Phishing and Federal Law Enforcement
Jonathan J. Rusch
Special Counsel for Fraud Prevention
Fraud Section, Criminal Division
U.S. Department of Justice
Washington, DC
ABA Administrative Law and Regulatory Practice Section
Atlanta, Georgia
August 6, 2004
Overview
- A Definition and Principal Types of Phishing
- Statistics Relating to Phishing
- U.S. Enforcement Actions Against Phishers
- Other Nations’ Enforcement Actions Against Phishers
- U.S. Federal Criminal Statutes Applicable to Phishing
- Law Enforcement Resources
A Definition and Principal Types of Phishing
A Definition of Phishing
Any criminal scheme in which digital communications play a significant role in:
- acquiring multiple victims’ identifying or personal financial data by deception, and
- transferring or transmitting multiple victims’ data via the Internet for criminal use
Note: Analysis of phishing schemes should not focus on just one type (e.g., bogus e-mails)
Principal Types of Phishing
- Most Common: “Dragnet” Method
  - E-mails with falsified corporate identification, directing a large class of people to websites with similarly falsified identification
  - Specific prospective victims not identified in advance, but false information conveyed to trigger immediate victim response
- “Rod-and-Reel” Method
  - Targeted initial contacts with prospective victims
  - Specific prospective victims defined in advance, and false information conveyed to trigger responses
- “Lobsterpot” Method
  - Creation of websites similar to legitimate corporate websites that a narrowly defined class of victims is likely to seek out
  - Smaller class of prospective victims identified in advance, but no triggering of victim response
Statistics Relating to Phishing
Gartner Group (May 2004): direct financial losses from phishing attacks cost U.S. financial services firms about $1.2 billion in 2003
U.S. Enforcement Actions Against Phishers
Dragnet Phishing Cases
- United States v. Forcellina (D. Conn., sentenced Apr. 30 and June 18, 2004)
  - Husband, 23, accessed chat rooms and used a device to capture screen names of chat room participants; then sent e-mails pretending to be the ISP requiring correct billing information, including current credit-card number
  - Used credit-card numbers and other personal data to arrange for wire transfers of funds via Western Union, but had others pick up the funds from Western Union
  - Husband and wife pleaded guilty to conspiracy to commit access device fraud
  - Husband sentenced to 18 months imprisonment; wife sentenced to 6 months home confinement
Dragnet Phishing Cases
- United States v. Hill (S.D. Tex., sentenced May 2004); FTC v. Hill (S.D. Tex., preliminary injunction December 2003)
  - Defendant operated AOL and PayPal phishing scheme, used fraudulently obtained credit-card numbers to obtain goods and services costing more than $47,000
  - Defendant pleaded guilty in February 2004 to possession and use of access devices
  - Sentenced to 46 months imprisonment
Dragnet Phishing Cases
- United States v. Carr (E.D. Va. 2003)
  - Helen Carr, 55, of Akron, Ohio, sent fake e-mail messages to AOL customers in the United States and several foreign countries
  - Customers advised that they must update their credit card/personal information on file with AOL to maintain their accounts
  - Guilty plea October 2003 to conspiracy to possess unauthorized access devices
  - Sentenced in January 2004 to 46 months imprisonment
  - George Patterson, a co-conspirator, previously pleaded guilty to the same charge and was sentenced in July 2003 to 37 months imprisonment
Dragnet Phishing Cases
- United States v. Guevara (W.D. Wash. 2003)
  - Matthew Guevara, 21, of Chicago, Illinois, created false e-mail accounts with Hotmail and an unauthorized website with the address www.msnbilling.com through Yahoo!
  - Then sent MSN customers e-mail messages, purporting to come from MSN, that directed customers to the fraudulent www.msnbilling.com website and asked them to verify their accounts by providing name, MSN account, and credit card data
  - Website automatically forwarded each customer’s data to one of Guevara's false Hotmail accounts; Guevara used stolen credit card information himself and provided it to another person as well
  - Guilty plea in September 2003 to wire fraud
  - Sentenced January 2004 to 5 years probation, 6 months home confinement
Dragnet Phishing Cases
- FTC v. ___ (C.D. Cal. 2003)
  - Juvenile sent e-mails to consumers saying they needed to update AOL account information or risk losing their access. The e-mails sent recipients to a site that looked authentic but asked for detailed personal and financial information. The youth used the information to buy things online, open PayPal accounts, and open AOL accounts to send more junk e-mail
  - Juvenile agreed to pay $3,500 to settle FTC charges
  - Cooperation between FTC, DOJ Computer Crime and Intellectual Property Section, FBI, U.S. Attorney for Eastern Virginia, Postal Inspection Service, and Los Angeles County District Attorney’s Office
Rod-and-Reel Phishing Cases
- United States v. Gebrezihir (S.D.N.Y. 2003)
  - Isaac Gebrezihir allegedly involved with scheme to send phony letters on bank letterhead, along with altered or counterfeit IRS forms, to victims, generally foreign nationals living abroad with bank accounts in the United States
  - Some of the altered or counterfeit forms appear similar to actual IRS forms that are sent to non-resident aliens who maintain accounts at U.S. banks
  - Fraudulent IRS forms all require personal information concerning the victim and the victim’s bank account
  - Fraudulent bank letter instructs the victim to fill out the fraudulent IRS form and then fax the completed form, ostensibly to the IRS or to the bank
  - Fax numbers provided to the victims are Internet-based fax numbers that convert all incoming faxes to e-mail attachments and then forward the attachments to free e-mail accounts
  - Wire transfer instructions then sent to banks and, in many instances, large amounts of money are transferred from victims’ accounts, usually to overseas accounts
  - Overall investigation has identified more than $700,000 in losses
  - Indicted Nov. 2003
Rod-and-Reel Phishing Cases
- Romanian Arrest (2003)
  - Romanian General Directorate for Combating Organized Crime, in cooperation with the Secret Service, arrested a subject in Alba Julia, Romania
  - Individual forwarded spoofed e-mails resembling the actual auction webpage to the attention of unsuccessful bidders in an online auction
  - On the spoofed page, the subject advised victims of the availability of a similar item for a better price; upon visiting the "sale" page, victims were asked for personal information including their name, bank account numbers and passwords
  - Victims then advised that they "won" the spoofed auction and agreed to send money to the subject through a spoofed escrow site created by the subject
  - Scheme resulted in nearly $500,000 in on-line losses
Lobsterpot Phishing Case
- United States v. Kalin (D.N.J., Nov. 2003)
  - Shawn Kalin of Las Vegas, Nevada, allegedly registered four websites with domain names deceptively similar to the website operated by DealerTrack, Inc.
  - DealerTrack provides services via the Internet to auto dealerships located throughout the United States, including dealers’ ordering credit reports on prospective automobile buyers
  - Because Kalin’s websites were designed to be almost identical to the main page of www.dealertrack.com, Kalin allegedly got a number of dealership employees mistakenly to enter usernames and passwords at his sites
  - Could then get unauthorized access to DealerTrack for personal data
  - Kalin charged in criminal complaint Nov. 2003
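As an added illustration, not part of the presentation, of the lookalike-domain pattern behind the lobsterpot method and the Kalin case above, the following Python flags hostnames deceptively similar to a watch list of legitimate domains. The watch list, the substitution table and the distance thresholds are assumptions; the only hostnames taken from the talk are www.dealertrack.com and www.msnbilling.com.

```python
from typing import Optional, Tuple

# Constructed watch list of legitimate domains for brands named in the talk
# (DealerTrack, AOL, PayPal, MSN); a real deployment would load its own list.
PROTECTED = ["dealertrack.com", "aol.com", "paypal.com", "msn.com"]

# Assumed substitution table: characters and digraphs that imitate a brand name.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registrable(host: str) -> str:
    """Lowercase host reduced to its last two labels (simplification: no co.uk handling)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def brand(domain: str) -> str:
    """The label to the left of the TLD, e.g. 'dealertrack' for www.dealertrack.com."""
    return registrable(domain).split(".")[0]


def normalize(label: str) -> str:
    """Undo look-alike substitutions and strip hyphens before comparing brand labels."""
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two labels (standard two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> Optional[Tuple[str, str]]:
    """Return (reason, protected_domain) when host resembles a watch-listed brand, else None."""
    # Checks run from strongest to weakest signal; an exact match is reported as
    # 'legitimate' so the real site is never mistaken for an imitation.
    dom = registrable(host)
    cand = brand(dom)
    for legit in PROTECTED:
        lb = brand(legit)
        if dom == legit:
            return ("legitimate", legit)
        if lb in cand:  # brand embedded in a longer label, e.g. msnbilling.com
            return ("brand embedded", legit)  # noisy for short brands: review, do not block
        if normalize(cand) == lb:  # e.g. dea1ertrack.com
            return ("homoglyph", legit)
        # Short brands tolerate one edit, longer ones two; thresholds are assumptions.
        if levenshtein(cand, lb) <= (1 if len(lb) <= 5 else 2):
            return ("near-miss spelling", legit)
    return None


if __name__ == "__main__":
    # Constructed sample hosts: msnbilling.com is from the talk, the rest are invented.
    for h in ["www.dealertrack.com", "www.msnbilling.com", "dea1ertrack.com",
              "dealertrak.com", "example.org"]:
        print(h, "->", classify(h))
```

The substring and edit-distance checks are screening heuristics for triage of newly registered or newly observed domains, not a block list; hits still need human review.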
Other Nations’ Enforcement Actions Against Phishers
United Kingdom
- April 2004: National High-Tech Crime Unit (NHTCU) arrests 21-year-old British national for “copycat” phishing scheme involving online bank
  - Reportedly first in United Kingdom
- May 2004: NHTCU arrests 12 Eastern European nationals suspected of laundering money from “phished” bank accounts
Australia
- April 2004: Australian Federal Police reportedly seeking cooperation from French authorities to shut down domain name associated with large-scale phishing scheme
U.S. Federal Criminal Statutes Applicable to Phishing
Identity Theft – 18 U.S.C. 1028(a)(7)
Elements
- Knowingly using or transferring
- Another (real) person’s “means of identification”
  - “Means” includes name, SSN, DOB, driver’s license, passport number; unique biometric data; unique EIN, address, or routing code; or access device (e.g., credit-card or financial account number)
- With intent to commit/aid or abet any unlawful activity that constitutes a federal violation or state or local felony
Identity Theft – 18 U.S.C. 1028(a)(7)
Penalties
- Imprisonment (Maximum)
  - Fraud-Related Violation - 15 years imprisonment if, as a result of the offense, any individual committing the offense obtains anything of value aggregating $1,000 or more during any 1-year period
  - Basic Violation - 3 years imprisonment
- Fine – Maximum $250,000 for individuals
- Forfeiture - Any personal property used or intended to be used to commit the offense
Identity Theft – 18 U.S.C. 1028(a)(7)
- Examples of Section 1028(a)(7) Offenses
  - United States v. Butcher (N.D. Ohio, indictment filed Apr. 28, 2004)
    - Defendant allegedly applied for 10 credit card accounts using the identifier information of another person, including her name, Social Security account number and date of birth, without authorization
  - United States v. Christensen (D. Ariz., pleaded guilty Jan. 20, 2004)
    - Defendant used more than 50 different identities of others – typically prison inmates serving long sentences – to obtain more than $313,000 in student loans
Wire Fraud – 18 U.S.C. 1343
Elements
- Scheme or artifice to defraud or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises
- Transmits (or causes transmission of) by means of wire communication in interstate or foreign commerce
- Writings, signs, signals, pictures, or sounds for the purpose of executing the scheme or artifice
Wire Fraud – 18 U.S.C. 1343
Penalties
- Imprisonment (Maximum)
  - 30 years imprisonment if violation affects a financial institution (e.g., bank or savings and loan)
  - 20 years imprisonment in other cases
- Fine – Maximum $250,000 for individuals
- Forfeiture
Wire Fraud – 18 U.S.C. 1343
Examples of Section 1343 Offenses
- Initial e-mails to prospective victims
- Victim responses to bogus website or window
- Criminal’s transmission of victim’s personal and financial data to other computers across state or international borders
Mail Fraud – 18 U.S.C. 1341
- Elements
  - Scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises
  - Placing in authorized depository for mail matter any matter or thing to be sent or delivered by U.S. Postal Service (or depositing anything to be sent or delivered by private or commercial interstate carrier), or receiving matter or thing from U.S. Postal Service or private or commercial interstate carrier
  - For purpose of executing such scheme or artifice
- Note: Causing innocent intermediary or victim to use mail can constitute mail fraud
Mail Fraud – 18 U.S.C. 1341
- Penalties
  - Imprisonment (Maximum)
    - 30 years if violation affects financial institution
    - 20 years in other cases
  - Fine
    - Maximum $250,000 for individuals
  - Forfeiture
- Examples of Section 1341 Offenses
  - Criminal’s mailing initial solicitation to prospective victims
  - Victim’s mailing response or payment
Access Device Fraud – 18 U.S.C. 1029
Elements – Section 1029(a)(2)
- Knowingly and with intent to defraud traffics in or uses one or more unauthorized access devices (e.g., access devices obtained with intent to defraud) during any 1-year period
- By such conduct obtains anything of value aggregating $1,000 or more during that period
Elements – Section 1029(a)(3)
- Knowingly and with intent to defraud possesses 15 or more unauthorized access devices
Access Device Fraud – 18 U.S.C. 1029
- Elements – Section 1029(a)(5)
  - Knowingly and with intent to defraud effects transactions with 1 or more access devices issued to another person or persons
  - To receive payment or any other thing of value during any 1-year period the aggregate value of which is equal to or greater than $1,000
- Elements – Section 1029(a)(10)
  - Without authorization of credit card system or member or its agent
  - Knowingly and with intent to defraud causes or arranges for another person to present to member or its agent, for payment, 1 or more evidences or records of transactions made by an access device
Access Device Fraud – 18 U.S.C. 1029
Penalties
- Imprisonment (Maximum)
  - 10 years imprisonment for 1029(a)(2), (3)
  - 15 years imprisonment for 1029(a)(5), (10)
- Fine – Maximum $250,000 for individuals
- Forfeiture
Bank Fraud - 18 U.S.C. 1344
- Elements
  - Knowingly executing, or attempting to execute
  - Scheme or artifice to defraud financial institution, or to obtain money, funds, etc. under financial institution’s custody by means of false or fraudulent pretenses, representations, or promises
- Penalties
  - Imprisonment (Maximum) - 30 years imprisonment
  - Fine – Maximum $250,000
  - Forfeiture
- Examples of Section 1344 Offenses
  - United States v. Gebrezihir (S.D.N.Y. 2003)
  - United States v. Yip (S.D.N.Y. 2003)
    - Individuals stole identifying and other data from employer, then used data to open PayPal accounts and fund those accounts by direct transfers from victims’ bank accounts
Computer Fraud and Abuse – 18 U.S.C. 1030
- Elements of Section 1030(a)(2)(C) Offense
  - Intentionally accessing computer without authorization or exceeding authorization, and
  - Thereby obtaining information from any protected computer if conduct involved interstate or foreign communication
- Penalties
  - Imprisonment (Maximum)
    - Felony – 5 years if offense or attempt to commit offense committed for private financial gain, in furtherance of any criminal or tortious act in violation of U.S. Constitution or U.S. federal or state law
    - Basic offense - 1 year for first offense or attempt
  - Fine
- Examples
  - United States v. Kalin (D.N.J. 2003)
Computer Fraud and Abuse – 18 U.S.C. 1030
- Elements of Section 1030(a)(4) Offense
  - Knowingly and with intent to defraud accesses a protected computer without authorization, or exceeds authorized access
  - By means of such conduct furthers the intended fraud and obtains anything of value
    - Unless object of fraud and thing obtained consists only of use of computer and value of such use is not more than $5,000 in any 1-year period
- Penalties
  - Imprisonment (Maximum)
    - 5 years for first offense or attempt, 10 years for subsequent
  - Fine
  - Forfeiture
Computer Fraud and Abuse – 18 U.S.C. 1030
Examples of Section 1030(a)(4) Offense
- Hacking into computer with Trojan horse and downloading numbers of credit-card or bank accounts, then debiting those accounts
- Accessing company computer to cause unauthorized disbursals of stock to personal brokerage accounts [United States v. Osowski (N.D. Cal. 2001)]
CAN-SPAM – 18 U.S.C. 1037
- Elements of Section 1037 Offenses
  - Knowingly:
    (1) accesses protected computer without authorization, and intentionally initiates transmission of multiple commercial e-mail messages from or through such computer,
    (2) uses protected computer to relay or retransmit multiple commercial e-mail messages, with intent to deceive or mislead recipients, or any Internet access service, as to the origin of such messages,
    (3) materially falsifies header information in multiple commercial e-mail messages and intentionally initiates transmission of such messages,
    (4) registers, using information that materially falsifies identity of actual registrant, for 5 or more e-mail accounts or online user accounts or two or more domain names, and intentionally initiates transmission of multiple commercial e-mail messages from any combination of such accounts or domain names, or
    (5) falsely represents oneself to be registrant or legitimate successor in interest to registrant of 5 or more Internet Protocol addresses, and intentionally initiates the transmission of multiple commercial e-mail messages from such addresses
  - In or affecting interstate or foreign commerce
CAN-SPAM – 18 U.S.C. 1037
- Penalties
  - Imprisonment (Maximum)
    - 5 years if:
      - Offense is committed in furtherance of any felony under the laws of the United States or of any State; or
      - Defendant has previously been convicted under section 1037 or section 1030, or under the law of any State for conduct involving transmission of multiple commercial e-mail messages or unauthorized access to a computer system
    - Less in other circumstances for various section 1037 offenses
  - Fine
  - Forfeiture
Identity Theft Penalty Enhancement Act – 18 U.S.C. 1028A (July 15, 2004)
- Aggravated Identity Theft
  - If individual knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person during and in relation to any felony enumerated in section 1028A(c), two years imprisonment in addition to punishment provided for that underlying felony
    - Felonies include 18 U.S.C. 1028, 1029, 1030, 1037, 1341, 1343, 1344
  - If individual does so during and in relation to terrorism-related felony, five years imprisonment in addition to punishment provided for that underlying felony
  - In either case, no probation for person convicted of section 1028A violation, and in general no concurrent sentencing for section 1028A violation and other violations
Identity Theft Penalty Enhancement Act – 18 U.S.C. 1028A (July 15, 2004)
- Amendments of Current 18 U.S.C. 1028(a)(7)
  - Section now covers knowing possession, without lawful authority, of another’s means of identification, with requisite intent to commit an unlawful activity that constitutes federal offense or state or local felony
  - Section now covers knowing and unauthorized possession, transfer, or use of another’s means of identification in connection with an unlawful activity that constitutes federal offense or state or local felony
  - Section now increases maximum term of imprisonment for basic felony under section 1028(a)(7) from 3 to 5 years
  - Section now sets 25 years imprisonment as maximum for identity theft relating to domestic or international terrorism
Identity Theft Penalty Enhancement Act – 18 U.S.C. 1028A (July 15, 2004)
Revision of Federal Sentencing Guidelines
- Sentencing Commission is directed to review and amend Guidelines to ensure appropriate punishment for identity theft offenses involving an abuse of position
Law Enforcement Responses to Phishing
Federal Investigative Agencies Addressing Phishing
- FBI
- United States Secret Service
- United States Postal Inspection Service
- Social Security Administration Office of Inspector General
Phishing Complaint Reporting
- FTC Identity Theft Data Clearinghouse
- Internet Crime Complaint Center
  - Began as Internet Fraud Complaint Center in May 2000
  - Joint project of FBI and National White Collar Crime Center
  - Receives online complaints from public, analyzes trends and patterns, and sends investigative “packages” to most relevant investigative field offices
  - http://www.ic3.gov
Enforcement Coordination on Phishing
- Enforcement “Takedowns” and “Sweeps”
  - November 2003 – Operation Cyber Sweep
    - Arrests or convictions of more than 125 individuals, and return of more than 70 indictments, for various Internet fraud and other online economic crime offenses
    - Cases involved more than 125,000 victims with losses of more than $100 million
    - 34 U.S. Attorneys Offices, FBI, Postal, FTC, Secret Service, Immigration and Customs Enforcement, state, local, and foreign law enforcement
    - Cooperation and collaboration with industry and foreign law enforcement agencies
  - Similar Operations
    - Operation E-Con – May 2003
    - Identity Theft – May 2002
    - Operation Cyber Loss – May 2001
Enforcement Coordination on Phishing
- Task Forces and Specialized Units
  - More than 40 FBI, Secret Service, and SSA-OIG task forces with focus on identity theft
  - U.S. Attorney Computer Hacking and Intellectual Property (CHIP) Units
- Training
  - Joint training for federal prosecutors and agents on Internet fraud includes training on phishing
- Interagency Working Groups
  - Telemarketing and Internet Fraud Working Group
  - Identity Theft Subcommittee of Attorney General’s Council on White-Collar Crime
Prevention and Education on Phishing
- FTC
  - Website on Identity Theft – www.consumer.gov/idtheft
  - Consumer Alert – http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm
- U.S. Department of Justice
  - Website on Identity Theft and Fraud – www.usdoj.gov/criminal/fraud/idtheft.html
  - Special Report on Phishing – http://www.usdoj.gov/criminal/fraud/Phishing.pdf
- United Kingdom
  - Government Website on Identity Theft - www.identitytheft.org.uk
Contact Data for Jonathan J. Rusch
E-Mail: [email protected]
Fax: 202-514-7021
Phone: 202-514-0631
Mail: Fraud Section, Criminal Division, U.S. Department of Justice, 10th Street and Constitution Avenue, N.W., Bond Building, Room 4300, Washington, DC 20530