45-Month Sentence in Phishing SchemeRomanian Aided in Theft of Thousands of Card Numbers
A Romanian has been sentenced to 45 months in prison for his role in a phishing scheme that netted thousands of credit and debit card numbers from U.S. financial institution customers.
Iulian Schiopu was part of a loose-knit conspiracy of individuals from Craiova, Romania and neighboring areas that shared files, tools and stolen information obtained through phishing, according to the U.S. Attorney's Office for the District of Connecticut.
The scheme involved sending e-mails to customers purporting to come from various financial institutions, authorities say. In one incident, a resident of Madison, Conn., contacted the FBI about a suspicious e-mail that she had received that purported to be from Connecticut-based People's Bank. The e-mail stated that the recipient's online banking access profile had been locked and instructed the recipient to click on a link to a Web page where the recipient could enter information to "unlock" the profile, prosecutors say.
The Web page appeared to originate from People's Bank, but was actually hosted on a compromised computer in Minnesota. Any personal identifying and financial information provided by the individual would be sent by e-mail to individuals in Romania, according to the U.S attorney.
Other financial institutions and companies targeted by the defendants included Citibank, Capital One, Bank of America, JPMorgan Chase, Comerica Bank, Regions Bank, LaSalle Bank, U.S. Bank, Wells Fargo, eBay and PayPal.
Schiopu, along with co-conspirators, used and shared a number of e-mail messages containing credit or debit card numbers, expiration dates, CVV codes, PIN numbers and other personal identification information, such as names, addresses, telephone numbers, dates of birth and Social Security numbers, prosecutors say. The co-conspirators then used the information to access bank accounts and lines of credit to withdraw funds without authorization, often from ATMs in Romania.
Schiopu was primarily involved in the harvesting of e-mail addresses, trafficking in stolen information and cashing out credit and debit card account numbers, authorities say in a sentencing memo.
Schiopu pleaded guilty on April 23 to one count of conspiracy to commit fraud in connection with access devices. Of the 19 other defendants also charged in the phishing conspiracy, 12 pleaded guilty and one was convicted at trial; all 13 have been sentenced, prosecutors told Information Security Media Group. Six defendants still remain at large.