| Wisconsin | $5,603,169 | 391 | $14,330 | 6.75 | $96,690 |
| Wyoming | $370,922 | 33 | $11,240 | 5.71 | $64,203 |

The Top Ten states by the number of Romance Scam victims per 100,000 population are:

Alaska - 11.49 victims per 100,000
Nevada - 8.47
Wisconsin - 6.75
Colorado - 6.71
New Mexico - 6.7 
Washington - 6.66
Oregon - 6.42
Arizona - 6.11
Wyoming - 5.71
Virginia - 5.67 

The median number of victims per 100,000 population was 4.79.
(Alabama was #25 with 4.81 victims per 100,000 population) 

The Top Ten states by average loss per Romance Scam victim are:
North Dakota - $37,248
California - $34,373
Louisiana - $31,753
Connecticut - $27,665
Rhode Island - $27,252
New Jersey - $24,927
Nevada - $24,735
Massachusetts - $23,134
New York - $21,569
Ohio - $21,428 

The median average loss per state was $17,858.
(Alabama was #44 with average Romance Scam losses of $7,634 per victim.)