Feds Go Phish And A Whole Mess Of Defendants Are In Hot Water

May 3, 2012

Old fish fry sign, New Orleans

Feds are planning an old-fashioned fish fry of phishing defendants

On April 28, 2011, federal prosecutors indicted the following defendants, as set forth in this fascinating caption:


KARLIS KARKLINS, a/k/a Susanne O'Neill, a/k/a Kris, a/k/a Steven Bing

CHARLES UMEH CHIDI, a/k/a Charlie

WAYA NWAKI, a/k/a Jonh Done, a/k/a Prince Abuja, a/k/a Shawn Conley, a/k/a USAPrince 12k

OSARHIEME UYI OBAYGBONA, a/k/a Uyi Obaygbona, a/k/a bside bside

MARVIN DION HILL, a/k/a Da Boss, a/k/a Nyhiar Da Boss, a/k/a Nihiar Springs

ALPHONSUS OSUALA, a/k/a Andrew Johnson, a/k/a jamal j

OLANIYI JONES, a/k/a Brenda Stuart, a/k/a Olaniyi Victor Makinde, a/k/a Makinde Olaniyi Victor

For a fascinating exposition of the alleged crime, read the full-text Indictment.

The Indictment alleges that defendants Karklins, Chidi, Nwaki, Obaygbona, Hill, Osuala, Jones and others engaged in a conspiracy to steal money from payroll processors and banks by using phishing and spear phishing attacks to obtain Log-In Credentials and Personal Identifiers that were used to make unauthorized withdrawals from customers' online accounts. Allegedly, Nwaki received the stolen identifiers from other indicted individuals, including Karklins, a Latvian national who worked with Chidi and others to deploy phishing websites across the Internet. Nwaki then provided the stolen identifiers via e-mail to Hill, Obayagbona, Osuala, and others.

SIDE BAR: The Indictment offers the following explanations:

In "phishing" attacks, online criminals create fraudulent websites and e-mails that mimic the legitimate websites and e-mails of e-Commerce providers (such as banks, payroll processors, and utilities) in an attempt to trick unwitting computer users - who believe that they are dealing with legitimate websites - into divulging their Log-In Credentials and other personally identifying information, such as dates of birth, Social Security Numbers, addresses, telephone numbers, mother's maiden names, and responses to online security questions ("Personal Identifiers"). The Log-In Credentials and Personal Identifiers, once stolen, can be used in furtherance of computer crimes that involve unauthorized access to online accounts.

"Spear phishing" attacks are phishing attacks where online criminals select their victims using knowledge of the victims' existing account relationships. The attack depends upon the premise that impersonating communications from ADP, for example, is a far more effective tactic when communications are sent to ADP customers (a spear phishing attack) than if they are sent indiscriminately to employers nationwide (a phishing attack).

The Indictment alleges that Nwaki and his co-conspirators used the phished information to make unauthorized withdrawals from victims' accounts and to create fake driver's licenses that the conspirators could use to impersonate victims at bank branches. Nwaki admitted he worked with others to hire "soldiers" to go into the banks and impersonate real customers using fake licenses made with the soldiers' pictures. Nwaki also admitted he was asked as part of the scheme to impersonate company payroll officers in conversations with ADP, a national payroll processing company headquartered in New Jersey.

Allegedly, the ring also used the information to gain access to the victims' online accounts, where they could view victim signatures on check images in order to forge them on checks and withdrawal slips. In situations where banks noted that their customers were attempting to access their accounts from an unfamiliar computer or IP address, the institution might have sent an e-mail query; however, in some instances Nwaki was able to intercept those messages and reply with false assurances using the identifiers for confirmation.

Prosecutors allege that Chase Bank, Bank of America, ADP and Branch Bank & Trust Co. together lost approximately $1.3 million to the fraud ring.

Nwaki was arrested in Atlanta, GA, on Dec. 29, 2011, and has been detained since his arrest. Obayagbona and Hill are awaiting trial on the Indictment. Osuala is in custody on unrelated federal charges in Georgia. Jones is detained in Nigeria. Karklins and Chidi are at large.

On May 2, 2012, Nwaki pleaded guilty to one count each of wire fraud conspiracy; wire fraud; aggravated identity theft; and conspiracy to gain unauthorized access to computers (counts one, nine, 14, and 20 of the indictment against him). The wire fraud conspiracy and wire fraud counts to which Nwaki pleaded guilty each carry a maximum potential penalty of 20 years in prison; the aggravated identity theft count carries a mandatory two years in prison, to be consecutive to the sentence imposed on the wire fraud conspiracy count; and the computer fraud conspiracy count carries a maximum potential penalty of five years in prison. Each count also carries a maximum $250,000 fine.

NOTE: The charges and allegations contained in the Indictment are merely accusations, and the defendants are considered innocent unless and until proven guilty beyond a reasonable doubt in a court of law.