Phishing and Federal Law Enforcement (PowerPoint presentation transcript)

1
Phishing and Federal Law Enforcement
  • Jonathan J. Rusch
  • Special Counsel for Fraud Prevention
  • Fraud Section, Criminal Division
  • U.S. Department of Justice
  • Washington, DC
  • ABA Administrative Law and Regulatory Practice
    Section
  • Atlanta, Georgia
  • August 6, 2004

2
Overview
  • A Definition and Principal Types of Phishing
  • Statistics Relating to Phishing
  • U.S. Enforcement Actions Against Phishers
  • Other Nations' Enforcement Actions Against
    Phishers
  • U.S. Federal Criminal Statutes Applicable to
    Phishing
  • Law Enforcement Resources

3
A Definition and Principal Types of Phishing

4
A Definition of Phishing
  • Any criminal scheme in which digital
    communications play a significant role in
  • acquiring multiple victims' identifying or
    personal financial data by deception, and
  • transferring or transmitting multiple victims'
    data via the Internet for criminal use
  • Note: Analysis of phishing schemes should not
    focus just on one type (e.g., bogus e-mails)

5
Principal Types of Phishing
  • Most Common: Dragnet Method
  • E-mails with falsified corporate identification,
    directing large class of people to websites with
    similarly falsified identification
  • Specific prospective victims not identified in
    advance, but false information conveyed to
    trigger immediate victim response
  • Rod-and-Reel Method
  • Targeted initial contacts with prospective
    victims
  • Specific prospective victims defined in advance,
    and false information conveyed to trigger
    responses
  • Lobsterpot Method
  • Creation of websites similar to legitimate
    corporate websites that narrowly defined class of
    victims are likely to seek out
  • Smaller class of prospective victims identified
    in advance, but no triggering of victim response
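
The dragnet pattern above pairs a falsified corporate sender with links to a similarly falsified website. The following is an added example, not code from the presentation, of the check a mail filter can apply to a single message: parse the headers, take the sender's domain, and compare it against the Reply-To domain and every link host in the body. The message, the ISP name, the addresses and the URLs in it are constructed for illustration, and the last-two-labels domain heuristic is an assumption that a real deployment would replace with a public-suffix list.

```python
"""Dragnet phishing indicator check.

Added example, not code from the presentation. Looks for the two tells the
slide describes: a falsified corporate identity in the From: header and links
that lead to a host outside the sender's claimed domain. Everything in
SAMPLE_MESSAGE (the ISP name, addresses and URLs) is constructed for
illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the display name claims the ISP, but Reply-To and the
# link in the body point at unrelated domains.
SAMPLE_MESSAGE = """\
From: "Example ISP Billing" <billing@example-isp.com>
Reply-To: billing-update@mail-free.example
To: customer@example.org
Subject: Update your billing information
Content-Type: text/plain

Your account will be suspended unless you confirm your credit card at
http://www.example-isp-billing.net/update within 24 hours.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels.

    Assumption: no public-suffix list is available, so this is a heuristic
    that works for .com/.net/.org and misclassifies suffixes like co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of_address(header_value: str) -> str:
    """Registrable domain of the address in a From:/Reply-To: header, or ''."""
    _, addr = parseaddr(header_value)
    return registrable_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def analyze_message(raw: str) -> dict:
    """Return the sender domain, every link domain in the body, and findings."""
    msg = message_from_string(raw)
    sender_domain = domain_of_address(msg.get("From", ""))
    reply_domain = domain_of_address(msg.get("Reply-To", ""))

    # Single-part text body only; a multipart message would need each text part walked.
    payload = msg.get_payload(decode=True) if not msg.is_multipart() else b""
    body = payload.decode("utf-8", errors="replace")
    link_domains = [registrable_domain(urlparse(url).hostname or "")
                    for url in URL_RE.findall(body)]

    findings = []
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {sender_domain}")
    for domain in link_domains:
        if domain != sender_domain:
            findings.append(f"link host {domain} is outside claimed sender domain {sender_domain}")
    return {"sender_domain": sender_domain, "link_domains": link_domains, "findings": findings}


if __name__ == "__main__":
    for line in analyze_message(SAMPLE_MESSAGE)["findings"]:
        print(line)
```

The check is deliberately narrow: it says nothing about whether the From: address was actually spoofed at the SMTP level, only that the message's own claims are inconsistent with where it sends the reader. Run on the constructed message it reports two findings, one for the Reply-To mismatch and one for the link host.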

6
Statistics Relating to Phishing

7
Gartner Group (May 2004)
  • Direct financial losses from phishing attacks
    cost U.S. financial services firms about $1.2
    billion in 2003

8
U.S. Enforcement Actions Against Phishers

9
Dragnet Phishing Cases
  • United States v. Forcellina (D. Conn., sentenced
    Apr. 30 and June 18, 2004)
  • Husband, 23, accessed chat rooms, used a device to
    capture screen names of chat room participants,
    then sent e-mails pretending to be the ISP and
    requiring correct billing information, including
    current credit-card number
  • Used credit-card numbers and other personal data
    to arrange for wire transfers of funds via
    Western Union, but had others pick up funds from
    Western Union
  • Husband and wife pleaded guilty to conspiracy to
    commit access device fraud
  • Husband sentenced to 18 months imprisonment; wife
    sentenced to 6 months home confinement

10
Dragnet Phishing Cases
  • United States v. Hill (S.D. Tex., sentenced May
    2004); FTC v. Hill (S.D. Tex., preliminary
    injunction December 2003)
  • Defendant operated AOL and PayPal phishing
    scheme, used fraudulently obtained credit-card
    numbers to obtain goods and services costing more
    than $47,000
  • Defendant pleaded guilty in February 2004 to
    possession and use of access devices
  • Sentenced to 46 months imprisonment

11
Dragnet Phishing Cases
  • United States v. Carr (E.D. Va. 2003)
  • Helen Carr, 55, of Akron, Ohio, sent fake e-mail
    messages to AOL customers in United States and
    several foreign countries
  • Customers advised that they must update their
    credit card/personal information on file with AOL
    to maintain their accounts
  • Guilty plea October 2003 to conspiracy to possess
    unauthorized access devices
  • Sentenced in January 2004 to 46 months
    imprisonment
  • George Patterson, a co-conspirator, previously
    pleaded guilty to the same charge and was
    sentenced in July 2003 to 37 months imprisonment

12
Dragnet Phishing Cases
  • United States v. Guevara (W.D. Wash. 2003)
  • Matthew Guevara, 21, of Chicago, Illinois,
    created false e-mail accounts with Hotmail and
    unauthorized website with the address
    www.msnbilling.com through Yahoo!
  • Then sent MSN customers e-mail messages,
    purporting to come from MSN, that directed
    customers to fraudulent www.msnbilling.com
    website and asked them to verify their accounts
    by providing name, MSN account, and credit card
    data
  • Website automatically forwarded each customer's
    data to one of Guevara's false Hotmail accounts;
    Guevara used stolen credit card information
    himself and provided it to another person as well
  • Guilty plea in September 2003 to wire fraud
  • Sentenced January 2004 to 5 years probation, 6
    months home confinement

13
Dragnet Phishing Cases
  • FTC v. ___ (C.D. Cal. 2003)
  • Juvenile sent emails to consumers saying they
    needed to update AOL account information or risk
    losing their access. The emails sent recipients
    to a site that looked authentic but asked for
    detailed personal and financial information. The
    youth used the information to buy things online,
    open PayPal accounts, and open AOL accounts to
    send more junk email
  • Juvenile agreed to pay $3,500 to settle FTC
    charges
  • Cooperation between FTC, DOJ Computer Crime and
    Intellectual Property Section, FBI, U.S. Attorney
    for Eastern Virginia, Postal Inspection Service,
    and Los Angeles County District Attorney's Office

14
Rod-and-Reel Phishing Cases
  • United States v. Gebrezihir (S.D.N.Y. 2003)
  • Isaac Gebrezihir allegedly involved with scheme
    to send phony letters on bank letterhead, along
    with altered or counterfeit IRS forms, to
    victims, generally foreign nationals living
    abroad with bank accounts in the United States
  • Some of altered or counterfeit forms appear
    similar to actual IRS forms that are sent to
    non-resident aliens who maintain accounts at U.S.
    banks
  • Fraudulent IRS forms all require personal
    information concerning victim and victim's bank
    account
  • Fraudulent bank letter instructs victim to fill
    out fraudulent IRS form and then fax completed
    form, ostensibly to the IRS or to the bank
  • Fax numbers provided to the victims are
    Internet-based fax numbers that convert all
    incoming faxes to e-mail attachments and then
    forward attachments to free e-mail accounts
  • Wire transfer instructions then sent to banks
    and, in many instances, large amounts of money
    are transferred from victims accounts, usually
    to overseas accounts
  • Overall investigation has identified more than
    $700,000 in losses
  • Indicted Nov. 2003

15
Rod-and-Reel Phishing Cases
  • Romanian Arrest (2003)
  • Romanian General Directorate for Combating
    Organized Crime, in cooperation with Secret
    Service, arrested a subject in Alba Julia,
    Romania
  • Individual forwarded spoofed e-mails resembling
    actual auction webpage to the attention of
    unsuccessful bidders in an online auction
  • On spoofed page, the subject advised victims of
    availability of similar item for a better price;
    upon visiting the "sale" page, victims were asked
    for personal information including their name,
    bank account numbers and passwords
  • Victims then advised that they "won" the spoofed
    auction and agreed to send money to the subject
    through a spoofed escrow site created by the
    subject
  • Scheme resulted in nearly $500,000 in on-line
    losses

16
Lobsterpot Phishing Case
  • United States v. Kalin (D.N.J., Nov. 2003)
  • Shawn Kalin of Las Vegas, Nevada, allegedly
    registered four websites with domain names
    deceptively similar to website operated by
    DealerTrack, Inc.
  • DealerTrack provides services via the Internet to
    auto dealerships located throughout the United
    States, including dealers ordering credit
    reports on prospective automobile buyers
  • Because Kalin's websites were designed to be almost
    identical to the main page of www.dealertrack.com,
    Kalin allegedly got a number of dealership
    employees mistakenly to enter usernames and
    passwords at his sites
  • Could then get unauthorized access to DealerTrack
    for personal data
  • Kalin charged in criminal complaint Nov. 2003
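
The lobsterpot case above, and the lobsterpot method defined earlier in the deck, turn on domain names deceptively similar to a legitimate site. As an added example, not code from the presentation or from the case, the block below scores candidate registrations against a legitimate domain using the tells a defender monitoring new registrations looks for: homoglyph substitution, a one- or two-character edit, the brand embedded in a longer label, and a top-level-domain swap. The legitimate domain is the one the slide names; the candidate names are constructed for illustration, since the slide does not list the four domains Kalin registered, and the list is not them. The homoglyph table and the single-label-suffix assumption in split_domain are simplifications.

```python
"""Lookalike-domain scoring for the lobsterpot pattern.

Added example, not code from the presentation or from the Kalin case. The
legitimate domain is the one the slide names; the CANDIDATES list is
constructed for illustration and is not the set of domains Kalin registered,
which the slide does not list.
"""

LEGITIMATE = "dealertrack.com"

# Substitutions that make one label read like another at a glance (assumed table).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

CANDIDATES = [
    "dealertrack.com",        # the real domain, must not be flagged
    "dealertrak.com",         # dropped letter
    "dealertracks.com",       # added letter
    "dea1ertrack.com",        # digit 1 standing in for l
    "dealertrack-login.com",  # brand plus a keyword
    "dealertrack.net",        # top-level domain swap
    "example.com",            # unrelated, must not be flagged
]


def normalize(label: str) -> str:
    """Fold common homoglyphs so visually similar labels compare equal."""
    for glyph, target in HOMOGLYPHS.items():
        label = label.replace(glyph, target)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> tuple:
    """Return (second-level label, suffix). Assumes a single-label suffix such as .com."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2], labels[-1]


def score(candidate: str, legitimate: str = LEGITIMATE) -> dict:
    """Explain why a candidate looks like the legitimate domain, if it does."""
    if candidate.lower() == legitimate.lower():
        return {"domain": candidate, "lookalike": False, "reasons": []}
    c_sld, c_tld = split_domain(candidate)
    l_sld, l_tld = split_domain(legitimate)
    folded, l_folded = normalize(c_sld), normalize(l_sld)

    reasons = []
    if folded == l_folded and c_sld != l_sld:
        reasons.append("homoglyph substitution")
    if folded == l_folded and c_tld != l_tld:
        reasons.append(f"top-level domain swap (.{c_tld} for .{l_tld})")
    distance = levenshtein(folded, l_folded)
    if 0 < distance <= 2:
        reasons.append(f"edit distance {distance} from {l_sld}")
    if l_folded in folded and folded != l_folded:
        reasons.append("brand name embedded in a longer label")
    return {"domain": candidate, "lookalike": bool(reasons), "reasons": reasons}


def flag_lookalikes(candidates, legitimate: str = LEGITIMATE) -> list:
    """Return only the candidates that trip at least one lookalike rule."""
    return [c for c in candidates if score(c, legitimate)["lookalike"]]


if __name__ == "__main__":
    for candidate in CANDIDATES:
        result = score(candidate)
        print(candidate, "->", "; ".join(result["reasons"]) or "no match")
```

The edit-distance threshold of two is a judgement call: it catches single typos and transpositions without sweeping in every short label, and the brand-embedding rule covers the longer "brand-plus-keyword" registrations that distance alone misses. Against the constructed list, every candidate except the real domain and example.com is flagged.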

17
Other Nations' Enforcement Actions Against
Phishers

18
United Kingdom
  • April 2004: National High-Tech Crime Unit (NHTCU)
    arrests 21-year-old British national for
    copycat phishing scheme involving online bank
  • Reportedly first in United Kingdom
  • May 2004: NHTCU arrests 12 Eastern European
    nationals suspected of laundering money from
    phished bank accounts

19
Australia
  • April 2004: Australian Federal Police reportedly
    seeking cooperation from French authorities to
    shut down domain name associated with large-scale
    phishing scheme

20
U.S. Federal Criminal Statutes Applicable to
Phishing

21
Identity Theft 18 U.S.C. 1028(a)(7)
  • Elements
  • Knowingly using or transferring
  • Another (real) person's means of identification
  • Means includes name, SSN, DOB, driver's
    license or passport number, unique biometric
    data, unique electronic identification number,
    address, or routing code, or access device (e.g.,
    credit-card or financial account number)
  • With intent to commit/aid or abet any unlawful
    activity that constitutes a federal violation or
    state or local felony

22
Identity Theft 18 U.S.C. 1028(a)(7)
  • Penalties
  • Imprisonment (Maximum)
  • Fraud-Related Violation - 15 years imprisonment
    if, as result of offense, any individual
    committing the offense obtains anything of value
    aggregating $1,000 or more during any 1-year
    period
  • Basic Violation - 3 years imprisonment
  • Fine: Maximum $250,000 for individuals
  • Forfeiture - Any personal property used or
    intended to be used to commit offense

23
Identity Theft 18 U.S.C. 1028(a)(7)
  • Examples of Section 1028(a)(7) Offenses
  • United States v. Butcher (N.D. Ohio, indictment
    filed Apr. 28, 2004)
  • Defendant allegedly applied for 10 credit card
    accounts using the identifier information of
    another person, including her name, Social
    Security account number and date of birth,
    without authorization.
  • United States v. Christensen (D. Ariz., pleaded
    guilty Jan. 20, 2004)
  • Defendant used more than 50 different identities
    of others, typically prison inmates serving long
    sentences, to obtain more than $313,000 in
    student loans

24
Wire Fraud 18 U.S.C. 1343
  • Elements
  • Scheme or artifice to defraud or for obtaining
    money or property by means of false or fraudulent
    pretenses, representations, or promises
  • Transmits (or causes transmission of) by means of
    wire communication in interstate or foreign
    commerce
  • Writing, signs, signals, pictures, sounds for
    purpose of executing scheme or artifice

25
Wire Fraud 18 U.S.C. 1343
  • Penalties
  • Imprisonment (Maximum)
  • 30 years imprisonment if violation affects a
    financial institution (e.g., bank or savings and
    loan)
  • 20 years imprisonment in other cases
  • Fine: Maximum $250,000 for individuals
  • Forfeiture

26
Wire Fraud 18 U.S.C. 1343
  • Examples of Section 1343 Offenses
  • Initial e-mails to prospective victims
  • Victim responses to bogus website or window
  • Criminals' transmission of victims' personal and
    financial data to other computers across state or
    international borders

27
Mail Fraud 18 U.S.C. 1341
  • Elements
  • Scheme or artifice to defraud, or for obtaining
    money or property by means of false or fraudulent
    pretenses, representations, or promises
  • Placing in authorized depository for mail matter
    any matter or thing to be sent or delivered by
    U.S. Postal Service (or depositing anything to be
    sent or delivered by private or commercial
    interstate carrier), or receiving matter or thing
    from U.S. Postal Service or private or commercial
    interstate carrier
  • For purpose of executing such scheme or artifice
  • Note: Causing innocent intermediary or victim to
    use mail can constitute mail fraud

28
Mail Fraud 18 U.S.C. 1341
  • Penalties
  • Imprisonment (Maximum)
  • 30 years if violation affects a financial
    institution
  • 20 years in other cases
  • Fine
  • Maximum $250,000 for individuals
  • Forfeiture
  • Examples of Section 1341 Offenses
  • Criminals' mailing initial solicitation to
    prospective victims
  • Victims' mailing response or payment

29
Access Device Fraud 18 U.S.C. 1029
  • Elements, Section 1029(a)(2)
  • Knowingly and with intent to defraud traffics in
    or uses one or more unauthorized access devices
    (e.g., access devices obtained with intent to
    defraud) during any 1-year period
  • By such conduct obtains anything of value
    aggregating $1,000 or more during that period
  • Elements, Section 1029(a)(3)
  • Knowingly and with intent to defraud possesses 15
    or more unauthorized access devices

30
Access Device Fraud 18 U.S.C. 1029
  • Elements, Section 1029(a)(5)
  • Knowingly and with intent to defraud effects
    transactions with 1 or more access devices issued
    to another person or persons
  • To receive payment or any other thing of value
    during any 1-year period the aggregate value of
    which is equal to or greater than $1,000
  • Elements, Section 1029(a)(10)
  • Without authorization of credit card system or
    member or its agent
  • Knowingly and with intent to defraud causes or
    arranges for another person to present to member
    or its agent, for payment, 1 or more evidences or
    records of transactions made by an access device

31
Access Device Fraud 18 U.S.C. 1029
  • Penalties
  • Imprisonment (Maximum)
  • 10 years imprisonment for 1029(a)(2), (3)
  • 15 years imprisonment for 1029(a)(5), (10)
  • Fine: Maximum $250,000 for individuals
  • Forfeiture

32
Bank Fraud - 18 U.S.C. 1344
  • Elements
  • Knowingly executing, or attempting to execute
  • Scheme or artifice to defraud financial
    institution, or to obtain money, funds, etc.
    under financial institution's custody by means of
    false or fraudulent pretenses, representations,
    or promises
  • Penalties
  • Imprisonment (Maximum) - 30 years imprisonment
  • Fine: Maximum $250,000
  • Forfeiture
  • Examples of Section 1344 Offenses
  • United States v. Gebrezihir (S.D.N.Y. 2003)
  • United States v. Yip (S.D.N.Y. 2003)
  • Individuals stole identifying and other data from
    employer, then used data to open PayPal accounts
    and fund those accounts by direct transfers from
    victims' bank accounts

33
Computer Fraud and Abuse 18 U.S.C. 1030
  • Elements of Section 1030(a)(2)(C) Offense
  • Intentionally accessing computer without
    authorization or exceeding authorization, and
  • Thereby obtaining information from any protected
    computer if conduct involved interstate or
    foreign communication
  • Penalties
  • Imprisonment (Maximum)
  • Felony 5 years if offense or attempt to commit
    offense committed for private financial gain, in
    furtherance of any criminal or tortious act in
    violation of U.S. Constitution or U.S. federal or
    state law
  • Basic offense - 1 year for first offense or
    attempt
  • Fine
  • Examples
  • United States v. Kalin (D.N.J. 2003)

34
Computer Fraud and Abuse 18 U.S.C. 1030
  • Elements of Section 1030(a)(4) Offense
  • Knowingly and with intent to defraud accesses a
    protected computer without authorization, or
    exceeds authorized access
  • By means of such conduct furthers the intended
    fraud and obtains anything of value
  • Unless object of fraud and thing obtained
    consists only of use of computer and value of
    such use is not more than $5,000 in any 1-year
    period
  • Penalties
  • Imprisonment (Maximum)
  • 5 years for first offense or attempt, 10 years
    for subsequent
  • Fine
  • Forfeiture

35
Computer Fraud and Abuse 18 U.S.C. 1030
  • Examples of Section 1030(a)(4) Offense
  • Hacking into computer with Trojan horse and
    downloading numbers of credit-card or bank
    accounts, then debiting those accounts
  • Accessing company computer to cause unauthorized
    disbursals of stock to personal brokerage
    accounts: United States v. Osowski (N.D. Cal.
    2001)

36
CAN-SPAM 18 U.S.C. 1037
  • Elements of Section 1037 Offenses
  • Knowingly --
  • (1) accessing protected computer without
    authorization, and intentionally initiates
    transmission of multiple commercial e-mail
    messages from or through such computer,
  • (2) uses protected computer to relay or
    retransmit multiple commercial e-mail messages,
    with intent to deceive or mislead recipients, or
    any Internet access service, as to the origin of
    such messages,
  • (3) materially falsifies header information in
    multiple commercial e-mail messages and
    intentionally initiates transmission of such
    messages,
  • (4) registers, using information that materially
    falsifies identity of actual registrant, for 5 or
    more e-mail accounts or online user accounts or
    two or more domain names, and intentionally
    initiates transmission of multiple commercial
    e-mail messages from any combination of such
    accounts or domain names, or
  • (5) falsely represents oneself to be registrant
    or legitimate successor in interest to registrant
    of 5 or more Internet Protocol addresses, and
    intentionally initiates the transmission of
    multiple commercial electronic mail messages from
    such addresses
  • In or affecting interstate or foreign commerce

37
CAN-SPAM 18 U.S.C. 1037
  • Penalties
  • Imprisonment (Maximum)
  • 5 years if
  • Offense is committed in furtherance of any felony
    under the laws of the United States or of any
    State or
  • Defendant has previously been convicted under
    section 1037 or section 1030, or under the law of
    any State for conduct involving transmission of
    multiple commercial e-mail mail messages or
    unauthorized access to a computer system
  • Less in other circumstances for various section
    1037 offenses
  • Fine
  • Forfeiture

38
Identity Theft Penalty Enhancement Act 18
U.S.C. 1028A (July 15, 2004)
  • Aggravated Identity Theft
  • If individual knowingly transfers, possesses, or
    uses, without lawful authority, a means of
    identification of another person during and in
    relation to any felony enumerated in section
    1028A(c), two years imprisonment in addition to
    punishment provided for that underlying felony
  • Felonies include 18 U.S.C. 1028, 1029, 1030,
    1037, 1341, 1343, 1344
  • If individual does so during and in relation to
    terrorism-related felony, five years imprisonment
    in addition to punishment provided for that
    underlying felony
  • In either case, no probation for person convicted
    of section 1028A violation, and in general no
    concurrent sentencing for section 1028A violation
    and other violations

39
Identity Theft Penalty Enhancement Act 18
U.S.C. 1028A (July 15, 2004)
  • Amendments of Current 18 U.S.C. 1028(a)(7)
  • Section now covers knowing possession, without
    lawful authority, of another's means of
    identification, with requisite intent to commit
    an unlawful activity that constitutes federal
    offense or state or local felony
  • Section now covers knowing and unauthorized
    possession, transfer, or use of another's means
    of identification in connection with an unlawful
    activity that constitutes federal offense or
    state or local felony
  • Section now increases maximum term of
    imprisonment for basic felony under section
    1028(a)(7) from 3 to 5 years
  • Section now sets 25 years imprisonment as maximum
    for identity theft relating to domestic or
    international terrorism

40
Identity Theft Penalty Enhancement Act 18
U.S.C. 1028A (July 15, 2004)
  • Revision of Federal Sentencing Guidelines
  • Sentencing Commission is directed to review and
    amend Guidelines to ensure appropriate punishment
    for identity theft offenses involving an abuse of
    position

41
Law Enforcement Responses to Phishing

42
Federal Investigative Agencies Addressing Phishing
  • FBI
  • United States Secret Service
  • United States Postal Inspection Service
  • Social Security Administration Office of
    Inspector General

43
Phishing Complaint Reporting
  • FTC Identity Theft Data Clearinghouse
  • Internet Crime Complaint Center
  • Began as Internet Fraud Complaint Center in May
    2000
  • Joint project of FBI and National White Collar
    Crime Center
  • Receives online complaints from public, analyzes
    trends and patterns, and sends investigative
    packages to most relevant investigative field
    offices
  • http://www.ic3.gov

44
Enforcement Coordination on Phishing
  • Enforcement Takedowns and Sweeps
  • November 2003 Operation Cyber Sweep
  • Arrests or convictions of more than 125
    individuals, and return of more than 70
    indictments, for various internet fraud and other
    online economic crime offenses
  • Cases involved more than 125,000 victims with
    losses of more than $100 million
  • 34 U.S. Attorneys' Offices, FBI, Postal, FTC,
    Secret Service, Immigration and Customs
    Enforcement, state, local, and foreign law
    enforcement
  • Cooperation and collaboration with industry and
    foreign law enforcement agencies
  • Similar Operations
  • Operation E-Con (May 2003)
  • Identity Theft (May 2002)
  • Operation Cyber Loss (May 2001)

45
Enforcement Coordination on Phishing
  • Task Forces and Specialized Units
  • More than 40 FBI, Secret Service, and SSA-OIG
    task forces with focus on identity theft
  • U.S. Attorney Computer Hacking and Intellectual
    Property (CHIP) Units
  • Training
  • Joint training for federal prosecutors and agents
    on Internet fraud includes training on phishing
  • Interagency Working Groups
  • Telemarketing and Internet Fraud Working Group
  • Identity Theft Subcommittee of Attorney General's
    Council on White-Collar Crime

46
Prevention and Education on Phishing
  • FTC
  • Website on Identity Theft - www.consumer.gov/idtheft
  • Consumer Alert -
    http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm
  • U.S. Department of Justice
  • Website on Identity Theft and Fraud -
    www.usdoj.gov/criminal/fraud/idtheft.html
  • Special Report on Phishing -
    http://www.usdoj.gov/criminal/fraud/Phishing.pdf
  • United Kingdom
  • Government Website on Identity Theft -
    www.identity-theft.org.uk

47
Contact Data for Jonathan J. Rusch
  • E-Mail Jonathan.Rusch2@usdoj.gov
  • Fax 202-514-7021
  • Phone 202-514-0631
  • Mail Fraud Section, Criminal Division, U.S.
    Department of Justice, 10th Street and
    Constitution Avenue, N.W., Bond Building, Room
    4300, Washington, DC 20530