Phisher Guilty of $1.3 Million Scam

Bank of America, Chase Customers Targeted by Advanced Attack

May 8, 2012

Fraud experts are encouraged to see banks joining forces with law enforcement to fight cybercrime. But as online attackers become increasingly organized, financial institutions may find themselves fighting even tougher battles.


The latest win: In Georgia, a man has pleaded guilty for the role he played in a $1.3 million phishing scheme that targeted customers of Chase, Bank of America, ADP and Branch Bank & Trust.

Collaboration between the banks and the Federal Bureau of Investigation helped build a case against Waya Nwaki, a.k.a. Shawn Conley, who was arrested in December on charges of wire fraud conspiracy, wire fraud, aggravated identity theft, and conspiracy to gain unauthorized access to computers.

According to the indictment filed with the U.S. District Court in New Jersey, Nwaki and six co-conspirators between August 2000 and June 2010 worked across three continents to launch phishing attacks through spoofed websites designed to mimic banks and payroll processors such as ADP. When online users visited the spoofed pages, they were asked to provide confidential personal and financial information, such as dates of birth, Social Security numbers, mothers' maiden names, and online account user names and passwords.

Once the hackers obtained log-in credentials and answers to commonly asked security questions, they accessed online accounts to make unauthorized transfers to accounts they controlled and/or wired money overseas through money remittance providers such as Western Union and MoneyGram. They also viewed signatures on check images to help them forge checks and withdrawal slips, which they used to physically withdraw funds at bank branches with fake driver's licenses and IDs.

Each count to which Nwaki pleaded guilty carries a maximum sentence of 20 years in prison and a maximum fine of $250,000. Sentencing is set for Aug. 15, 2012.

Others named in the indictment include Karlis Karklins of Latvia; Charles Umeh Chidi of the United Kingdom; Alphonsus Osuala and Osarhieme Uyi Obaygbona of Atlanta; Marvin Dion Hill of College Park, Ga.; and Olani Yi Jones of Nigeria.

How Banks Helped

Because the banks and ADP experienced fraud linked to the same ring, the FBI and the U.S. Attorney's Office combined the attacks when bringing charges against the phishing perpetrators, rather than charging them on a case-by-case basis. The banks' timely communication with local and federal law enforcement about the schemes helped authorities link the attacks to the same ring.

Also, because BofA and Chase are top-tier banking institutions with accountholders spread throughout the United States, the U.S. Attorney's Office says it considered the case from a more national perspective, rather than regional or local, which aided in the prosecution.

Aite fraud analyst Shirley Inscoe says the case illustrates the challenge banks and credit unions face when it comes to the war on phishing - but also speaks to the power of their collaboration with law enforcement.

"This type of activity is very difficult for banks to detect and protect their clients against," she says.

"If each (bank) had looked at their losses individually, they would have probably been too low to have law enforcement assist them with the prosecution," Inscoe says. "With the activity crossing state lines and having a Nigerian connection, that helped the FBI elevate the priority of this case as well."

One Battle in Anti-Phishing War

This case highlights a common challenge facing banking institutions: Phishing.

According to BankInfoSecurity's 2012 Faces of Fraud survey, 50 percent of respondents say their institutions suffered from phishing-related fraud in 2011. It's the third most common form of fraud, behind payment card crimes and check fraud. Yet, when it comes to fighting these socially engineered schemes, only 28 percent say they feel adequately prepared to defend against these attacks.

Robert Siciliano, a McAfee consultant and ID theft expert, says until banks enhance online authentication practices and techniques, phishing attacks will continue to prove profitable for hackers.

Follow Tracy Kitten on Twitter: @FraudBlogger
