A Romanian man has been jailed for 11 years after pleading guilty to his role in three cyber security scams.
Adrian Mitan was charged in 2018 with conducting a money laundering scheme arising from eBay fraud, a brute-force phishing scheme and a vishing campaign.
Mitan admitted to posting adverts for bogus goods on online marketplaces such as eBay and Craigslist. Once the victim paid for the item, the cyber crime gang laundered the money to prevent the purchaser from claiming a refund.
These scams are prevalent across online auction sites, because it’s almost impossible for organisations to ensure that their sellers are genuine.
Attackers typically create a new account for each scam and close it down once they’ve duped someone, preventing victims from submitting complaints.
There is also typically no need to authenticate your identity when creating an account, making it difficult to identify who was responsible.
However, an FBI investigation was able to connect Mitan to a string of offences in a rare victory for law enforcement over cyber criminals.
According to one report, only 20% of fraud offences are reported to the police – and only a handful of those lead to convictions. This is partly due to a lack of resources to investigate incidents but also down to attackers’ ability to cover their tracks.
Another factor is that attackers are often based in a foreign country, limiting the jurisdiction of national law enforcement agencies.
In this case, though, the FBI was helped by the fact that Mitan’s money laundering scheme was partially based in the US.
Phishing and vishing attacks
Mitan also confessed to conducting a phishing scam in which he captured people’s payment card details. His co-conspirators used the information to launch brute-force attacks on point-of-sale systems, gathering the additional information needed to create cloned payment cards and make cash withdrawals.
The money was then converted to bitcoin in an account controlled by Mitan.
Mitan also orchestrated a vishing scheme, a type of phishing attack conducted over the phone rather than by email.
The gang hacked into small businesses’ voice over IP systems, and used a script to phone financial institution customers and trick them into handing over their payment card details.
Mitan said that he and his gang targeted more than ten organisations and gathered 2,130 payment card details.
Protect your organisation from scams
The key to avoiding phishing scams such as these is education. Attackers are always looking for ways to bypass technological defences, and when they do, organisations depend on their employees to spot the signs of a scam.
Our Complete Staff Awareness E-learning Suite offers a quick, affordable and comprehensive solution to your training needs.
The suite contains all eight of our e-learning courses, covering essential topics such as the GDPR, ISO 27001 and phishing. All you need to do is purchase a licence for the number of staff taking the courses.
The suite is available on a one-year, easily renewable licence, and the courses can be taken as many times as you like.