Three Romanians plead guilty in multi-million dollar “vishing and smishing” scheme

A hacking trio based in Romania has pleaded guilty to charges brought by U.S. authorities after being caught siphoning cash from unwary Americans. The three now await sentencing.

DevOps Connect:DevSecOps @ RSAC 2022

Between 2011 and 2014, three Romanian hackers working from their home country duped numerous US citizens into handing over their personal information. The hackers then used it to siphon money from the victims’ bank accounts through “vishing” and “smishing” attacks.

According to a news release by the U.S. Department of Justice, Robert Codrut Dumitrescu, 41, Teodor Laurentiu Costea, 42, and Cosmin Draghici, 29, were all from Ploiesti, a city in south-eastern Romania. All three committed multiple federal computer and fraud-related crimes in connection with this scheme, the DOJ report reveals.

The hackers illegally gained access to computer servers in the United States and deployed custom-made phishing messages designed to steal the victims’ Social Security numbers and bank account information.

The DOJ said in a press release that the defendants hacked servers in the US and installed interactive voice response and bulk emailing software that initiated thousands of telephone calls and text messages to victims to trick them into disclosing personally identifiable information (PII) such as financial account numbers, PINs and Social Security numbers.  

“When a victim received a telephone call, the recipient would be greeted by a recorded message falsely claiming to be a bank. The interactive voice response software would then prompt the victim to enter their PII,” the press release says.

“When a victim received a text message, the message purported to be from a bank and directed the recipient to call a telephone number hosted by a compromised Voice Over Internet Protocol server. When the victim called the telephone number, they were prompted by the interactive voice response software to enter their PII.

The DOJ said the “stolen PII was stored on the compromised computer servers and accessed by Dumitrescu and Costea, who then sold or used the fraudulently obtained information with the assistance of Draghici.”

When authorities arrested them, Dumitrescu possessed 3,278 financial account numbers, Draghici had 3,465, and Costea held nearly 36,050, all obtained through the scam. The FBI, which conducted the investigation that led to their arrest, estimated the victims lost a combined $21 million.

In 2017, a grand jury charged Dumitrescu, Costea and Draghici with multiple federal computer and fraud-related crimes in connection with the scheme. The three have now pleaded guilty to federal charges of wire fraud conspiracy, computer fraud and abuse, and aggravated identity theft. Sentencing is scheduled in June for Costea and Draghici, and in July for Dumitrescu.

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Filip Truta. Read the original post at: