THREAT 5: International organized criminals use cyberspace to target U.S. victims and infrastructure. International organized criminals use an endless variety of cyberspace schemes to steal hundreds of millions of dollars at a cost to consumers and the U.S. economy. These schemes also jeopardize the security of personal information, the stability of business and government infrastructures, and the security and solvency of financial investment markets.
One example of the intersection between organized crime and cybercrime is found in Romania. There, traditional Romanian organized crime figures, previously arrested for crimes such as extortion, drug trafficking and human smuggling, are collaborating with other criminals to bring segments of the young hacker community under their control. They organize these new recruits into cells based on their cyber-crime specialty and they routinely target U.S. businesses and citizens in a variety of fraud schemes.
One of the most lucrative schemes involves online auction fraud, where U.S. citizens are tricked into buying or selling goods, and never receive the funds or merchandise. One particular online criminal, using the online nickname “Vladuz” engaged in multiple fraud schemes, including hacking into the computers of eBay, the largest online auction retailer. On April 17, 2008, Vlad Duiculescu, a/k/a “Vladuz” was arrested in Romania by Romanian police officials and charged with crimes related to these schemes. It is believed that Vladuz is a participant in a ring of Romanian hackers who work together to develop joint U.S. targets for online frauds, share hacking techniques and launder proceeds from multiple crimes committed in the United States. U.S. prosecutors and law enforcement agents worked in Romania with Romanian officials to ensure that a case could be successfully prosecuted in Romania.
I've just reviewed the 77-page indictment unsealed today, and its clear the Attorney General is making good on his promise. To make sure the Romanians didn't miss it, Deputy Attorney General Mark Filip was in Bucharest Romania to do the press release alongside his Romanian counterparts. Here is a copy of the press release in Romanian.
At his Press Conference in Bucharest the DAG said:
The anonymity of the Internet makes it an ideal tool for this kind of fraud, and law enforcement agencies in the United States have conducted several recent investigations in partnership with our Romanian colleagues. We are proud to do so, and we are learning from each other as we jointly help to protect our citizens and people in other countries from this sort of theft and crime.
For the people arrested today, the indictments charge that the defendants sent out mass quantities of e-mails, known as "spam," to lure victims to go to fraudulent Websites that appeared to be legitimate banking or financial businesses. At those sites, victims were tricked into entering personal information such as financial and identity information and personal passwords—a scheme known as "phishing." That information was then harvested by “suppliers” who, in turn, sent the information to “cashiers” via real-time Internet chat sessions.
The cashiers used hardware encoders and related software to record the fraudulently obtained information onto the magnetic strips on the back of credit and debit cards. They then directed “runners” to withdraw money from automated teller machines. A portion of the withdrawals was wired by money transfer services, such as Western Union, back to the supplier. We believe these criminals defrauded literally thousands of individual victims out of several million dollars.
These arrests and charges are the result of a joint operation by the FBI and the Romanian General Inspectorate of Police, and the cases demonstrate the close cooperation our two countries have developed to fight international organized crime.
Some of the schemes were quite interesting. In a "Smishing" scam described in the indictment, an SMS Text Message would be received that says "We're confirming that you've signed up for our service. You will be charged $2 per day unless you cancel your order on this URL: www.trustme.com -- this would result in malware being planted on the visitor's browser.
Chat logs were included in the indictment, such as Panait sending a message to Tran, telling him "bro this are from my spam . . . super fresh . . . I will spam more . . . spammed like hell . . . used 7 remote desktops and 13 smtp servers, 5 root, and sent over 1.3 million emails."
Logs from August 2006 all the way up to January 2008 were included, that make it clear the roles of each of the defendants. Discussions and logs include counterfeit cards made for:
Allegheny Federal Credit Union, American National Bank of Texas, Arizona Federal Credit Union, Artesian City Federal Credit Union, Bank of America, BB&T (Banker's Bank & Trust), Boeing Employee's Credit Union, Bowdoinham Federal Credit Union, Capital One Bank, Citibank, Credit Union One, Downey Savings & Loan, epassporte, E-Trade, First Merit Bank, Flagstar Bank, Franklin Mint Federal Credit Union, Iowa League Corporate Central Credit Union, Jeffco Schools Credit Union, Langley Federal Credit Union, Mountain America Credit Union, NASA Federal Credit Union, North Island Credit Union, PointBank, Premier Credit Union, Premier Credit Union, Southern Lakes Credit Union, Southwest Federal Credit Union, Teacher's Credit Union, Telco Credit Union & Affiliates, Valley National Bank, Washington State Employees Credit Union, and the Waterbury Teachers' Federal Credit Union.
Caroline Tath and Tran were making their cash cards with laptop computers, Tath had a Dell Inspiron and an HP laptop, Gigatech flash drives, an MSR-206 encoder, an Operah card reader, and a software system called "CC2Bank 1.3", which was used to make the cards. Tran used a Sony Vaio laptop, and also provided software to defendant Lee, including a program called "TheJermMSR206". Lee used a Sony Vaio laptop and an MSR505C encoder.
Some of the defendants used their counterfeit cards to buy goods at WalMart and CostCo. Others purchased stock on E-Trade accounts, or used E-Trade accounts to purchase Postal Money Orders. Many cards were used to withdraw cash from ATM's in Los Angeles and Orange County. Some of those funds were transferred via Western Union or MoneyGram to Romania, where the data to make the cards had been received from on a "50/50" cashier's deal.
At least one defendant also shipped "refurbished notebook computers" to co-defendants in Romania.
Some of the ATM withdrawals were made using hotel room keys with the PINs written on the back in sharpie.
Romanians (indicted in Los Angeles):
Ovidiu-Ionut Nicola-Roman
Petru Bogdan Belbita
Stefan Sorin Ilinca, AKA AzZ, AKA Kahn, AKA Kahnpath
Sorin Alin Panait, AKA scumpic4u
Costel Bulugea, AKA The.Vortex
Nicolae Dragos Draghici, AKA Marius Bogdan, AKA Nonick
Florin Georgel Spiru, AKA niggaplease
Marian Daniel Ciulean, AKA spuickeru
Irinel Nicusor Stancu, AKA sicaalex
Didi Gabriel Constantin, AKA StauLaSoare, AKA Estaulasoare, AKA snoop
Mihai Draghici
Marius Sorin Tomescu, AKA Andrei
Lucian Zamfirache, AKA Krobelus
Laurentiu Cristian Busca, AKA italianu
Dan Ionescu, AKA m1nja
Marius (Last Name Unknown), AKA 13081981
Alex Gabriel Paralescu, AKA paraiul
Andreea Nicoleta Stancuta, AKA godfather
Romanians indicted in Connecticut:
(See FBI New Haven's Press Release )
residents of Craiova:
Ciprian Dumitru Tudor
Ovidiu-Ionut Nicola-Roman
Mihai Cristian Dumitru
Petru Bogdan Belbita, AKA "CA is SK", AKA Robert Wilson
residents of Galati
Radu Mihai Dobrica
Cornel Ionut Tonita
Cristian Navodaru
Perhaps more interesting would be the international partners who were also indicted, including:
Hiep Thanh Tran, AKA John Tran, AKA Sam Lam -- a US resident from Vietnam
Hassan Parvez, AKA XID - from Pakistan
US Citizens:
Sonny Duc Vo, Alex Chung Luong, and
Leonard Gonzales, AKA Bonecrusher
Vietnam Citizens:
Nga Ngo, AKA Christina Ngo
Thai Hoang Nguyen, Loi Tan Dang, Dung Phan - Vietnam
Cambodian Citizen:
Caroline Tath
Rolando Soriano, AKA Loco, AKA Danny Villalopez - from Mexico
Four other hackers remain at large, known only by their aliases:
Cryptmaster, PaulXSS, euro_pin_atm, and SeleQtor
We can look forward to the next big bust, because there seems no indication these fools are slowing down. When we visit some of the chat rooms where "kahnpath", for example, used to advertise his wares, we are immediately greeted with ads for people looking for "Cashout partners", and trying to sell an MSR-206 card writer for $400.