The US and Egyptian authorities have busted a huge phishing operation, charging 100 people with illegally obtaining personal bank account information from Bank of America and Wells Fargo customers and stealing money from their accounts.
In the US, more than 50 people in Southern California, Las Vegas and North Carolina were indicted by a grand jury in Los Angeles for scheming to steal bank account information from thousands of people in the US using phishing techniques.
US authorities today arrested 33 of those named in the indictments and are on the lookout for the other 20.
In addition, authorities in Egypt charged another 47 co-conspirators in connection with the same scheme, bringing the total number of people charged to 100 - the largest number of defendants ever charged for the same cybercrime, according to the FBI.
The indictments stem from a two-year operation dubbed "Operation Phish Phry," which involved the FBI, the US Attorney's Office, the Electronic Crimes Task Force in Los Angeles and Egyptian law enforcement authorities.
FBI officials called the operation the largest cybercrime investigation in the US. The arrests were announced in Los Angeles by Keith Bolcar, acting assistant director in charge of the FBI in Los Angeles, George Cardona, acting US Attorney in Los Angeles, and Egyptian law enforcement authorities.
The 51-count indictment, which was unsealed today, accused all of the defendants with conspiracy to commit wire fraud and bank fraud. Some of those named were also charged with aggravated identity theft, unauthorised access to protected computers and money laundering.
Phishing is a form of social engineering where attackers send emails made to look like legitimate correspondence from reputable institutions such as banks. Victims are directed to websites that look authentic but are actually fakes. Once there, they are asked to enter information that can later be used to break into accounts or to commit identity theft.
According to the indictment, hackers in Egypt used phishing techniques to obtain bank account numbers and related personal data from thousands of bank customers in the US. The information was then used to break into customer accounts at two US banks, Bank of America and Wells Fargo.
The Egyptian hackers then recruited individuals in the US to help transfer funds from the compromised accounts to newly created accounts. The US part of the crime ring was allegedly managed by Kenneth Lucas, Nichole Merzi and Jonathan Clark, all of whom are residents of California, the FBI said in statement.
The three individuals are alleged to have directed associates to recruit "runners" to establish bank accounts to which funds stolen from the compromised accounts could be transferred. A portion of the funds was wired to the conspirators in Egypt.
The alleged conspirators typically withdrew amounts ranging from a few hundred dollars to more than $2,000 from compromised bank accounts and then transferred the money into the new accounts.
"The sophistication with which Phish Phry defendants operated represents an evolving and troubling paradigm in the way identity theft is now committed," Bolcar said in a statement. The operations of the group had a significant impact on the operations of two banks and caused "huge headaches" for the victims, the statement added.
All of the individuals charged in the US face prison terms of up to 20 years if they are convicted.
John Harrison, a group product manager for security vendor Symantec Corp. said the arrests highlight the truly global nature of phishing operations. Despite heightened awareness of the problem, phishing schemes continue to thrive on the Internet, he said.
Last year, Symantec counted more than 55,000 phishing sites. That figure represented an increase of more than 60% from 2007 levels, Harrison said. The growing availability of sophisticated phishing tool kits is adding to the problem by making it much simpler for would-be phishers to create spoofed websites that can be used to trick victims into parting with confidential information, he said.