Vlad the Emailer : Feds Bust Romanian Phishing Ring

December 23, 2011

Imagine if Vlad the Impaler Had A Computer

Way back in January 2007 - before the onset of the Great Recession, before the euro crisis - a federal grand jury sitting in New Haven, CT returned an indictment charging Romanian citizens Ciprian Dumitru Tudor, Mihai Cristian Dumitru, and others with running an online phishing scheme.

My, how our global village has become so much cozier. Was a time when all we knew about Romania was that it was the land of vampires, Count Dracula - the real-life Vlad the Impaler. A few centuries later and, in the name of progress, Romania has become the land of Vlad the Emailer. Gothic horror stories aside, federal prosecutors found little quaint about the online crimes emanating out of Romania. Nearly three years after the initial Indictment, in November 2010, a Superseding Indictment fleshed out the case against Tudor, Dumitru, and 12 others.

Just as vampire hunters must await the sunrise in hopes of entering the crypt and driving the wooden stake through the living dead's blackened heart, the feds bided their time. Waiting. Waiting for just the right moment when they could swoop down upon the Romanians and nail them. Consequently, the Superseding Indictment was kept under wraps - "sealed" in more legal jargon - pending the ability of the United States to secure the extradition of the defendants responsible for the phishing crimes.

Phishing: An Internet scheme that fraudulently targets recipients' email accounts in order to obtain private personal and financial information. This scam generally involves the transmittal of e-mail messages, which are made to appear as if they originated from legitimate banks, financial institutions or other companies. Unwary recipients reply to requests for information contained in the bogus messages or are directed to seemingly authentic websites and asked to fill out online forms. In fact, the bogus messages have directed the victims to bogus websites where the submitted personal/financial information will be mined by criminals in furtherance of identity theft, money laundering, and other scams.

I'm sure - I'm positive - that many (if not most) of you have received a phishing email.  You may have been savvy enough to spot the warning signs of such crap and quickly marked it as spam or deleted it.  If you weren't so lucky, you may have entered the digital equivalent of Hell.

People's Bank

In this case, the Indictment alleges that in June 2005, one or more of the defendants sent spam e-mail purporting to be from Connecticut-based People's Bank. The e-mail stated that the recipient's online banking access profile had been locked and instructed recipients to click on a link, which would take them to the bank's web page, where they could enter information to "unlock" their profile.

No! Don't do it!! STOP!!!

Those who received this phishing email should never, ever have clicked on the link. If you receive such a message, you would be better advised to telephone the bank to confirm the authenticity of the message; and don't use the phone numbers provided in the phishing email because they may be bogus - get the phone numbers from your old records or do an online search. If you must, separately log on to what you know to be the bank's real URL: open up a separate browser window, access the bank's authentic website and see if there are any messages to you on that page - or you could access any existing online "Help" lines. What you should never do is respond to such queries by clicking on links provided in the spam mail.

WARNING!!!: If you have clicked on the email and opened it, there is a chance that you have downloaded a virus.  It gets even worse. As you continue to use your computer, that virus may be capturing the names of the websites you visit, retrieving your account ID and passwords.  In less time than it takes to pound a stake through a vampire's heart, your financial accounts could be wiped out and your credit ruined.

If you think that you've been targeted by a phishing email, get the hell offline.  Immediately.

You should have already installed a malware and anti-virus program on your computer. Make sure that such programs have downloaded the most current virus alerts - if your program is not current, you may scan your drive and get a "No Virus Found" confirmation, but that scan may not have included the virus that was created last week and included in the updated download that you failed to install.

Once you're offline, run your malware/anti-virus programs.  Don't do anything else.  If you are notified by your program that your computer has been compromised, quarantine the flagged files and delete them.  If you don't know what you're doing but you're told that your drive has been hit, spend a few bucks and hire a professional to clean your system.

One last warning, be careful about downloading those free malware/anti-virus programs - some of the sites offering such help are themselves frauds and will phish your information when you fill out their online forms, or, even worse, the freebie software that you will download is a trojan.  Here the cure may be worse than the disease.  Think of it as a vampire's bite.

The unfortunates who clicked on the link provided by the defendants in this case wound up on a web page that, for all intents and purposes, really appeared to be People's Bank. Ah, but the "for all intents and purposes" is what kills you here. The bank website wasn't what it seemed. In reality, it was a fake web page on a fake website that was hosted on a computer that had nothing to do with People's Bank. The personal and financial information that worried email recipients so quickly provided was transmitted by email to one or more of the defendants or to a so-called "collector" account (set up as a repository for the phished records).
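The lure described above has two tells a mail filter can check for: the link's real target sits on a host that has nothing to do with the bank named in the "From" header, and the visible link text shows a different address than the one the href actually points to. The following added example (not part of the original article, and not anything from the case file) runs those checks over a constructed sample message; the domain `peoplesbank.example` and the address `203.0.113.7` are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above: the "From" claims
# the bank, the visible link text shows the bank's address, but the href
# points at an unrelated host. Domain and IP address are placeholders.
SAMPLE = """From: People's Bank Security <alerts@peoplesbank.example>
Subject: Your online banking profile has been locked
Content-Type: text/html

<p>Your access profile has been locked. Click below to unlock it.</p>
<a href="http://203.0.113.7/peoples/unlock.php">https://www.peoplesbank.example/unlock</a>
<a href="https://www.peoplesbank.example/help">Help</a>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(raw):
    """Return (href, reason) pairs for links that do not belong to the
    organisation the message claims to come from, or whose visible text
    shows a different host than the real target."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    body = msg.get_payload()  # single-part text/html body in this sample
    findings = []
    for href, text in LINK_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        if IP_RE.match(host):
            findings.append((href, "ip-literal-host"))
        elif not in_domain(host, sender_domain):
            findings.append((href, "host-outside-sender-domain"))
        shown = urlparse(text.strip())  # only URL-looking link text has a host
        if shown.hostname and shown.hostname.lower() != host:
            findings.append((href, "visible-url-differs-from-target"))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE):
        print(reason, href)
```

The second, legitimate-looking link produces no finding, so the output is two findings for the one href that actually goes to the bare IP address.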

SIDE BAR: In addition to People's Bank, the defendants also targeted Citibank, Capital One, Bank of America, JPMorgan Chase & Co., Comerica Bank, Regions Bank, LaSalle Bank, U.S. Bank, Wells Fargo & Co., eBay and PayPal.

The Charges

The Indictment alleges that Defendants Tudor, Dumitru and others used and shared a number of collector accounts. Those collector accounts retained thousands of e-mail messages with:

  • credit or debit card numbers;
  • expiration dates;
  • CVV codes (a Card Verification Value - usually a four-digit number on the card); and
  • PIN numbers.

But that's not the end of the treasure trove of compromised data.  Additionally, the victims provided the defendants with their:

  • name;
  • addresses;
  • telephone numbers;
  • date of birth; and
  • Social Security number.

Just imagine what a bunch of crooks could do with all that personal and financial data. Rather than imagine, let me clue you in: The Indictment alleges that the co-conspirators used the phished information to access bank accounts and lines of credit and to withdraw funds without authorization, often from ATMs in Romania.

In early December 2011, defendants Bolovan, 27, Davidescu, 38, and Busca, 26, were extradited from Romania to the United States and were arraigned on December 21, 2011.  These three defendants have pleaded Not Guilty to the charges and are detained pending trial (scheduled for March 2012).

On December 22, 2011, a federal Indictment was unsealed charging Romanian residents:

1. Ciprian Dumitru Tudor,
2. Mihai Cristian Dumitru,
3. Bogdan Boceanu,
4. Bogdan-Mircea Stoica,
5. Octavian Fudulu,
6. Iulian Schiopu,
7. Razvan Leopold Schiba,
8. Dragos Razvan Davidescu,
9. Andrei Bolovan,
10. Laurentiu Cristian Busca,
11. Gabriel Sain,
12. Dragos Nicolae Draghici,
13. Stefan Sorin Ilinca and
14. Mihai Alexandru Didu

with conspiracy, fraud and identity theft offenses stemming from their alleged participation in an extensive Internet "phishing" scheme.

Each of the 14 defendants is charged with conspiracy to commit:

  • bank fraud, which carries a maximum term of imprisonment of 30 years and a fine of up to $1 million, and
  • fraud in connection with access devices, which carries a maximum term of imprisonment of five years and a fine of up to $250,000.

Certain defendants, including Davidescu and Busca, are also charged with aggravated identity theft, which carries a mandatory consecutive two-year term of imprisonment.

NOTE: An Indictment is not evidence of guilt and the charges are only allegations. Each defendant is presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.