DOJ Busts Up Global Phishing Ring, Charges 38

Law enforcement authorities in two countries on Monday charged 38 people in the U.S. and Romania with taking part in two different phishing-related fraud schemes that authorities say were tied to organized crime worldwide.

The United States Department of Justice and the Prosecutor General of Romania announced the charges Monday, stemming from an investigation that grew out of a push by U.S. law enforcement to work more closely with counterparts in other countries.

A federal grand jury in Los Angeles charged 33 individuals in a 65-count indictment stemming from an international racketeering scheme that used the Internet to defraud thousands of individual victims and hundreds of financial institutions. Seven people were charged in an indictment issued in Connecticut, two of whom were also named in the L.A. case.

Crossing Borders

All 38 have "ties to international organized crime," said U.S. Deputy Attorney General Mark R. Filip.

"International organized crime poses a serious threat not only to the United States and Romania, but to all nations," he commented. "Criminals who exploit the power and convenience of the Internet do not recognize national borders; therefore, our efforts to prevent their attacks cannot end at our borders either. Through cooperation with our international partners, we can disrupt and dismantle these enterprises."

Nine people are being sought for arrest in the U.S.; Romanian officials are preparing to execute search warrants in that country.

Phishing and Scheming

The indictments charge that the Romanian members of the ring obtained thousands of credit and debit card accounts by using phishing e-mails, including one single attack that involved more than 1.3 million messages. The e-mails directed recipients to bogus Web sites. Once they provided their personal information, that data was sent to U.S. members of the ring via Web-based chat programs.

The U.S. members of the ring then encoded the stolen data onto fake credit cards. The cards were tested first with small-scale transactions such as ATM withdrawals, and those that were successful were used again for larger transactions. A portion of the money pilfered was shared with the Romanian members of the ring, authorities allege.

Three of those charged -- Sonny Duc Vo, Alex Chung Luong and Leonard Gonzales -- are U.S. citizens, a fourth is a Vietnam native now a permanent U.S. resident and a fifth is a Mexican resident allegedly living in the U.S. illegally. Others charges live in Cambodia, Vietnam and Pakistan. The rest -- including four known only by Web aliases such as "Cryptmaster," "euro_pin_atm" and "SeleQtor" -- are believed to be Romanian nationals.

'Surprisingly Effective'

The California indictment alleges that members of the ring conspired to violate the anti-racketeering RICO Act; committed bank fraud and identity theft; and used and trafficked in counterfeit access devices. Each RICO charge alone carries a possible penalty of 20 years in prison.

One person -- Seuong Wook Lee, who authorities say was a "cashier" in the scheme -- has already pleaded guilty in the case to a host of charges, including racketeering conspiracy and bank fraud.

Despite years of efforts to curtail it through public awareness and security technologies, phishing remains one of most vexing problems facing the Internet, posing a risk to consumer confidence and harm to the companies whose brands are spoofed to steal the personal information, said Gartner (NYSE: IT) analyst Avivah Litan.

"Phishing remains surprisingly effective despite widespread efforts to educate the public about the risks of responding to e-mails that request sensitive information," Litan told the E-Commerce Times.

Phishers have gotten increasingly sophisticated in their attacks, and have learned to create Web sites and e-mail addresses that look surprisingly similar to the brands they are mimicking, she added. "Because they send tens of thousands of e-mails at a time, if even a tiny percentage of them are successful, it can be very lucrative for the criminals and costly for the victims."

Persistent Problem

One of the long-acknowledged problems with cracking down on phishing has been the international reach of those conducting the attacks, which have long been tied to organized crime in the former Soviet block countries of Eastern Europe.

Even high-profile arrests and charges are unlikely to diminish the threat of phishing in the short-term because the schemes remain lucrative, Sophos Senior Security Consultant Carole Theriault told the E-Commerce Times.

Sophos recently reported that 20 percent of U.S. business computer users receive 5 or more phishing e-mails every day while almost 60 percent receive at least one per day.

New Targets

Phishers are moving well beyond the traditional targets such as users of eBay (Nasdaq: EBAY) and PayPal, with new attacks purporting to be e-mails from the likes of the IRS, the company reports.

"Every day, new users fall victim to phishing attacks -- that's why there are so many of them," Theriault said. As phishing rings grow more sophisticated, law enforcement efforts may be able to weaken the larger players or even take them down, but others are likely to take their place.

Arrests and indictments have a role in the battle against phishing, as do security technologies and public education. "The best advice is to always be wary of unsolicited e-mails," she added.