Four more U.S. residents accused of using stolen data to take millions from bank accounts

Federal authorities say they have taken another step toward busting a multinational identity theft ring that is alleged to have used stolen personal data to withdraw millions of dollars from home equity line-of-credit accounts at dozens of financial institutions in the U.S., including some of the country's largest banks.

Four individuals were arrested last week in connection with the alleged scheme, which has resulted in more than $2.5 million being stolen from the affected financial institutions, according to law enforcement officials. Another $4 million worth of attempted withdrawals by the gang were unsuccessful, the U.S. attorney's office in New Jersey said in announcing the arrests last Wednesday.

Court documents filed in connection with the case described an operation that appears to have been highly sophisticated and global in nature. The identity theft gang operates in the U.S. as well as the U.K., Canada, China, Japan, Vietnam, South Korea and several other countries, the court documents said.

Four other men already were charged with participating in the scheme after being arrested between August and October. The additional suspects arrested last week were identified as Derrick Polk, 45, of Los Angeles; Oludola Akinmola, 37, and Oladeji Craig, 39, both of Brooklyn, N.Y.; and Oluwajide Ogunbiyi, 32, of Springfield, Ill. Each was charged with three felony counts, including wire fraud and gaining unauthorized access to computers. If convicted, they face a maximum of 50 years in prison and fines of $1.5 million.

Officials at the U.S. attorney's office, which is located in Newark, didn't respond by publication time to requests for comment about the latest arrests.

According to the charging papers, the scheme involved the theft of money from home equity accounts by cybercrooks who used the personal data of legitimate customers to access their accounts online. The documents said that accounts were compromised at Citibank, JPMorgan Chase, Wachovia, Bank of America and "dozens" of other banks and credit unions, including the Navy Federal Credit Union, U.S. Senate Federal Credit Union and State Department Federal Credit Union.

The alleged perpetrators obtained confidential information belonging to thousands of customers of the various banks from co-conspirators based both in the U.S. and overseas, the court documents said. They also appear to have harvested much of the personal data and even samples of people's signatures from publicly available databases and from public records posted on government Web sites, including copies of property deeds and mortgage documents.

The information stolen by the gang included full names, birth dates, Social Security numbers and bank account numbers, balances and withdrawal limits, as well as online usernames, passwords and account security questions, the court documents said. The papers added that in cases where the alleged cybercrooks didn't have all the information about a person that was needed to carry out a fraudulent transaction, they would call the relevant bank and use social engineering tactics to gather additional data.

They then allegedly used the information to pose as legitimate customers and ask for large portions of the available funds in home equity accounts to be wired to bank accounts controlled by the group or their co-conspirators. The court documents said that the wire transfer requests were made via phone with Caller ID services blocked, or through faxes with forged signatures on them, or by accessing accounts online and initiating the transfers electronically.

To circumvent the usual practice of banks calling customers to authenticate transfer requests, the gang in some cases allegedly contacted bank workers before submitting requests and persuaded them to change the telephone numbers listed in the files of account holders to ones used by the crooks. In other instances, the gang would report a fake technical problem to an account holder's phone company and ask it to forward all incoming calls to a different number, the court documents said. In addition, the alleged crooks often managed to convince banks, credit unions and credit card companies to change the mailing addresses of customers.

The charging documents provided an example of an individual, identified only by the initials J.C., whose home equity account at a bank in Florida was depleted by about $250,000 in April through the use of such methods. The fraud, in which the money allegedly was wired to a bank account in Chicago, wasn't discovered until more than two weeks after it took place, when the real J.C. called his bank to report that he had received a statement for a transaction he didn't make.

FBI wiretaps of phone conversations between alleged members of the gang show that they planned each fraudulent transaction meticulously and possessed a vast amount of knowledge about each victim beforehand, the court filings said. To try to avoid detection, the gang allegedly used wireless cards to access e-mail accounts from their cell phones, which they also used to transmit and receive stolen data. In addition, they made use of unsecured Wi-Fi signals belonging to unsuspecting third parties to access their e-mail accounts, according to the court documents.

The alleged illegal activities highlight the increasing sophistication of cybercriminals, a development that security vendors and analysts have been warning about for some time now. For instance, a report released last month by Symantec Corp. described in detail what the security software vendor defines as a "self-sustaining" underground marketplace populated by cybercrooks.

One of the findings in the report is that information related to financial accounts — including bank, online stock trading and currency transfer accounts — is the second most common category of goods and services being offered for sale in the underground market, after credit card data. And by far the most popular type of data in the financial accounts category is bank account credentials, because they give cybercrooks the opportunity to directly withdraw money, Symantec said.

Bank account information accounted for nearly 18% of the $276 million worth of items that were offered for sale in the underground market during the 12-month period that started in July 2007, according to Symantec. The company said prices for bank account credentials ranged from $10 to $1,000, depending on the balances and locations of the accounts.

Dean Turner, director of Symantec's global intelligence network, said the potential total value of the compromised bank accounts uncovered by the company during those 12 months was at least $1.7 billion. And even that is a conservative estimate, according to Turner. "We're only looking at the publicly available, easily observable stuff here," he said. "If you include what's going on inside encrypted IRC channels, the dollar value is huge."

Compworld