One of the most frustrating things about cyber crime is how rarely threat actors receive real punishment, particularly when they’re based abroad.
So it was a breath of fresh air when, on August 16th last year, a Federal grand jury issued an indictment against two Romanian threat actors. The pair stand accused of stealing over 36,000 financial account numbers via social engineering attacks against US citizens between 2011 and 2014, leading to estimated losses of $18 million.
And it gets even better.
Since the indictment was issued, Teodor Laurentiu Costea and Robert Codrut Dumitrescu have been extradited to Atlanta to face charges of wire fraud conspiracy, wire fraud, computer fraud and abuse, and aggravated identity theft. A third actor, Cosmin Draghici, is currently in Romanian custody awaiting extradition.
So… What Happened?
Between July 12 and October 31, 2011, PhishLabs analysts detected a number of telephone phishing (known as vishing) attacks against one of our clients, a well-known financial institution.
The format of these attacks was simple: a member of the general public would receive a text message prompting them to call a certain number. If the number was called, an automated system would instruct the victim to enter their bank card details. Naturally, once entered, this information was sent directly to the threat actors responsible for the attack.
Shortly after these vishing attacks started, PhishLabs analysts also noticed an increased volume of phishing attacks against customers of the same financial institution. These attacks, which used spoof web pages, once again attempted to steal card details — an unusual approach for phishing campaigns, which typically aim to compromise online banking accounts.
Taken together, these two campaigns made it clear that our client's customers were being specifically targeted.
In cases like this, PhishLabs analysts work with telecommunications companies to pursue shutdown of the telephone numbers used to carry out attacks. We also request that the end customers who operate the numbers get in touch with us so we can work with them to investigate further, e.g., by analyzing log files, using network traces, etc.
In addition to our own investigations, we also contract with third parties who specialize in providing intelligence about cyber-criminals. In this case, one of our sub-contractors had been independently collecting information about an actor who appeared to be involved in vishing attacks.
By combining our own intelligence with that provided by our sources, we developed a clear picture of the parties responsible for the attacks we had identified, as well as a number of later attacks against a second prominent financial institution. Ultimately, this intelligence would be shared with U.S. law enforcement agencies to fuel their investigation.
Why The Indictment Matters
This indictment is a huge win for law enforcement and financial institutions.
Over the past two decades, cyber actors have consistently stolen money, financial records, medical records, intellectual property, and just about anything else you can think of… and received very little in the way of punishment.
Why? Because in most cases it's incredibly difficult to find the actors responsible for an attack, and even when that does happen, a large proportion of threat actors are physically located in countries which don't have extradition agreements with the U.S.
At the same time, the individuals and organizations targeted by these attacks can seek some solace from the fact that the actors responsible are about to face the consequences of their actions. In this case, the financial institutions targeted lost an estimated $18 million as a result of the attacks, so they (and their customers) will no doubt be happy to know justice will be served.
“Our message to the victims of cyber fraud is that the FBI won’t let geographic boundaries stop us from pursuing and prosecuting the persons who cause them tremendous financial pain,” stated David J. LeValley, Special Agent in Charge of FBI Atlanta. “Our message to the perpetrators of these crimes is that cybercriminals cannot hide in the shadows of the internet. We will identify them and bring them to justice.”
But the positives of this indictment run deeper than simple justice.
Disrupting the Food Chain
In general, attempts to fight back against phishing actors involve having malicious web pages or telephone numbers shut down.
And that's great, because it solves the immediate problem, but it's also a little short-sighted. Threat actors can, after all, simply register alternative domains and phone numbers.
In order to truly disrupt the threat landscape, an alternative strategy is needed: going after the threat actors (or groups) themselves. If a threat group can be identified, targeted, and prosecuted, it will no longer be able to launch attacks.
This is where threat intelligence comes in. Rather than simply working to have attack mechanisms shut down, threat analysts can work with third parties and law enforcement agencies to close the net on threat groups — even those in foreign countries — and work towards a more permanent solution.
As U.S. Attorney Byung J. "BJay" Pak put it:
“These extraditions send a strong warning to cybercriminals and fraudsters worldwide, that we, along with our law enforcement partners, will work tirelessly to bring you to justice.”