US man confesses to part in $1.3M bank and payroll phishing scam

Filed Under: Data loss, Law & order, Phishing

Waya Nwaki from

A 31-year-old US man from Atlanta, Georgia, admitted last week that he and his gang stole more than $1.3 million USD by phishing confidential account information from e-commerce sites, according to a release put out by New Jersey U.S. Attorney Paul J. Fishman.

Waya Nwaki, aka "Shawn Conley," aka "usaprince12k," pled guilty in Newark federal court to one count each of wire fraud conspiracy, wire fraud, aggravated identity theft, and conspiracy to gain unauthorized access to computers.

According to Fishman's release, Nwaki and his cohorts set up bogus web pages that mimicked legitimate sites of companies, such as banks and payroll processors.

The victimized online businesses include Chase Bank, Bank of America, ADP and Branch Bank & Trust Co. All together, they lost about $1.3 million to the fraud ring.

Customers of the legitimate sites mistakenly visited the fake pages and entered confidential information, including dates of birth, social security numbers, mothers’ maiden names, and account user names and passwords.

Members of Nwaki's gang then used the stolen confidential information to make unauthorized withdrawals from victims’ accounts.

Nwaki's indictment charges him with receiving stolen victim information from Karlis Karklins—a Latvian national who worked with Charles Umeh Chidi—and others to set up the phony sites.

The indictment further charges Nwaki with emailing the stolen information to Marvin Hill, Osarhieme Obayagbona, Alphonsus Osuala, and others.

Nwaki and his co-conspirators allegedly used the information to make unauthorized withdrawals from victims’ accounts. In some cases, it was also used to create fake driver’s licenses that the gang members then used to impersonate victims at bank branches.

Nwaki admitted to working with others to hire "soldiers"—i.e., accomplices who went into banks and impersonated customers with fake licenses bearing the soldiers’ pictures.

The criminal gang also used the ill-gotten information to gain access to victims’ online accounts, where they could view victim signatures on check images so as to forge signatures on checks and withdrawal slips.

Nwaki admitted to using the phished information to impersonate account holders and thereby intercept and respond to emails sent from the banks to customers when an unfamiliar computer or IP address accessed an account.

Nwaki also claimed that conspirators asked him to impersonate company payroll officers in conversations with ADP, a payroll processing company.

Nwaki has been detained since his arrest in Atlanta on Dec. 29, 2011. Obayagbona and Hill are now awaiting trial.

Osuala is in custody on unrelated federal charges in Georgia. Jones was detained in Nigeria. Karklins and Chidi are still at large.

The wire fraud conspiracy and wire fraud counts to which Nwaki pleaded guilty each carry a maximum potential penalty of 20 years in prison.

Aggravated identity theft carries a mandatory two-year prison sentence. The computer fraud conspiracy count carries a maximum potential penalty of five years in prison.

Each count also carries a maximum $250,000 fine.

The fact that Nwaki and his gang targeted banks is a reflection of a trend wherein phishers have been going after ever-more profitable targets.

In the second half of 2011, the Anti-Phishing Working Group (APWG) saw phishers gravitate toward victims "that can be monetized effectively," the consortium said in its Global Phishing Survey [PDF], published in April.

That means that phishers are going after fewer, but bigger, targets.

Thus, in the second half of 2011, PayPal, which for several years was, as described by the APWG, "far and away" the world's No. 1 phishing target, dropped out of favor to be replaced by one of China's top e-commerce sites,

APWG's interpretation of the shift:

"In general, phishers concentrated on a smaller number of targets, perhaps because it was not economical to reach users of smaller institutions, or because user credentials at certain targets command a better price."

What do we potential victims do with this information?

Be careful, particularly if you do your banking at a large online bank, because those are now the favored phishing grounds.

According to the APWG's survey, phishers are bypassing top-level domains in favor of subdirectories and subdomains. These have lighter defense compared with top-level domains, which are subject to companies' proactive scanning for impersonator sites.

The current fashion in phishing, as described by the APWG:

Phishers almost always place brand names in subdomains or subdirectories. This puts the misleading string somewhere in the URL, where potential victims may see it and be fooled. Internet users are rarely knowledgeable enough to be able to pick out the 'base' or true domain name being used in a URL.

Note: Sophos is a member of the APWG

, , , , , , , , , , , , , ,

You might like

One Response to US man confesses to part in $1.3M bank and payroll phishing scam

  1. I investigated Bank of America, reporting my findings in my book I SEE RUDE PEOPLE (McGraw-Hill, 2009) and found that it was especially possible there to steal BofA customers' identity at their teller windows because they cheaped out on their computer system. Instead of having a single computer system connecting all the banks they bought, many tellers can see no more than how much money you have in your account. They basically just *hope* it's you.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.