Ais Attack

030

Although in many cases we see banks joining forces with law enforcement to fight cybercrime, online attackers are become increasingly organized and financial institutions may find themselves fighting even tougher battles. (Kitten, 2012)

In one such case, here in Georgia, a man has pleaded guilty for the role he played in a $1.3 million phishing scheme that targeted customers of Chase, Bank of America, ADP and Branch Bank & Trust. In his plea, Waya Nwaki admitted to using stolen log-in credentials to intercept and respond to e-mails sent by banks to customers when unfamiliar computers or IP addresses were used to access online accounts. He also admitted to impersonating payroll officers in conversations he had with ADP, which is based in New Jersey.

The case resulted from a collaboration between the banks and the Federal Bureau of Investigation against Nwaki, a.k.a. Shawn Conley, who was arrested in December on charges of wire fraud conspiracy, wire fraud, aggravated identity theft, and conspiracy to gain unauthorized access to computers. Each count, to which Nwaki pleaded guilty, carries a maximum sentence of 20 years in prison and a maximum fine of $250,000; sentencing is set for Aug. 15, 2012.

According to court records, Nwaki and six co-conspirators, between August 2000 and June 2010, worked across three continents to launch phishing attacks through spoofed websites designed to mimic banks and payroll processors such as ADP. When online users visited the spoofed pages, they were asked to provide confidential personal and financial information, such as dates of birth, Social Security numbers, mothers' maiden names, and online account user names and passwords.

Having obtained log-in credentials and answers to commonly-asked security questions, the hackers accessed online accounts to make unauthorized transfers to accounts they controlled and/or wired money overseas through money remittance providers such as Western Union and MoneyGram. They also viewed signatures on check images to help them forge checks and withdrawal slips, which they used to physically withdraw funds at bank branches with fake driver's licenses and IDs.

Rather than working on a case-by-case basis, the FBI and the U.S. Attorney's Office combined forces against the attacks when charges were brought against the phishing perpetrators because the banks and ADP experienced fraud linked to the same ring. Given the banks' timely communication (about the schemes) with local and federal law enforcement helped authorities link the attacks to the same ring.

Since BofA and Chase are top-tier banking institutions with accountholders spread throughout the United States, the U.S. Attorney's Office says it considered the case from a more national perspective, rather than regional or local, which aided in the prosecution.

Fraud analyst Shirley Inscoe says the case illustrates