Operation Phish Phry hooks 100 in U.S. and Egypt
Investigation called largest cybercrime probe in U.S., leading to most arrests in a single case
Computerworld - More than 50 people in Southern California, Las Vegas and Charlotte, N.C., were indicted by a grand jury in Los Angeles for scheming to steal bank account information from thousands of people in the U.S. using phishing techniques.
U.S. authorities today arrested 33 of those named in the indictments and are on the lookout for the other 20.
In addition, authorities in Egypt charged another 47 co-conspirators in connection with the same scheme, bringing the total number of people charged to 100 -- the largest number of defendants ever charged for the same cybercrime, according to the FBI.
The indictments stem from a two-year operation dubbed "Phish Phry," which involved the FBI, the U.S. Attorney's Office, the Electronic Crimes Task Force in Los Angeles and Egyptian law enforcement authorities.
The arrests were announced in Los Angeles by Keith Bolcar, acting assistant director in charge of the FBI in Los Angeles, George Cardona, acting U.S. Attorney in Los Angeles, and Egyptian law enforcement authorities.
The 51-count indictment, which was unsealed today, accused all of the defendants with conspiracy to commit wire fraud and bank fraud. Some of those named were also charged with aggravated identity theft, unauthorized access to protected computers and money laundering.
Phishing is a form of social engineering in which attackers send e-mails made to look like legitimate correspondence from reputable institutions such as banks. Victims are directed to Web sites that look authentic but are actually fakes. Once there, they are asked to enter information that can later be used to break into accounts or to commit identity theft.
According to the indictment, hackers in Egypt used phishing techniques to obtain bank account numbers and related personal data from thousands of bank customers in the U.S. The information was then used to break into customer accounts at two U.S. banks, Bank of America and Wells Fargo.
The Egyptian hackers then recruited individuals in the U.S. to help transfer funds from the compromised accounts to newly created accounts. The U.S. part of the crime ring was allegedly managed by Kenneth Lucas, Nichole Merzi and Jonathan Clark, all of whom are residents of California, the FBI said in statement.
The three individuals are alleged to have directed associates to recruit "runners" to establish bank accounts to which funds stolen from the compromised accounts could be transferred. A portion of the funds was wired to the conspirators in Egypt.
The alleged conspirators typically withdrew amounts ranging from a few hundred dollars to more than $2,000 from compromised bank accounts and then transferred the money into the new accounts.
"The sophistication with which Phish Phry defendants operated represents an evolving and troubling paradigm in the way identity theft is now committed," Bolcar said in a statement. The operations of the group had a significant impact on the operations of two banks and caused "huge headaches" for the victims, the statement added.
All of the individuals charged in the U.S face prison terms of up to 20 years if they are convicted.
John Harrison, a group product manager for security vendor Symantec Corp. said the arrests highlight the truly global nature of phishing operations. Despite heightened awareness of the problem, phishing schemes continue to thrive on the Internet, he said.
Last year, Symantec counted more than 55,000 phishing sites. That figure represented an increase of more than 60% from 2007 levels, Harrison said. The growing availability of sophisticated phishing tool kits is adding to the problem by making it much simpler for would-be phishers to create spoofed Web sites that can be used to trick victims into parting with confidential information, he said.
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts