Phisher Convicted in Massive Scheme
Osarhieme Uyi Obaygbona and several others were convicted of a phishing scheme that defrauded Bank of America, Branch Bank & Trust Co., Chase Bank, and ADP, a payroll processor, out of $1.5 million. The phishing attacks directed users to fake web pages, where the users were tricked into entering information such as social security numbers, dates of birth, and usernames and passwords. The stolen information was used to access victims’ accounts and to create fake driver’s licenses in order to impersonate the victims at the banks. Karlis Karklins, one of Obaygbona’s co-conspirators, used the stolen information to gain access to payroll accounts at ADP. Fake employees were added to companies’ payrolls. Karklins and the others allegedly issued paychecks to these fake employees and had the checks cashed by money mules. Authorities say that the money mules were tricked into thinking that their actions were legal.

To prevent financial loss from phishing, companies and consumers need to be educated about it. However, according to the article, “no one wants to talk about [‘emerging schemes and trends’] openly.” To get around this, organizations such as the American Bankers Association could encourage, or strongly suggest, that employee education on threats such as phishing be mandatory. Banks and other companies could make more of an effort to educate their customers about these types of threats. For example, they could issue a monthly information sheet that discusses various threats and how consumers can protect themselves. A partial solution mentioned in the article is the Domain Naming System initiative, which could result in the replacement of .com with .bank for bank websites.

Feds Charge Hacker in POS Attacks
Multiple charges have been filed against Dutch hacker David Benjamin Schrooten (aka “Fortezza”) for the alleged advertising and selling of stolen credit card information on underground online forums. His accomplice, Christopher A. Schroebel, hacked into the point-of-sale systems of two businesses in the Seattle area. Schroebel placed malware on their networks and copied information associated with credit card transactions. The malware transmitted the information to a server controlled by Schroebel. Credit card numbers were later sold on forums by Fortezza. Schroebel and Fortezza also allegedly worked together to build “carding websites,” to sell credit card information to criminals. Schroebel was arrested last November and pled guilty. Fortezza, who was arrested in March, has pled not guilty.

A firewall that does egress filtering could have prevented the information from being transmitted out of the companies’ networks. The transmission could also have been prevented by a firewall policy that dictates what information can and cannot be transmitted out of the network, or by a policy that controls where (to which IP addresses) and when (such as only during hours of operation) certain information can be transmitted. Information being transmitted to an unfamiliar IP address at 4 a.m. would raise a red flag. Also, the firewalls could have been configured to log all packets. The log files would have shown the card details going to an unfamiliar IP address. The two businesses that were hacked were a restaurant and a restaurant supply store. These businesses might not have the expertise necessary to handle firewall configurations and other IT security protections. An experienced managed security service provider (MSSP) reading event logs could have alerted the businesses to the suspicious transmission of credit card information from their networks to another IP address. The MSSP might also have noticed the malware being launched within the networks.
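
The log review described above, as an added example that is not part of the original post: a Python script that checks firewall egress log lines against a destination allowlist and the hours of operation, and reports which rule each flagged line broke. The log format, addresses, allowlist and opening hours are all assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime, time

# Assumptions (not from the article): the only approved outbound destination is
# the card processor's network, and the business operates 10:00-23:00.
ALLOWED_DESTS = [ipaddress.ip_network("198.51.100.0/28")]
OPEN, CLOSE = time(10, 0), time(23, 0)

# Constructed sample egress log: timestamp src dst dport bytes
SAMPLE_LOG = """\
2024-05-01T12:15:02 10.0.0.21 198.51.100.5 443 2310
2024-05-01T19:40:11 10.0.0.21 198.51.100.5 443 1984
2024-05-02T03:10:00 10.0.0.21 198.51.100.5 443 1200
2024-05-02T04:02:37 10.0.0.21 203.0.113.77 21 481920
2024-05-02T13:05:00 10.0.0.30 203.0.113.77 80 900
malformed line
"""

def parse_line(line):
    """Return (timestamp, src, dst, dport, nbytes), or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (datetime.fromisoformat(parts[0]), ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]), int(parts[3]), int(parts[4]))
    except ValueError:
        return None

def review(log_text):
    """Return (alerts, unparsed); each alert is (original line, list of reasons)."""
    alerts, unparsed = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)  # surface bad lines instead of dropping them
            continue
        ts, _src, dst, _dport, _nbytes = rec
        reasons = []
        if not any(dst in net for net in ALLOWED_DESTS):
            reasons.append("destination not on allowlist")
        if not (OPEN <= ts.time() < CLOSE):
            reasons.append("outside hours of operation")
        if reasons:
            alerts.append((line, reasons))
    return alerts, unparsed

if __name__ == "__main__":
    for line, reasons in review(SAMPLE_LOG)[0]:
        print("ALERT", line, "->", "; ".join(reasons))
```

The same two rules, applied as firewall egress policy rather than as log review, would block the flagged transfers instead of only reporting them.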