The FBI, depending on the news story you read, either “netted,” “snared,” “hooked,” “reeled in” or “lured” a huge number of cybercriminals in a massive phishing investigation. We’ll resist the temptation to add to the trend by referring to the FBI as “fishing for phishers,” although we may reserve the right to wonder aloud at “the one that got away.”
This week, the FBI announced that a multinational investigation, conducted both in the US and Egypt, resulted in 53 defendants being indicted in the US, and 47 more charged in Egypt, for an even hundred, which according to Computerworld, is the largest number of people ever charged with the same cybercrime. Looks like they “bagged their limit.” Of the 53 US defendants, 33 have already been arrested.
The joint investigation actually got underway in 2007, when FBI agents went to work with banks to “identify and disrupt” criminal phishing rings that targeted the financial services industry. During the course of the investigation, information gleaned by the FBI led them to enter into a joint agreement with Egyptian authorities, when it quickly became clear that the scope of the criminal enterprise was international.
According to court records, hackers in Egypt were able to use phishing techniques to obtain bank account numbers and other personal information from banking customers. The phishing techniques weren’t anything new—it simply involved the old tried and true method of an email message that was disguised to appear as though it was from a bank or credit card company, asking people to click on a link or log onto a phony web page and enter their account details. Members of the criminal enterprise then were able to hack into accounts and transfer funds online. It was apparently quite a sophisticated operation, and included “runners” who set up bank accounts in banks to hold the stolen money, and allow it to be easily withdrawn. The US-based conspirators then wire transferred a portion of the ill-gotten gains to their Egyptian counterparts as payment.
On the US side, each defendant was charged with conspiracy to commit bank fraud and wire fraud, and will face a maximum penalty of 20 years.
Kudos to the US and Egyptian authorities for their work on this one. Ultimately though, removing this one particular crime ring certainly won’t be fishing out the stream any time soon, and phishing is still going strong. We still need to be on guard, and there are still something along the lines of 50,000 phishing web sites, and those are just the ones that have been detected by the Anti-Phishing Working Group.