Thursday, November 26, 2020

Major Nigerian Phishing and BEC Actors, SSGToolz and CeeCeeBossTMT, Arrested by Nigerian Police and Interpol

 An Interpol headline on November 25, 2020 announces "Three arrested as INTERPOL, Group-IB and the Nigeria Police Force disrupt prolific cybercrime group" however the article does not name the suspects.  The Interpol article says the three are "believed to be members of a wider organized crime group responsible for distributing malware, carrying out phishing campaigns and extensive Business Email Compromise scams."  Interpol's Craig Jones says the year-long investigation was known as "Operation Falcon."

The Nigerian Police actually did a press release about the trio on November 19th.  From that we find photos of the three criminals and more information about their crimes and names. The leader of the trio, Onuegwu Ifeanyi, is known online as SSGToolz.  According to the Nigerian Police, he "specializes in creating, designing, and selling phishing links and hosting malware on websites used by the gang for phishing and hacking purposes.  He collects charges running into several millions of naira from other fraudsters he mentors and improves their phishing capabilities."
Onwuka Emmanuel Chidiebere, also known as Ceeceeboss TMT, graduated from Imo State University and specializes in Business Email Compromise (BEC) and hacking. His laptop had over 50,000 email accounts with passwords harvested from various individuals and businesses worldwide.
CeeCeeBoss TMT recruited the third of the trio, Ikechukwu Ohanedozie, who was known as Dozzy. A medical school student also from Imo State, Dozzy's job was sorting out the email accounts and doing research "to determine financial strengths of prospective victims and pass the information to Ceeceeboss.
SSGToolz was not at all discrete with his work, creating his own domain for his tools, appropriately named ssgtoolz[.]net.  From there we see that he also used the gmail account, which was associated with the creation of 85 domain names.

Some of these domain names were used to anchor other types of fraud, for example "c-clh[.]com" was confirmed to be hosting malware on 17JUL2020 and 19JUL2020, and as recently as 22SEP2020, which VirusTotal says was detected as Andromeda, Fareit, or Lokibot by various anti-virus vendors.

He also used this domain to host phish, such as "[.]com" 

According to the ZoneCruncher tool from Zetalytics, At least 76 domains of his domains were observed resolving in their Passive DNS systems.  Many of them were "look alike" domains, likely used for sending malicious email.  Some xamples of these would include: 

agogpharrna[.]com (the "rn" supposed to look like an "m" to imitate agogpharma) 
iescornputers[.]com (the "rn" supposed to look like an "m" for iescomputers) 
tataintiernational[.]com (an extra "i" to imitate tatainternational) 
owenscorming[.]com (an "m" instead of an "n" for OwensCorning) 

Others seem more targeted as general "technical" phish, such as "server-update-mail-verification[.]com" which he registered 12JUN2019, or "itbackupserver[.]com" registered the same day.

CeeCeeBossTMT liked to boast of his wealth on Instagram, although he gave God Almighty all the thanks for the proceeds of his crime.  He also liked to imply that his hard work in the music studio was somehow the source of his wealth, rather than the millions he stole from innocent victims around the world.

Gotta admit, I'm thinking of finding that green track suit and shoes combo for myself.  What do you think?  Also, can anyone tell me which South African airport that top left shot was taken in?

The "TMT" coincides with his TMT Liquor Store, which he frequently tags in his posts.  TMT Liquor shares their WhatsApp Number, +234 901 069 2587 on their Instagram Bio @tmtliquorstore.

We look forward to hearing more about how these three are tied into the larger infrastructure of cybercrime in Nigeria.  If you have more information, please do reach out!

Sunday, November 15, 2020

ENISA: Top 15 Threats: Spam, Phishing, and Malware!

Part One of this post, describing the many components of "The Enisa Cybersecurity Threat Landscape" went over ENISA's Year in Review, the emphasis on Cyber Threat Intelligence, Sector specific threats, Research Topics, and Emerging Trends.  This is "Part Two" where we review the 16 documents that ENISA released to cover their "Top 15 Cyber Threats" report. In particular, we look at the Top 5.

ENISA's Top 15 Threats report starts with this summary document: 

The list of the Top 15 Threats is an annual list from ENISA, with only slight changes in positions for the various threats since last year. Malware remains in the Number 1 spot, and Web-based attacks remains Number 2. Phishing actually increased from 4th to 3rd position. Spam also rose this year, from 6th to 5th position. The threat making the greatest movement was Identity Theft, jumping from 13th to 7th position!
  A full report from ENISA is available for each of the topics below. Click to access each one. I'll only comment on a few in this blog post!
    1. Malware
    2. Web-based Attacks
    3. Phishing
    4. Web Application Attacks
    5. Spam 
    6. DDOS 
    7. Identify Theft
    8. Data Breach 
    9. Insider Threat
    10. Botnets
    11. Physical manipulation, damage, theft and loss
    12. Information Leakage 
    13. Ransomware
    14. Cyber espionage
    15. Cryptojacking 

#1 Cyber Threat - Malware

ENISA ranks Malware as the #1 threat again, pointing out several troubling trends.  Detection of malware on Business-owned Windows computers went up 13% from the previous year, and 71% of malware infections had spread from one infected user to another.  46.5% of malware delivered by email used a ".docx" file extension, indicating that our continued unsafe business practice of sharing Word documents by email continues to put our organizations and our employees at risk!  Another change was that 67% of malware was delivered via an encrypted HTTPS connection -- the "increased safety" of having encrypted web pages has also greatly increased our difficulty in understanding when an employee is receiving malware by visiting a webpage.

The number one malware family in this reporting period was Emotet, which targeted US-based businesses 71% of the time and UK targets 24% of the time.  

An increasing number of banking trojans were also seen that targeted the Android operating system.  Top families included Asacub, SVPeng, Agent, Faketoken, and HQWar.

 The so-called File-less Malware was also a significant attack method, often using Windows Management Instrumentation or PowerShell scripts to perform complex attacks more or less "at the command line" rather than by downloading a Windows PE Executable.

For C2-based malware, a growing trend in having Russian-based Command & Control servers was observed, with the likelihood of a Russian-host going up 143% from the previous reporting period.  these malware families included Emotet, JSECoin, XMRig, CryptoLoot, Coinhive, Trickbot, Lokibot, and AgentTesla (according to MalwareBytes, quoted in the report.)

ENISA says that 94% of all malware deliveries were via email during 2019, quoting from the EC3 Internet Organised Crime Threat Assessment.   Many such attacks were enabled by employee behavior and gained extended reach due to vulnerabilities in Windows, several of which allowed Remote Code Execution, making malware attacks "wormable" and able to spread throughout the enterprise, often due to poor patch management.

Proposed actions in this report include the need for better in-bound screening, including the ability to decrypt and inspect SSL/TLS traffic as it comes into the network, including web, email, and mobile applications.  Security policies must also be updated to include what processes and escalations must occur "post-detection" in the case of an infection.  Log monitoring must be improved.  

One suggestion that I strongly agree with -- "Organizations need to disable or reduce access to PowerShell functions" -- so much malware this year, especially ransomware, would be stopped cold in its tracks if PowerShell were not so prevalently deployed and enabled in our organizations!  

Although it is not mentioned by ENISA, my favorite document for understanding PowerShell threats is "The art and science of detecting Cobalt Strike" from our friends at Talos Intelligence!  More than any other attack platform, Cobalt Strike is being abused by malicious actors in order to fully compromise domains, often for the purpose of exfiltrating and encrypting for ransomware.

Please refer to the full report for additional recommendations.

#2 Cyber Threat - Web-Based Attacks

Web-Based Attacks are broken into four main vectors by ENISA.  Drive-by downloads, Watering hole attacks, Form-jacking, and Malicious URLs. 

As noted in part one, due to the age of the reporting window (January 2019 to April 2020) some of the particular attacks noted are more historical and of less keen interest by this time, however a couple trends are worth calling attention to.

"MageCart" attacks continue to be a prominent method for acquiring financial credentials.  Because of the vast popularity of a small handful of online "checkout" systems, many organized crime groups are investing heavily in hackers who have "nation-state" level capabilities in order to create new zero day attacks into these systems.  Shoppers are basically defenseless as their order information is transparently transmitted to criminals while they shop at even the largest and most prominent "trust-worthy" online vendors. 

In addition to browser vulnerabilities that can make watering hole attacks quite successful, attackers are also attacking popular web browser extensions, which often have less rigorous security updates than the base browser products themselves.

Content Management Systems also present an enormous footprint of vulnerability as platforms such as WordPress provide millions of vulnerable websites that can be used at will by hackers to host both phishing sites and malware payload files.

#3 Cyber Threat - Phishing

Phishing has historically been email-based crime that lures a target to an illicit website via a social engineering email.  It is the key to $26 Billion in losses due to Business Email Compromise, as well as to a growing number of scams linked to the COVID-19 Pandemic.  In the FIRST MONTH of the COVID-19 Pandemic, ENISA reports that phishing attacks increased 667%!  As previously mentioned, these dangerous emails are now very likely to contain a trojaned Microsoft Office family document.  

ENISA warns that phishing URLs are now being seen more frequently delivered via SMS, WhatsApp, and Social Media platforms, expanding beyond the original email platform.

While phishing historically targeted financial institutions, ENISA says that webmail became the leading target of phishing in Q1 of 2019, with Microsoft 365 services being particularly targeted.

User education and user reporting remains a critical strategy, especially as ENISA says that 99% of phishing emails require human interaction in order to be effective.

The most effective means to combat phishing continues to be the implementation of 2FA. If a phisher cannot gain access to an account with simple userid and password, many schemes would be immediately blocked.

From a financial perspective, wiring money should ALWAYS require out of band confirmation.  The cost of not getting the confirmation is simply too high, with some Business Email Compromise attacks costing tens of millions of dollars!

#5 Cyber Threat - Spam 

As the ENISA report on Spam menions, after 41 years of dealing with spam, "nothing compared with the spam activity seen this year with the COVID-19 pandemic!"

During the reporting period, Emotet, Necurs, and Gamut were some of the top spamming families.

Some other findings: 
85% of all emails exchanged in April of 2019 were spam, a 15-month high.
13% of data breaches could be traced back to malicious spam.
83% of companies were unprotected against email-based brand impersonation (DMARC)
42% of CISOs reported dealing with at least one spam-based security incident.

To bring this category up to date, we noticed that ENISA was fond of the Quarterly Spam & Phishing reports from Kaspersky.  Please find below links to the 2020 Q1, Q2, and Q3 reports from Kasperky, which will technically be part of NEXT year's ENISA reporting:

Kaspersky found that throughout the third quarter, spam was at least 48.9% of all email sent, a slight decline from Q2, however the portion of spam containing malicious emails was up significantly.  Kaspersky identified 51 Million malicious attachments in that quarter, with 8.4% of them being the keylogger commonly known as Agent Tesla (Kaspersky uses the name "Trojan-PSW.MSIL.Agensla.gen"). Microsoft Office documents exploiting CVE-2017-11882 were the second most common.

They also noted 103 million phishing attacks, with the top targeted sectors being Online Stores (19.2%) and Global Web Portals (14.48%) which would include Office365.  Only 10.8% of the phishing attacks observed by Kaspersky targeted banks!

My favorite spam campaign here was the "FTC Official Personal Data Protection Fund" which claimed that the Federal Trade Commission had found that the recipient was a victim of "personal data leakage" and they were eligible to be compensated for that loss, if they just filled out a simple form on their website (which harvested personal data, including credit card and social security number.) 

The ENISA Cybersecurity Threat Landscape

 ENISA, the European Union Agency for CyberSecurity, met on October 6, 2020 to review their current recommendations and get any last minute changes.  On October 20, 2020, they released a huge batch of reports that many folks seem to have not seen.  We wanted to take a moment to give you the guided tour and strongly recommend the consumption of these report.  Each publication is available "flip book" style on the ENISA website, and also as a downloadable PDF.

Let's get started! 

This is the 8th Year In Review for ENISA and their reporting just keeps getting better!  This year the main components of the report break down into topics like this: 

  • The Year In Review
  • Cyber Threat Intelligence Overview 
  • Sectoral and Thematic Threat Analysis 
  • Main Incidents in the EU and WorldWide
  • Research Topics
  • Emerging Trends
  • List of Top 15 Threats 

The Year In Review 

This report has a few key sections.  The first that we'll cover is the "Ten Main Trends" that were observed during the reporting period: 

  1. Attack surface in cybersecurity continues to expand as we are entering a new phase of the digital transformation 
  2. There will be a new social and economic norm after the COVID-19 pandemic even more dependent on a secure and reliable cyberspace.
  3. The use of social media platforms in targeted attacks is a serious trend and reaches different domains and types of threats.
  4. Finely targeted and persistent attacks on high-value data (e.g. intellectual property and state secrets) are being meticulously planned and executed by state-sponsored actors
  5. Massively distributed attacks with a short duration and wide impact are used with multiple objectives such as credential theft
  6. The motivation behind the majority of cyberattacks is still financial 
  7. Ransomware remains widespread with costly consequences to many organisations
  8. Still many cybersecurity incidents go unnoticed or take a long time to be detected
  9. With more security automation, organizations will invest more in preparedness using Cyber Threat Intelligence as its main capability
  10. The number of phishing victims continues to grow since it exploits the human dimension being the weakest link.
Another key section in this area was the "What To Expect" which broke the topic into three areas -- Nation States, Cyber Offenders, and Cyber Criminals.  The reader is invited to view the full report, but I did want to mention that with regards to Nation States, ENISA describes the coming year as an "Uncontrolled cyber-arms race" with a free-for-all of nation states trying to buy up and acquire the best attack tools for the "cyberspace warfare domain" possibly through sponsored agents who may not present as the purchasing nation.

In the area of What to Expect From Cyber Criminals ... BEC - Business Email Compromise, and BPC - Business PROCESS Compromise are expected to continue, along with malware targeting Managed Service Providers.  They predict that "Deep Fakes Used for Fraud" may be a rising trend.  I'm not sold on this concept as being a 2021 reality, but it is certainly something to watch for.

I also wanted to call attention to the prediction that Cyberbullying is likely to greatly increase as a growing number of adolescents are spending a much greater time online, possibly with limited parental oversight of their activities, as Mom and Dad are busy working from home as well!

Cyber Threat Intelligence Overview 

In this area, training resource links are offered, however the report begins by calling attention to the great gap between higher performing CTI practices and the training and tools available to the average user.  While praising existing frameworks, such as MITRE: ATT&CK, they also point out the short-comings in addressing specialized sector-specific systems, emerging systems, and cloud-computing and managed service threats.

The call is made to spend more emphasis on PREVENTION, DETECTION, and MITIGATION rather than the current near-total obsession with IOCs and APT-naming. Some sectors are especially trailing in the CTI area due to the specialty nature of their equipment and practices.  ALL SECTORS need to be greatly improving their capabilities in PDR (to use the more common Prevent, Detect, Respond term that I still prefer.)  The report calls attention to the fact that trailing sectors are often dealing with limited trust between organizations.  The more isolated your organization is from its peers, the more likely that your sector is struggling in this way.  Improved information sharing is a key.  To quote the report: "one should note that the deficiencies described are not due to a lack of CTI knowledge per se but rather to the lengthy cross- and intra-sector communication and coordination cycles for exchanging CTI knowledge."  A related quote => "Existing offerings concentrate on operational and tactical CTI, while strategic CTI is mostly offered independently."

Results are shared of a "Comprehensive CTI Survey" conducted by ENISA.  Some key findings include: 
  • CTI is still primarily a MANUAL PROCESS in most organizations.
  • Much CTI data is still primarily being passed through spreadsheets and email.
  • CTI Requirements are becoming more defined and beginning to take significant guidance from business needs and executive input.
  • CTI from Public Sources combined with observations from internal network and system monitoring is a popular model
  • Open-source information, enriched by threat feeds from CTI vendors is a "clear upwards trend" indicating more focus on internal CTI production.
  • Threat Detection is described as the main use for CTI, with IOCs being a base, but more interest in TTPs in the area of threat behavior and adversary tactics.
  • Only 4% of respondents felt they could measure the effectiveness of their CTI programs!  OUCH!  Machine learning was ranked especially low, with most saying the skill of the analysts was the best predictor of success!
Several areas of interest in the "Next Steps" section to me included:
-  an emphasis on coordinating CTI requirements.  While the report called for this at the EU-member state level, I would say that SECTORS should be working together to determine appropriate CTI requirements and encouraging a sector-wide improvement through collaboration.  
- development of a CTI Maturity model and Threat Hierarchies model.
- ensuring that CTI is taking into account the geopolitical world state and not just the state of bits and bytes.

Please refer to the full report for more details!  

Sectoral and Thematic Threat Analysis 

This report begins by describing the difficulty of measuring and categorizing differences by sector. I must confess to being disappointed by the lack of insights in this particular report.  As sectors shifted to the cloud during the COVID-19 Pandemic, much of the "targeting" became less sector-targeting and more "target of opportunity" focused. 

While most attack trends were "stable" there were some "cross-sector" attack types described as "Increasing" ... specifically Web Application Attacks, Phishing, and Malware.

The only sector actually that was called out as being at significantly greater risk than others based on incident trends was "Health/Medical" where increases in Malware, Insider Threat, and Web Application Attacks were all marked as Increasing.

After a lack-luster "trends" report, all of two pages long, the remainder of the report focuses on Threats to Emerging Technologies, where there are some interesting observations regarding 5G Mobile communications, Internet-of-Things (IoT), and Smart Cars.

The reader is invited to visit the report for more details.

Main Incidents in the EU and WorldWide

Unfortunately, with the official timeline of this report being January 2019 through April 2020, many of the "main incidents" here are quite dated.  Good to cover them for historical documentation, but not really worth re-hashing them at this time. Significant data breaches included the 770 million email addresses stolen from MEGA (the cloud data storage service in New Zealand run by "Kim Dot Com".) They also mention breaches such as ElasticSearch, Canva, Dream Market,, and a couple big MongoDB breaches.

The most targeted services, according to this report, are Digital Services, Government Administration, Tech Industry, Financial Institutions, and Healthcare entitites.  In the area of Digital Services, we know that the primary use is to take the email address/password pairs and use them to attempt password replay attacks attempting to use the same pair against many additional online properties.  ENISA refers to those as "credential stuffing" attacks and indicates that "companies experience an average of 12 credential-stuffing attacks each month!" 

The report indicates that 84% of cyber attacks "rely on social engineering" and that 71% of the organizations with malware activity have seen the malware spread from one employee to another. 

Groups that are depicted in the report as "Most active actors" don't really align with what we've seen from other sources, but are listed as: 
  • TURLA - attacking Microsoft Exchange serveres
  • APT27 - mentions attacks against government SharePoint servers in the Middle East 
  • Vicious Panda - targeting Mongolian government entities
  • Gamaredon - spear-phished the Ministry of Defence in Ukraine in December 2019
The report indicates that ENISA believes most cyber attacks originate from Organized Crime groups.

The Top Five motivations for attackers are: Financial, Espionage, Disruption, Political, and Retaliation.

The Top Five "Most Desired Assets" by Cyber Criminals are listed as: 
  1. Industrial property and Trade secrets
  2. State/Military classified information
  3. Server infrastructure
  4. Authentication Data
  5. Financial Data 
I won't detail is here, but the report also has advice on "What changed in the landscape with the COVID-19 Pandemic?" and refers to several previous publications from ENISA for that topic.

Research Topics

ENISA says that "apart from basic cybersecurity hygiene and training, investing in research and innovation is the most viable option for defenders." Some of the key areas that they are encouraging research to be performed are: 

  • Better understanding of the human dimension of security - (I know so many great researchers in this space, from UAB's own Nitesh Saxena, to UAB's Ragib Hasan and his current survey on "User Preferences in Authentication" to Carnegie Mellon's Lorrie Cranor and the IIIT Delhi PreCog lab run by Ponnurangam "PK" Kumaraguru.) 
  • Cybersecurity research and innovation - with a special focus on building "test labs and cyber ranges" that better reflect real world deployments. 
  • 5G Security 
  • EU Research and Innovation Projects on Cybersecurity 
  • Rapid dissemination of CTI methods and content 

Emerging Trends

This report begins by pointing out that COVID-19 has initiated "new and profound changes in the physical world and in cyberspace" and pointing out that "cybersecurity risks will become harder to assess and interpret due to the growing complexity of the threat landscape, adversarial ecosystem and expansion of the attack surface."

The Emerging Trends are given as three trend lists -- Ten Cybersecurity Challenges; Five Trends with cyber threats; and Ten emerging trends in attack vectors.  As I've said a few times, go check out the report for the full details, but a few really caught my eye, which I'll comment on below:

Cybersecurity Challenge 1 - Dealing with systemic and complex risks.  The interconnectedness of our systems and networks means that a risk introduced in one part of the environment can quickly spread throughout our organizations.  The demands of reducing complexity and increasing ease of management has unfortunately caused many organizations to create flat network structures where a single Active Directory domain may touch every resource in the environment and where network segmentation has become almost non-existent.

Unfortunately many of the other "emerging trends" in the cybersecurity challenges are seem more like wishful thinking than an emerging trend.  Reducing unintentional errors, automation of CTI ingestion, Reducing alarm fatigue and false positives, and cloud migration protections are all things we would love to see, but calling them an "emerging trend" strikes me as premature.  A few that I definitely agree with however include the role of CTI and the lack of a skilled workforce.

Cyber Threat Intelligence (CTI) is needed to help with the WHY, the HOW, and the WHAT questions.  The report points out "the value proposition of any CTI capability or program is to improve the preparedness of the organization to protect its critical assets from unknown threats." Anticipating the unknown requires a deeper understanding of both threat and adversary - not just in the form of specific Indicators of Compromise (IOCs) but in the form of TTPs - based on the Tactics, Techniques and Procedures - as evidenced by observations made both from open source intelligence (OSINT) but also through same sector and cross-sector intelligence sharing is going to be a key to hardening and preparing the organization to address forth-coming attacks instead of constantly reacting to known attacks.

Just as we see in the US, a shortage in cybersecurity skills is hitting the EU hard. 70% of firms say that lack of skills is hampering investment in new technologies, and 46% of firms report difficulty filling vacancies in cybersecurity due to a lack of skilled applicants.  In the US, I constantly refer students to the Cybersecurity Supply/Demand Heatmap maintained by  Currently they are showing 521,617 cybersecurity vacancies just in the United States!

The final "Emerging Trends" area - Ten Emerging Trends in Attack Vectors -  has a few that I wanted to call attention to as well.  I'll share the list and comment on a few:
  1. Attacks will be massively distributed with a short duration and a wider impact
  2. Finely targeted and persistent attacks will be meticulously planned with well-defined and long-term objectives
  3. Malicious actors will use digital platforms in targeted attacks
  4. The exploitation of business processes will increase
  5. The attack surface will continue expanding 
  6. Teleworking will be exploited through home devices
  7. Attackers will come better prepared 
  8. Obfuscation techniques will sophisticate 
  9. The automated exploitation of unpatched systems and discontinued applications will increase
  10. Cyber threats are moving to the edge 
A key thread that flows through many of these trends is that attacks will move to new less defended "soft spots."   The report mentions banking trojans being downloaded from the Google Play store, attacks against routers, switches and firewalls rather than servers, and attacks being presented through apps that are skating on the edge between personal and business apps, such as SMS, WhatsApp, SnapChat and various messaging platforms, as well as gaming and streaming apps that may be present on devices being used to "work from home."

List of Top 15 Threats 

The next post will address the ENISA "Top 15 Threats

Saturday, November 07, 2020

US Victims of Indian Call Center Scams Send Cash to Money Mules Across the Country

 On November 6, 2020, the US Attorney in the Eastern District of Virginia announced the sentence for a husband and wife, Chirag Choksi and Shachi Majmudar, both 36 years old.  This pair had involved themselves in the money laundering side of an international scam ring that preys on the elderly via call centers located in India.  Chirag will serve 78 months in prison while his wife Shachi will serve 14 months in prison.  

I've had the pleasure of presenting my research on Indian Call Centers at a meeting the Federal Trade Commission hosted in Washington DC last year.  The scope of these networks and the absolute impunity with which they operate should be a cause of national shame in India.  In 2019, according to the Consumer Sentinel Network Data Book 2019, assembled by the Federal Trade Commission, reported 647,472 "Imposter Scams" with total losses of $667 Million, primarily to the elders who are most deserving of our protection.  (These scams are increasing rapidly.  In 2017 there were 461,476 Imposter Scam complaints, in 2018 there 549,732 complaints.)

The Scam: Law Enforcement Impersonation

Indian Call Centers placed "robocalls" blasting them primarily to seniors in the United States which played a recorded message indicating that the recipient had been charged with a crime and needed to immediately call a certain number to avoid arrest.  When the number was called, the US-based number was routed via a Voice Over IP (VOIP) gateway to call center workers in India who would fraudulently identify themselves as a law enforcement officer and threaten immediate arrest if the caller did not follow their directions.  The caller was instructed to go to their bank, withdraw as much cash as the fake law enforcement officer was able to determine they could get, and then send the money by Federal Express, UPS, or the US Postal Service to a US-based address.

The Money Mules: Choksi and Shachi

There were actually three defendants in this indictment, but they are only a tiny part of the overall scam.  Chirag Janakbhai Choksi and Shachi Naishadh Mamjudar worked for a money mule recruiter, Shehzadkhan Khandakhan Pathan.  Pathan ran mules that he had recruited in many locations, including at least New Jersey, Minnesota, California, Indiana, Texas, and Illinois, although not all have been identified and charged yet.  The criminal complaint against Pathan remains sealed, which makes it likely more charges are forthcoming.  In each location, money mules of Indian origin were waiting to pick up packages of cash.  Chirag and Shachi were the Minnesota Money Mules.

The Money Mules would pick up the bulk cash shipments from their destinations, presenting counterfeit identification documents that used fictitious names in order to hide their identity.  In order to keep their lucrative position in the mule network, mules were required to quickly respond to pick-up orders.  They were also required to video themselves opening the package and counting the cash to ensure that they weren't skimming more of the money than they were allowed.  

Shachi was primarily the assistant, which is why she got a lesser sentence.  She would log in to FedEx or USPS to track the delivery of the packages, so that Chirag would know when he was clear to do a pick-up run.  She would also videotape Chirag as he opened the packages and counted the money.  She would also frequently be the person who went to the bank to deposit the cash into accounts belonging to other members of the conspiracy.

9594 Grey Widgeon Place, Eden Prairie, MN

In one example from the indictment, Chirag was instructed to go to 9594 Grey Widgeon Place in Eden Prairie, Minnesota to retrieve a package containing $8,500 in cash that had been sent to "Aldo Ronald."  The FedEx tracking number confirms the package was signed for by someone at that address, and that the package was shipped from Chesterfield, Virginia, where the victim resided.

Strangley, that 1600 square foot duplex claims to have seven current residents, according to, including Shachi!

According to their Facebook pages, Shachi moved to Minneapolis, Minnesota in 2013.  (The "moved" actually says 2016, but she says in her comments "I actually moved here in 2013, Facebook is just acting weird.")  Sadly for the family, the parents who are now headed to prison, posted photos of their newborn baby in January 2019. 

The Mule Recruiter: Shehzadkan Pathan

The co-conspirator, Shehzadkhan Khandakhan Pathan, goes by the name Shehzad Khan on Facebook and, like his Facebook friend Chirag, is from Ahmedabad, India. He was arrested by the FBI in Houston, Texas on January 16, 2020 and taken into custody by the US Marshall's Service.

Shehzadkhan Khan Pathan

This structure was VERY familiar to me, as it works in exactly the same way as the case we documented in 2016 in our blog post Major Call Center Scam Network Revealed - 56 Indicted.
In fact the similarities are extreme.  In that case, the primary call centers involved included a major group in Ahmedabad India, but had money mule "runners" all over the United States, who not only handled financial transactions, but also sought out victim candidates!  

Not only are the cases STRUCTURALLY  similar, but Pathan SEEMS to be linked to one of the key players in that network on Facebook.  Pathan's Facebook friend "Hardik Dave" who is likely Hardik Patel, also from Ahmedabad, from the previous case.  Although Hardik's friends marked as private, but has several interactions on his Facebook page from "Hitesh Patel" who was at the core of the 2016 case.  In that case, Ahmedabad call center companies including Call Mantra, Sharma BPO, Worldwide Solutions, and Zoriion Communications were involved in the scams.

A superseding indictment relating to Pathan was announced June 17, 2020, and names several additional co-conspirators. 

In addition to Chirag and Shachi, the new indictment includes: 
  • Pradipsinh Dharmendrasinh Parmar
  • Sumer Kantilal Patel 
  • Jayeshkumar Prabhudas Deliwala
In the new indictment we learn that the  "conspirators regularly communicated using WhatsApp Messenger." We also learn additional details about the scam calls:

"The messages told the recipients that they had some sort of serious legal problem. Often the purported problem related to potential criminal charges for the victim, tax problems, or THE RISK OF LOSING A FEDERAL BENEFITS PROGRAM SUCH AS SOCIAL SECURITY PAYMENTS." (emphasis added)

We also learn that a number of the victims had recently applied for a loan, making them aware that the victim now had cash available!  

Pathan, the recruiter, provided the counterfeit identity documents, including fake drivers licenses, and alerted his mule network where the package was being delivered and which identity they should use to retrieve the package.  After they had the cash, Pathan would let them know how much they could keep and give them details of what bank account they should deposit the additional funds into. In some cases the funds were sent via wire transfer, and Pathan would alert his money mules via WhatsApp where the money had been wired and which identity documents they would need to present in order to pick up the money from the bank account where they had been deposited.

More Mules: Parmar, Patel

Both Pradipsinh Dharmendrasinh Parmar and Sumer Kantilal Patel were money mules like Chirag.  They are charged with retrieving and signing for packages of cash, photographing or videoing themselves opening the packages and counting the cash, receiving and using counterfeit identification bearing their likeness but the name of another person, and picking up money transfers via Western Union, MoneyGram, and Walmart to Walmart, and resending portions of that amount to other locations. 

Pradispsinh Parmar is also Facebook friends with Pathan, and also from Ahmedabad, India.  His Facebook page says he lives in Spotswood, New Jersey.  HIS Facebook friend Sumer Patel is not friends with any of the other co-conspirators and may be a name coincidence as he seems to be in Brisbane, Australia.
Pradispsinh Parmar

Parmar, for example, picked up a package containing $20,000 cash sent to the name of "Neon Fredo" at 55 Stratford Village, Lancaster, Pennsylvania.  

Parmar also picked up a MoneyGram of $820 sent from a victim to the name of Larry A Lauzon, in North Carolina.  (Because he had the reference number, it was not necessarily picked up in that location.)

Patel similarly received Walmart-to-Walmart funds, including funds sent from Texas to "Caleb N Cranstone" in Virginia. 

Deliwala received and distributed a set of 20 counterfeit identification documents.

Charges in the case include: 

18 U.S. Code § 1341 - Mail fraud
18 U.S. Code § 1343 - Wire fraud
18 U.S. Code § 1349 - Attempt and conspiracy
18 U.S. Code § 982 - Criminal forfeiture