The Italian Job: international phishing gangs in the operation "Phish & Chip"
Digital PhishNet Conference, San Diego, CA, September 30th, 2008

Operation "Phish & Chip" (started in February 2007)

Participating bodies:
- Provincial Command of the Military Financial Police in Milan (Guardia di Finanza, Gruppo Pronto Impiego)
- MINISTERUL INTERNELOR SI REFORMEI ADMINISTRATIVE, INSPECTORATUL GENERAL AL POLIȚIEI ROMÂNE, Direcția Generală de Combatere a Criminalității Organizate, Brigada de Combatere a Criminalității Organizate
- Criminal Court in Milan, Cybercrime Unit (Procura della Repubblica presso il Tribunale di Milano)

In December 2007, for the first time in Italy, the Judge for the preliminary hearing, Piero Gamacchio, returned a verdict of guilty against two transnational criminal associations that had committed phishing offences:
- 6 years' sentence (the main responsible person)
- 5 years and 4 months' sentence (the Romanian phisher arrested in Italy)
- the suspects chose the so-called summary procedure (1/3 reduction of the penalty)

After one year of investigation, in April 2008 we also had the first verdict of guilty for two young Romanian phishers who were operating directly from Romania as an important element in the criminal environment: they were arrested in Craiova at the end of the previous year and extradited to Italy following the issuance of a European arrest warrant.
- 3 years and 1 month sentence (they were the only ones to give back the money)

Timeline:
- Phish & Chip start (February 2007)
- 5 months of investigation
- 26 warrants of arrest (July 2007)

The targets: "Poste Italiane" is the government-owned postal service, which offers financial services across Italy; "Banca Intesa" is one of the most important banks in Italy.

"the first attempt to face the phenomenon of the criminal organizations apt to the systematic attempt of phishing in an organic manner, both from the investigative point of view and also contesting offences of association" (Mr. Guido Salvini, Judge for preliminary investigations)

Notified charges:
- criminal association
- falsification of IT communication content
- unauthorized access to IT systems
- aggravated fraud
- unauthorized use of credit cards

Transnational charges: the criminal acts took place in Italy but, for an important portion, had been planned in Romania. Regarding Phish & Chip it was possible to apply, for the first time in a phishing case, the rules of the Italian law that ratified the United Nations Convention against Transnational Organized Crime. This Convention also allows the confiscation of assets for the equivalent value of the product, profit or price of the offence.

(screenshot of a forensic file listing: \download\Adsense SECRET - Profit In Less Than 5 Minutes\How To Guide.txt, timestamps 09/01/07 11:51:58, 12/02/07 11:12:03, 09/01/07 11:51:58, How To Guide.txt)

Investigative strategy:
- profiling cybercrime
- telephone interceptions
- lying in wait
- money flow analysis

One step back: March 2005 (the first phishing email in Italy). A way to transfer money abroad?
- 1st step: phishing email
- 2nd step: email offering a job as "financial manager" ("Let's work for us!")
- 3rd step: online illegal bank transfer
- 4th step: operative instructions to the financial manager ("... there is money for you!")
- 5th step: Western Union money transfer operation

As soon as we found out about this new criminal method, the Italian Judicial Authority reached an agreement with Western Union Inc. in the USA ("the international seizure warrant"):
- "the international seizure warrant" = delaying the suspect money transfers for 48 hours, which was the time needed to verify everything
- "the international seizure warrant" = seizing over 250,000 euros in two months (thanks to the guys of the Military Financial Police in Milan called "Gruppo Repressione Frodi", and in particular to Mr. Gerardo Costabile and Mr. Giuseppe Mazzaraco)

"If the mountain won't come to Muhammad, Muhammad must go to the mountain!" In order to evade the monitoring of the Western Union transactions, in 2006 we had the first case of people coming directly from Eastern Europe to Italy to collect the money from phishing attacks by themselves.
- 4 years' sentence (2 Latvians arrested in Milan, whose purpose was to open bank accounts with false passports and documentation)

Can I stay abroad, sending phishing emails and receiving money without using Western Union? A new kind of cybercrime, immediately discovered through the Phish & Chip operation: prepaid credit cards... I LOVE YOU!

Fraud management of Poste Italiane: monitoring of the prepaid card activations within the territory of Milan; unusual buying of prepaid cards; report of unusual operations concerning prepaid cards to the Guardia di Finanza.

Operative framework:
- members of the organization activating prepaid cards
- the phisher, sending emails, collecting the access data and entering the bank accounts
- the boss, whose duty was:
  - to collect the prepaid cards, paying 50/100 euros for each purchase
  - to give the phisher instructions in order to top up the cards
  - to withdraw the money once each card had been topped up

Operative framework (diagram labels): fake web pages on servers abroad; prepaid card collecting; recruitment and management of the members of the organization; spamming; access data from phishing; topping up the cards through online illegal bank transfers; ATM withdrawals.

The casino system: the withdrawal of the illegally transferred amounts was carried out through a particular mechanism. Some members of the criminal organisation went to Italian and foreign casinos (mainly in Germany, Austria and Greece) and purchased chips (fiches) for the maximum allowed amount with the illegally "charged" cards. In this way they managed to "monetize" 3,000 euros per withdrawal, instead of the mere 250 euros at the bank ATMs.

Timeline of the investigation:
- February 9th, 2007: identification of an Italian IP address regarding an illegal online bank transfer operation; operation start; log files request
- February 26th, 2007: interception beginning

The mobile interception: an elementary information-system mistake, even for a criminal association committing cybercrimes... using the same SIM card, even if only once, both for the illegal activities via the Internet and for the conversations between the people taking part in the criminal association (conversations + Internet operations).

House searches, telephone interceptions and the analysis of chat content among the various targets, both in Italy and Romania, during the first phase of the investigation guaranteed a precious collection of evidence and important confirmations of the investigative hypothesis.

The closure of the investigation about the first of the two criminal organizations: the hacker of the first group was a 22-year-old Romanian. During his questioning at the Attorney's office he confessed to sending emails as if they had been sent by Poste Italiane and to collecting the victims' access data on email addresses of providers operating in Italy but with servers based abroad. The computer forensics analysis confirmed his confession.

The phishing email used and its link to a fake Poste Italiane website:

```html
<TABLE cellSpacing=0 cellPadding=3 bgColor=#373abe border=0>
<TBODY>
<TR>
<TD>
<TABLE cellSpacing=1 cellPadding=2 width=570 border=0><!-- STN MODIFIED for Courier New into BODY TEXT: <TBODY>
<TBODY>
<TR bgColor=#ffffff>
<TD><FONT face=Courier>
<DIV align=left><FONT face=Verdana size=2><STRONG>Caro cliente Poste.it,</STRONG></FONT></DIV>
<DIV align=left> </DIV>
<DIV align=left><FONT face=Verdana size=2>Una nuova gamma completa di servizi online è adesso disponibile !</FONT></DIV>
<DIV align=left><FONT face=Verdana size=2>Per poter usufruire dei nuovi servizi online di Poste.it occorre prima diventare UTENTE VERIFICATO.</FONT></DIV><FONT face=Verdana size=2><FONT size=3> </FONT>
<DIV align=left><BR>
<A title="Accedi a Poste.it »" href="http://www.bancopostaonline.smtp.ru/myposte/online/personale/loginhome.fcc?TYPE=33554433&REALMOID=06-695104d5-ea5e-11d7-b948-0004ac930313&GUID=NO&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-FPzPQkoRGVLrueTkY6Sv%2fY%2biVtboedS11OLZk%2fRYho8UmgBWAwYmy9fHt6KinlBc&TARGET" target=""><IMG alt="Accedi a Poste.it »" src="http://posteitaliane.it/img/ico/egramma_g.gif" border=0></A><FONT size=3>
<A title="Accedi a Poste.it »" href="http://www.bancopostaonline.smtp.ru/myposte/online/personale/loginhome.fcc?TYPE=33554433&REALMOID=06-695104d5-ea5e-11d7-b948-0004ac930313&GUID=NO&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-FPzPQkoRGVLrueTkY6Sv%2fY%2biVtboedS11OLZk%2fRYho8UmgBWAwYmy9fHt6KinlBc&TARGET" ?><FONT color=#0000ff size=2><STRONG>Accedi ai servizi online di Poste.it e diventa UTENTE VERIFICATO »</STRONG></FONT></A><STRONG> </STRONG></FONT></DIV>
<DIV align=left><STRONG><FONT size=3></FONT></STRONG> </DIV>
<DIV align=left>L'Assistenza Clienti, dopo aver ricevuto la documentazione e averne verificato la completezza e la veridicità, provvederà immediatamente ad attivare il suo "<STRONG>Nome Utente Verificato</STRONG>". Verrai informato telefonicamente di tale attivazione.</DIV></FONT><BR><BR><IMG alt=TELEFONO src="http://www.poste.it/img/ico/telfono_b.gif" border=0></FONT><FONT face=Verdana size=2> <B>TELEFONO</B><BR><STRONG>Numero gratuito 803.160</STRONG> (dal lunedì al sabato dalle ore 8 alle ore 20).</FONT></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE>
```

Some FTP log found on the phisher's computers:

```text
< 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
< 220-You are user number 8 of 500 allowed.
< 220-Local time is now 22:09. Server port: 21.
< 220-This is a private system - No anonymous login
< 220 You will be disconnected after 5 minutes of inactivity.
> USER bpol_promozion01
< 331 User bpol_promozion01 OK. Password required
> PASS (hidden)
< 230 0 Kbytes used (0%) - authorized: 381178347520 Kb
..........
< 150 Connecting to port 49177
< 226 1 matches total
! 68 bytes received/sent in 0 seconds (723 Bytes/sec)
> MKD myposte
< 257 0 Kbytes used (0%) - authorized: 381178347520 Kb
> TYPE A
> LIST
< 150 Connecting to port 49180
< 226 1 matches total
! 64 bytes received/sent in 0 seconds (688 Bytes/sec)
> CWD /myposte/online
< 250 OK. Current directory is /myposte/online
> TYPE A
< 200 TYPE is now ASCII
> PORT 217,201,132,173,192,29
< 200 PORT command successful
> LIST
< 150 Connecting to port 49181
< 226 0 matches total
! 0 bytes received/sent in 0 seconds (0 Bytes/sec)
> MKD personale
< 257 0 Kbytes used (0%) - authorized: 381178347520 Kb
> TYPE A
< 200 TYPE is now ASCII
> PORT 217,201,132,173,192,30
< 200 PORT command successful
> LIST
< 150 Connecting to port 49182
< 226 1 matches total
! 67 bytes received/sent in 0 seconds (1080 Bytes/sec)
> CWD /myposte/online/personale
< 250 OK. Current directory is /myposte/online/personale
> TYPE A
< 200 TYPE is now 8-bit binary
> PORT 217,201,132,173,192,34
< 200 PORT command successful
> STOR /myposte/accediservizi.css
< 150 Connecting to port 49186
< 226 1.113 seconds (measured here), 1.16 Kbytes per second
! 1318 bytes received/sent in 1 seconds (1190 Bytes/sec)
> PORT 217,201,132,173,192,35
< 200 PORT command successful
> STOR /myposte/esigenze.css
```

The continuation of the investigations in order to arrest the two Romanian phishers in Craiova:
- the interception of communications in Romania (asked for and obtained through a rogatory letter)
- the exchange of information, often in real time, between the investigators in Craiova and the officials of the Guardia di Finanza in Milan turned out to be of vital importance for the identification, localization and subsequent capture of the main responsible person and of some fugitives who escaped to Romania during the July arrests
- some money flows from Italy to Romania have been analyzed and reconstructed: this has already allowed the identification of the fees paid for the contribution of the technical experts who participated in the association

The two young Romanian phishers arrested in Craiova: October 23rd, 2007 and December 28th, 2007.

The Romanian Information Technology Olympic Games: the second young man was much more expert and better than the first one. In fact, the criminal organization needed to "empty" a bank account of 100,000 euros, so they called another phisher, known in the young criminal underground because he had successfully taken part in the Romanian Information Technology Olympic Games in 2004... Besides, we arrived at his definitive identification also because the ranking was still available on the Internet: http://olimpiada.info/oni2004/participanti/participanti.htm.

In order to take the young "Olympic man", currently held in Como Jail, back to Craiova, it seems that even "a powerful Romanian information technology industrialist is taking action", who is "always looking for new brains to employ in his societies", considering moreover that the phisher would be "the son of a programmer of the Romanian Government".
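As an added example (not part of the original presentation), the following Python script applies the check an analyst would run on a mail like the one above: it collects every link and image from the HTML and flags anchors whose visible brand text points at a host outside the brand's own domains, while the graphics are still served from the genuine site. SAMPLE_EMAIL is a constructed, shortened copy of the mail above; LEGIT_DOMAINS and BRAND_WORDS are assumptions about the brand being impersonated.

```python
"""Flag brand-impersonating links in a phishing HTML email (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed, shortened copy of the Poste Italiane phish shown above:
# visible text and images say Poste.it, but the link target is on smtp.ru.
SAMPLE_EMAIL = """
<DIV><STRONG>Caro cliente Poste.it,</STRONG></DIV>
<A title="Accedi a Poste.it »" href="http://www.bancopostaonline.smtp.ru/myposte/online/personale/loginhome.fcc?TYPE=33554433&GUID=NO">
<IMG alt="Accedi a Poste.it »" src="http://posteitaliane.it/img/ico/egramma_g.gif" border=0></A>
<IMG alt=TELEFONO src="http://www.poste.it/img/ico/telfono_b.gif" border=0>
"""

# Assumption: the domains the real brand hosts content on, and its name fragments.
LEGIT_DOMAINS = ("poste.it", "posteitaliane.it")
BRAND_WORDS = ("poste", "bancoposta")


class LinkCollector(HTMLParser):
    """Collect (href, title) of every <a> and the src of every <img>."""
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], a.get("title") or ""))
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])


def on_brand(host, legit=LEGIT_DOMAINS):
    """True if host is one of the legitimate domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in legit)


def analyse(html):
    p = LinkCollector()
    p.feed(html)
    off_brand = []
    for href, title in p.links:
        host = (urlsplit(href).hostname or "").lower()
        if on_brand(host):
            continue
        reasons = []
        if any(w in title.lower() for w in BRAND_WORDS):
            reasons.append("brand name in link text, but host is " + host)
        if any(w in host for w in BRAND_WORDS):
            reasons.append("brand name used as a lookalike label in " + host)
        off_brand.append({"host": host, "reasons": reasons})
    # Graphics pulled from the real site while links go elsewhere is a classic tell.
    brand_images = sum(on_brand((urlsplit(s).hostname or "").lower()) for s in p.images)
    return {"off_brand_links": off_brand, "brand_hosted_images": brand_images,
            "suspicious": bool(off_brand) and brand_images > 0}
```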
(according to the Italian press)

Final considerations:
- an agile cooperation model between the police force and legal authorities, which also works in real time and is therefore able to carry out an efficient counter-action (EUROJUST, Den Haag, Netherlands)

"I did the activities so far described on my computer, which I had in Craiova. I never thought that in that way I could be traced, as I used a program, provided free by "America On Line" and utilized to have AOL's servers as proxy, so that all my Internet navigation was referable to an American IP."

What really counts is the investigative imagination of people, more than the technical potential of machines (set against that of the cyber criminals).

Thank you!

For more information: F. CAJANI, G. COSTABILE, G. MAZZARACO, "Phishing e furto di identità digitale. Indagini informatiche e sicurezza bancaria" (Phishing and digital identity theft. Legal investigations and bank security), Giuffrè, 2008, www.giuffre.it

Contacts:
Francesco Cajani, Deputy Public Prosecutor, Cybercrime Unit, Court of Law in Milan, Italy: francesco.cajani@giustizia.it
Marshal Davide D'Agostino: dagostino.davide@gdf.it
Marshal Giuseppe Gorgoni: gorgoni.giuseppe@gdf.it
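As an added example (not from the presentation), this Python script shows the kind of reconstruction a forensic examiner makes from a client-side FTP log like the one found on the phisher's computer: it replays the commands the client sent, resolves relative paths against the current directory to list the directories and files placed on the server, and decodes the PORT arguments into the client's IP address and data port, which is what ties an upload of the fake site to an IP address. FTP_LOG is a constructed excerpt of the log shown above.

```python
"""Replay a client-side FTP log to list what was uploaded and from where (added example)."""
import posixpath

# Constructed excerpt of the Pure-FTPd session shown above ("> " = sent by the
# client, "< " = server reply); replies not needed for the replay are omitted.
FTP_LOG = """\
< 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
> USER bpol_promozion01
< 331 User bpol_promozion01 OK. Password required
> PASS (hidden)
> MKD myposte
> CWD /myposte/online
< 250 OK. Current directory is /myposte/online
> PORT 217,201,132,173,192,29
> LIST
< 150 Connecting to port 49181
> MKD personale
> CWD /myposte/online/personale
> PORT 217,201,132,173,192,34
> STOR /myposte/accediservizi.css
< 150 Connecting to port 49186
> STOR /myposte/esigenze.css
"""


def port_endpoint(arg):
    """Decode FTP 'PORT h1,h2,h3,h4,p1,p2' into (client_ip, data_port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def reconstruct(log):
    """Walk the commands the client sent, tracking the working directory."""
    s = {"user": None, "client_ip": None, "data_ports": [],
         "dirs_created": [], "files_stored": [], "cwd": "/"}
    for line in log.splitlines():
        if not line.startswith("> "):
            continue                        # only client commands are replayed
        cmd, _, arg = line[2:].partition(" ")
        resolved = posixpath.normpath(posixpath.join(s["cwd"], arg))
        if cmd == "USER":
            s["user"] = arg
        elif cmd == "PORT":                 # active mode: reveals the client's IP
            s["client_ip"], port = port_endpoint(arg)
            s["data_ports"].append(port)
        elif cmd == "CWD":
            s["cwd"] = resolved
        elif cmd == "MKD":
            s["dirs_created"].append(resolved)
        elif cmd == "STOR":
            s["files_stored"].append(resolved)
    return s
```

The decoded data ports match the server's "Connecting to port" replies in the log, which is a quick consistency check that the PORT lines were transcribed correctly.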