Tuesday, January 29, 2019

Money Laundering and Counter-Terrorist Financing: What is FATF?

Many cybercrime investigators seem narrowly focused on the bits and bytes of the crimes they investigate while not truly understanding or interacting with those who focus on where the money goes.  As we've been expanding our horizons, I've learned quite a bit and wanted to share some resources for others who may have been similarly limited in their focus.

The Financial Action Task Force (FATF) was established in 1989. It built a list of Forty Recommendations for countries to address Money Laundering, which were first issued in 1990, and revised in 1996, 2001, 2003, and 2012.  Their latest FATF Annual Report (2017-2018) addresses Terrorist financing as well as new methods and trends and announces a research project on financing of recruitment for terrorism.  Many of these Recommendations meet our lives in the form of regulations on financial institutions and interactions between international law enforcement agencies.
"Regardless of their size and complexity, the financial activities and channels of terrorists are an essential source of intelligence.  Financial investigation can identify terrorist cells, their associates and facilitators, and reveal the structure of terrorist groups, and their logistics and facilitation networks." -- FATF President Santiago Otamendi, 14DEC2017, NYC.
FATF also released an important report "Financing of Recruitment for Terrorist Purposes" in January 2018, and a second report "Concealment of Beneficial Ownership" in July 2018.
Beneficial Ownership (July 2018)
Terrorist Recruitment (January 2018)
FATF is composed of 38 member states, covering most of the major financial centers of the world. Each of these member states has pledged to come into compliance with the Forty Recommendations, and to measure its progress.

The FATF Forty Recommendations on Money Laundering and Counter Terrorism Finance

International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation (Oct 2018)
The Recommendations fall into seven major categories:

A - AML/CFT Policies and Coordination
  • R1. Assessing risks & applying a risk-based approach
  • R2. National cooperation and coordination

B - Money Laundering and Confiscation

  • R3. Money laundering offense 
  • R4. Confiscation and provisional measures

C - Terrorist Financing and Financing of Proliferation

  • R5. Terrorist financing offense
  • R6. Targeted financial sanctions related to terrorism and terrorist financing
  • R7. Targeted financial sanctions related to proliferation 
  • R8. Non-profit organizations

D - Preventative Measures

  • R9. Financial institution secrecy laws
  • R10. Customer due diligence 
  • R11. Record keeping 
  • R12. Politically exposed persons
  • R13. Correspondent banking
  • R14. Money or Value transfer services
  • R15. New technologies
  • R16. Wire transfers 
  • R17. Reliance on third parties 
  • R18. Internal controls and foreign branches and subsidiaries
  • R19. Higher-risk countries
  • R20. Reporting of suspicious transactions
  • R21. Tipping-off and confidentiality 
  • R22. Designated non-Financial Businesses and Professions: Customer due diligence
  • R23. Designated non-Financial Businesses and Professions: Other measures 

E - Transparency and Beneficial Ownership of Legal Persons and Arrangements

  • R24. Transparency and beneficial ownership of legal persons
  • R25. Transparency and beneficial ownership of legal arrangements 

F - Powers and Responsibilities of Competent Authorities and Other Institutional Measures

  • R26. Regulation and supervision of financial institutions
  • R27. Powers of supervisors
  • R28. Regulation and supervision of Designated non-Financial Businesses and Professions
  • R29. Financial intelligence units
  • R30. Responsibilities of law enforcement and investigative authorities 
  • R31. Powers of law enforcement and investigative authorities 
  • R32. Cash couriers 
  • R33. Statistics
  • R34. Guidance and feedback 
  • R35. Sanctions 

G - International Cooperation

  • R36. International instruments 
  • R37. Mutual legal assistance 
  • R38. Mutual legal assistance: freezing and confiscation
  • R39. Extradition 
  • R40. Other forms of international cooperation 

Mutual Evaluation and Ranking of Members

4th Round Ratings
In this chart, each member state, including the Associate members, is ranked on how well they comply with each of the 11 "Immediate Outcomes" and 40 Recommendations.  For example, the United States is currently not compliant with recommendations 22, 23, and 24 -- so, we don't do well in non-financial institutions, and our shell company games are impossible to monitor as of now, but we do generally do well in most others.  Clicking the "4th Round Ratings" label will take you to the full chart.  If you do international business, doing business in countries with poor ratings across the board here may be a form of risk.

FATF Member Assessments

Each member is encouraged to perform regular assessments to measure themselves on how they are complying with the Forty Recommendations.  Here are example reports from the United States, but these reports are available for every country that participates in FATF or one of the Associate Members.  In the United States, these assessments are published by the Department of the Treasury.  These reports were issued in 2015 by the Treasury Undersecretary for Terrorism and Financial Intelligence, Adam Szubin.

2015 Money Laundering Risk Assessment

2015 Terrorist Financing Risk Assessment

The goal of sharing these examples is to serve as a reminder that from the FATF site, ALL such reports for all member states are available, by looking for the "Mutual Evaluations Publications." As of this writing the four newest ones are from Tunisia, Nicaragua, Panama, and Tajikistan.

FATF Associate Members

FATF also has 9 Regional Bodies, considered "FATF Associate Members," each of which puts out specialized information for its portion of the world.  For those who are interested in a particular region, following up on that region's reports from its representative task forces and groups will be worthwhile.

A Special Focus on Terrorist Financing Risks 

FATF issued their first special report offering guidance on Terrorist Financing in 2008:

Several more recent reports would be especially interesting regarding terrorist financing, stemming from an emergency meeting of 55 states, the United Nations, the Egmont Group of Financial Intelligence Units, the International Monetary Fund, the World Bank, and others specifically to address curbing the financing of ISIS/ISIL.

In the Paris meeting of 19OCT2018, FATF encouraged members to expand their focus from looking specifically at ISIL to more broadly include Al Qaeda and its Affiliates, issuing this guidance:

Regional Terrorist Financing Focuses

There have also been significant regional reports issued by sub-groups and associate members.

The Counter-Terrorism Financing Summit, hosted by Australia's Financial Intelligence Agency (AUSTRAC) and the Indonesian counterpart, Pusat Pelaporan dan Analisis Transaksi Keuangan (PPATK), issued the Regional Risk Assessment on Terrorism Financing 2016.  The following year, the event was repeated, adding Bank Negara Malaysia as a partner.  These events issued two small statements, and one more substantial report, addressing events in Philippines, Thailand, Malaysia, Singapore, Indonesia, and Australia, and how those events were funded.

A risk methodology for their region (p.22)

The Nusa Dua Statement - August 2016 
Kuala Lumpur Communique - November 2017 

West and Central Africa have very different concerns, and held a summit to discuss these differences, resulting in this excellent joint publication: 

"Terrorist Financing in West and Central Africa", October 2016
50 page joint report from FATF, GIABA, and GABAC

Particular Funding Methods for Terrorism Finance

Many other special reports have been issued, related to the trade in:

Virtual Currencies of Growing Concern

In the Paris meeting 19OCT2018, a special issue that was raised was the Regulation of Virtual Currencies.  This was deemed to be a matter of strategic interest that will be further evaluated, especially with regard to Initial Coin Offerings and their role in Money Laundering.  FATF has committed to work with the G20 to come up with new guidelines to update their previous report "Virtual Currencies: Key Definitions and Potential AML/CFT Risks" as well as their report "Guidance for a Risk-based Approach to Virtual Currencies" (June 2015 - 46 page PDF).  

The work so far is in the form of a report to the G20, which addresses many topics in addition to Virtual Currencies:

In part the report shares:

"Noting that virtual currencies/crypto-assets raise issues with respect to money laundering and terrorist financing, they committed to implement the FATF Standards as they apply to virtual currencies/crypto-assets.  They looked forward to the FATF review of those Standards, called on the FATF to advance global implementation, and asked the FATF to provide an update on this work in July 2018.  The FATF will take this work forward under the US presidency from 1 July 2018 to 30 June 2019."

This work begins with first reviewing laws and regulations regarding crypto-assets and virtual currencies in each of the G20 states.

More on this topic will certainly be forthcoming from FATF.

Thursday, January 24, 2019

Facebook Lotteries to Avoid - with help from AA419

This morning I received a tip from one of the top West African fraud experts in the world, Derek Smythe from AA419. Derek and his team had been in communication with several victims of a "Poker Lottery" scam and had documented a set of linked domains.

PokersLottery[.]me website
The home page of these websites explains how the Lottery works:
Under The Gambling Act 2015, The Poker Lottery Online Board’s Purpose Is To Benefit The Facebook Community By Distributing The Profits From States Lotteries Run By The United State Of America,United Kingdom,Australia And Canada Lotteries Commission.

The Board Is Empowered By The Gambling Act To Make Allocations To Lottery Distribution Committees; The Minister Responsible For The Board For Distribution For Community Purposes; And This Statutory Bodies – A Worldwide Promotion For Disabled, Employed And Unemployed Workers, Retired, Young & Old People. A Sophisticated Automated Database To Randomly Select E-Mail Accounts And Profile Page Owners That Frequently Surf The Facebook. Consequent Upon This, Your Facebook Profile Account Was Chosen As A Winner. 
Doesn't that sound a bit suspicious?  Sure, if that's all there was ... but wait, there is more!
Each website has a list of the 100 "beneficiaries" who have been chosen to receive a prize!


Today is your lucky day!  Of course, since there are only 100 winners, they needed to make a bunch of these websites.  Derek and the team at AA419 documented quite a few of them yesterday and today, including these:

Poker Lotto domains, from AA419
The "Beneficiaries" pages all looked something like this, where each named individual is someone who has been invited to be scammed by receiving a Facebook message:

Beneficiary List from a Poker Lotto page

Another Beneficiary List Style
As far as we can tell, the "Status" has one of three meanings:

Delivered - you've already been suckered.
Not Yet Claimed - you've received the Facebook Message, but have not "verified" yourself.
Processing - you've provided your personal information, but they don't have your money yet.

The "AGENT/OFFICER IN CHARGE" link takes you to a Facebook Page, which will be the source of the message that you received via Facebook Messenger.  For many, this acts as a Verification.  They get a message, they follow the link, they see their own name, and when they click "AGENT/OFFICER" it takes them to the Facebook page of the person who sent them the message, completing the loop, and solidifying the concept that this is a "real thing."

Some of the AGENT/OFFICERs we found were:


It is also possible that the "Delivered" statuses are just decoys, because who would actually fall for these scams, right?  Actually - according to AA419 and their law enforcement friends, these guys have already stolen money from dozens of victims!

So what happens next?  Next, we need to gather a bit of personal information so we know where to send your money, and make sure that we file your tax information about your winnings:

Necessary Information to Claim Winnings
There were actually several versions of the Verification Form, with some asking for an SSN while others did not.  We believe this may indicate what country that particular form was targeting.  For example, many of the victims were in South Africa, which does not identify their National ID number as a "Social Security Number."  By not having that field, they may avoid raising suspicion.

Quite a few of the websites are hosted on SquareSpace, who thankfully has been terminating the domains as AA419's team swung into action!  Thankfully several of them now look like this:

Well Done, SquareSpace!
So how much did the victims lose?  Strangely, it appears that you get to choose your own winnings, depending on how large a payment you are willing to make.  Yes, as you may have guessed if you are familiar with 419 Scams, there is a small fee that needs to be paid.

Cheap? Pay $1050 to claim $50,000.  Loaded?  Pay $420,000 to claim $20 Million!
On the form one fills out to choose their prize, note that one of the required fields is that you must upload your photo id!!!

Our advice?  Perhaps you shouldn't do that!

US Government Facebook Lotteries?

While Derek and I were exploring the sites and looking for additional ones, we realized that there is another version of the scam that imitates United States Federal Government Agencies.  All of the above works in exactly the same way, however instead of being branded "Poker Lotto" the websites take on a more "Official" tone.

The first one we found claims to be a service to help those who find themselves unemployed run by the United States Agency for International Development (USAID).

The USAIDWBENEFITS[.]COM website is hosted in NameCheap's data center in Los Angeles on the IP address

There are sixteen pages of beneficiaries who have won the USAID WORLD BENEFITS award, listed in alphabetical order by first name

USAID Benefactors, from A ... 

... to Z 

The other US Government agency we found being abused in these scams was the Department of Labor.

wcabcompensations[.]com and also wcabdhhs[.]org

The "Winners List" from wcabdhhs[.]org

The WCAB / DHHS site is more advanced than the Poker Lotto sites, though not as advanced as the USAID site, which seems to be the most recent in the evolutionary chain.

The Department of Labor doesn't seem to have as much money as Poker Lotto.  The "Claim" fees are smaller, but then so is the maximum prize:

Don't copy this!  It is (C) 2019 the Workers Compensation Appeals Board and the Department of Health & Human Services!

I'm not quite sure what the National Endowment for the Humanities has to do with this one . . . 

The address information left behind on this "Contact Us" form tells us a bit about how long these scams have been going on.  When we searched on the address information with the phrase "Claim Your Grant" as part of the search, we found that the National Endowment for the Humanities put out a press release on June 21, 2016 warning people about exactly this type of scam!  See: "Scam Impersonates NEH" on their website.

The Workers Compensation Board version of the scam is likely just as old, as one of their "AGENT" Facebook pages that are listed on these scam sites was created in 2015 and updated in 2016!  People may have been receiving notices of Lottery winnings from her account for a Very Long Time!

Asuncio from the Worker's Compensation Board has the odd Facebook Handle "CLAIM IT ONLINE1" 
The other Workers Compensation Appeals Board website did have an option to claim a LOT MORE MONEY, but you also had to pay a much larger fee:

$15 Million!  And all I have to send to Nigeria is $1.2 Million!  What a deal!

A Facebook Lottery?

The last lottery of this type that we explored actually imitates Facebook itself.

The Facebook Benefit site also uses "A Sophisticated Automated Database to Randomly select E-mail Accounts And profile Page Owners that frequently surf the Facebook."

They like to capitalize almost as much as ME!

fbusersbenefit[.]com Beneficiary List
The agent for this one was - https://www.facebook.com/lise.richard8 

Could You Do Us A Favor?

WHEW!  That was a lot of Lottery Scams to review.  Could you do us a favor?

First, please share this blog post with your friends so they will be aware of this type of scam. Victims tend to be elderly and perhaps more trusting of computers, so sharing this with your older friends might be helpful.

Secondly, if you, a friend, or a family member has encountered any of these lottery scams and have saved any of your communications from the scammers, it would be SUPER HELPFUL if you could share that information.  Especially if you have email addresses or bank accounts that were used by the scammers.  

Feel free to leave me a comment below if you'd like to pass it to me, or if you are in the United States, please take a moment to share your details with the FBI's Internet Crime and Complaint Center, IC3.gov.   The great people at AA419 work closely with the website ScamSurvivors.com and would love to have you report details about anything you may have experienced related to this or other scams by visiting the Scam Survivors Forum.

Sunday, January 20, 2019

Romanians on a Skimming Crime Spree?

When I posted last month about a Romanian skimming case (see: "Alert Traffic Patrolman Unveils Romanian Skimming Ring") I got two strong reactions.  One was from my Romanian Information Security friends who wanted to remind me that not all Romanians are criminals -- of course not! There are great researchers from Romania!  But the other was email after email telling me about other cases where the people being caught planting skimmers or using the cards stolen by them were also from Romania.

As we looked into this accusation more, it does seem to be quite true: Romanians traveling to the United States for the purpose of planting skimmers and cashing out cloned cards seem to be in the news almost every week.

January 5, 2019 - San Luis Obispo, California - has a very nice video in the article  "These foreigners ran a credit card skimmer ring in the Tri-Cities" - in this case four Romanians were arrested with 268 gift cards, each with a separate skimmed mag stripe and PIN already burned onto them.  Emil Kabirov (21), Denis Legun (24), Ana Onici (22) and George Vasile (35) were arrested as they were seen at a Numerica Credit Union using cloned cards to withdraw funds.

Eric Vitale, fraud investigations specialist for San Luis Obispo PD, explains the scam
December 20, 2018 - Nashville, Tennessee - 159 gift cards with cloned stripe data recovered. In a jailhouse interview their American driver says they stole as much as $500,000.  George Zica and Madalin Palanga of Romania were arrested with him.

American Forrest Beard tells about his time with Romanian skimmers  in this WKRN exclusive
November 27, 2018 - Atlanta, Georgia - Romanian Gogut Serban (35) was sentenced for skimming and stealing at least $80,000 from at least 70 credit union customers in Atlanta, Lawrenceville, Norcross, and other locations in Georgia.  He'll serve 26 months in Federal prison.

November 8, 2018 - Nixa, Missouri - Romanian woman Lordeana Baceanu is facing a 49-count felony for planting at least 15 skimming devices and making a large number of withdrawals, including from Southern Bank.  When arrested, she had 49 Visa and American Express gift cards with her that had been re-encoded with the magnetic data from skimmed cards.  She was previously arrested in 2012 as part of a team of five women and three men who traveled through Wales and the UK, committing at least 30 burglaries in five months.

November 2, 2018 - Springfield, Oregon - two Romanian teens were arrested, aged 15 and 17,  for planting skimmers on ATMs belonging to Northwest Community Credit Union.

October 31, 2018 - Boston, Massachusetts - 3 Romanian men pleaded guilty in federal court related to their ATM skimming operations.  Nicusor Bonculescu (24), Suedin Chiciu (28), and Florinel Vaduv (22) were actually indicted along with 12 others in 2017.

October 27, 2018 - Houston, Texas - 2 Romanian men have pleaded guilty to traveling to Houston to place card skimmers on ATMs and stealing money from bank accounts.  Crisian Viorel Ciobanu (30) and Bogdan Mirel Constantin (40) were arrested with Daniel Marius Muraretu.  The three used fake cards and stolen PINs to steal at least $390,495.

A nearly undetectable credit card skimming device was discovered at an ATM in Alameda. Photo: Alameda Police
A skimmer on an ATM in Alameda, Texas - Source: https://www.facebook.com/AlamedaPD/posts/1761406967269034
October 9, 2018 - South Strabane - "Elvis Roman", (probably an alias), a 33 year old native of Romania, conducted 255 unauthorized withdrawals from Washington Financial Bank using cards that were cloned after being captured with an ATM skimmer.  After bank surveillance pulled his license plate number, he was pulled over by traffic police and arrested.

"Elvis Roman"

September 11, 2018 - Springfield, Massachusetts - Romanian Bogdan Viorel Rusu (38), living in Queens, New York, pleaded guilty to stealing $868,000 via cloned ATM cards from at least 530 individuals in three states via skimmers.  $364,419 was stolen from Massachusetts, $75,715 from New York, and $428,581 from New Jersey residents.

August 22, 2018 - Louisiana - Alexandru-Nicusor Nita (27), Daniela-Stefani Ianev (31), both of Romania, planted skimmers around Baton Rouge, Louisiana at Neighbors Federal Credit Union ATMs.  Nita was arrested by the US Secret Service in a Memphis hotel room along with 5 other Romanians who were charged with possession of marijuana and manufacturing fake ids. He was sentenced in December 2018 to 24 months imprisonment and restitution of $149,802.44.

August 15, 2018 - Richmond, Virginia - 50 year old Antal Kancsal pleads guilty to stealing $1.2 Million via ATM skimming. He worked as the partner of Brazilian Roberto De Miranda-Martinez (43).  He entered the US on a tourist Visa which expired in March and never went home.  The pair planted skimmers in Virginia, Pennsylvania, Maryland, and elsewhere.

July 17, 2018 - Friendswood, Texas - 18-year-old Romanian national Fabrizio Victor Slatineo was arrested after bank employees alerted the police to a vehicle associated with a series of suspicious ATM transactions.  Traveling with Fabrizio was an eleven-year-old girl who had $60,000 cash and dozens of blank debit cards, with skimmed stripes burned onto them, hidden in her floor-length skirt.

Recently, three Romanian men were sentenced to prison for using credit card skimmers to steal victims' personal information.
A skimmer on a Texas Credit Union ATM - Source: LMTOnline.com
Jun 12, 2018 - Fond du Lac, Wisconsin - 26 year old Mihai-Alexandru Preda and 35 year old Catalin-Adrian Capanu were caught at a Marine Credit Union with 137 cloned debit cards and $7500 in cash.  The pair had been driving from California to Wisconsin, conducting crimes all along the way. See "Romanian nationals arrested in Fond du Lac for skimming, cash outs, organized crime ring"

Police release photos, info on skimming scam
Romanian suspect glues a PIN camera on a Kenosha, Wisconsin Educators Credit Union ATM 
Jun 6, 2018 - Richmond, Virginia - Romanians Florin Bersanu (31) and Viorel Naboiu (43) were charged with placing skimmers on ATMs in Virginia, West Virginia, and Florida.  Directly attributable losses are $42,756.80 stolen from BB&T Bank, Henrico Federal Credit Union, United Bank of West Virginia, and Pen Air and Eglin Federal Credit Unions in Florida.

Bersanu and Naboiu: Okaloosa County Sheriff's photo

May 14, 2018 - Boston, Massachusetts - The ring-leader of the gang, Constantin Denis Hornea (23) was sentenced to 65 months in prison and $242,141 restitution for ATM-skimming and racketeering.  The Hornea Crew did ATM-related crimes in at least seven states: Massachusetts, New Hampshire, Connecticut, New York, South Carolina, North Carolina, and Georgia.  At least 17 members of the Hornea Crew are now indicted, though some are still awaiting extradition from Germany and Hungary.  Their skimmers were found in Amherst, Bellingham, Billerica, Braintree, Chicopee, Quincy, Southwick, Waltham, Weymouth, and Whately, Mass.; Enfield, Conn.; Columbia, Greenville, Greenwood, Mauldin, and Saluda, S.C.; Savannah, Ga.; and Yadkinville, N.C.  They made ATM withdrawals in at least 44 different towns, 29 of them in Massachusetts.

Hornea crew with many aliases - often linked to their Facebook accounts

members of the Hornea crew used a "Fast and the Furious" frame on their Facebook profile pictures 

Denis Hornea's Porsche (from his Facebook page)

Ion Văduva - proud to be a gangster
May 11, 2018 - Henrico County, Virginia - Romanians Florin Bersanu and Viorel Naboiu were arrested for defrauding a huge number of accounts that they accessed after cloning ATM cards via skimming.  Their victims included 226 Pen Air Credit Union customers, 235 accounts in West Virginia, and 190 accounts from BB&T banks in Virginia.  The skimmers planted by the pair use Bluetooth technology to transmit the stolen card stripes.  

April 13, 2018 - North Carolina - Valeri Gornet sentenced to 48 months for ATM Skimming in Troy, North Carolina. He entered the US on an H1B non-immigrant visa and was supposed to leave October 10, 2016.  He originally told the police he was Geani Vales from Lithuania when he was caught installing a skimmer at a North Carolina State Credit Union ATM.  

Feb 21, 2018 - Pittsburgh, PA - Nicu Sorin Pantelica (28) was indicted after being caught with a mag stripe writer (MSR606), an Acer laptop, and $6100 in cash.  Nicu was arrested while "loitering suspiciously" in a van near an ATM in South Strabane Township, Pennsylvania. As in some of the other cases we looked into, he was traveling with an underage female who claimed to be his sister and who was concealing more than 40 Vanilla Visa cards, many bearing stickers with four-digit numbers on them, believed to be the PINs for the cards.