
News conference with Keith Bolcar, acting Assistant Director FBI-Los Angeles, announcing the arrests in largest identity theft ring sting, Wednesday Oct. 7, 2009. (AP Photo/Nick Ut)

October is Cyber Awareness Month, meant to recognize our responsibility to practice safe computing and surfing techniques and to protect ourselves and our families at home, at work and at school.
On October 7, the FBI announced perhaps the largest cyber crime sting, Operation Phish Phry, in which 100 people in the United States and Egypt were indicted. The 51-count indictment accuses the defendants of aggravated identity theft, conspiracy to commit wire fraud and bank fraud, conspiracy to commit computer fraud, and domestic and international money laundering. Several charges carry maximum penalties of 20 or more years. Some defendants face multiple charges whose penalties are cumulative.
The US/Egyptian identity theft and fraud ring allegedly operated a scheme to steal identities, including financial account numbers and passwords, to fraudulently access accounts at two American banks, Bank of America and Wells Fargo, and to transfer funds to other fraudulent accounts.
To steal identities, the ring used a common technique known as phishing, a type of social engineering. Victims of the phishing scam receive “official-looking” emails that appear to originate from a financial institution. The emails often include corporate logos that give them a realistic appearance. Millions of phish emails are sent, and some are received by people who have accounts with the financial institution that the fraudulent email targets. Some of those account holders, the victims, fall for the bait.
The bait email appeals to the victim to log into their account by clicking on a link. “Calls to action” vary. An example is a phish email stating that if the customer does not log into his or her account within 24 hours to verify the account details, the bank will close down the online account. When the victim clicks on the link, one of two approaches is used. The first connects the victim to a spoof website. The home page of the fraudulent website looks exactly like the home page of the authentic financial institution that is targeted.
I have compared spoof website home pages to the authentic bank website home pages. They are exactly the same.
Once the victim logs into the spoof home page with a login name, password and other authentication information, the thieves capture the login information. Now the thieves have access to the account.
The second approach is that clicking the link downloads keylogger spyware and directs the victim to the authentic website of the bank. Now the keylogger does the work by recording the keystrokes that the victim uses to log into their account, including the keystrokes they use to answer any challenge questions. The keylogger spyware then transmits the keystrokes to the thieves.
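Because a spoof page can look identical to the real one, the link's hostname and the email's pressure wording are what a mail filter can actually check. The sketch below is an added example, not part of the original article: the allow-listed bank domains, the urgency phrases and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains the two banks named above use for online banking.
LEGIT_DOMAINS = {"bankofamerica.com", "wellsfargo.com"}
# Pressure wording like the article's example (deadline, account closure).
URGENCY = re.compile(r"within \d+ hours|close (down )?your|verify your account", re.I)

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def on_legit_domain(host):
    """True only if host is a listed domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def triage(raw_email):
    """Return findings for one single-part HTML message (raw RFC 5322 text)."""
    body = message_from_string(raw_email).get_payload()
    collector = LinkCollector()
    collector.feed(body)
    findings = [f"link leaves the bank's domain: {urlsplit(h).hostname}"
                for h in collector.hrefs
                if not on_legit_domain(urlsplit(h).hostname)]
    if URGENCY.search(body):
        findings.append("urgent call to action")
    return findings

# Constructed sample: the bank's name leads the hostname, but the registered
# domain is account-verify.example, not the bank's.
SAMPLE = """From: "Bank of America" <alerts@bankofamerica.com.account-verify.example>
Subject: Action required
Content-Type: text/html

<p>Log in within 24 hours to verify your account details or we will
close down your online account.</p>
<a href="http://bankofamerica.com.account-verify.example/login">Sign in</a>
"""

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

The suffix match requires a leading dot, so a hostname that merely contains or ends with the bank's name without being a subdomain of it is still flagged.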
Hundreds, if not thousands, of Bank of America and Wells Fargo customers were inconvenienced by the scam. Operation Phish Phry began in 2007 and involved the cooperation of several local and national law enforcement agencies, as well as cooperation with Egyptian law enforcement authorities.