Thursday, June 11, 2015

A Nigerian in Spain arrested for phishing and online shopping with stolen credentials

From Spanish news source "ElComercio" we bring you this phishing story - about a Nigerian citizen arrested in Spain.  Click the Spanish headline for the original story.   A Google-translate-assisted version of the story is shared below for the convenience of our English-speaking readers with permission from Olaya!)

Detenido un nigeriano por realizar compras 'on line' con datos robados a cien víctimas

(A Nigerian Arrested locally for online shopping with a hundred victims' stolen data)
Olaya Suarez, Gijon @OlayaSuarez0

 A 44 year-old Nigerian citizen was arrested locally for defrauding hundreds of people by using their bank details to make purchases online and then resell these products on the black market. The National Police estimates that he gained more than 50,000 euros in this way.
The investigation began in September 2014 after receiving the first reports of victims whose banking data had been used illegally for various internet shopping portals. Police work was arduous and complex, but eventually determine that all the fraud in Spain was the work of a single author, but that he used different identities and operated using WIFI connections in private homes, cafes and public  spaces, thus trying to hinder their location.

After months of investigations, officers of the Economic Crime group of the Brigade of Judicial Police Station Gijon found that the suspect had fixed his residence in Gijon, "where he received shipments getting their illicit activity," sources said the police station.

A job as a lure

"The person under investigation belonged to a criminal organization operating transnational nature of the internet and dedicated to credit card fraud and debit cards. The network operated by credentials and numbers for bank cards using different methods, from cloning, 'phishing' or 'hacking' of online data, "says the police.
After obtaining this data, the fraud is facilitated through servers and private links to other members of the organization in exchange for financial compensation. The Nigerian resident in Gijon, allegedly, took this information and using it, effected purchases of technological devices such as televisions, tablets, laptops or mobile phones.
Each week they conducted three or four purchases of items using many identities and facilitating different directions for collection, "but always expecting the dealers on the street to avoid the reliable verification of your address." "Under the pretext of facilitating the work identified in the street before the workers of delivery companies and so getting the immediate delivery of the item, the cost would be charged to the person who had fraudulently obtained card information» , reports the National Police.
All of the material obtained in this way coming back into the virtual market since it was offering immediately in Internet-based ad pages to people unaware of its illicit origin and not belonging to this criminal network. Despite all the precautions taken by the investigation to hide his true location, the officers managed to identify and establish a means for his arrest. His precise location was noted when he was picking up one of his orders and he was taken to the police station.

49 Corporate Email Phishers arrested in Operation Triangle

The Europen Union's Judicial Cooperation Unit, EUROJUST, along with Europol's European Cybercrime Center (EC3) and the Joint Cybercrime Action Taskforce (J-CAT) have announced one of their most successful cyber actions to date.   The case, known internally as Operation Triangle, involves three lead agencies - Italy's Postal and Telecommunications Police through its office in Perugia, Spain's Investigative Court no. 24 in Barcelona, and Poland.  (EUROJUST Press Release: "Eurojust and Europol in massive joint action against cybercriminals")

(Click for article:J-CAT operations)
58 search warrants were executed in Spain, Poland, Italy, Belgium, Georgia, and the United Kingdom, resulting in 20 arrests in Italy, 18 arrests in Poland, 10 arrests in Spain, and 1 arrest in Belgium.  Most of those arrested were from Nigeria and Cameroon. 

By gaining control of the email accounts of well-placed individuals in corporations across Europe, the criminals were able to alter requests for payment to send the payments to themselves rather than the business bank accounts that were the intended destinations.  In a short period of time, more than 6 million euros were transferred to accounts controlled by the criminals.

In the United Kingdom, where the J-CAT task force is headquartered, recent government reports indicated that 81% of large businesses (>250 employees) and 60% of small businesses (less than 50 employees) experienced an information security breach in 2013.
(Report available here)

Next week, many European governments will be represented in the Octopus Conference 2015: Cooperation Against Cybercrime. Through the work of Octopus and others, European agencies are gradually coming into agreement on how to address multi-jurisdictional cybercrime.  At last year's Octopus conference, delegates were encouraged to work together through 18 Cybercrime Scenarios.  Fascinating puzzles that we NEED agreement on if we are truly going to stand a chance against the multi-national criminals who steal from our citizens.

UPDATE!  La Stampa article -- 

(Click for LaStampa article, which includes a short video of Italy's Polizia di Stato Cybercrime group)


For the convenience of my mostly English-speaking readers, I offer an English translation via Google Translate below.  This article is available to the Italian reader by clicking the story headline in Italian:

Phishing contro aziende: 62 arresti in Italia e all’estero, smantellata rete internazionale

Phishing Against Companies:  62 arrested in Italy and Abroad, International network dismantled: 
An operation that goes from Perugia to Turin and expands throughout Europe.  Here's how the scammers did it.

Via "LaStampa" journalist Carola Frediani and Google Translate -- 

It all started with a payment of 33 thousand euro. A routine, a transfer made ​​by a company of the Venetian food, which through its Spanish subsidiary had paid a supplier. Or rather, what he thought to be a provider, not suspecting that behind the request for a change of code Iban which paid the money was concealed an organization dedicated to computer fraud to the detriment of businesses and recycling. He had before hacked supplier and now he was impersonating online through email.
So that money, rather than to the real suppliers of the Veneto, end up on a postal account in Perugia made ​​out to a citizen of Cameroon. Which in turn has contacts with a criminal group based in Turin, specializes in money laundering and run by Nigerians, as revealed recently in an investigation of Europol and the Guardia di Finanza Piedmont.

 Operation Phishing 2.0

This episode started then the footage of another Italian international investigation, codenamed Phishing 2.0, which has once again at the center of the fraud against companies, and this morning has resulted in 62 arrest warrants in various countries, including 29 issued by prosecutors in Perugia.
An investigation then born and coordinated in Perugia, bounced on Turin had already been identified where a hub of illicit proceeds, and extended between Italy, Spain and Poland, with the support of Europol and Eurojust, the judicial cooperation unit of 'European Union.

The victims

Fifty (7 of which are Italian) companies all over the world were victims of digital fraud, 800 scam transfers were identified, 800 thousand euro taken away from businesses and recovered during the investigation, around 5 million euro estimate of the economic damage caused by the group in its business that dates back to 2012. The offenses: unauthorized access to computer systems, impersonation, aggravated fraud, and receiving stolen property.

How did it work

The mechanism of the scam started with a series of computer intrusions in the mailboxes of the companies targeted - characterized by having many foreign relations - through an advanced form of phishing, a technique that consists of sending email fake trying to trick the recipient, and then infect and / or [carpirgli] information. After obtaining the credentials of the emails of employees of a company, cybercriminals were monitoring the exchange of mail identifying commercial relationships, creditors and debtors; then they sent an email to the debtor to turn communicating a change of Iban [online payment destination address?]. Iban that actually corresponded to an account managed by a member of the organization.
To manage the assets of phishing was a network of Nigerians, Cameroonians and Senegalese, some of whom were residents in Italy. Once at the bank, also on many giro Italian, the money were taken quickly and redistributed abroad through various systems, including money transfer. "There was a division of roles," he told La Stampa Anna Lisa Lillini, assistant chief of the police post Umbrian added. "Who identified the victims took 50 percent of the amount; who was offering the bill received 30%; and the mediator that the hacker got in touch and took the 20%. " The amount stolen went from 800 up to 250 thousand euro. "In one case we have intercepted one wire of 300 thousand euro from America to  Turin," explains Lillini.

Between Umbria and Piedmont

Turin made ​​from recycling center, and here the investigation Perugia converges with what we previously reported from Turin, [LaStampa's article "Nigerian Drops: Women and Companies Cheated Online"] . In that system, the money stolen from the companies were sent to other parties, with dozens of credit transfers and of people involved, up to a stage where cash was taken piecemeal. A branched system, which were scattered in many streams ([ribattezzatto] precisely Nigerian Drops by investigators) and that has been traced through some specific analysis tools used by Europol. "In one case, one person has taken 150 thousand euro in eight hours making dozens of drops in different branches," says La Stampa Captain David Giangiorgi of the Financial Police of Turin. "The fraud was perpetrated by persons residing in Nigeria. The money was sent in the form of assets purchased with the proceeds of the scam and then shipped to the African country. "

A growing phenomenon

This kind of scams are increasingly common. "Just this week, carrying out a survey of defense on behalf of an Italian company that had lost many thousands of euro through a similar system, we were able to triangulate who had sent the phishing emails, and these seem to come just from Lagos (Nigeria) ", explains Paolo Dal Checco, the Turin studio of computer forensics, Digital Forensics Bureau (Di. Fo. B) that has long followed precisely such cases.
The interesting aspect is that the story in question fraudsters had been in touch with the company through Skype, as well as email. And through the program of VoIP (and with some tracking systems of the email), computer forensic experts have identified the IP address of the interlocutors. "By now using increasingly sophisticated techniques," says Dal Checco. "In some cases they go even to call pretending to be a creditor of the company contacted."

UPDATE #2 -- The News from Spain

The Spanish National Police have also released information about this case, in their press release of June 10, 2015.   As with the Italian article above, click the Spanish headline below for the original article.  For the convenience of English-speaking readers, we share a Google-translate-assisted version below:

Operación simultánea en España, Italia, Bélgica y Polonia contra una red de fraude cibernético

 (Images, courtesy of Spanish National Police press office -
Spanish National Police perform on-site mobile forensics during one of their raids

Two suspects detained by Spanish National Police

Simultaneous operation in Spain, Italy, Belgium and Poland against cyber fraud network

National Police
Spain, Italy, Belgium, Poland, 06/10/2015
Joint operation of the National Police, NCA and the British Police in Italy and Belgium, coordinated by Europol and Eurojust
There are 49 detainees -10 of them in Spain and there have been 28 homes in which 9,000 euros have been seized along with laptops, hard disks, phones, tablets, credit cards and extensive documentation on the activities of the network.
Those arrested by means of intrusion techniques and social engineering, were able to control corporate email accounts and to interfere in international financial transactions between different companies and thus were able to modify the target bank accounts and thus appropriating money illegally
National Police agents have participated in a simultaneous operation conducted in Spain, Italy, Belgium and Poland against a network of cyber fraud. In this joint operation coordinated by Europol and Eurojust also they participated British NCA agents and police in Italy and Belgium. There are 49 detainees -10 of them in Spain and there have been 28 homes in which 9,000 euros have been seized laptops, hard disks, phones, tablets, credit cards and extensive documentation on the activities of the network. Those arrested by intrusion techniques and social engineering, were made to the control of corporate email accounts to interfere in international financial transactions between different companies. Thus they managed to change the target bank accounts and thus appropriate the money illegally.
The international coordination was established effectively through Europol headquarters in The Hague and link to cybercrime agent of the National Police. In this way it has enabled the operation has been developed jointly and simultaneously in all countries where they lived active members of the criminal structure dismantled. It also has received support personnel and Europol mobile office moved to places where it has intervened.
Modus operandi
The cyber attack used by this criminal group is called man-in-the-middle, which is to control email accounts, in the case of medium and large European companies. The members of the network were reviewing the messages sent and received from corporate accounts to detect requests for payment. Then modified the messages for payments were transferred to bank accounts controlled by the criminal group.
These payments were charged by the criminal organization immediately through different means. The investigation, originating mainly from Nigeria, Cameroon and Spain, then transferred the money out of the European Union through a sophisticated network of money laundering transactions.
The investigation culminated with the arrest of 49 people in Spain (10), Italy, Belgium and Poland. In addition there have been 28 homes, 8 in Spain, 2 in the UK and 18 in Italy, where agents have seized 9,000 euros in cash (5000 in Italy and 4000 in Spain), laptops, hard drives, mobile tablets, credit cards and extensive documentation on the activities of the network.
The operation was carried out by officers of the Unit for Technological Research and the Police Headquarters of Catalonia of the National Police, the Italian Polizia di Stato, the Polish National Police and the British National Crime Agency.  

UPDATE #3 -- The News From Poland

The Polish National Police have also issued a press release about the arrests made in Poland.  Click the Polish language headline below for the original article.  A Google-translate assisted version follows for the benefit of our English-speaking readers.  (stills from video )

Police in Poland prepare for a raid.

The Phishing suspect is apprehended

Laptops, passports, cell phones, and cash seized in the raid

Międzynarodowa operacja Europolu i Eurojustu - w sumie zatrzymano 49 cyberprzestępców

(International Operation of Europol and Eurojust - a Total of 49 Criminals Arrested)

Officers Coordination Team Central Bureau of Investigation Police and Border Guard as well as police officers Municipal Police Headquarters in Krakow and the Department for Combating Cybercrime Regional Police Headquarters in Krakow, acting under the supervision of Appellate Prosecutor's Office in Krakow together with the police and law enforcement authorities from Italy and Spain, with collaboration with investigators from Belgium, Georgia and the UK and support of Europol and Eurojust, figured out an international organized criminal group, engaged in money laundering, originating, inter alia from phishing attacks carried out against citizens of European countries. On the Polish territory had been detained this matter for a total of 18 people.
On June 9th and 10th,  Europol and Eurojust conducted an international action against cyber criminals. A total of 49 suspects have been detained. The activities were also conducted in Poland.
Yesterday, in the province of Malopolska police activity was carried out in this case, one of the most important leading to the arrest of five people, including the man who organized criminal dealings on Polish territory. The Central Investigation Bureau Police seized more than 160 thousand from phishing.
In total, the Polish were detained in that case 18 people. According to estimates investigators, members of criminal group could "launder" a total of over 7.7 million (this amount coming only from the crimes committed in our country).
Detained charges of fraud, money laundering and participation in an organized criminal group.
On account of the suspect threatened penalties and fines secured property value of 1.8 million.
Results of "Operation Triangle" are the result of large-scale investigations carried out in Italy, Spain and Poland (Central Bureau of Investigation Police Department with the participation of cybercrime Police Headquarters in Krakow under the supervision of Appellate Prosecutor's Office in Krakow). The aim was to break organized crime groups engaged in phishing on the Internet. These types of crimes are carried out by specialized criminals who use the Internet to commit fraud. In addition criminals from exploiting cyberspace to "laundering" of money, proceeds of crime. In this way, embezzlement made substantial amounts of money from victims throughout Europe.
In parallel, the investigation showed the existence of international fraud on a massive scale, extortion million in short time. The suspects, mainly from Nigeria and Cameroon, upload illegal profits outside the European Union through a complex network of transactions related to money laundering.
In preparation for the run yesterday and today operations, Eurojust coordinated the gathering of information from various law enforcement agencies, as well as organized several coordination meetings with representatives of national authorities from Italy, Spain, Polish, Belgium and Great Britain. With all these joint efforts, coordination center was established who carried out the operation with the support Team. Analysis Affairs Eurojust, the European Centre for the fight against Cybercrime Europol (EC3) and the Joint Task d. Cybercrime (JCAT) - a new European institution created to assist investigations to combat cybercrime.
Joint action brought excellent results, while she realized that joining forces selected EU agencies and national authorities can successfully contribute to the fight against one of the most difficult to detect forms of contemporary crime.
Teresa-Angela Camelio, National Assistant Representative of Italy to Eurojust, commented: "Eurojust played a key role in promoting the agendas of EU efforts in combating this type of crime, which requires knowledge, cooperation and coordination between all involved national and international actors. The results of the two-day operation are a clear signal to criminals that they will be prosecuted in every jurisdiction. "
Phishing on the Internet: This type of cybercrime, carried out by organized criminal groups, depends on gaining access to passwords and names (nicknames) of users for illegal activities. Criminals replace respective owners information through "phishing" their data and thereby gain access to their accounts, which means access to the money the victims and their customers. Credentials obtained in this way by organized criminal groups hurts many Internet clients, while generating billions of euros of profits for organized crime groups.