Jailed Apple phishing duo also imported pickpockets and cloned credit cards

Constanta Agrigoroaie and Radu Savoae. Images courtesy of Metropolitan Police.

Constanta Agrigoroaie and Radu Savoae. Images courtesy of Metropolitan Police.How’s this for irony? A pair of fraudsters phished bank account details out of over 150 Apple users by sending them hairy-scary messages about their accounts having been compromised.

Naturally, those accounts weren’t compromised before the messages came, but they sure were compromised in short order after the crooks coerced people into sending account details to a bogus website.

London’s Metropolitan Police said in a release that the duo sent emails claiming to be from Apple.

The emails directed victims to update details for the purportedly compromised accounts by clicking on a link to a bogus website.

When the unsuspecting victims complied, sending data that included bank details, an email was sent directly to the defendants.

They used the details to siphon off money. Then, they turned around and used that money to buy tickets for more foreign national criminals – in effect, importing people to commit crime in the UK.

Pickpocketing on London’s transport network was a popular activity for the newly imported thieves to undertake, according to the Met Police, as was stealing metal.

The convicted pair are Constanta Agrigoroaie, 23, and Radu Savoae, 28, of Mornington Avenue, Ilford.

When police arrived at the couple’s address on 4 April, they said that they found Agrigoroaie sitting in front of a computer, checking out websites belonging to east European airlines.

She also had a script open, showing what police said was a vast amount of personal details, including bank card details with the full 16-digit number, expiry date and CVV number, as well as victims’ home addresses.

Police later arrested Savoae when he arrived at the house.

When they searched the place, police found a number of laptops, iPads, printers and USBs, a “vast” quantity of blank credit cards, an embossing machine, a hot foil tipping machine, and a magnetic card reader used to manufacture cloned credit cards.

Image of phishing courtesy of ShutterstockInvestigators also found fake Spanish and Romanian ID cards and a load of cash.

Forensics work uncovered more than 150 credit card numbers and personal details of unknown people from around the globe.

Investigators discovered a spreadsheet on the seized computer that showed a number of fraudulent transactions for vehicle insurance, flight bookings and other purchases for people the police identified as thieves involved in pick-pocketing and theft-of-metal offenses.

The two phishers were sentenced at Snaresbrook Crown Court on Thursday after pleading guilty to conspiracy to commit fraud, six counts of possession of fraudulent ID cards and possessing equipment to make fraudulent ID and bank cards.

They’re looking at a combined total of 14 years behind bars for having weaseled £15,000 ($25,630) out of their targets: Agrigoroaie was sentenced to six years and Savoae was sentenced to eight.

Chief Superintendent Matt Bell, Roads and Transport Policing Command said in the release that putting the two behind bars should keep others from falling prey to what sounds like a pretty convincing scam:

This 'phishing' duo took advantage of many internet users and duped them into providing their personal information. However as a result of a tireless investigation by the RTPC, they have been jailed which has no doubt prevented numerous bank customers from becoming victims of this crime.

Here’s a perfect example of why we should never send account details via email or be too knee-jerkish when it comes to clicking on links, even if the sender looks perfectly legitimate and sends an official-looking request – particularly when that request urgently tells us to hand over the keys to the kingdom.

It’s not just the victims’ fault, though. Not all legitimate businesses have wised up to the fact that they shouldn’t include quick-and-easy links to login pages.

As Naked Security’s Paul Ducklin pointed out recently, after the Heartbleed data leakage revelations, lots of websites got nervous about the prospect of leaked passwords.

Unfortunately, a lot of those jittery sites just couldn’t resist sending reset links to customers.

It would be nice to think we’re all too savvy to fall for scams like the newly arrested Fagins, but alas! It isn’t so.

In fact, an in-house awareness test run late last year managed to persuade 1,850 of the Canadian Justice Department’s 5,000 staff to click on scammy links – a fail rate that approaches 40%.

Hopefully, a recent article we wrote should both help businesses to avoid crafting phishy sounding emails and recipients to sniff out the difference between phish and real: Phish or legit – Can you tell the difference?

Images of Constanta Agrigoroaie and Radu Savoae courtesy of Metropolitan Police. Image of phishing courtesy of Shutterstock.