Fraudsters convicted for fake online adverts and £1m fraud

http://www.actionfraud.police.uk/fraudsters-convicted-for-fake-online-adverts-nov13

I'm a little late coming across this news story but there are some interesting features

11 November 2013

A group of fraudsters have been convicted for stealing thousands of pounds from job seekers using fake online adverts that tricked victims into installing malware.

Fraudsters convicted for fake online adverts
A group of fraudsters have been convicted for stealing thousands of pounds from job seekers using fake online adverts that tricked victims into installing malware

Fraudsters convicted for fake online advertsThe criminals targeted innocent people looking for employment on websites such as Gumtree and Blue Arrow by posting bogus job adverts for companies including Harrods and Argos.

Victims who responded to the fake adverts were sent a hyperlink via email asking them to complete an online application form. Those who clicked on the link, downloaded malware onto their computer which recorded their keystrokes, capturing their private financial and personal data that was transmitted back to the criminal gang.

The group were also involved with postal theft and used the personal information to phone banks claiming to have lost their credit/debit card. They would request a new pin number and credit card, and wait outside the victim’s address where they would intercept the postman before the letters were posted.

The south London-based gang - Adjibola Akinlabi (aged 26), Damilare Oduwole (26), Michael Awosile (27), Tyrone Ellis (27), Nadine Windley (26) and Temitope Araoye (29) – all pleaded guilty and were convicted for conspiracy to defraud after an investigation launched by the Metropolitan Police Service (MPS) and concluded by the National Crime Agency (NCA). They will all be sentenced later this month.

The gang also defrauded the emergency cash systems of several banks by contacting them and providing illegally obtained security passwords. The bank would then issue them with a special code so they could withdraw £60 from cashpoint machines.

Mobile phone and online chat records showed the group had made more than £300,000 from their fraud, but police believe this figure in reality could be around £1million.

In another news account of the story

http://www.bbc.co.uk/news/uk-england-london-24950721

Nadine Windley, 26, who pleaded guilty to using her position as an employee of Santander bank to provide the gang with customer account data, was handed a two-year suspended sentence.

Babatunde Akinlabi, 28, who previously pleaded guilty to a 2008 offence of fraud with his brother Adjibola after they used illegally obtained bank details to obtain cash from online bank accounts, will be sentenced on 6 December.

The information held by banks on their customers is a gold mine for fraudsters and it's ludicrous to warn customers about identity theft if there is any likelihood of bank databases being compromised by staff.

The recent spate of UK countrywide phone frauds where scammers represent themselves as bank staff or the police to get the elderly to reveal their pin numbers is very suggestive of bank databases having been compromised.

If bank databases have been compromised, they are under a legal duty to notify customers and any loss that customers suffer as a result is theirs.

Following on from this I though I'd research what action was taken following on from the data breach pointed out in this criminal prosecution and I came across this story.

http://www.theregister.co.uk/2014/03/21/santander_email_spam_mystery/

21 Mar 2014

Santander customers say they are continuing to be deluged with Trojans and other junk to email addresses exclusively used with the bank months after the problem first surfaced back in November.

At least two Reg readers have put in complaints to the Information Commissioner's Office. But the data privacy watchdog told us that it has "insufficient evidence" to proceed with an inquiry.

The bank said it was investigating the complaints back in December amidst fears of an email database leak either at the bank or (more likely) one of its third-party marketing affiliate partners. Santander has not responded to repeated requests from El Reg for an update on its inquiry.

Perhaps the Information Commissioner doesn't have an internet connection or the necessary training to use Google, but there is clear evidence and a precedent as to how this information has previously been proliferated among the criminal community.

The recent countrywide targeting of elderly bank customers by scammers to snag their pin numbers concerns me as to how widespread the compromise of bank databases may be. Certain of the new stories indicate that the information held by the scammers could only come from their bank.

If banks aren't notifying customers when their details are compromised that is a very serious matter, and it will come to light at some stage in the future.

An extra snippet of information

http://www.dailymail.co.uk/news/article-2417712/Nigerian-gang-posted-fake-Harrods-job-adverts-Gumtree-fleece-1m-savings-desperate-job-seekers.html

Awosile alos denies conspiracy to commit fraud by abuse of position with his girlfriend Nadine Windley who worked as a Santander cashier who passed on bank details of account holders with more than £100,000

The problem being that unless you're employed to sweep the floor, everyone working in a bank has access to all customer details and, though you can limit access to cash and making payments, limiting access to customer details is a much greater problem. Potentially the value of that information is greater than the money in a cashier's till and it's a lot easier for the bank to safeguard its money than the customer information it holds.