US authorities have charged 38 members of an international criminal gang that allegedly used spam e-mails to steal bank account details and passwords from thousands of customers.
A federal grand jury in Los Angeles has charged 33 people - 22 Romanians, five Vietnamese, three Americans, one Cambodian, one Pakistani and one Mexican - in a 65-count indictment, according to the US Department of Justice.
Seven Romanians were charged in a District of Connecticut indictment for their roles in an Internet phishing scheme, including two who were also charged in Los Angeles.
The group is accused of participating in an international racketeering scheme that used the Internet to defraud thousands of individual victims and hundreds of financial institutions.
According to the Los Angeles indictment, gang members based in Romania obtained thousands of credit and debit card accounts and related personal information through phishing. The DoJ says the gang unleashed more than 1.3 million spam e-mails in one phishing attack.
The Romanian "suppliers" then sent the data to US-based "cashiers" via Internet chat messages. The cashiers used encoders to record the stolen information onto the magnetic strips on credit and debit cards.
"Runners" then tested the fraudulent cards by checking balances or withdrawing small amounts of money at ATMs. The cards that were successfully tested - dubbed cashable - were used to withdraw money from ATMs or point of sale terminals.
A portion of the proceeds was then wire-transferred to the supplier who had provided the access device information.
The Los Angeles indictments include charges of conspiracy to violate the Racketeer Influenced and Corrupt Organisations (Rico) Act, conspiracy in connection with access devices, unauthorised access to a protected computer, bank fraud and aggravated identity theft.
The Rico conspiracy charge carries a maximum prison sentence of 20 years, while production, use and trafficking in counterfeit access devices carries a maximum 10 year prison sentence. The charge of bank fraud carries a maximum 30 year prison sentence.
Seuong Wook Lee, a cashier in the scheme, pleaded guilty on May 15 to racketeering conspiracy, bank fraud, access device fraud and unauthorised access of a protected computer, says the DoJ.
The Connecticut investigation was triggered by a phishing e-mail message received by a customer of Connecticut-based People's Bank. The e-mail directed victims to a computer in Minnesota that had been compromised and used to host a bogus Web banking site.
The gang also targeted customers of other banks, including Citibank, Capital One, JPMorgan Chase, Comerica Bank, Wells Fargo, eBay and PayPal.
Commenting on the international investigation, Deputy Attorney General Mark Filip, says: "Criminals who exploit the power and convenience of the Internet do not recognise national borders; therefore our efforts to prevent their attacks cannot end at our borders either."
"This case shows that Internet fraudsters cannot avoid prosecution just by launching their attacks against US residents and US companies from overseas," says Acting US Attorney for the District of Connecticut Nora Dannehy. "With the help of our law enforcement partners around the world, we will investigate and prosecute fraudsters wherever they can be found."
In separate news, high street bank Abbey is the UK financial institution most targeted by phishing fraudsters, according to figures from anti-spam outfit Clearmymail.
In the first quarter of 2008 33% of all phishing e-mails blocked by Clearmymail were targeting Abbey - up from just six per cent in the fourth quarter of 2007. Citi was second in the table and the target of 19.2% of spam, followed by Natwest 11.6%, Halifax 8.5% and PayPal 7.2%.
In Janaury Clearmymail named NatWest as the bank most targeted by phishers, based on a review of all the spam and fraudulent phishing e-mails blocked by the vendor in December.