US man confesses to part in $1.3M bank and payroll phishing scam

Waya Nwaki from

A 31-year-old US man from Atlanta, Georgia, admitted last week that he and his gang stole more than $1.3 million USD by phishing confidential account information from e-commerce sites, according to a release put out by New Jersey U.S. Attorney Paul J. Fishman.

Waya Nwaki, aka “Shawn Conley,” aka “usaprince12k,” pled guilty in Newark federal court to one count each of wire fraud conspiracy, wire fraud, aggravated identity theft, and conspiracy to gain unauthorized access to computers.

According to Fishman’s release, Nwaki and his cohorts set up bogus web pages that mimicked legitimate sites of companies, such as banks and payroll processors.

The victimized online businesses include Chase Bank, Bank of America, ADP and Branch Bank & Trust Co. All together, they lost about $1.3 million to the fraud ring.

Customers of the legitimate sites mistakenly visited the fake pages and entered confidential information, including dates of birth, social security numbers, mothers’ maiden names, and account user names and passwords.

Members of Nwaki’s gang then used the stolen confidential information to make unauthorized withdrawals from victims’ accounts.

Nwaki’s indictment charges him with receiving stolen victim information from Karlis Karklins—a Latvian national who worked with Charles Umeh Chidi—and others to set up the phony sites.

The indictment further charges Nwaki with emailing the stolen information to Marvin Hill, Osarhieme Obayagbona, Alphonsus Osuala, and others.

Nwaki and his co-conspirators allegedly used the information to make unauthorized withdrawals from victims’ accounts. In some cases, it was also used to create fake driver’s licenses that the gang members then used to impersonate victims at bank branches.

Nwaki admitted to working with others to hire “soldiers”—i.e., accomplices who went into banks and impersonated customers with fake licenses bearing the soldiers’ pictures.

The criminal gang also used the ill-gotten information to gain access to victims’ online accounts, where they could view victim signatures on check images so as to forge signatures on checks and withdrawal slips.

Nwaki admitted to using the phished information to impersonate account holders and thereby intercept and respond to emails sent from the banks to customers when an unfamiliar computer or IP address accessed an account.

Nwaki also claimed that conspirators asked him to impersonate company payroll officers in conversations with ADP, a payroll processing company.

Nwaki has been detained since his arrest in Atlanta on Dec. 29, 2011. Obayagbona and Hill are now awaiting trial.

Osuala is in custody on unrelated federal charges in Georgia. Jones was detained in Nigeria. Karklins and Chidi are still at large.

The wire fraud conspiracy and wire fraud counts to which Nwaki pleaded guilty each carry a maximum potential penalty of 20 years in prison.

Aggravated identity theft carries a mandatory two-year prison sentence. The computer fraud conspiracy count carries a maximum potential penalty of five years in prison.

Each count also carries a maximum $250,000 fine.

The fact that Nwaki and his gang targeted banks is a reflection of a trend wherein phishers have been going after ever-more profitable targets.

In the second half of 2011, the Anti-Phishing Working Group (APWG) saw phishers gravitate toward victims “that can be monetized effectively,” the consortium said in its Global Phishing Survey [PDF], published in April.

That means that phishers are going after fewer, but bigger, targets.

Thus, in the second half of 2011, PayPal, which for several years was, as described by the APWG, “far and away” the world’s No. 1 phishing target, dropped out of favor to be replaced by one of China’s top e-commerce sites,

APWG’s interpretation of the shift:

"In general, phishers concentrated on a smaller number of targets, perhaps because it was not economical to reach users of smaller institutions, or because user credentials at certain targets command a better price."

What do we potential victims do with this information?

Be careful, particularly if you do your banking at a large online bank, because those are now the favored phishing grounds.

According to the APWG’s survey, phishers are bypassing top-level domains in favor of subdirectories and subdomains. These have lighter defense compared with top-level domains, which are subject to companies’ proactive scanning for impersonator sites.

The current fashion in phishing, as described by the APWG:

Phishers almost always place brand names in subdomains or subdirectories. This puts the misleading string somewhere in the URL, where potential victims may see it and be fooled. Internet users are rarely knowledgeable enough to be able to pick out the 'base' or true domain name being used in a URL.

Note: Sophos is a member of the APWG