Phishing and Federal Law Enforcement

1
Phishing and Federal Law Enforcement

• Jonathan J. Rusch
• Special Counsel for Fraud Prevention
• Fraud Section, Criminal Division
• U.S. Department of Justice
• Washington, DC
• ABA Administrative Law and Regulatory Practice
  Section
• Atlanta, Georgia
• August 6, 2004

2
Overview

• A Definition and Principal Types of Phishing
• Statistics Relating to Phishing
• U.S. Enforcement Actions Against Phishers
• Other Nations Enforcement Actions Against
  Phishers
• U.S. Federal Criminal Statutes Applicable to
  Phishing
• Law Enforcement Resources

3
A Definition and Principal Types of Phishing

4
A Definition of Phishing

• Any criminal scheme in which digital
  communications play a significant role in
• acquiring multiple victims identifying or
  personal financial data by deception, and
• transferring or transmitting multiple victims
  data via the Internet for criminal use
• Note Analysis of phishing schemes should not
  focus just on one type (e.g., bogus e-mails)

5
Principal Types of Phishing

• Most Common Dragnet Method
• E-mails with falsified corporate identification,
  directing large class of people to websites with
  similarly falsified identification
• Specific prospective victims not identified in
  advance, but false information conveyed to
  trigger immediate victim response
• Rod-and-Reel Method
• Targeted initial contacts with prospective
  victims
• Specific prospective victims defined in advance,
  and false information conveyed to trigger
  responses
• Lobsterpot Method
• Creation of websites similar to legitimate
  corporate websites that narrowly defined class of
  victims are likely to seek out
• Smaller class of prospective victims identified
  in advance, but no triggering of victim response

6
Statistics Relating to Phishing

7
Gartner Group (May 2004)

• Direct financial losses from phishing attacks
  cost U.S. financial services firms about 1.2
  billion in 2003

8
U.S. Enforcement Actions Against Phishers

9
Dragnet Phishing Cases

• United States v. Forcellina (D. Conn., sentenced
  Apr. 30 and June 18, 2004)
• Husband, 23, accessed chat rooms, used device to
  capture screen names of chat room participants
  then sent e-mails pretending to be ISP requiring
  correct billing information, including current
  credit-card number
• Used credit-card numbers and other personal data
  to arrange for wire transfers of funds via
  Western Union, but had others pick up funds from
  Western Union
• Husband and wife pleaded guilty to conspiracy to
  commit access device fraud
• Husband sentenced to 18 months imprisonment wife
  sentenced to 6 months home confinement

10
Dragnet Phishing Cases

• United States v. Hill (S.D. Tex., sentenced May
  2004) FTC v. Hill (S.D. Tex., preliminary
  injunction December 2003)
• Defendant operated AOL and PayPal phishing
  scheme, used fraudulently obtained credit-card
  numbers to obtain goods and services costing more
  than 47,000
• Defendant pleaded guilty in February 2004 to
  possession and use of access devices
• Sentenced to 46 months imprisonment

11
Dragnet Phishing Cases

• United States v. Carr (E.D. Va. 2003)
• Helen Carr, 55, of Akron, Ohio, sent fake e-mail
  messages to AOL customers in United States and
  several foreign countries
• Customers advised that they must update their
  credit card/personal information on file with AOL
  to maintain their accounts
• Guilty plea October 2003 to conspiracy to possess
  unauthorized access devices
• Sentenced in January 2004 to 46 months
  imprisonment
• George Patterson, a co-conspirator, previously
  pleaded guilty to the same charge and was
  sentenced in July 2003 to 37 months imprisonment

12
Dragnet Phishing Cases

• United States v. Guevara (W.D. Wash. 2003)
• Matthew Guevara, 21, of Chicago, Illinois,
  created false e-mail accounts with Hotmail and
  unauthorized website with the address
  www.msnbilling.com through Yahoo!
• Then sent MSN customers e-mail messages,
  purporting to come from MSN, that directed
  customers to fraudulent www.msnbilling.com
  website and asked them to verify their accounts
  by providing name, MSN account, and credit card
  data
• Website automatically forwarded each customers
  data to one of Guevara's false Hotmail accounts
  Guevara used stolen credit card information
  himself and provided it to another person as well
• Guilty plea in September 2003 to wire fraud
• Sentenced January 2004 to 5 years probation, 6
  months home confinement

13
Dragnet Phishing Cases

• FTC v. ___ (C.D. Cal. 2003)
• Juvenile sent emails to consumers saying they
  needed to update AOL account information or risk
  losing their access. The emails sent recipients
  to a site that looked authentic but asked for
  detailed personal and financial information. The
  youth used the information to buy things online,
  open PayPal accounts, and open AOL accounts to
  send more junk email
• Juvenile agreed to pay 3,500 to settle FTC
  charges
• Cooperation between FTC, DOJ Computer Crime and
  Intellectual Property Section, FBI, U.S. Attorney
  for Eastern Virginia, Postal Inspection Service,
  and Los Angeles County District Attorneys Office

14
Rod-and-Reel Phishing Cases

• United States v. Gebrezihir (S.D.N.Y. 2003)
• Isaac Gebrezihir allegedly involved with scheme
  to send phony letters on bank letterhead, along
  with altered or counterfeit IRS forms, to
  victims, generally foreign nationals living
  abroad with bank accounts in the United States
• Some of altered or counterfeit forms appear
  similar to actual IRS forms that are sent to
  non-resident aliens who maintain accounts at U.S.
  banks
• Fraudulent IRS forms all require personal
  information concerning victim and victims bank
  account
• Fraudulent bank letter instructs victim to fill
  out fraudulent IRS form and then fax completed
  form, ostensibly to the IRS or to the bank
• Fax numbers provided to the victims are
  Internet-based fax numbers that convert all
  incoming faxes to e-mail attachments and then
  forward attachments to free e-mail accounts
• Wire transfer instructions then sent to banks
  and, in many instances, large amounts of money
  are transferred from victims accounts, usually
  to overseas accounts
• Overall investigation has identified more than
  700,000 in losses
• Indicted Nov. 2003

15
Rod-and-Reel Phishing Cases

• Romanian Arrest (2003)
• Romanian General Directorate for Combating
  Organized Crime, in cooperation with Secret
  Service, arrested a subject in Alba Julia,
  Romania
• Individual forwarded spoofed e-mails resembling
  actual auction webpage to the attention of
  unsuccessful bidders in an online auction
• On spoofed page, the subject advised victims of
  availability of similar item for a better price
  upon visiting the "sale" page, victims were asked
  for personal information including their name,
  bank account numbers and passwords.
• Victims then advised that they "won" the spoofed
  auction and agreed to send money to the subject
  through a spoofed escrow site created by the
  subject
• Scheme resulted in nearly 500,000 in on-line
  losses

16
Lobsterpot Phishing Case

• United States v. Kalin (D.N.J., Nov. 2003)
• Shawn Kalin of Las Vegas, Nevada, allegedly
  registered four websites with domain names
  deceptively similar to website operated by
  DealerTrack, Inc.
• DealerTrack provides services via the Internet to
  auto dealerships located throughout the United
  States, including dealers ordering credit
  reports on prospective automobile buyers
• Because Kalins websites designed to be almost
  identical to main page of the www.dealertrack.com,
  Kalin allegedly got a number of dealership
  employees mistakenly to enter usernames and
  passwords at his sites
• Could then get unauthorized access to DealerTrack
  for personal data
• Kalin charged in criminal complaint Nov. 2003

17
Other Nations Enforcement Actions Against
Phishers

18
United Kingdom

• April 2004 National High-Tech Crime Unit (NHTCU)
  arrests 21-year-old British national for
  copycat phishing scheme involving online bank
• Reportedly first in United Kingdom
• May 2004 NHTCU arrests 12 Eastern European
  nationals suspected of laundering money from
  phished bank accounts

19
Australia

• April 2004 Australian Federal Police reportedly
  seeking cooperation from French authorities to
  shut down domain name associated with large-scale
  phishing scheme

20
U.S. Federal Criminal Statutes Applicable to
Phishing

21
Identity Theft 18 U.S.C. 1028(a)(7)

• Elements
• Knowingly using or transferring
• Another (real) persons means of identification
• Means includes name, SSN, DOB, drivers
  license, passport number unique biometric data
  unique EIN, address, or routing code or access
  device (e.g., credit-card or financial account
  number)
• With intent to commit/aid or abet any unlawful
  activity that constitutes a federal violation or
  state or local felony

22
Identity Theft 18 U.S.C. 1028(a)(7)

• Penalties
• Imprisonment (Maximum)
• Fraud-Related Violation - 15 years imprisonment
  If, as result of offense, any individual
  committing the offense obtains anything of value
  aggregating 1,000 or more during any 1-year
  period
• Basic Violation - 3 years imprisonment
• Fine Maximum 250,000 for individuals
• Forfeiture - Any personal property used or
  intended to be used to commit offense

23
Identity Theft 18 U.S.C. 1028(a)(7)

• Examples of Section 1028(a)(7) Offenses
• United States v. Butcher (N.D. Ohio, indictment
  filed Apr. 28, 2004)
• Defendant allegedly applied for 10 credit card
  accounts using the identifier information of
  another person, including her name, Social
  Security account number and date of birth,
  without authorization.
• United States v. Christensen (D. Ariz., pleaded
  guilty Jan. 20, 2004)
• Defendant used more than 50 different identities
  of others typically prison inmates serving long
  sentences to obtain more than 313,000 in
  student loans

24
Wire Fraud 18 U.S.C. 1343

• Elements
• Scheme or artifice to defraud or for obtaining
  money or property by means of false or fraudulent
  pretenses, representations, or promises
• Transmits (or causes transmission of) by means of
  wire communication in interstate or foreign
  commerce
• Writing, signs, signals, pictures, sounds for
  purpose of executing scheme or artifice

25
Wire Fraud 18 U.S.C. 1343

• Penalties
• Imprisonment (Maximum)
• 30 years imprisonment if violation affects a
  financial institution (e.g., bank or savings and
  loan)
• 20 years imprisonment in other cases
• Fine Maximum 250,000 for individuals
• Forfeiture

26
Wire Fraud 18 U.S.C. 1343

• Examples of Section 1343 Offenses
• Initial e-mails to prospective victims
• Victim responses to bogus website or window
• Criminals transmission of victims personal and
  financial data to other computers across state or
  international borders

27
Mail Fraud 18 U.S.C. 1341

• Elements
• Scheme or artifice to defraud, or for obtaining
  money or property by means of false or fraudulent
  pretenses, representations, or promises
• Placing in authorized depository for mail matter
  any matter or thing to be sent or delivered by
  U.S. Postal Service (or depositing anything to be
  sent or delivered by private or commercial
  interstate carrier), or receiving matter or thing
  from U.S. Postal Service or private or commercial
  interstate carrier
• For purpose of executing such scheme or artifice
• Note Causing innocent intermediary or victim to
  use mail can constitute mail fraud

28
Mail Fraud 18 U.S.C. 1341

• Penalties
• Imprisonment (Maximum)
• 30 years if violation affect financial
  institution
• 20 years in other cases
• Fine
• Maximum 250,000 for individuals
• Forfeiture
• Examples of Section 1341 Offenses
• Criminals mailing initial solicitation to
  prospective victims
• Victims mailing response or payment

29
Access Device Fraud 18 U.S.C. 1029

• Elements Section 1029(a)(2)
• Knowingly and with intent to defraud traffics in
  or uses one or more unauthorized access devices
  (e.g., access devices obtained with intent to
  defraud) during any 1-year period
• By such conduct obtains anything of value
  aggregating 1,000 or more during that period
• Elements Section 1029(a)(3)
• Knowingly and with intent to defraud possesses 15
  or more unauthorized access devices

30
Access Device Fraud 18 U.S.C. 1029

• Elements Section 1029(a)(5)
• Knowingly and with intent to defraud effects
  transactions with 1 or more access devices issued
  to another person or persons
• To receive payment or any other thing of value
  during any 1-year period the aggregate value of
  which is equal to or greater than 1,000
• Elements Section 1029(a)(10)
• Without authorization of credit card system or
  member or its agent
• Knowingly and with intent to defraud causes or
  arranges for another person to present to member
  or its agent, for payment, 1 or more evidences or
  records of transactions made by an access device

31
Access Device Fraud 18 U.S.C. 1029

• Penalties
• Imprisonment (Maximum)
• 10 years imprisonment for 1029(a)(2), (3)
• 15 years imprisonment for 1029(a)(5), (10)
• Fine Maximum 250,000 for individuals
• Forfeiture

32
Bank Fraud - 18 U.S.C. 1344

• Elements
• Knowingly executing, or attempting to execute
• Scheme or artifice to defraud financial
  institution, or to obtain money, funds, etc.
  under financial institutions custody by means of
  false or fraudulent pretenses, representations,
  or promises
• Penalties
• Imprisonment (Maximum) - 30 years imprisonment
• Fine Maximum 250,000
• Forfeiture
• Examples of Section 1344 Offenses
• United States v. Gebrezihir (S.D.N.Y. 2003)
• United States v. Yip (S.D.N.Y. 2003)
• Individuals stole identifying and other data from
  employer, then used data to open PayPal accounts
  and fund those accounts by direct transfers from
  victims bank accounts

33
Computer Fraud and Abuse 18 U.S.C. 1030

• Elements of Section 1030(a)(2)(C) Offense
• Intentionally accessing computer without
  authorization or exceeding authorization, and
• Thereby obtaining information from any protected
  computer if conduct involved interstate or
  foreign communication
• Penalties
• Imprisonment (Maximum)
• Felony 5 years if offense or attempt to commit
  offense committed for private financial gain, in
  furtherance of any criminal or tortious act in
  violation of U.S. Constitution or U.S. federal or
  state law
• Basic offense - 1 year for first offense or
  attempt
• Fine
• Examples
• United States v. Kalin (D.N.J. 2003)

34
Computer Fraud and Abuse 18 U.S.C. 1030

• Elements of Section 1030(a)(4) Offense
• Knowingly and with intent to defraud accesses a
  protected computer without authorization, or
  exceeds authorized access
• By means of such conduct furthers the intended
  fraud and obtains anything of value
• Unless object of fraud and thing obtained
  consists only of use of computer and value of
  such use is not more than 5,000 in any 1-year
  period
• Penalties
• Imprisonment (Maximum)
• 5 years for first offense or attempt, 10 years
  for subsequent
• Fine
• Forfeiture

35
Computer Fraud and Abuse 18 U.S.C. 1030

• Examples of Section 1030(a)(4) Offense
• Hacking into computer with Trojan horse and
  downloading numbers of credit-card or bank
  accounts, then debiting those accounts
• Accessing company computer to cause unauthorized
  disbursals of stock to personal brokerage
  accounts United States v. Osowski (N.D. Cal.
  2001)

36
CAN-SPAM 18 U.S.C. 1037

• Elements of Section 1037 Offenses
• Knowingly --
• (1) accessing protected computer without
  authorization, and intentionally initiates
  transmission of multiple commercial e-mail
  messages from or through such computer,
• (2) uses protected computer to relay or
  retransmit multiple commercial e-mail messages,
  with intent to deceive or mislead recipients, or
  any Internet access service, as to the origin of
  such messages,
• (3) materially falsifies header information in
  multiple commercial e-mail messages and
  intentionally initiates transmission of such
  messages,
• (4) registers, using information that materially
  falsifies identity of actual registrant, for 5 or
  more e-mail accounts or online user accounts or
  two or more domain names, and intentionally
  initiates transmission of multiple commercial
  e-mail messages from any combination of such
  accounts or domain names, or
• (5) falsely represents oneself to be registrant
  or legitimate successor in interest to registrant
  of 5 or more Internet Protocol addresses, and
  intentionally initiates the transmission of
  multiple commercial electronic mail messages from
  such addresses
• In or affecting interstate or foreign commerce

37
CAN-SPAM 18 U.S.C. 1037

• Penalties
• Imprisonment (Maximum)
• 5 years if
• Offense is committed in furtherance of any felony
  under the laws of the United States or of any
  State or
• Defendant has previously been convicted under
  section 1037 or section 1030, or under the law of
  any State for conduct involving transmission of
  multiple commercial e-mail mail messages or
  unauthorized access to a computer system
• Less in other circumstances for various section
  1037 offenses
• Fine
• Forfeiture

38
Identity Theft Penalty Enhancement Act 18
U.S.C. 1028A (July 15, 2004)

• Aggravated Identity Theft
• If individual knowingly transfers, possesses, or
  uses, without lawful authority, a means of
  identification of another person during and in
  relation to any felony enumerated in section
  1028A(c), two years imprisonment in addition to
  punishment provided for that underlying felony
• Felonies include 18 U.S.C. 1028, 1029, 1030,
  1037, 1341, 1343, 1344
• If individual does so during and in relation to
  terrorism-related felony, five years imprisonment
  in addition to punishment provided for that
  underlying felony
• In either case, no probation for person convicted
  of section 1028A violation, and in general no
  concurrent sentencing for section 1028A violation
  and other violations

39
Identity Theft Penalty Enhancement Act 18
U.S.C. 1028A (July 15, 2004)

• Amendments of Current 18 U.S.C. 1028(a)(7)
• Section now covers knowing possession, without
  lawful authority, of anothers means of
  identification, with requisite intent to commit
  an unlawful activity that constitutes federal
  offense or state or local felony
• Section now covers knowing and unauthorized
  possession, transfer, or use of anothers means
  of identification in connection with an unlawful
  activity that constitutes federal offense or
  state or local felony
• Section now increases maximum term of
  imprisonment for basic felony under section
  1028(a)(7) from 3 to 5 years
• Section now sets 25 years imprisonment as maximum
  for identity theft relating to domestic or
  international terrorism

40
Identity Theft Penalty Enhancement Act 18
U.S.C. 1028A (July 15, 2004)

• Revision of Federal Sentencing Guidelines
• Sentencing Commission is directed to review and
  amend Guidelines to ensure appropriate punishment
  for identity theft offenses involving an abuse of
  position

41
Law Enforcement Responses to Phishing

42
Federal Investigative Agencies Addressing Phishing

• FBI
• United States Secret Service
• United States Postal Inspection Service
• Social Security Administration Office of
  Inspector General

43
Phishing Complaint Reporting

• FTC Identity Theft Data Clearinghouse
• Internet Crime Complaint Center
• Began as Internet Fraud Complaint Center in May
  2000
• Joint project of FBI and National White Collar
  Crime Center
• Receives online complaints from public, analyzes
  trends and patterns, and sends investigative
  packages to most relevant investigative field
  offices
• http//www.ic3.gov

44
Enforcement Coordination on Phishing

• Enforcement Takedowns and Sweeps
• November 2003 Operation Cyber Sweep
• Arrests or convictions of more than 125
  individuals, and return of more than 70
  indictments, for various internet fraud and other
  online economic crime offenses
• Cases involved more than 125,000 victims with
  losses of more than 100 million
• 34 U.S. Attorneys Offices, FBI, Postal, FTC,
  Secret Service, Immigration and Customs
  Enforcement, state, local, and foreign law
  enforcement
• Cooperation and collaboration with industry and
  foreign law enforcement agencies
• Similar Operations
• Operation E-Con May 2003
• Identity Theft May 2002
• Operation Cyber Loss May 2001

45
Enforcement Coordination on Phishing

• Task Forces and Specialized Units
• More than 40 FBI, Secret Service, and SSA-OIG
  task forces with focus on identity theft
• U.S. Attorney Computer Hacking and Intellectual
  Property (CHIP) Units
• Training
• Joint training for federal prosecutors and agents
  on Internet fraud includes training on phishing
• Interagency Working Groups
• Telemarketing and Internet Fraud Working Group
• Identity Theft Subcommittee of Attorney Generals
  Council on White-Collar Crime

46
Prevention and Education on Phishing

• FTC
• Website on Identity Theft www.consumer.gov/idthe
  ft
• Consumer Alert - http//www.ftc.gov/bcp/conline/pu
  bs/alerts/phishingalrt.htm
• U.S. Department of Justice
• Website on Identity Theft and Fraud
  www.usdoj.gov/criminal/fraud/idtheft.html
• Special Report on Phishing - http//www.usdoj.gov/
  criminal/fraud/Phishing.pdf
• United Kingdom
• Government Website on Identity Theft -
  www.identity-theft.org.uk

47
Contact Data for Jonathan J. Rusch

• E-Mail Jonathan.Rusch2_at_usdoj.gov
• Fax 202-514-7021
• Phone 202-514-0631
• Mail Fraud Section, Criminal Division, U.S.
  Department of Justice, 10th Street and
  Constitution Avenue, N.W., Bond Building, Room
  4300, Washington, DC 20530