This is an update of a February 25, 2011 "Street Sweeper" column.
In June 2007, Belarussian nationals Dmitry M. Naskovets and Sergey Semashko (also referred to as "Semasko" in some Department of Justice reports) created CallService.biz ("CallService"), a Russian language online business hosted in Lithuania. Unfortunately, that mundane start to this story doesn't continue along such an innocuous path. To the contrary, this online business venture takes us over to the dark side.
Naskovets and Semashko created CallService with the intention of assisting identity thieves to exploit stolen financial information, such as credit card and debit card numbers. CallService was designed to thwart the security measures put in place by financial institutions.
In exchange for a fee, Naskovets and Semashko provided through CallService the services of English- and German-speaking individuals to persons who had stolen account and biographical information. On the front-end of this transaction, the identity thief provided:
Thereafter, Naskovets and his co-conspirators would assign someone of the same gender and who spoke the same language as the authorized account holder. CallService's foreign language speakers would pose as the authorized account holders and telephone financial institutions and other businesses in order to conduct or confirm fraudulent account activity on behalf of the identity thieves. If successful, the CallService employees would, among other criminal acts:
After the requested call was made, Naskovets and his co-conspirators reported back to the identity thief and awaited further instructions.
CallService posted advertisements for its services on other websites used by identity thieves, including CardingWorld.cc, which was operated by Semashko. One such advertisement noted "a special offer of an unlimited number of confirmation calls" to interested individuals, among which were listed "successful Carders (drop handlers . . . PIN cashers, etc.). . ." Other advertisements boasted that CallService had "over 2090 people working with" it and had "done over 5400 confirmation calls" to banks, referencing calls to defeat security screening procedures and confirm or conduct fraudulent transactions.
SIDE BAR: Personal information may be stolen through a variety of means, including:
Hacking into financial institutions' computer systems
Phishing attacks whereby a fraudulent email/Instant Message directs the recipient to enter confidential information onto an apparently trustworthy website. In fact, that website is masquerading as one that is bona fide and is actually controlled by the sender of the phishing message.
Malware that infects victims' computers with malicious software
Keylogger viruses that covertly tracks the keys struck on the infected computer's keyboard.
The goal of such criminal conduct is to illegally obtain the victim's name, address, telephone number, social security number, user names/passwords, and other identification.
Recently, we have seen the growth of "carding" websites that provide criminals with online locations where they can buy/sell stolen identification and financial information. The lexicon used on such sites includes:
A Carder buys/sells/trades/exploits stolen or unlawfully obtained credit/debit card numbers and information.
A Drop Handler hires/manages "drops," which are addresses/individuals used by the identity thief as shipment destinations
A PIN Casher uses stolen credit/debit card information to withdraw cash from the victim.
At the request of the United States, Naskovets was arrested by Czech authorities on April 15, 2010. Also on that day, in a joint operation, Belarusian law enforcement authorities arrested Semashko in Belarus; and Lithuanian law enforcement authorities seized the computers on which CallService was hosted. Belarusian authorities also arrested additional co-conspirators for related criminal conduct. In addition, the New York Office of the Federal Bureau of Investigation simultaneously seized the Website domain name pursuant to a seizure warrant.
On September 20, 2010, Naskovets was extradited from the Czech Republic. A U.S. Indictment charged Naskovets with one count of conspiracy to commit wire fraud, one count of conspiracy to commit access device fraud, and one count of aggravated identity theft.
On February 23, 2011, Naskovets, 26, pled guilty to charges of conspiracy to commit wire fraud and credit card fraud. He faces a maximum sentence of 37 and one-half years in prison. He is scheduled to be sentenced on May 26, 2011.
On March 23, 2012, Naskovets was sentenced to 33 months in prison, three years of supervised release, and ordered to pay a $200 special assessment fee.
So, you feel better? Do you think that your account information is safer at Citi, Bank of America, Wells Fargo, or JP Morgan? You think that no one is trying to get your American Express, Visa, MasterCard, or Discover card data?
Yeah . . . be afraid, be very afraid. There are more of these folks out there, waiting to get you. Sleep tight.