phishing and federal law enforcement jonathan j. rusch special counsel for fraud prevention fraud...
TRANSCRIPT
Phishing and Federal Law Enforcement
Jonathan J. RuschSpecial Counsel for Fraud Prevention
Fraud Section, Criminal DivisionU.S. Department of Justice
Washington, DCABA Administrative Law and Regulatory Practice Section
Atlanta, GeorgiaAugust 6, 2004
Overview
A Definition and Principal Types of Phishing Statistics Relating to Phishing U.S. Enforcement Actions Against Phishers Other Nations’ Enforcement Actions Against
Phishers U.S. Federal Criminal Statutes Applicable to
Phishing Law Enforcement Resources
A Definition and Principal Types of Phishing
A Definition of Phishing
Any criminal scheme in which digital communications play a significant role in – acquiring multiple victims’ identifying or
personal financial data by deception, and transferring or transmitting multiple victims’ data
via the Internet for criminal use
Note: Analysis of phishing schemes should not focus just on one type (e.g., bogus e-mails)
Principal Types of Phishing Most Common: “Dragnet” Method
E-mails with falsified corporate identification, directing large class of people to websites with similarly falsified identification
Specific prospective victims not identified in advance, but false information conveyed to trigger immediate victim response
“Rod-and-Reel” Method Targeted initial contacts with prospective victims Specific prospective victims defined in advance, and false
information conveyed to trigger responses
“Lobsterpot” Method Creation of websites similar to legitimate corporate websites that
narrowly defined class of victims are likely to seek out Smaller class of prospective victims identified in advance, but no
triggering of victim response
Statistics Relating to Phishing
Gartner Group (May 2004)
Direct financial losses from phishing attacks cost U.S. financial services firms about $1.2 billion in 2003
U.S. Enforcement Actions Against Phishers
Dragnet Phishing Cases
United States v. Forcellina (D. Conn., sentenced Apr. 30 and June 18, 2004) Husband, 23, accessed chat rooms, used device to capture
screen names of chat room participants; then sent e-mails pretending to be ISP requiring correct billing information, including current credit-card number
Used credit-card numbers and other personal data to arrange for wire transfers of funds via Western Union, but had others pick up funds from Western Union
Husband and wife pleaded guilty to conspiracy to commit access device fraud
Husband sentenced to 18 months imprisonment; wife sentenced to 6 months home confinement
Dragnet Phishing Cases
United States v. Hill (S.D. Tex., sentenced May 2004); FTC v. Hill (S.D. Tex., preliminary injunction December 2003) Defendant operated AOL and PayPal phishing
scheme, used fraudulently obtained credit-card numbers to obtain goods and services costing more than $47,000
Defendant pleaded guilty in February 2004 to possession and use of access devices
Sentenced to 46 months imprisonment
Dragnet Phishing Cases
United States v. Carr (E.D. Va. 2003) Helen Carr, 55, of Akron, Ohio, sent fake e-mail
messages to AOL customers in United States and several foreign countries
Customers advised that they must update their credit card/personal information on file with AOL to maintain their accounts
Guilty plea October 2003 to conspiracy to possess unauthorized access devices
Sentenced in January 2004 to 46 months imprisonment George Patterson, a co-conspirator, previously pleaded
guilty to the same charge and was sentenced in July 2003 to 37 months imprisonment
Dragnet Phishing Cases
United States v. Guevara (W.D. Wash. 2003) Matthew Guevara, 21, of Chicago, Illinois, created false e-mail
accounts with Hotmail and unauthorized website with the address www.msnbilling.com through Yahoo!
Then sent MSN customers e-mail messages, purporting to come from MSN, that directed customers to fraudulent www.msnbilling.com website and asked them to verify their accounts by providing name, MSN account, and credit card data
Website automatically forwarded each customer’s data to one of Guevara's false Hotmail accounts; Guevara used stolen credit card information himself and provided it to another person as well
Guilty plea in September 2003 to wire fraud Sentenced January 2004 to 5 years probation, 6 months
home confinement
Dragnet Phishing Cases
FTC v. ___ (C.D. Cal. 2003) Juvenile sent emails to consumers saying they needed
to update AOL account information or risk losing their access. The emails sent recipients to a site that looked authentic but asked for detailed personal and financial information. The youth used the information to buy things online, open PayPal accounts, and open AOL accounts to send more junk email
Juvenile agreed to pay $3,500 to settle FTC charges Cooperation between FTC, DOJ Computer Crime and
Intellectual Property Section, FBI, U.S. Attorney for Eastern Virginia, Postal Inspection Service, and Los Angeles County District Attorney’s Office
Rod-and-Reel Phishing Cases
United States v. Gebrezihir (S.D.N.Y. 2003) Isaac Gebrezihir allegedly involved with scheme to send phony letters
on bank letterhead, along with altered or counterfeit IRS forms, to victims, generally foreign nationals living abroad with bank accounts in the United States
Some of altered or counterfeit forms appear similar to actual IRS forms that are sent to non-resident aliens who maintain accounts at U.S. banks
Fraudulent IRS forms all require personal information concerning victim and victim’s bank account
Fraudulent bank letter instructs victim to fill out fraudulent IRS form and then fax completed form, ostensibly to the IRS or to the bank
Fax numbers provided to the victims are Internet-based fax numbers that convert all incoming faxes to e-mail attachments and then forward attachments to free e-mail accounts
Wire transfer instructions then sent to banks and, in many instances, large amounts of money are transferred from victims’ accounts, usually to overseas accounts
Overall investigation has identified more than $700,000 in losses Indicted Nov. 2003
Rod-and-Reel Phishing Cases
Romanian Arrest (2003) Romanian General Directorate for Combating
Organized Crime, in cooperation with Secret Service, arrested a subject in Alba Julia, Romania
Individual forwarded spoofed e-mails resembling actual auction webpage to the attention of unsuccessful bidders in an online auction
On spoofed page, the subject advised victims of availability of similar item for a better price; upon visiting the "sale" page, victims were asked for personal information including their name, bank account numbers and passwords.
Victims then advised that they "won" the spoofed auction and agreed to send money to the subject through a spoofed escrow site created by the subject
Scheme resulted in nearly $500,000 in on-line losses
Lobsterpot Phishing Case
United States v. Kalin (D.N.J., Nov. 2003) Shawn Kalin of Las Vegas, Nevada, allegedly registered
four websites with domain names deceptively similar to website operated by DealerTrack, Inc.
DealerTrack provides services via the Internet to auto dealerships located throughout the United States, including dealers’ ordering credit reports on prospective automobile buyers
Because Kalin’s websites designed to be almost identical to main page of the www.dealertrack.com, Kalin allegedly got a number of dealership employees mistakenly to enter usernames and passwords at his sites
Could then get unauthorized access to DealerTrack for personal data
Kalin charged in criminal complaint Nov. 2003
Other Nations’ Enforcement Actions Against Phishers
United Kingdom
April 2004: National High-Tech Crime Unit (NHTCU) arrests 21-year-old British national for “copycat” phishing scheme involving online bank Reportedly first in United Kingdom
May 2004: NHTCU arrests 12 Eastern European nationals suspected of laundering money from “phished” bank accounts
Australia
April 2004: Australian Federal Police reportedly seeking cooperation from French authorities to shut down domain name associated with large-scale phishing scheme
U.S. Federal Criminal Statutes Applicable to Phishing
Identity Theft – 18 U.S.C. 1028(a)(7)
Elements Knowingly using or transferring Another (real) person’s “means of identification”
“Means” includes name, SSN, DOB, driver’s license, passport number; unique biometric data; unique EIN, address, or routing code; or access device (e.g., credit-card or financial account number)
With intent to commit/aid or abet any unlawful activity that constitutes a federal violation or state or local felony
Identity Theft – 18 U.S.C. 1028(a)(7)
Penalties Imprisonment (Maximum)
Fraud-Related Violation - 15 years imprisonment If, as result of offense, any individual committing the offense obtains anything of value aggregating $1,000 or more during any 1-year period
Basic Violation - 3 years imprisonment Fine – Maximum $250,000 for individuals Forfeiture - Any personal property used or
intended to be used to commit offense
Identity Theft – 18 U.S.C. 1028(a)(7)
Examples of Section 1028(a)(7) Offenses United States v. Butcher (N.D. Ohio, indictment filed
Apr. 28, 2004) Defendant allegedly applied for 10 credit card accounts
using the identifier information of another person, including her name, Social Security account number and date of birth, without authorization.
United States v. Christensen (D. Ariz., pleaded guilty Jan. 20, 2004)
Defendant used more than 50 different identities of others – typically prison inmates serving long sentences – to obtain more than $313,000 in student loans
Wire Fraud – 18 U.S.C. 1343
Elements Scheme or artifice to defraud or for obtaining
money or property by means of false or fraudulent pretenses, representations, or promises
Transmits (or causes transmission of) by means of wire communication in interstate or foreign commerce
Writing, signs, signals, pictures, sounds for purpose of executing scheme or artifice
Wire Fraud – 18 U.S.C. 1343
Penalties Imprisonment (Maximum)
30 years imprisonment if violation affects a financial institution (e.g., bank or savings and loan)
20 years imprisonment in other cases Fine – Maximum $250,000 for individuals Forfeiture
Wire Fraud – 18 U.S.C. 1343
Examples of Section 1343 Offenses Initial e-mails to prospective victims Victim responses to bogus website or window Criminal’s transmission of victim’s personal and
financial data to other computers across state or international borders
Mail Fraud – 18 U.S.C. 1341
Elements Scheme or artifice to defraud, or for obtaining money or
property by means of false or fraudulent pretenses, representations, or promises
Placing in authorized depository for mail matter any matter or thing to be sent or delivered by U.S. Postal Service (or depositing anything to be sent or delivered by private or commercial interstate carrier), or receiving matter or thing from U.S. Postal Service or private or commercial interstate carrier
For purpose of executing such scheme or artifice Note: Causing innocent intermediary or victim to use mail
can constitute mail fraud
Mail Fraud – 18 U.S.C. 1341
Penalties Imprisonment (Maximum)
30 years if violation affect financial institution 20 years in other cases
Fine Maximum $250,000 for individuals
Forfeiture Examples of Section 1341 Offenses
Criminal’s mailing initial solicitation to prospective victims
Victim’s mailing response or payment
Access Device Fraud – 18 U.S.C. 1029
Elements – Section 1029(a)(2) Knowingly and with intent to defraud traffics in
or uses one or more unauthorized access devices (e.g., access devices obtained with intent to defraud) during any 1-year period
By such conduct obtains anything of value aggregating $1,000 or more during that period
Elements – Section 1029(a)(3) Knowingly and with intent to defraud possesses
15 or more unauthorized access devices
Access Device Fraud – 18 U.S.C. 1029
Elements – Section 1029(a)(5) Knowingly and with intent to defraud effects transactions
with 1 or more access devices issued to another person or persons
To receive payment or any other thing of value during any 1-year period the aggregate value of which is equal to or greater than $1,000
Elements – Section 1029(a)(10) Without authorization of credit card system or member
or its agent Knowingly and with intent to defraud causes or arranges
for another person to present to member or its agent, for payment, 1 or more evidences or records of transactions made by an access device
Access Device Fraud – 18 U.S.C. 1029
Penalties Imprisonment (Maximum)
10 years imprisonment for 1029(a)(2), (3) 15 years imprisonment for 1029(a)(5), (10)
Fine – Maximum $250,000 for individuals Forfeiture
Bank Fraud - 18 U.S.C. 1344
Elements Knowingly executing, or attempting to execute Scheme or artifice to defraud financial institution, or to obtain
money, funds, etc. under financial institution’s custody by means of false or fraudulent pretenses, representations, or promises
Penalties Imprisonment (Maximum) - 30 years imprisonment Fine – Maximum $250,000 Forfeiture
Examples of Section 1344 Offenses United States v. Gebrezihir (S.D.N.Y. 2003) United States v. Yip (S.D.N.Y. 2003)
Individuals stole identifying and other data from employer, then used data to open PayPal accounts and fund those accounts by direct transfers from victims’ bank accounts
Computer Fraud and Abuse – 18 U.S.C. 1030 Elements of Section 1030(a)(2)(C) Offense
Intentionally accessing computer without authorization or exceeding authorization, and
Thereby obtaining information from any protected computer if conduct involved interstate or foreign communication
Penalties Imprisonment (Maximum)
Felony – 5 years if offense or attempt to commit offense committed for private financial gain, in furtherance of any criminal or tortious act in violation of U.S. Constitution or U.S. federal or state law
Basic offense - 1 year for first offense or attempt Fine
Examples United States v. Kalin (D.N.J. 2003)
Computer Fraud and Abuse – 18 U.S.C. 1030 Elements of Section 1030(a)(4) Offense
Knowingly and with intent to defraud accesses a protected computer without authorization, or exceeds authorized access
By means of such conduct furthers the intended fraud and obtains anything of value
Unless object of fraud and thing obtained consists only of use of computer and value of such use is not more than $5,000 in any 1-year period
Penalties Imprisonment (Maximum)
5 years for first offense or attempt, 10 years for subsequent
Fine Forfeiture
Computer Fraud and Abuse – 18 U.S.C. 1030
Examples of Section 1030(a)(4) Offense Hacking into computer with Trojan horse and
downloading numbers of credit-card or bank accounts, then debiting those accounts
Accessing company computer to cause unauthorized disbursals of stock to personal brokerage accounts [United States v. Osowski (N.D. Cal. 2001)]
CAN-SPAM – 18 U.S.C. 1037 Elements of Section 1037 Offenses
Knowingly -- (1) accessing protected computer without authorization, and intentionally
initiates transmission of multiple commercial e-mail messages from or through such computer,
(2) uses protected computer to relay or retransmit multiple commercial e-mail messages, with intent to deceive or mislead recipients, or any Internet access service, as to the origin of such messages,
(3) materially falsifies header information in multiple commercial e-mail messages and intentionally initiates transmission of such messages,
(4) registers, using information that materially falsifies identity of actual registrant, for 5 or more e-mail accounts or online user accounts or two or more domain names, and intentionally initiates transmission of multiple commercial e-mail messages from any combination of such accounts or domain names, or
(5) falsely represents oneself to be registrant or legitimate successor in interest to registrant of 5 or more Internet Protocol addresses, and intentionally initiates the transmission of multiple commercial electronic mail messages from such addresses
In or affecting interstate or foreign commerce
CAN-SPAM – 18 U.S.C. 1037
Penalties Imprisonment (Maximum)
5 years if –• Offense is committed in furtherance of any felony under the
laws of the United States or of any State; or• Defendant has previously been convicted under section 1037 or
section 1030, or under the law of any State for conduct involving transmission of multiple commercial e-mail mail messages or unauthorized access to a computer system;
Less in other circumstances for various section 1037 offenses
Fine Forfeiture
Identity Theft Penalty Enhancement Act – 18 U.S.C. 1028A (July 15, 2004) Aggravated Identity Theft
If individual knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person during and in relation to any felony enumerated in section 1028A(c), two years imprisonment in addition to punishment provided for that underlying felony
Felonies include 18 U.S.C. 1028, 1029, 1030, 1037, 1341, 1343, 1344
If individual does so during and in relation to terrorism-related felony, five years imprisonment in addition to punishment provided for that underlying felony
In either case, no probation for person convicted of section 1028A violation, and in general no concurrent sentencing for section 1028A violation and other violations
Identity Theft Penalty Enhancement Act – 18 U.S.C. 1028A (July 15, 2004) Amendments of Current 18 U.S.C. 1028(a)(7)
Section now covers knowing possession, without lawful authority, of another’s means of identification, with requisite intent to commit an unlawful activity that constitutes federal offense or state or local felony
Section now covers knowing and unauthorized possession, transfer, or use of another’s means of identification in connection with an unlawful activity that constitutes federal offense or state or local felony
Section now increases maximum term of imprisonment for basic felony under section 1028(a)(7) from 3 to 5 years
Section now sets 25 years imprisonment as maximum for identity theft relating to domestic or international terrorism
Identity Theft Penalty Enhancement Act – 18 U.S.C. 1028A (July 15, 2004)
Revision of Federal Sentencing Guidelines Sentencing Commission is directed to review
and amend Guidelines to ensure appropriate punishment for identity theft offenses involving an abuse of position
Law Enforcement Responses to Phishing
Federal Investigative Agencies Addressing Phishing
FBIUnited States Secret ServiceUnited States Postal Inspection ServiceSocial Security Administration Office of
Inspector General
Phishing Complaint Reporting
FTC Identity Theft Data Clearinghouse Internet Crime Complaint Center
Began as Internet Fraud Complaint Center in May 2000 Joint project of FBI and National White Collar Crime
Center Receives online complaints from public, analyzes trends
and patterns, and sends investigative “packages” to most relevant investigative field offices
http://www.ic3.gov
Enforcement Coordination on Phishing
Enforcement “Takedowns” and “Sweeps” November 2003 – Operation Cyber Sweep
Arrests or convictions of more than 125 individuals, and return of more than 70 indictments, for various internet fraud and other online economic crime offenses
Cases involved more than 125,000 victims with losses of more than $100 million
34 U.S. Attorneys Offices, FBI, Postal, FTC, Secret Service, Immigration and Customs Enforcement, state, local, and foreign law enforcement
Cooperation and collaboration with industry and foreign law enforcement agencies
Similar Operations Operation E-Con – May 2003 Identity Theft – May 2002 Operation Cyber Loss – May 2001
Enforcement Coordination on Phishing
Task Forces and Specialized Units More than 40 FBI, Secret Service, and SSA-OIG task
forces with focus on identity theft U.S. Attorney Computer Hacking and Intellectual
Property (CHIP) Units Training
Joint training for federal prosecutors and agents on Internet fraud includes training on phishing
Interagency Working Groups Telemarketing and Internet Fraud Working Group Identity Theft Subcommittee of Attorney General’s
Council on White-Collar Crime
Prevention and Education on Phishing
FTC Website on Identity Theft – www.consumer.gov/idtheft Consumer Alert -
http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm
U.S. Department of Justice Website on Identity Theft and Fraud –
www.usdoj.gov/criminal/fraud/idtheft.html Special Report on Phishing -
http://www.usdoj.gov/criminal/fraud/Phishing.pdf United Kingdom
Government Website on Identity Theft - www.identity-theft.org.uk
Contact Data for Jonathan J. Rusch
E-Mail: [email protected]: 202-514-7021Phone: 202-514-0631Mail: Fraud Section, Criminal Division,
U.S. Department of Justice, 10th Street and Constitution Avenue, N.W., Bond Building, Room 4300, Washington, DC 20530