Case Study – Op Allandale
13/04/2015 T/DCI Jason Tunn - MPCCU

• In October 2012, MPS were notified of 2600 phishing pages loaded onto the web aimed at Barclays Bank
• Initial estimates of only 400 victims and losses of £30,000
• Accepted as a crime in action & proactive response launched
• Suspect identified

Intelligence report to MPS

• One suspect IP address seen to access a number of victim accounts.
• Fast time intelligence development revealed 3 varying identities – Samual ETU, Sunday ETU and Sunny ETU
• Banking evidence revealed expenditure in Central London for all ETU bank accounts
• Further examination of suspect IP addresses also revealed unlawful access taking place from Park Plaza Hotel, Westminster

Park Plaza Hotel

• Enquiries with Park Plaza Hotel identified that a person by name of ETU had stayed at the hotel on a regular basis
• Intelligence gathering exercise commences on ETU
• Significant spending identified on ETU cards at Aura Club, Mayfair
• CCTV comparison proved Samual ETU was the prime suspect

Surveillance & Arrest

• ETU traced to Birmingham area
• Surveillance operation mounted. ETU found at Park Plaza hotel. Seen to meet with 2 Eastern European males
• Checks identified them as Ionut CARAMAN and Adrian IORGOVEANU from Constanta, Romania. Due to leave UK in 2 days' time
• All suspects seen to spend substantial cash in luxury West End stores.
• All arrested in hotel room after seen taking laptops into a single room

Exhibit SCM/4

International evidence

• Computer found to be remote connected to criminal server
• Seized exhibits from room found to have limited evidence
• Criminal servers in France and USA identified
• Letters of Request sent

Yahoo chat from OVH France
Etu Caraman

Altairdata.me

• Remote server in Texas connected to using FTP (File Transfer Protocol)
• Encrypted
• All responses to phishing pages sent to a Gmail account which had an automated sorting program
• 73,590,439 - unique email addresses from text files only containing email addresses.
• 108,608 - unique email addresses with a country code
• 13,383,902 - unique IP addresses from text files only containing IP addresses
• 295,962 - unique IP addresses with location/geographical information.

• 1,508,680 - IP address
• 325,655 - Web address
• 3,171,372 - Email address
• 214,473 - Credit card #
• 176,252 - Visa/AMEX/MASTER

• 14 phishing programmes targeting 47 banking institutions across 14 different countries

Mule arrest phase

• Mule network identified in Telford through movement of funds between accounts
• Most linked through social networking
• Over 100 combined MPS and West Mercia resources briefed for arrest phase.
• 9 arrested simultaneously at numerous addresses
• Pressure on top tier criminals

Reduction in UK Phishing

Convictions

Ionut Caraman – Coder from Romania
• Sec 1 Cons to commit Fraud, Criminal Law Act 77
• Sec 7 Fraud Act 06
• sec 329(1) POCA02
• Pleaded guilty
• 7 years 2 months

Adrian Iorgoveanu – Facilitator from Romania
• Sec 1 Cons to commit Fraud, Criminal Law Act 77
• Sec 7 Fraud Act 06
• sec 329(1) POCA02
• Pleaded guilty
• 5 years 7 months

Samual Etu – Man in country
• Sec 1 Cons to commit Fraud, Criminal Law Act 77
• Sec 7 Fraud Act 06
• sec 329(1) POCA02
• X5 false identity doc, S4 Identity Cards Act 2010
• Found guilty
• 8 years

Wright, Robertson, Colley, Collins – Mules
• sec 329(1) POCA02
• Pleaded guilty
• Various minor sentences