Title: Phishing and Federal Law Enforcement
1. Phishing and Federal Law Enforcement
- Jonathan J. Rusch
- Special Counsel for Fraud Prevention
- Fraud Section, Criminal Division
- U.S. Department of Justice
- Washington, DC
- ABA Administrative Law and Regulatory Practice Section - Atlanta, Georgia
- August 6, 2004
2. Overview
- A Definition and Principal Types of Phishing
- Statistics Relating to Phishing
- U.S. Enforcement Actions Against Phishers
- Other Nations' Enforcement Actions Against Phishers
- U.S. Federal Criminal Statutes Applicable to Phishing
- Law Enforcement Resources
3. A Definition and Principal Types of Phishing
4. A Definition of Phishing
- Any criminal scheme in which digital communications play a significant role in
  - acquiring multiple victims' identifying or personal financial data by deception, and
  - transferring or transmitting multiple victims' data via the Internet for criminal use
- Note: Analysis of phishing schemes should not focus just on one type (e.g., bogus e-mails)
5. Principal Types of Phishing
- Most Common: Dragnet Method
  - E-mails with falsified corporate identification, directing a large class of people to websites with similarly falsified identification
  - Specific prospective victims not identified in advance, but false information conveyed to trigger immediate victim response
- Rod-and-Reel Method
  - Targeted initial contacts with prospective victims
  - Specific prospective victims defined in advance, and false information conveyed to trigger responses
- Lobsterpot Method
  - Creation of websites similar to legitimate corporate websites that a narrowly defined class of victims are likely to seek out
  - Smaller class of prospective victims identified in advance, but no triggering of victim response
6. Statistics Relating to Phishing
7. Gartner Group (May 2004)
- Direct financial losses from phishing attacks cost U.S. financial services firms about $1.2 billion in 2003
8. U.S. Enforcement Actions Against Phishers
9. Dragnet Phishing Cases
- United States v. Forcellina (D. Conn., sentenced Apr. 30 and June 18, 2004)
  - Husband, 23, accessed chat rooms, used a device to capture screen names of chat room participants, then sent e-mails pretending to be the ISP requiring correct billing information, including current credit-card number
  - Used credit-card numbers and other personal data to arrange for wire transfers of funds via Western Union, but had others pick up the funds from Western Union
  - Husband and wife pleaded guilty to conspiracy to commit access device fraud
  - Husband sentenced to 18 months imprisonment; wife sentenced to 6 months home confinement
10. Dragnet Phishing Cases
- United States v. Hill (S.D. Tex., sentenced May 2004); FTC v. Hill (S.D. Tex., preliminary injunction December 2003)
  - Defendant operated AOL and PayPal phishing scheme, used fraudulently obtained credit-card numbers to obtain goods and services costing more than $47,000
  - Defendant pleaded guilty in February 2004 to possession and use of access devices
  - Sentenced to 46 months imprisonment
11. Dragnet Phishing Cases
- United States v. Carr (E.D. Va. 2003)
  - Helen Carr, 55, of Akron, Ohio, sent fake e-mail messages to AOL customers in the United States and several foreign countries
  - Customers advised that they must update their credit card/personal information on file with AOL to maintain their accounts
  - Guilty plea October 2003 to conspiracy to possess unauthorized access devices
  - Sentenced in January 2004 to 46 months imprisonment
  - George Patterson, a co-conspirator, previously pleaded guilty to the same charge and was sentenced in July 2003 to 37 months imprisonment
12. Dragnet Phishing Cases
- United States v. Guevara (W.D. Wash. 2003)
  - Matthew Guevara, 21, of Chicago, Illinois, created false e-mail accounts with Hotmail and an unauthorized website with the address www.msnbilling.com through Yahoo!
  - Then sent MSN customers e-mail messages, purporting to come from MSN, that directed customers to the fraudulent www.msnbilling.com website and asked them to verify their accounts by providing name, MSN account, and credit card data
  - Website automatically forwarded each customer's data to one of Guevara's false Hotmail accounts; Guevara used the stolen credit card information himself and provided it to another person as well
  - Guilty plea in September 2003 to wire fraud
  - Sentenced January 2004 to 5 years probation, 6 months home confinement
13. Dragnet Phishing Cases
- FTC v. ___ (C.D. Cal. 2003)
  - Juvenile sent e-mails to consumers saying they needed to update AOL account information or risk losing their access. The e-mails sent recipients to a site that looked authentic but asked for detailed personal and financial information. The youth used the information to buy things online, open PayPal accounts, and open AOL accounts to send more junk e-mail
  - Juvenile agreed to pay $3,500 to settle FTC charges
  - Cooperation between FTC, DOJ Computer Crime and Intellectual Property Section, FBI, U.S. Attorney for Eastern Virginia, Postal Inspection Service, and Los Angeles County District Attorney's Office
14. Rod-and-Reel Phishing Cases
- United States v. Gebrezihir (S.D.N.Y. 2003)
  - Isaac Gebrezihir allegedly involved with scheme to send phony letters on bank letterhead, along with altered or counterfeit IRS forms, to victims, generally foreign nationals living abroad with bank accounts in the United States
  - Some of the altered or counterfeit forms appear similar to actual IRS forms that are sent to non-resident aliens who maintain accounts at U.S. banks
  - Fraudulent IRS forms all require personal information concerning the victim and the victim's bank account
  - Fraudulent bank letter instructs the victim to fill out the fraudulent IRS form and then fax the completed form, ostensibly to the IRS or to the bank
  - Fax numbers provided to the victims are Internet-based fax numbers that convert all incoming faxes to e-mail attachments and then forward the attachments to free e-mail accounts
  - Wire transfer instructions then sent to banks and, in many instances, large amounts of money are transferred from victims' accounts, usually to overseas accounts
  - Overall investigation has identified more than $700,000 in losses
  - Indicted Nov. 2003
15. Rod-and-Reel Phishing Cases
- Romanian Arrest (2003)
  - Romanian General Directorate for Combating Organized Crime, in cooperation with the Secret Service, arrested a subject in Alba Iulia, Romania
  - Individual forwarded spoofed e-mails resembling an actual auction webpage to the attention of unsuccessful bidders in an online auction
  - On the spoofed page, the subject advised victims of the availability of a similar item for a better price; upon visiting the "sale" page, victims were asked for personal information including their name, bank account numbers and passwords
  - Victims then advised that they "won" the spoofed auction and agreed to send money to the subject through a spoofed escrow site created by the subject
  - Scheme resulted in nearly $500,000 in on-line losses
16. Lobsterpot Phishing Case
- United States v. Kalin (D.N.J., Nov. 2003)
  - Shawn Kalin of Las Vegas, Nevada, allegedly registered four websites with domain names deceptively similar to the website operated by DealerTrack, Inc.
  - DealerTrack provides services via the Internet to auto dealerships located throughout the United States, including dealers ordering credit reports on prospective automobile buyers
  - Because Kalin's websites were designed to be almost identical to the main page of www.dealertrack.com, Kalin allegedly got a number of dealership employees mistakenly to enter usernames and passwords at his sites
  - Could then get unauthorized access to DealerTrack for personal data
  - Kalin charged in criminal complaint Nov. 2003
17. Other Nations' Enforcement Actions Against Phishers
18. United Kingdom
- April 2004: National High-Tech Crime Unit (NHTCU) arrests 21-year-old British national for copycat phishing scheme involving online bank
  - Reportedly first in United Kingdom
- May 2004: NHTCU arrests 12 Eastern European nationals suspected of laundering money from phished bank accounts
19. Australia
- April 2004: Australian Federal Police reportedly seeking cooperation from French authorities to shut down domain name associated with large-scale phishing scheme
20. U.S. Federal Criminal Statutes Applicable to Phishing
21. Identity Theft: 18 U.S.C. 1028(a)(7)
- Elements
  - Knowingly using or transferring
  - Another (real) person's means of identification
    - "Means" includes name, SSN, DOB, driver's license, passport number, unique biometric data, unique EIN, address, or routing code, or access device (e.g., credit-card or financial account number)
  - With intent to commit/aid or abet any unlawful activity that constitutes a federal violation or state or local felony
22. Identity Theft: 18 U.S.C. 1028(a)(7)
- Penalties
  - Imprisonment (Maximum)
    - Fraud-Related Violation: 15 years imprisonment if, as a result of the offense, any individual committing the offense obtains anything of value aggregating $1,000 or more during any 1-year period
    - Basic Violation: 3 years imprisonment
  - Fine: Maximum $250,000 for individuals
  - Forfeiture: Any personal property used or intended to be used to commit the offense
23. Identity Theft: 18 U.S.C. 1028(a)(7)
- Examples of Section 1028(a)(7) Offenses
  - United States v. Butcher (N.D. Ohio, indictment filed Apr. 28, 2004)
    - Defendant allegedly applied for 10 credit card accounts using the identifier information of another person, including her name, Social Security account number and date of birth, without authorization
  - United States v. Christensen (D. Ariz., pleaded guilty Jan. 20, 2004)
    - Defendant used more than 50 different identities of others, typically prison inmates serving long sentences, to obtain more than $313,000 in student loans
24. Wire Fraud: 18 U.S.C. 1343
- Elements
  - Scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises
  - Transmits (or causes transmission of) by means of wire communication in interstate or foreign commerce
  - Writing, signs, signals, pictures, or sounds for purpose of executing scheme or artifice
25. Wire Fraud: 18 U.S.C. 1343
- Penalties
  - Imprisonment (Maximum)
    - 30 years imprisonment if violation affects a financial institution (e.g., bank or savings and loan)
    - 20 years imprisonment in other cases
  - Fine: Maximum $250,000 for individuals
  - Forfeiture
26. Wire Fraud: 18 U.S.C. 1343
- Examples of Section 1343 Offenses
  - Initial e-mails to prospective victims
  - Victim responses to bogus website or window
  - Criminal's transmission of victims' personal and financial data to other computers across state or international borders
27. Mail Fraud: 18 U.S.C. 1341
- Elements
  - Scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises
  - Placing in an authorized depository for mail matter any matter or thing to be sent or delivered by the U.S. Postal Service (or depositing anything to be sent or delivered by a private or commercial interstate carrier), or receiving any matter or thing from the U.S. Postal Service or a private or commercial interstate carrier
  - For purpose of executing such scheme or artifice
  - Note: Causing an innocent intermediary or victim to use the mail can constitute mail fraud
28. Mail Fraud: 18 U.S.C. 1341
- Penalties
  - Imprisonment (Maximum)
    - 30 years if violation affects a financial institution
    - 20 years in other cases
  - Fine
    - Maximum $250,000 for individuals
  - Forfeiture
- Examples of Section 1341 Offenses
  - Criminals mailing initial solicitation to prospective victims
  - Victims mailing response or payment
29. Access Device Fraud: 18 U.S.C. 1029
- Elements: Section 1029(a)(2)
  - Knowingly and with intent to defraud traffics in or uses one or more unauthorized access devices (e.g., access devices obtained with intent to defraud) during any 1-year period
  - By such conduct obtains anything of value aggregating $1,000 or more during that period
- Elements: Section 1029(a)(3)
  - Knowingly and with intent to defraud possesses 15 or more unauthorized access devices
30. Access Device Fraud: 18 U.S.C. 1029
- Elements: Section 1029(a)(5)
  - Knowingly and with intent to defraud effects transactions with 1 or more access devices issued to another person or persons
  - To receive payment or any other thing of value during any 1-year period the aggregate value of which is equal to or greater than $1,000
- Elements: Section 1029(a)(10)
  - Without authorization of credit card system or member or its agent
  - Knowingly and with intent to defraud causes or arranges for another person to present to the member or its agent, for payment, 1 or more evidences or records of transactions made by an access device
31. Access Device Fraud: 18 U.S.C. 1029
- Penalties
  - Imprisonment (Maximum)
    - 10 years imprisonment for 1029(a)(2), (3)
    - 15 years imprisonment for 1029(a)(5), (10)
  - Fine: Maximum $250,000 for individuals
  - Forfeiture
32. Bank Fraud: 18 U.S.C. 1344
- Elements
  - Knowingly executing, or attempting to execute
  - Scheme or artifice to defraud a financial institution, or to obtain money, funds, etc. under a financial institution's custody by means of false or fraudulent pretenses, representations, or promises
- Penalties
  - Imprisonment (Maximum): 30 years imprisonment
  - Fine: Maximum $250,000
  - Forfeiture
- Examples of Section 1344 Offenses
  - United States v. Gebrezihir (S.D.N.Y. 2003)
  - United States v. Yip (S.D.N.Y. 2003)
    - Individuals stole identifying and other data from their employer, then used the data to open PayPal accounts and fund those accounts by direct transfers from victims' bank accounts
33. Computer Fraud and Abuse: 18 U.S.C. 1030
- Elements of Section 1030(a)(2)(C) Offense
  - Intentionally accessing a computer without authorization or exceeding authorization, and
  - Thereby obtaining information from any protected computer if conduct involved interstate or foreign communication
- Penalties
  - Imprisonment (Maximum)
    - Felony: 5 years if offense or attempt to commit offense committed for private financial gain, in furtherance of any criminal or tortious act in violation of U.S. Constitution or U.S. federal or state law
    - Basic offense: 1 year for first offense or attempt
  - Fine
- Examples
  - United States v. Kalin (D.N.J. 2003)
34. Computer Fraud and Abuse: 18 U.S.C. 1030
- Elements of Section 1030(a)(4) Offense
  - Knowingly and with intent to defraud accesses a protected computer without authorization, or exceeds authorized access
  - By means of such conduct furthers the intended fraud and obtains anything of value
  - Unless the object of the fraud and the thing obtained consists only of use of the computer and the value of such use is not more than $5,000 in any 1-year period
- Penalties
  - Imprisonment (Maximum)
    - 5 years for first offense or attempt, 10 years for subsequent
  - Fine
  - Forfeiture
35. Computer Fraud and Abuse: 18 U.S.C. 1030
- Examples of Section 1030(a)(4) Offense
  - Hacking into computer with Trojan horse and downloading numbers of credit-card or bank accounts, then debiting those accounts
  - Accessing company computer to cause unauthorized disbursals of stock to personal brokerage accounts: United States v. Osowski (N.D. Cal. 2001)
36. CAN-SPAM: 18 U.S.C. 1037
- Elements of Section 1037 Offenses
  - Knowingly --
    - (1) accesses a protected computer without authorization, and intentionally initiates transmission of multiple commercial e-mail messages from or through such computer,
    - (2) uses a protected computer to relay or retransmit multiple commercial e-mail messages, with intent to deceive or mislead recipients, or any Internet access service, as to the origin of such messages,
    - (3) materially falsifies header information in multiple commercial e-mail messages and intentionally initiates transmission of such messages,
    - (4) registers, using information that materially falsifies the identity of the actual registrant, for 5 or more e-mail accounts or online user accounts or two or more domain names, and intentionally initiates transmission of multiple commercial e-mail messages from any combination of such accounts or domain names, or
    - (5) falsely represents oneself to be the registrant or legitimate successor in interest to the registrant of 5 or more Internet Protocol addresses, and intentionally initiates the transmission of multiple commercial electronic mail messages from such addresses
  - In or affecting interstate or foreign commerce
37. CAN-SPAM: 18 U.S.C. 1037
- Penalties
  - Imprisonment (Maximum)
    - 5 years if
      - Offense is committed in furtherance of any felony under the laws of the United States or of any State, or
      - Defendant has previously been convicted under section 1037 or section 1030, or under the law of any State for conduct involving transmission of multiple commercial e-mail messages or unauthorized access to a computer system
    - Less in other circumstances for various section 1037 offenses
  - Fine
  - Forfeiture
38. Identity Theft Penalty Enhancement Act: 18 U.S.C. 1028A (July 15, 2004)
- Aggravated Identity Theft
  - If an individual knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person during and in relation to any felony enumerated in section 1028A(c), two years imprisonment in addition to the punishment provided for that underlying felony
    - Felonies include 18 U.S.C. 1028, 1029, 1030, 1037, 1341, 1343, 1344
  - If an individual does so during and in relation to a terrorism-related felony, five years imprisonment in addition to the punishment provided for that underlying felony
  - In either case, no probation for a person convicted of a section 1028A violation, and in general no concurrent sentencing for a section 1028A violation and other violations
39. Identity Theft Penalty Enhancement Act: 18 U.S.C. 1028A (July 15, 2004)
- Amendments of Current 18 U.S.C. 1028(a)(7)
  - Section now covers knowing possession, without lawful authority, of another's means of identification, with the requisite intent to commit an unlawful activity that constitutes a federal offense or state or local felony
  - Section now covers knowing and unauthorized possession, transfer, or use of another's means of identification in connection with an unlawful activity that constitutes a federal offense or state or local felony
  - Section now increases maximum term of imprisonment for the basic felony under section 1028(a)(7) from 3 to 5 years
  - Section now sets 25 years imprisonment as the maximum for identity theft relating to domestic or international terrorism
40. Identity Theft Penalty Enhancement Act: 18 U.S.C. 1028A (July 15, 2004)
- Revision of Federal Sentencing Guidelines
  - Sentencing Commission is directed to review and amend Guidelines to ensure appropriate punishment for identity theft offenses involving an abuse of position
41. Law Enforcement Responses to Phishing
42. Federal Investigative Agencies Addressing Phishing
- FBI
- United States Secret Service
- United States Postal Inspection Service
- Social Security Administration Office of Inspector General
43. Phishing Complaint Reporting
- FTC Identity Theft Data Clearinghouse
- Internet Crime Complaint Center
  - Began as Internet Fraud Complaint Center in May 2000
  - Joint project of FBI and National White Collar Crime Center
  - Receives online complaints from the public, analyzes trends and patterns, and sends investigative packages to the most relevant investigative field offices
  - http://www.ic3.gov
44. Enforcement Coordination on Phishing
- Enforcement Takedowns and Sweeps
  - November 2003: Operation Cyber Sweep
    - Arrests or convictions of more than 125 individuals, and return of more than 70 indictments, for various Internet fraud and other online economic crime offenses
    - Cases involved more than 125,000 victims with losses of more than $100 million
    - 34 U.S. Attorneys' Offices, FBI, Postal, FTC, Secret Service, Immigration and Customs Enforcement, state, local, and foreign law enforcement
    - Cooperation and collaboration with industry and foreign law enforcement agencies
  - Similar Operations
    - Operation E-Con: May 2003
    - Identity Theft: May 2002
    - Operation Cyber Loss: May 2001
45. Enforcement Coordination on Phishing
- Task Forces and Specialized Units
  - More than 40 FBI, Secret Service, and SSA-OIG task forces with focus on identity theft
  - U.S. Attorney Computer Hacking and Intellectual Property (CHIP) Units
- Training
  - Joint training for federal prosecutors and agents on Internet fraud includes training on phishing
- Interagency Working Groups
  - Telemarketing and Internet Fraud Working Group
  - Identity Theft Subcommittee of Attorney General's Council on White-Collar Crime
46. Prevention and Education on Phishing
- FTC
  - Website on Identity Theft: www.consumer.gov/idtheft
  - Consumer Alert: http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm
- U.S. Department of Justice
  - Website on Identity Theft and Fraud: www.usdoj.gov/criminal/fraud/idtheft.html
  - Special Report on Phishing: http://www.usdoj.gov/criminal/fraud/Phishing.pdf
- United Kingdom
  - Government Website on Identity Theft: www.identity-theft.org.uk
47. Contact Data for Jonathan J. Rusch
- E-Mail: Jonathan.Rusch2_at_usdoj.gov
- Fax: 202-514-7021
- Phone: 202-514-0631
- Mail: Fraud Section, Criminal Division, U.S. Department of Justice, 10th Street and Constitution Avenue, N.W., Bond Building, Room 4300, Washington, DC 20530