International Effort Busts Phone Hacking Ring

Stolen Service Valued at $55 Million, Some Money May Have Been Used to Fund Terrorism

A federal grand jury in New Jersey has indicted a group of people for allegedly breaking into the phone systems of more than 2,500 firms in the U.S., Canada, Australia and Europe in order to route calls through the hacked networks.

In conjunction with the indictment, Italian law enforcement conducted searches of approximately 10 locations in four regions of Italy and arrested the financiers of the hacking activity. Five individuals, all Pakistanis, were arrested.

From about October 2005 through December 2008, the hackers sold telephone service to customers of call centers and then placed the calls over the compromised networks. According to the indictment, the hackers stole 12 million minutes of telephone service, valued at $55 million. Italian news reports said some of the money was used to fund terrorist activities, but the indictment and the U.S. Attorney’s office could not confirm that.

According to the indictment, the group used a “brute force attack” – breaking computer codes by systematically attempting a large number of telephone extensions and corresponding passcodes in the hope that eventually the proper combination would be used.

The hackers used a combination of “loop-back” and “passcode” methods.

In the loopback method, the hackers and their clients would place a phone call into a hacked telephone system and then used the hacked system to dial back to a second number that the hackers controlled, resulting in the call being charged to the hacked system. The hackers then manipulated the compromised system to place calls to third parties while maintaining an open phone line, causing the company that owned the hacked system to incur the full cost of the call.

In the passcode method, the hackers and their clients would place a call through the hacked system and then - using the passcode stolen via the brute force attack - manipulate the hacked system to dial codes to third parties located in dialing areas with significantly more expensive dialing rates than those of the initial calls placed to the hacked system.

The hackers would still pay their own long distance carriers for the initial calls, but the rate for those calls would be far less than the rates to the ultimate call destination. The higher rate was charged to the owners of the hacked systems.

The indictment alleges that three hackers, Mahomoud Nusier, 40, Paul Michael Kwan, 47, and Nancy Gomez, 24, all residents of the Philippines, were working in conjunction with call centers in Italy and Spain. Unlike in the U.S., where call centers are predominantly used by large companies to field customer service and other calls, in Italy there are call centers that provide the public with local and long-distance service in addition to the more well-known corporate call centers.

Whatever method was used, the hackers would transmit the hacked numbers, extensions and passcodes to operators at the Bresica call center, who would then wire payments to the hackers via Western Union, Ria Financial Systems and MoneyGram. The hackers – Nusier, Kwan, Gomez and others – were then paid approximately $100 per hacked telephone system.

The Brescia call center operators, in turn, transmitted the hacked phone numbers, extensions and passcodes to operators of other call centers, including Spain, in return for payment.

“This was an extensive and well-organized criminal network that worked across continents,” said Ralph J. Marra, Jr.,  acting U.S. Attorney for New Jersey, whose office handled the case. “The hackers we’ve charged enabled their conspirators in Italy and elsewhere to steal large amounts of telecommunications capacity, which could then be used to further or finance just about any sort of nefarious activity here or overseas.”

The defendants face maximum prison sentences of five years on the conspiracy count, five years on each of the two respective unauthorized computer access counts, and 10 additional years on the access device count. In addition, each is subject to a maximum fine of $250,000 on each count for which they are named, or twice the gain resulting from the offense, whichever is greater.

Until you lose your identity, you may not realize just how precious it is.

Some 6,000 people were jolted by this shocking reality when they fell victim to one of the largest international identity theft and credit card fraud rings in recent history.

The unraveling of this multi-million dollar scam began in September, 2007 when a package delivered to an employee of a  real estate office was opened by the owner of the office.  Upon finding 60 valid credit cards inside the package, the owner reported the find to law enforcement authorities who – with aroused suspicions – began a nearly two year investigation, involving electronic eavesdropping, physical surveillance and the translation of thousands of conversations and e-mails.

The investigation was revealed when forty-five indictments were handed down last month to individuals alleged to have stolen the credit cards and personal credit information of thousands of hapless victims.  The defendants are accused of shipping stolen or illegally obtained credit cards to buyers around the world.  The fraud, estimated at a staggering $12 million, hit individuals across the United States and Canada.

While announcing the bust, Queens Distrct Attorney Richard A. Brown said, “Our investigation reveals that – in terms of just the sheer number of people indicted – this is one of the largest identity theft networks uncovered in recent history and is just possibly the tip of a much larger global credit card trafficking operation.  Besides draining the bank accounts of individuals throughout North America, we believe that the defendants – some of whom live in California, Illinois, Maryland, Pennsylvania and Toronto – also shipped stolen or fraudulently obtained credit cards to buyers around the world and that purchases were made in such far-off places as Japan, Saudi Arabia and Dubai.”

New York City Police Commissioner Raymond W. Kelly and Brown said the ring was made up of three enterprises working together.  Commissioner Kelly said, “When these suspects said ‘charge it’ they stole more than cash and goods.  They robbed unsuspecting victims of their identities too.  This was a sophisticated crime ring which met its just end through painstaking investigation by NYPD detectives and unstinting support by Queens prosecutors.”

As part of the identity theft ring’s operation, a simple, easy-to-obtain and inexpensive technique called Caller ID Spoofing enabled the suspects to defraud the victims and their banks and credit card companies.  Caller ID Spoofing changes the number appearing on Caller ID and some providers of Caller ID Spoofing also provide services that can alter the caller’s voice to such an extent that a man can sound like a woman and vice-versa.

Legitimate uses of Caller ID Spoofing and SpoofCards purportedly enable professionals such as doctors and attorneys to protect their cell phone numbers.  However, in the hands of the defendants named in the indictments, Caller ID Spoofing allowed the defendants to impersonate legitimate credit card account holders by pretending to be calling the account holders financial institution.  Brown went on to explain, “SpoofCards are virtually untraceable and can be used by identity thieves and hackers to pose as government and financial entities as a means to unscrupulously obtain personal information from unsuspecting consumers.”

To acquire the credit cards three methods were used. Cards were either fraudulently taken over, fraudulently opened or intercepted in the mail.  Once the thieves had the stolen cards, all they had to do was visit the nearest ATM machine.  ID mills produced bogus back-up identification materials, such as driver’s licenses, to enable the suspects to present the cards to bank tellers and withdraw larger amounts of money.

This multi-faceted crime ring appears to have been well organized with individuals assigned to specific roles such as account washers, account preparers and account maintainers.

Account Washers:  Gathered specific information on account holders such as mother’s maiden name, household income and occupation to enable account preparers to take over the account.

Account Preparers:  Caller ID Spoofing allowed the defendants to activate the account by pretending to be calling from the account holder’s phone.  By posing as the account holder, the account preparers could then manipulate the information to their advantage by changing key information including the mailing address, PIN number and/or increasing the credit line on the account.

Account Maintainers:  Paid off accounts to avoid any suspicision of fraud and upped the credit lines.  Once the credit line reached a high point, all monies were withdrawn.

But, that’s not all.  Compromised accounts were then sold to identity theft cell leaders who in turn distributed them to the ring’s foot soldiers and shoppers.  Shoppers bought top-of-the-line electronics and were charged with finding “fences” who would buy the electronics from them.

The indictments charge the defendants with Enterprise Corruption under New York State’s Organized Crime Control Act.  Said District Attorney Brown, “Technological advances have made it increasingly easier to carry out identity theft and fraud, two of the fastest growing crimes in the United States…We will continue to work closely with our law enforcement colleagues to stamp out such fraud and help to maintain our nation’s safety and security.”

Today, President Barack Obama released the administration’s much-anticipated Cyberspace Policy Review.

The preface of the report states:

Cyberspace touches practically everything and everyone. It provides a platform for innovation and prosperity and the means to improve general welfare around the globe. But with the broad reach of a loose and lightly regulated digital infrastructure, great risks threaten nations, private enterprises, and individual rights. The government has a responsibility to address these strategic vulnerabilities to ensure that the United States and its citizens, together with the larger community of nations, can realize the full potential of the information technology revolution.

The architecture of the Nation’s digital infrastructure, based largely upon the Internet, is not secure or resilient. Without major advances in the security of these systems or significant change in how they are constructed or operated, it is doubtful that the United States can protect itself from the growing threat of cybercrime and state-sponsored intrusions and operations. Our digital infrastructure has already suffered intrusions that have allowed criminals to steal hundreds of millions of dollars and nation-states and other entities to steal intellectual property and sensitive military information. Other intrusions threaten to damage portions of our critical infrastructure. These and other risks have the potential to undermine the Nation’s confidence in the information systems that underlie our economic and national security interests.

The Federal government is not organized to address this growing problem effectively now or in the future. Responsibilities for cybersecurity are distributed across a wide array of federal departments and agencies, many with overlapping authorities, and none with sufficient decision authority to direct actions that deal with often conflicting issues in a consistent way. The government needs to integrate competing interests to derive a holistic vision and plan to address the cybersecurity related issues confronting the United States. The Nation needs to develop the policies, processes, people, and technology required to mitigate cybersecurity-related risks.

Information and communications networks are largely owned and operated by the private sector, both nationally and internationally. Thus, addressing network security issues requires a public-private partnership as well as international cooperation and norms. The United States needs a comprehensive framework to ensure coordinated response and recovery by the government, the private sector, and our allies to a significant incident or threat.

The United States needs to conduct a national dialogue on cybersecurity to develop more public awareness of the threat and risks and to ensure an integrated approach toward the Nation’s need for security and the national commitment to privacy rights and civil liberties guaranteed by the Constitution and law.

Research on new approaches to achieving security and resiliency in information and communications infrastructures is insufficient. The government needs to increase investment in research that will help address cybersecurity vulnerabilities while also meeting our economic needs and national security requirements.

For the full report see the pdf at Cyberspace Policy Review. 

I had the privilege of authoring a piece about cloud computing security for Computer Technology Review that was published as an exclusive cover story this week.

The piece is titled, Do clouds mean a stormy future, and begins as follows:

The use of the word cloud as a metaphor for computing services that are accessed via the Internet may be more apropos than originally intended. Depending on their configuration, clouds in nature can presage a range of meteorological events from benign, to threatening or even devastating weather with unforeseen consequences and damages. Arguably, cloud computing offers an equally challenging array of possibilities from a security perspective.

Still, there can be little doubt that for the foreseeable future clouds will remain predominant in the forecast for our information based society. Consequently, with the growing emphasis on moving enterprise IT systems toward cloud systems, the inevitable security questions arise.

For the entire article, see Do clouds mean a stormy future.

Just about every day, a story is published somewhere across the country documenting the failure of a local, state or federal government agency to protect critical information – including the personal identifying information (PII) Americans trust the government to keep out of the hands of identity thieves.

Perhaps, because of the volume of these reports, we’ve all become immune to the inability of our government to maintain the security of our nation’s secrets – much less our personal information. 

Perhaps, we excuse our government officials based on the defensible belief that information security is a complex issue and, therefore, information can never be completely secured from all threats. 

Realistically, both factors are in play.

But, the story today from SC Magazine that the U.S. Marshals Service and Federal Bureau of Investigation fell victim to a computer virus last week because a software security patch wasn’t installed documents an inexcusable security failure on behalf of the federal government.

Why?

Because the patch in question has been available since October of last year.

This leaves me wondering.  How can we as citizens trust the federal government to run our financial, auto and health care industries if they can’t even install run-of-the-mill security patches on computers?

“For a business of any size, moving any portion of IT operations to a cloud provider means you’re putting your data in its hands. Can it protect your data from criminals and accidents as well as or better than you can? A thorough examination of both your own operation and your prospective provider should be undertaken before jumping to the cloud.”

This piece was written by Rob Douglas of www.IdentityTheft.info for E-Commerce Times.  For the full article see: Pinning Down Enterprise Data Security in the Cloud. 

Queens District Attorney Richard A. Brown, joined by Police Commissioner Raymond W. Kelly, today announced that an international forged credit card and identity theft ring based in the New York metropolitan area and with roots in Nigeria has been successfully dismantled following the indictment this week of forty-five individuals. The ring – which was comprised of three separate identity theft and forged credit card groups that employed multiple cells – is alleged to have been responsible for stealing the credit cards and personal credit information of thousands of American and Canadian consumers, costing these individuals, as well as financial institutions and retail businesses, more than $12 million in losses over the past year alone.

The full press release is available at: http://www.queensda.org./newpressreleases/2009/may/operation%20plastic%20pipeline_05_2009_ind.pdf

Afilias, a global provider of Internet infrastructure services, today announced that a new Global Phishing Survey released by the Anti-Phishing Work Group (APWG) reveals that the .INFO domain is the generic top-level Internet domain (gTLD) safest from phishing attacks. The results of the Survey show that, during the second half of 2008, .INFO had the lowest phishing rates and the lowest average attack duration among the gTLDs measured. .INFO’s phishing durations were half the world average.

“The .INFO registry is at the forefront of protecting Internet users from online identity theft across the world,” said Greg Aaron, Director of Key Account Management and Domain Security at Afilias, and a co-author of the study. “In January 2008, Afilias implemented a vigorous anti-phishing program working closely with .INFO registrars. We are pleased that the hard work of the .INFO anti-phishing team and dedicated registrars have propelled .INFO to the top spot for safety from phishing.”

The Global Phishing Survey analyzes the APWG phishing attack repository and other data sources comprising a comprehensive archive of phishing activity. It reports 56,959 phishing attacks worldwide in the second half of 2008, hosted on 30,454 unique domain names. Phishing took place on domain names in 170 top-level domains (TLDs). According to the report, a phishing rate is a standard measure of the number of detected phishing Web sites for every 10,000 domains registered, and indicates the prevalence of phishing in a top-level domain. Attack duration measures the amount of time a phishing Web site remains online — the longer one stays online, the more unsuspecting users may fall victim to the criminals.

Phishing is a common way that criminals perpetrate Internet identity theft and fraud. A phisher builds a fake Web site that masquerades as a trustworthy entity such as a bank, to fool Internet users into revealing sensitive information such as their usernames, passwords, and financial information.

“Identity theft and fraud are important issues for anyone who goes online, and criminals are using vulnerable top-level domains and registrars to steal identities and money,” said Ram Mohan, Executive Vice President and CTO of Afilias. “The new data demonstrates the effectiveness of active, self-regulated domain name anti-abuse programs in improving the safety of Internet users against those who steal from them.”

View the full report at: http://www.apwg.org/reports/APWG_GlobalPhishingSurvey2H2008.pdf

About .INFO

.INFO was the first generic, unrestricted TLD to be launched since .com. Registrations in .INFO first became available in 2001. Since then, .INFO has grown to become the fourth largest gTLD in the world. Domains are currently available in ten Internationalized Domain Name (IDN) scripts. For more information please visit www.info.info.

About Afilias

Afilias is a global provider of Internet infrastructure services that connect people to their data. Afilias’ reliable, secure, scalable, and globally available technology supports a wide range of applications including Internet domain registry services, Managed DNS, and services in the RFID and supply chain market with its Afilias Discovery Services. For more information on Afilias please visit www.afilias.info.

Over at the Identity Theft Assistance Center (ITAC) blog, they’ve made note of the continuing delay in the Obama administration’s much anticipated release of its review of U.S. Cybersecurity.  ITAC hopefully proffers that the report may see the light of day this week.

As ITAC reports – based on a piece published by Federal Computer Week – the most recent delay in the report is being attributed to the outbreak of Swine Flu.

I fear if the report has actually been delayed because of this very mild outbreak of flu, that does not bode well for how the federal government is prioritizing cybersecurity.

There will always be competing emergencies on multiple fronts that the administration will have to juggle.  Cybersecurity can no longer take a back seat to any other priorities.  To do so, is to imperil this country even more than it already is.

It continues to be a boom time for cybercrime according to the latest Consumer Reports National Research Center “State of the Net” survey. Consumer Reports found that one in five online consumers have been victims of cybercrime in the last two years to the tune of an estimated $8 billion. And the overall rate of the crime has remained consistent over the five years that Consumer Reports has been tracking.

But Consumer Reports notes that the problem stands to get worse as rising unemployment and foreclosures fuel a wave of recession-orientated Internet scams, and as the popularity of social networking services grow, creating more openings for identity thieves. Consumer Reports found that 13 percent of social-network users experienced some form of abuse.

Additionally, Consumer Reports estimates that 1.2 million consumers have had to replace their computers over the past two years due to software infections and an estimated 3.7 million households with broadband Internet access did not use a firewall to protect against hackers. Below are additional findings related to major online threats:

• Phishing or sending authentic-looking but fraudulent e-mail designed to steal sensitive personal information is a continuing concern. Consumer Reports estimates that about 7 million consumers gave phishers personal information over the past two years; that’s 1 in 13 online households. Among scam victims, 1 in 7 lost money in the past two years, comparable with data from the last survey. Total damage to U.S. consumers through phishing attacks works out to about $483 million.
• Spyware: Consumer Reports found 545,000 households had to replace computers in the past six months and one in 12 people had serious problems with spyware.
• Online identity theft: Consumer Reports estimates 1.7 million households were victims of ID theft committed over the Internet in the past year, of those two-thirds said the incident occurred because of an online purchase.

Certain online threats are almost as prevalent today as when Consumer Reports conducted its first survey five years ago. Consistent with last year’s findings, 1 in 3 respondents had heavy levels of spam and 1 in 7 have had serious problems with viruses.

See the full press release at:  PRNewswire