Chapter 41. Wire Transfers From Nowhere

KENNETH C. CITARELLA and LAURA A. FORBES

The Internet is often used by people who want to connect with new acquaintances, new business partners and even new lovers. In the darker corners of the Internet, however, criminals engage in anonymous communications to peddle services and sell contraband. Among the unlawful commodities available online are stolen identities complete with valid credit card information. Identity thieves harvest this information through phishing and pharming scams, in which the thieves trick unwary consumers into revealing their personal information, and then sell data to others to misuse for their own fraudulent purposes. Completely separate groups, unknown to each other except by their Internet screen names, can team up in this fashion and cause considerable harm to honest citizens.

In this case, one gang operating largely in the Northeast United States bought stolen identities and credit card information from a group of professional identity thieves operating overseas. The U.S. gang consisted of 13 young men of college age, most of whom were high-school classmates in a small town not too far north of New York City. At the time, five of them resided in Ravenna, a small city in upstate New York, and eight lived downstate, in Hudson's Landing, a New York City suburb. They were ethnically and economically diverse, but shared an affinity for computers, the Internet — and fraud.

The upstate members were Brian Noonan, Bart Grayson, Chuck Colty, Karl Kollins and Marty Brim, all of whom were officially registered at a local college, but for whom attendance seemed to be a forgotten obligation. Internet fraud provided them with a lucrative diversion from earning an honest living. The downstate suburban group consisted of Mike Peters, Andy Hook, Art Eason, John Mullins, Al Higgins, Walt Guss, Chris Morton and Miguel Salsa.

Each member of the U.S. gang had a specific job function. Mike Peters was at the center of the conspiracy. He was the most experienced carder among them all, an expert at using stolen credit card and personal information to obtain wire transfers through Money Transfer Services, Inc. (MTS), an international financial services company. Hook, Eason, Mullins, Guss and Morton were runners whom Peters sent to various MTS offices to collect wired funds. Peters paid a runner $100 for a successful retrieval of this money, which ranged from $200 to $1,000 per transaction. Peters even had a friend, known only as "Greg," who operated as a runner in California. Hook and Eason also spent time with Peters driving through wealthy neighborhoods looking for cars from which they could steal electronic equipment. As will be described later, this proved to be their downfall.

Noonan, Grayson and Colty were all carders in their own right, like Peters. Using the same overseas sources as Peters, they purchased stolen personal and credit card information via the Internet and then charged cash advances against credit cards for wire transfers through MTS. They also all served as runners for each other.

Outside of their screen names and the Web sites they used at the time, nothing was known about the number of or identities of the overseas phishers.

The Mathematics of Profit

The individual consumers who were victimized in this scam were as diverse as America itself. They only had two characteristics in common: They owned a credit card and fell victim to a phishing ploy. They came from at least seven different states scattered between California and New York. The exact number of individuals involved will never be known, but their credit cards were collectively used for probably more than 30,000 attempted or successful fraudulent wire transfers.

Phishing is one of the most common Internet scams; you've probably gotten many of them yourself. Phishers send fraudulent e-mails that mimic actual communications from banks or other financial institutions to their credit card holders. Phishers painstakingly duplicate the logos, colors and layout of genuine e-mail messages sent by the issuing institution. Some individuals, lulled into a false sense of security by the genuine appearance of the phishing e-mail, believe it to be a legitimate communication. With their guard down, unsuspecting cardholders accept the e-mail at face value. They believe the false assertion that a suspicious attempted charge requires a "reverification" of their account data and use a link in the e-mail to go to a Web site to "reenter" their personal identifying information and credit card number. They completely overlook the fact that their bank already has all that data readily on hand. Once the consumer has entered his or her personal and credit card information, everything is in the hands of the phishers to do with as they will.

Phishers cast their hooks blindly to massive quantities of e-mail addresses that are easily obtained online. Once the fraudulent e-mail communication and the mailing list are prepared, the cost of distribution is negligible whether 100 copies are sent or 1 million. In the latter case, a positive response rate of only 0.1 percent would mean that 1,000 consumers gave away the key to their financial identities. These are the mathematics that create the profits associated with e-mail advertising of any nature. Neither the phishers nor the carders cared where the actual credit card owners lived. All they wanted was an American identity and a valid card number.

The New York–based gang of carders victimized MTS offices throughout the state, using as many stolen identities as they could secure from their anonymous overseas providers. Because of the presence of one runner in California, several MTS offices in that state were victimized as well.

A Pattern Emerges

Trying to pinpoint when a widely dispersed fraud scheme was first uncovered is like trying to determine precisely when water begins to boil. All of a sudden, things were happening everywhere — puzzled consumers began to wonder about charges for wire transfer fees and cash advances posted to their credit cards. They reacted the way we all would, by calling their credit card issuer and asking why the unauthorized charges appeared on their statements. Once consumers started to make those calls, it was only a matter of time before the boiling point was noticeably reached. The credit card issuers began to react once they realized the charges were not isolated events but a pattern. Their security and investigations departments, staffed by experienced fraud examiners who were assisted by pattern-detecting software, contacted their counterparts at other financial institutions and reached out to law enforcement.

MTS, of course, was also on task. As reports of disputed charges began to come in from various offices, data was gathered and analyzed. Security personnel distributed information throughout the corporation to alert branches to what certainly appeared to be a coordinated fraud. Patterns of names began to emerge from the early chaotic reports. When the fraudsters assumed false names to use in their dealings with intended victims, they often used names similar to their own or to those they used elsewhere. This made it easier for them to devise and remember new names. MTS branches had security cameras, but the runners often wore dark glasses or hoods to disguise their features. Nonetheless, some useful images were captured.

The various security departments cooperated and provided all of their information to the federal agency coordinating the investigation. Eventually, enough information was assembled to enable the investigators to understand exactly what happened, what some of the runners looked like and the pattern of their aliases. The investigation focused on the activities around Ravenna. The pattern of behavior indicated that the perpetrators were likely younger rather than older, were certainly quite computer savvy and knew the ways and means of Internet-based identity theft very well.

They were also very bold and not deterred by failed attempts. The growing body of data enabled MTS to deny many requested transfers. The gang attempted more than 30,000 fraudulent wire transfers, every one of which required a valid-appearing but stolen identity and credit card information. For each transaction MTS accepted, a runner with identification had to be dispatched and made to appear as if he were picking up money from the victim. In all they attempted to process $1.4 million in wire transfers, and succeeded in stealing more than $200,000. Fraud had become the full-time occupation of the upstate and downstate groups. No wonder they seldom got to class.

Their actual identities, however, continued to elude those on their trail, who were awaiting the kind of mistake that would provide a clue to who they were.

A Fortuitous Error

Mike Peters, Andy Hook, and Art Eason were busy one evening cruising wealthy neighborhoods in downstate New York, looking for easy marks. Their crime scenes of preference were vehicles parked near the street in the driveway of upscale houses. When they found one such location, they would pull over and leave one member behind the wheel while the others peered through the windows of the parked car for valuable electronics behind unlocked doors. In the course of a night, they often found several victims at diverse locations, not leaving clues behind for law enforcement to follow. Distraught victims only knew in the morning that their valuables were gone.

On this particular night, they found a laptop on the backseat of a car in the town of Mt. Benton, a short drive north of New York City. For Internet fraudsters, a stolen laptop can be a valuable commodity, and, of course, the price was right.

The next morning, Fred Hart walked out to his car and found the laptop issued to him by his corporate employer missing. Embarrassed for having left corporate property so foolishly exposed, he dutifully reported the loss to his employer and to the Mt. Benton Police Department. In truth, no one expected to ever hear about that laptop again. But, several months later, a gang member began to use it to access the Internet. There is often one such critical and fortuitous error that resolves sophisticated frauds.

Fred Hart's corporate employer had equipped each employee's laptop with theft-detection software from Laptop Protection, Inc. (LPI). When one of those laptops connected to the Internet, it automatically sent its unique identification number to LPI. After Hart reported the theft, the corporate IT department notified LPI and that laptop's identification number was added to LPI's list of stolen laptops. It was just a waiting game to see if the laptop was used.

It sat unused for several months until Peters sold it to Brian Noonan to use in their scheme. Noonan knew there was a risk of theft-detection software on the laptop and removed the original hard drive and installed a new one. Fortunately, the LPI software had been installed by the laptop's manufacturer into the computer's basic input/output system (BIOS) and not on its hard drive. The BIOS is often referred to as firmware: software that resides permanently in memory and is designed to carry out the first steps taken at boot-up. The BIOS tells a computer how it is configured and how its various components should interact. Despite Noonan's clever attempt to avoid detection, he didn't have a chance.

Thus when Noonan used Hart's laptop, like a lost ET it called home and provided its identification number. More important, since it was now on the LPI list of stolen laptops, the computer automatically provided its Internet protocol (IP) address and uploaded selected contents of its hard drive that revealed how it was being used. LPI forwarded that information to Hart's employer and through them to the Mt. Benton police. Detective Alan Mitchell was assigned to the case. Knowing he needed assistance beyond the capabilities of his small department, Mitchell contacted the Westchester County District Attorney's Office High Technology Crime Bureau for assistance. From our perspective, this is where the case began.

Mitchell came to see me, Assistant District Attorney Laura Forbes, because of my experience in computer crime and identity theft. From that moment on, although they didn't know it, time was running out for the identity theft gang.

Among the files the laptop uploaded to LPI were temporary files that recorded the Internet communications among members of the U.S. gang, and their contacts with the overseas phishers. The entire identity theft plan and the larceny from MTS were laid out in jargon-laden chats that, once understood, provided a roadmap for their crimes. The laptop also contained a series of personal information profiles — called fulls — that gang members had legitimately purchased on the Internet. Every consumer discloses a considerable amount of personal information during the course of financial transactions. Marketing research companies collect as much of that information as they legally can and compile it into what can be a comprehensive report on any given individual. They in turn resell that information to the purchaser as a full. It may contain a consumer's name, date of birth, Social Security number and residential address. Equipped with this pedigree information, as well as the credit data compiled by phishing, the gang members would be able to assume another online identity and order money through MTS for in-person pickups.

We did not need to secure the permission of a court to acquire this invaluable evidence. Since the laptop was stolen, its unauthorized users had no privacy rights to the computer or its contents. As long as their Internet communications were not monitored in real time, neither federal nor state wiretapping laws were violated. A perfectly lawful report on an ongoing crime was being provided to law enforcement every time the laptop accessed the Internet. (The legality of the theft-detection software was not an issue at the time of this case but the law continues to develop, so this should be reviewed before such evidence is used in any new investigation.)

Armed with this information, we were able to identify the locations at which the laptop appeared to be used through the IP addresses. We then issued subpoenas to the Internet service providers (ISPs) for the name and street address information for every account that was using the laptop. The information we received indicated that the computer had been used all over the country in a matter of days. Clearly this did not seem accurate. Whoever was using the computer had managed to disguise his actual IP address. However, several weeks into the investigation, we figured out that the IP addresses used consistently came from three locations: the upstate apartment where Noonan lived with Grayson and Colty; the suburban apartment where Mike Peters lived with his parents; and Noonan's parents' apartment in Westchester. Noonan had gotten lazy and, because of that, he was now identified.
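The triage described above, sketched as an added example (it is not from the original chapter and is not LPI's software): check-ins from a device on the stolen list are grouped by source address, and addresses that recur on several distinct days over a long span are separated from one-off addresses that look like relays. The record layout, device IDs, dates, addresses and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data. Device IDs and dates are invented; the addresses
# come from the RFC 5737 documentation ranges.
STOLEN_IDS = {"DEV-0001"}

CHECKINS = [  # (timestamp, device id, source IP seen by the check-in server)
    ("2005-01-03T21:14", "DEV-0001", "198.51.100.7"),
    ("2005-01-03T23:40", "DEV-0001", "198.51.100.7"),   # same day, counted once
    ("2005-01-04T02:05", "DEV-0001", "192.0.2.11"),
    ("2005-01-05T19:30", "DEV-0001", "203.0.113.20"),
    ("2005-01-06T01:12", "DEV-0001", "192.0.2.87"),
    ("2005-01-06T01:50", "DEV-0001", "192.0.2.140"),
    ("2005-01-08T22:03", "DEV-0001", "192.0.2.200"),
    ("2005-01-09T00:15", "DEV-0001", "192.0.2.200"),    # two days, short span
    ("2005-01-10T20:44", "DEV-0001", "198.51.100.7"),
    ("2005-01-19T18:27", "DEV-0001", "203.0.113.20"),
    ("2005-01-24T21:09", "DEV-0001", "198.51.100.7"),
    ("2005-02-01T17:55", "DEV-0001", "203.0.113.20"),
    ("2005-02-02T22:31", "DEV-0001", "198.51.100.7"),
    ("2005-01-05T09:00", "DEV-0002", "198.51.100.99"),  # not reported stolen
    ("2005-01-25T09:00", "DEV-0002", "198.51.100.99"),
]


def flagged_checkins(checkins, stolen_ids):
    """Keep only check-ins whose device ID is on the stolen list."""
    return [
        (datetime.fromisoformat(ts), dev, ip)
        for ts, dev, ip in checkins
        if dev in stolen_ids
    ]


def triage_sources(checkins, stolen_ids, min_days=3, min_span_days=14):
    """Split source IPs into recurring (worth a subpoena) and transient.

    An address is 'recurring' when the stolen device used it on at least
    min_days distinct days spread over at least min_span_days. Both
    thresholds are illustrative assumptions, not values from the case.
    """
    days_by_ip = defaultdict(set)
    for when, _dev, ip in flagged_checkins(checkins, stolen_ids):
        days_by_ip[ip].add(when.date())

    recurring, transient = {}, []
    for ip, days in days_by_ip.items():
        span = (max(days) - min(days)).days
        if len(days) >= min_days and span >= min_span_days:
            recurring[ip] = {
                "days_seen": len(days),
                "first": min(days),
                "last": max(days),
            }
        else:
            transient.append(ip)
    return recurring, sorted(transient)


if __name__ == "__main__":
    recurring, transient = triage_sources(CHECKINS, STOLEN_IDS)
    for ip, info in sorted(recurring.items()):
        print(ip, info["days_seen"], "days,", info["first"], "to", info["last"])
    print("transient:", ", ".join(transient))
```

Counting distinct days rather than raw check-ins keeps one long session from making a relay address look like a residence.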

A background check of Noonan revealed a suspicious activity report generated by MTS when he was observed with Andy Hook making more pickups in one day than is usual for customers. The same background check also revealed that Noonan went to high school with Mike Peters, Andy Hook, Art Eason, John Mullins, Al Higgins, Walt Guss, Chris Morton and Miguel Salsa.

Combining Forces

When Detective Mitchell contacted the Ravenna Police Department in upstate New York, he was notified that there was already an ongoing investigation by the department and a federal agency into an identity theft and fraudulent wire transfer scam involving our targets. We quickly assembled a multiagency meeting to hammer out the protocols for proceeding with a joint investigation. We mutually agreed on each agency's role and on the criteria for determining which future defendants would be prosecuted federally versus locally. When the information — painstakingly compiled by the credit card issuers, MTS and the local and federal investigators — was combined with the uploaded files from the laptop, we were able to attach names to faces and the investigation took a giant leap forward.

The two main locations, the Ravenna apartment and the Peters residence in Hudson's Landing, were placed under regular surveillance and their residents were identified. We reviewed the evidence we had and I began drafting a search warrant for the Ravenna apartment. Approximately five months after Hart's stolen laptop began to be used as part of the identity theft and wire transfer fraud scheme, law enforcement was prepared to strike.

Early Morning Surprises

In the predawn hours of an early winter day, investigators from the Ravenna Police Department, the Westchester County District Attorney's Office, the Mt. Benton Police Department and the federal agency burst into the Ravenna apartment, surprising its sleeping inhabitants — a state Supreme Court justice had authorized a no-knock search warrant. Because of the clearly demonstrated computer skills of the suspects and the ephemeral nature of digital evidence, we had strong arguments for requesting that the court permit the police to enter the apartment without having to knock on the door and identify themselves. If the suspects had programmed some destructive code into the laptop, then the seconds that would pass from the time the police knocked on the door until they had located and secured the laptop could have proved fatal to the evidence it contained. The court agreed.

Noonan, Grayson and Colty were all asleep in the apartment when the police entered. They were completely surprised. The law enforcement agents quickly secured the premises and located the laptop. Some high-quality electronics were also seized that might have been purchased with stolen money. All three gang members were interrogated and Noonan began to come clean. The investigators and I interviewed Noonan for hours that day. We never revealed the presence of the LPI software in the laptop's BIOS. Based on the extremely detailed information we had about the scheme, Noonan believed that the gang's communications had been wiretapped and concluded there was no reason for him to withhold any information. We did nothing to dissuade him from that faulty reasoning; indeed, we used it to our advantage. His attempt to avoid theft-detection software worked against him for a second time. Not only did he fail to remove it, but his misplaced confidence in that effort caused him to wrongly conclude that we had even more evidence than we really did. Because of his false conclusions, we were able to confirm our understanding of Noonan's activities, as well as get details on his coconspirators' conduct.

Noonan told us that Peters was the ringleader of the entire scheme, but he proudly hailed himself as the more skillful fraudster. He stated that Peters was the one who devised the scam but that he, Noonan, was the one who perfected it. He also stated that he was originally spoofing his IP address to make it appear that the computer was somewhere else, but he admitted that he later grew lazy and cocky and stopped hiding behind false IP addresses. Noonan also implicated every other member of the ring: Mike Peters, Andy Hook, Art Eason, John Mullins, Al Higgins, Walt Guss, Chris Morton, Miguel Salsa and his roommates. Noonan made sure that as he mentioned the names, he pointed out that none of them were as clever or computer savvy as he was.

We decided that Noonan's statements, when combined with the information previously assembled regarding Peters and the use of the laptop in the family residence, provided enough evidence for a search warrant for his coconspirator's residence. In a few days, the same agencies executed the warrant and found Mike Peters, a sister and his parents at home in the early morning. The parents were extremely defensive and denied their son had done anything wrong. Peters had nothing to say. But in the bottom of his bedroom closet, pushed deep into the toe of a sock, was approximately $40,000 and a counterfeit New York driver's license, which was shown to MTS employees when Peters picked up money using that false name. Mr. Peters claimed the money was his, resulting from a recently liquidated investment, but the police decided that a stray sock in a son's closet was an unusual place to store such proceeds. They took the sock and the money and Mr. Peters didn't come up with proof of his alleged investment.

The Outcome

In all, six members of the gang were prosecuted at the state or federal level. As commonly happens in cases like this, there was less evidence against the more peripheral players and many of them escaped prosecution. Mike Peters pleaded guilty to state larceny and identity theft charges, forfeited the $40,000 found in his sock, and was sentenced to up to four years in state prison and to pay an additional $33,000 in restitution. Brian Noonan pleaded guilty to state identity theft charges and to federal wire fraud charges for which he was sentenced to four and a half years in federal prison. Walt Guss pleaded guilty to a state identity theft charge, paid $6,000 in restitution, and was sentenced to 5 years of probation. Three other members pleaded to lesser charges.

To date, no charges have been brought against the overseas phishers.

Note

Lessons Learned

We can only speculate how long this fraud could have continued had Noonan not started to use the laptop Peters stole. Investigators can't deny the significance of mistakes made by their targets. But from this case history, several other important lessons are obvious.

Foremost among them is that the entire crime was completely preventable. If consumers had not fallen victim to phishing, their identities would not have been stolen and thus available for sale online to the Peters/Noonan gang. Considering the costs incurred by the various credit card issuers to investigate this matter and cooperate with law enforcement, it seems likely that increasing their efforts at identity theft protection would be money well spent. Every consumer who is educated about the various Internet identity theft scams and avoids being deceived reduces fraud loss to the financial institution and investigation expenses. Increasing consumer education by mail inserts or e-mail notices is step number one.

Second, this case benefited from the remarkable cooperation of several law enforcement agencies and corporate security departments. Such a lesson cannot be emphasized too often. Law enforcement agencies easily fall prey to turf wars. Corporations sometimes withhold information that they deem too embarrassing or sensitive. Such conduct decreases the likelihood of a successful investigation.

Last, the presence of BIOS-installed theft-prevention software was critical to the case. Businesses that issue laptops to their employees should install some kind of theft-prevention software. Although most laptop thieves lack the technical awareness to suspect the presence of theft-prevention software, it certainly makes sense to have that software in the BIOS rather than on the hard drive.

About the Authors

Kenneth C. Citarella, Esq., MBA, CFE, CCS, had a distinguished 28-year career as a white-collar and computer crime prosecutor in the Westchester County (NY) District Attorney's Office, which he concluded as Deputy Chief of the Investigations Division. Ken prosecuted investment frauds, larcenies, embezzlements, anti-trust violations, public corruption, forgeries and many other economic crimes. Also a pioneer in computer crime prosecution, Ken obtained convictions for computer intrusions, malicious software attacks, a software time bomb, spamming, digital child pornography and the use of the Internet for child exploitation, among other cases. Now with the Corporate Investigations Division of Prudential Financial Services and an Adjunct Professor of Law at New York Law School, Ken has lectured widely before professional, legal, academic, corporate and community groups on computer crime and fraud-related issues.

Laura A. Forbes, Esq., is a Senior Assistant District Attorney with the Office of the Westchester County District Attorney. She is currently assigned to the High Technology Crimes Bureau of the Investigations Division, in which she investigates and prosecutes Internet and identity theft-related crimes. She was previously assigned to the Economic Crimes Bureau. Laura received a JD from Pace University School of Law and a BS in Business Management from Marymount College.
