Phishing with the Mafia

There is a tradition in organized crime that is absent in cybercrime: the threat of physical violence. This threat rests largely on reputation. Once an individual or a group gets a reputation for violence and for carrying out threats, they are in a superior bargaining position. There are no physical enforcers in the world of cybercrime, and because of this, organized crime and cybercrime have remained two distinct career paths.

However, there are aspects of the crime business that both groups share. If one buys drugs on a dark web market or from an organized crime group, those drugs must actually be delivered. Not delivering would destroy the seller's reputation, and a crime group must have a good reputation to operate effectively: it must deliver what it promises.

In a way, threats still form the backbone of both types of crime; they simply differ in implementation. If a victim of a ransomware attack does not pay the ransom, the ransomware gang threatens to release the stolen data. A traditional crime group relies on physical intimidation. But cybercriminals have an advantage here. Whereas traditional crime groups have to deliver drugs or threats in person, cybercrime groups can have a regular delivery service deliver the drugs and can threaten remotely. Instead of laundering cash through front businesses, they can take payment in cryptocurrency (which still has to be cashed out, and which leaves a traceable record on the blockchain, so laundering does not disappear entirely, as the mule networks described below show). These advantages, plus the ability to make serious money, probably convinced traditional organized crime groups like the Italian mafia to get involved in cybercrime.

One of the first examples of this involvement occurred when the Bank of Sicily was targeted in October 2000. In this attack “a group of about 20 people, some of whom were connected to mafia families, working with an insider, created a digital clone of the Bank’s online component.” The group was attempting to divert about $400 million in EU funds into its own accounts. The plan failed, but only at the human level: one member of the team informed on the others.

Since then, the mafia has built extensive networks that combine traditional and digital infrastructure. The complexity of such an organization became apparent on September 20th, when Europol announced the takedown of one of these hybrid crime networks.

“The Spanish National Police (Policía Nacional), supported by the Italian National Police (Polizia di Stato), Europol and Eurojust, dismantled an organised crime group linked to the Italian Mafia involved in online fraud, money laundering, drug trafficking and property crime. The suspects defrauded hundreds of victims through phishing attacks and other types of online fraud such as SIM swapping and business email compromise before laundering the money through a wide network of money mules and shell companies.”

In all, 106 people were arrested in a series of coordinated raids. The police released a video showing the raids in action.

Those arrested included “computer experts, who created the phishing domains and carried out the cyber fraud; recruiters and organisers of the money muling; and money laundering experts, including experts in cryptocurrencies.” According to the report, this group took in at least $12 million last year alone.

According to the Spanish police report, the criminals conducted their cybercrimes in Spain, Germany, Ireland, Italy, Lithuania and the United Kingdom. Though under the control of the Italian mafia, their main operations center appears to have been in Tenerife, in Spain’s Canary Islands. And this may have been only the tip of the iceberg, as they likely employed hundreds of people on the ground throughout Europe to act as mules, whether or not those people knew what they were doing.

The report goes on to say that the money from these cybercrimes was used to support other, more traditional areas of the mafia’s operation, including prostitution, weapon sales, drug trafficking, kidnapping, fraud, identity theft, falsification of documents, and crimes against Social Security. The group also drew on its expertise in the use of physical force. This was shown in “robberies with force and violence, injuries and even the involvement of several of its members in two homicides carried out on the island.” In another instance they kidnapped a woman and forced her, at gunpoint, to withdraw stolen money from an ATM and then open 50 bank accounts for them. Later, after being arrested, the gang threatened the same woman and others with reprisals if they testified against them. They used the threat of violence to keep members of the group in line and to stop victim companies from reporting the crimes to the police.

Europol says little about the details of how this group perpetrated its crimes. However, in reports published before the takedown it had been warning about two crimes in particular, SIM swapping and phishing scams, both of which it says the mafia was using. In fact, there is reason to believe the mafia used the two together.

In SIM swapping, the gang first obtains the victim’s personal information, possibly through a convincing phishing email. With that information they persuade the mobile phone company to move the victim’s number onto a SIM the gang controls, so the carrier treats the gang’s handset as the legitimate owner’s (the victim’s) phone. This effectively takes over the victim’s phone number: every call and text message meant for the victim now arrives at the gang’s device. More importantly, any bank that sends one-time login or transaction codes by SMS is now sending them to the attackers, who can combine them with the phished credentials to get into the victim’s bank account.

But this is really only the beginning. If the victim works for a company, the serious scam can begin. A call placed from the hijacked number to the victim’s employer shows the victim’s own number on caller ID, so any request for information from that phone appears to be legitimate. (Caller ID can be spoofed even without a SIM swap, which is why the right check is a call-back to a number taken from the company directory rather than trust in the displayed number.) The same number can then be leveraged into an attack on the company’s supply chain, with the attackers posing as one of its suppliers. Europol gives the following diagram to show how this works.

Remember that with access to a compromised endpoint, the scammer (in this case, the mafia) could do a number of things: log into the corporate network, map its infrastructure, gain administrative rights, steal credentials; the list is nearly endless. In any event, once the attackers have enough information, they pose as a supplier, ask for a payment to be redirected to their account, and disappear. This, once again, highlights the importance of good endpoint protection, which can stop the initial phishing payload before the attackers gain a foothold. It is not the whole answer, though: a SIM swap happens at the carrier, not on the endpoint, so SMS one-time codes should not be the only second factor on bank or corporate accounts, and any request to change a supplier’s bank details should be confirmed out of band on a previously known number before a single payment moves.
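The bank-side check that breaks the chain described in the two paragraphs above, as an added example that is not part of the original post and not anything Europol or the Spanish police published: a small Python triage that correlates a carrier's SIM-change feed with the bank's own log of requests that would trigger an SMS one-time code. A code is refused outright for a number whose SIM changed in the last 24 hours, a non-SMS factor is demanded for the next 72 hours, and everything older is allowed. The phone numbers, timestamps, account IDs and both time windows are constructed for the example; the feed format is an assumption, since carriers expose this data through their own APIs.

```python
"""Triage SMS one-time-code requests against recent SIM changes.

Added example for illustration. The data below is constructed; it is not
taken from any report, and the feed layout is an assumed one.
"""
from datetime import datetime, timedelta
from typing import Optional

# Constructed carrier feed: when the SIM bound to each number last changed.
CARRIER_SIM_CHANGES = [
    {"ts": "2021-09-10T09:12:00", "msisdn": "+34600000001"},
    {"ts": "2021-09-10T14:40:00", "msisdn": "+34600000002"},
    {"ts": "2021-09-01T08:00:00", "msisdn": "+34600000003"},
]

# Constructed bank log: actions for which the bank would send an SMS code.
OTP_REQUESTS = [
    {"ts": "2021-09-10T09:20:00", "msisdn": "+34600000001", "account": "acct-1001", "action": "password_reset"},
    {"ts": "2021-09-12T10:00:00", "msisdn": "+34600000002", "account": "acct-1002", "action": "add_payee"},
    {"ts": "2021-09-10T08:00:00", "msisdn": "+34600000003", "account": "acct-1003", "action": "login"},
    {"ts": "2021-09-10T12:00:00", "msisdn": "+34600000004", "account": "acct-1004", "action": "login"},
]

# Assumed policy windows; a real deployment tunes these to its own fraud data.
BLOCK_WINDOW = timedelta(hours=24)
STEP_UP_WINDOW = timedelta(hours=72)


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 timestamps used in both feeds."""
    return datetime.fromisoformat(ts)


def last_sim_change(msisdn: str, before: datetime, changes=CARRIER_SIM_CHANGES) -> Optional[datetime]:
    """Most recent SIM change for the number at or before `before`, or None if the feed has no record."""
    candidates = [
        parse_ts(c["ts"]) for c in changes
        if c["msisdn"] == msisdn and parse_ts(c["ts"]) <= before
    ]
    return max(candidates) if candidates else None


def assess_otp_request(req: dict, changes=CARRIER_SIM_CHANGES) -> str:
    """Decide whether an SMS code may be sent for this request.

    'block'   : SIM changed within BLOCK_WINDOW, do not send a code to this number at all
    'step_up' : SIM changed within STEP_UP_WINDOW, require a non-SMS factor
                (app push, hardware key, or a call-back on a channel the bank already holds)
    'allow'   : no recent change on record
    """
    when = parse_ts(req["ts"])
    changed = last_sim_change(req["msisdn"], when, changes)
    if changed is None:
        return "allow"
    age = when - changed
    if age <= BLOCK_WINDOW:
        return "block"
    if age <= STEP_UP_WINDOW:
        return "step_up"
    return "allow"


def triage(requests=OTP_REQUESTS, changes=CARRIER_SIM_CHANGES) -> dict:
    """Map each account in the request log to its decision."""
    return {r["account"]: assess_otp_request(r, changes) for r in requests}


if __name__ == "__main__":
    for account, decision in triage().items():
        print(f"{account}: {decision}")
```

In the constructed data, acct-1001 requests a password reset eight minutes after its SIM was changed and is blocked; acct-1002 tries to add a payee about 43 hours after a swap and is pushed to a non-SMS factor; acct-1003's swap is nine days old and acct-1004 has no swap on record, so both are allowed. The same correlation is what a help desk should run before honouring a request from a caller whose only proof of identity is the number on the display.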

For the moment, the Italian mafia is more interested in the cocaine route between South America and Europe; the American drug supply mostly comes through Mexico. However, traditional crime groups in the U.S. are probably developing other forms of cybercrime. It may take some convincing to get hackers interested in joining the mafia, but money solves many problems. Besides, a hybrid cyber-traditional crime group, with the mafia providing the physical enforcement, may have its niche, and it could very well prove a lucrative business move.
