At the University of Alabama at Birmingham, our UAB Computer Forensics program has a mix of Computer & Information Science and Criminal Justice students who are working together to research how phishing investigations are performed. When I saw this story back in the news today, I thought we might have another agent who could help us understand how the US Secret Service investigates phishing. While I'm very glad that Nguyen was picked up, and it looks like ECSAP-trained Senior Special Agent Brian Korbs did an excellent job on the Computer Forensics aspects of this case, unfortunately this wasn't a "phishing investigation."
Several of my students learned about the US Secret Service Electronic Crimes Special Agent Program (ECSAP) while visiting the National Computer Forensics Institute in Hoover, Alabama, about ten miles from our campus, earlier this month. Housed at the NCFI, the Electronic Crimes Task Force for the Birmingham field office of the Secret Service maintains a computer forensics lab where computer forensics examiners from the US Secret Service and the Alabama Bureau of Investigation work side-by-side with examiners from the Alabama District Attorneys Association and the Hoover Police Department to perform examinations and provide training and forensic services to all manner of law enforcement cases. The NCFI provides the equivalent of the Secret Service ECSAP training for state and local law enforcement officers across the country. ECSAP-based courses available in Hoover include "Basic Investigation of Computer and Electronic Crimes Program (BICEP)", "Network Intrusion Responder Program (NITRO)", "Basic Computer Evidence Recovery Training (BCERT)", and "Advanced Computer Evidence Recovery Training (ACERT)", which is ten full weeks of very hands-on training! The NCFI also offers two "Computer Forensics in Court" classes, CFC-J for Judges, and CFC-P for Prosecutors.
Back to the story . . . According to the Affidavit of SSA Brian Korbs, Nguyen was clearly involved in phishing. He was able to establish that from at least October 15, 2005 through January 26, 2007, Nguyen was involved in multiple identity theft, phishing, and credit card fraud activities.
The forensics examination covered:
A Dell Laptop Computer "Latitude" Serial Number 8P530B1
A Toshiba Laptop Computer "M-45" with black thumb drive Serial Number 26234221Q
A Hewlett Packard Laptop Computer "Pavilion D1000" with Serial Number CNF5382K5T
two black USB thumb drives and
A Dell Computer Model 470 Serial Number 37NQC61
These showed that Nguyen was regularly communicating with Eastern Europeans to acquire credit card and debit card numbers, social security numbers, and other personal identification information. Files on the computer were used to create phishing websites, including sites against eBay, Fairwinds Credit Union (Florida), Heritage Bank (Olympia, Washington), Honolulu City and County Employees Credit Union, and others. A program for encoding credit cards, lists of account information, a magnetic card writer, and a laminator were found. Thousands of email addresses, sorted by the state in which they were located, were found to be used for sending out phishing emails state-by-state. (For example, it would make sense to only send "Honolulu City and County Employees Credit Union" phishing emails to people who live in Hawaii.)
The fruit of the phishing was "thousands of pages of customer information" from companies "such as eBay, Western Union, and others." Korbs reported finding
"Hundreds of files of credit card numbers, many with PINs, as well as the true cardholders name, address, email address, password, bank account information, social security number, driver's license number, telephone number, etc." Korbs estimates that "tens of thousands" of identities were on the computer, which is certainly "more than 15" as described in the Federal statute (see below).
Yahoo! chat logs were also found on the computer, which, if printed, would be 16,000 pages of logs. Many of the chats related to buying and selling credit cards, and exchanging email addresses for phish targeting.
In Nguyen's case, the whole story seems to be that he worked with several Romanians to build phishing sites and steal personally identifiable information. Then he provided that information to local accomplices who cashed out in an interesting manner. Apparently GE Capital runs a system of kiosks in California Wal-Mart stores where you can enter your information and be approved for an instant line of credit, which is provided as Wal-Mart coupons that can be used to shop in the store. According to Special Agent Korbs, they did this for more than $200,000 worth of merchandise. In the full indictment, it lists many of the items purchased with these cards, including laptops, monitors, satellite radio systems, 8 ipods, infrared night light, a "Nightowl" night vision scope, CB radios, GPS units, watches, televisions, a radar detector, etc.
When Detective Jim Hudson, from the Placer County Sheriff, and Special Agent Korbs talked to Tien Nguyen after he was arrested on January 26, 2007, he waived his Miranda rights and told them pretty much everything. He admitted to using his computer to trade identities and credit card information, and he explained the GE Capital / Wal Mart scheme.
Enter the 9th Circuit
So, why after all this time is Nguyen just now pleading guilty? Apparently the defense's plan all along has been to say that all of the evidence that was obtained from Nguyen, INCLUDING HIS CONFESSION, was based on a warrantless search of the premises, which meant all of the evidence should be suppressed. After the recent 9th Circuit ruling, Nguyen's lawyer, Micheal K. Cernyar of Long Beach, California, thought he had fresh evidence, and on September 8, 2009 a hearing was held before the Honorable Morrison C. England, Jr, to hear this a plea to establish a new hearing for a new motion to suppress. Here are the basics outlined in the Motion to Suppress:
* Mr. Nguyen was arrested on or about January 26, 2007 on a Ramey Warrant at his residence located at 8225 & 8229 Gerber Road, Sacramento, California. "A warrantless search of the residence" uncovered all of the information, while Nguyen and his companion were detained in the living room of the home.
* On March 27, 2007, Special Agent Korbs applied for a federal search warrant seeking the items seized on January 26, 2007. After receiving this search warrant, Nguyen was indicted April 26, 2007.
* Nguyen moved "to suppress all evidence and any statements obtained" claiming his Fourth Amendment rights were violated, and his motion was denied October 15, 2008.
Here's the new part . . .
7. Last week, in United States v. Gonzalez -- F.3d --, (9th Cir. 2009) (D.C. No. 07-30098), the Ninth Circuit reversed a matter regarding suppression of evidence based upon a warrentless search when applying the recent ruling in Arizona v. Gant. The Ninth Circuit held that Mr. Gonzalez was entitled to benefit from the Supreme Court's ruling in Gant.
8. Counsel believes that the facts in Mr. Nguyen's warrentless search incident to arrest are at the very list similarly situated to those in the Gant and Gonzalez matter.
Rodney Joseph Gant v. Arizona was a case where a man was arrested, and after his arrest police went and searched his vehicle, which he was not in at the time of the arrest. In the car, they found cocaine, not related to the charges for which he had just been arrested, and expanded the charges to include drug possession. Because they did not have a warrant for the vehicular search, and because the perp was not in the vehicle, the Supreme Court ruled that they should not have searched the vehicle without a warrant. (This has been standard practice, called "The Bright Line rule" since 1981 . . .)
How does this relate to the 9th Circuit decision in US. v. Gonzales? It is well-established practice that police can perform a warrantless search "incident to arrest", meaning that after I've arrested you, it is "not unreasonable" to search for evidence related to the crime for which you have been arrested, both on your person, as well as in the immediate vicinity. The question of what is meant by the immediate vicinity is one that has had the legal scholars appealing searches on Fourth Amendment grounds over and over. In this case, it all starts with Chimel v. California. The Supreme Court held that when someone is arrested in their home, officers would be reasonable to search not only the room of the arrest, but other "sufficiently large spaces" where someone might be hiding that could be a risk to officer safety. So, the idea was, if I arrest you in your living room, but I feel that someone might be hiding in the closet, I can look in the closet, without a warrant, to see if your brother is hiding in their with a shotgun planning to jump out and shoot me. I couldn't search the drawer in the end-table, because it is unlikely a potential attacker is hiding in that drawer. Several arguments since then have argued whether you should only be able to do such a search if there was a suspicion that such a risk to officer safety was probable, and then, only in certain "reasonable areas", with three cases helping define those boundaries and expectations -- Maryland v. Buie, Belton v. New York, and Thornton v. United States. Arizona v. Gant reset those expectations by overruling some of those prior standards of when it was reasonable to do an "suspicionless search", which lead to the 9th Circuit Decision.
The judge rightly denied the motion to suppress, since this WAS a search "INCIDENT TO ARREST", and there was EVERY REASON to believe that the computers held relevant evidence of the crime for which Nguyen was being arrested, based on his own statements, and his own permission to search, meaning that NONE of those prior cases really had anything to do with this case.
With his last hope extinguished, Nguyen pleaded guilty, but even then went all the way to the wire. I really thought he was going to go to trial! His lawyer had submitted Questions for the Jury (Voire Dire) as recently as September 2, 2009! I had to chuckle as I read through them . . . he asks if they Bank Online, if they use their Debit Card online, if they have purchased online items in the past year . . . I thought the next question might be "Please state your debit card number slowly, and tell us your PIN." When it came down to the start of the Jury Trial, at 9:00 am on September 8th, the Courtroom minutes tell us that Nguyen asked for a five minute recess, and came back in and pleaded guilty to counts 1-4. He then asked for another recess, and came back and pleaded guilty to count 5.
The Penalty Slip with the indictment includes the charges. Especially sweet that the Aggravated Identity Theft adds an automatic +2 years. Nguyen was found to have a shotgun in his bedroom as well, a Remington 870 Express Magnum.
18 USC § 371 - Conspiracy to Commit Computer Fraud and Access Device Fraud:
- Not more than $250,000 or notmore than gross gain or loss;
- Not more than 5 years imprisonment, or both
- Not more than 3 years of supervised release
18 USC § 1029(a)(2) - Access Device Fraud
- Not more than $250,000 or not more than gross gain or gross loss;
- Not more than 5 years imprisonment, or both
- Not more than 3 years of supervised release
18 USC § 1029(a)(3) - Possession of More than 15 Unauthorized Access Devices
- Not more than $250,000 or not more than gross gain or gross loss;
- Not more than 10 years imprisonment, or both
- Not more than 3 years of supervised release
18 USC § 1028A(a)(1) - Aggravated Identity Theft
- Not more than $250,000 or not more than gross gain or gross loss;
- Not more than 2 years imprisonment, or both
- Not more than 3 years of supervised release
18 USC § 922(g)(1) - Felon in Possession of a Firearm or Ammunition
- Not more than $250,000 or not more than gross gain or gross loss;
- Not more than 10 years imprisonment, or both
- Not more than 3 years of supervised release
(Nguyen had already spent "more than a year" in jail back in 1999 for "Receipt of Stolen Property" and "Making and Passing Fictitious Checks", but these were state of California crimes rather than Federal crimes.)
The sentencing for Nguyen will be on November 19th, at 9:00 am.
The question for my student's research project is - "Was this a phishing investigation?" We haven't talked to Special Agent Korbs yet, but from a reading of the court documents, I believe the answer will be "No." This was a credit card fraud investigation, which uncovered a phishing case after the Computer Forensics evidence was evaluated.
The on-going and unsolved question for our research is, "Could this case have been worked the other way around?" If we had started with the Honolulu City and County Employees Credit Union phishing site, would we have still ended up at Tien Truong Nguyen's front door? If you are a law enforcement officer with first-hand experience in phishing investigations, we'd love to talk with you and get your opinion.
References: Stranger than Dictum: Why Arizona v. Gant Compels the Conclusion that Suspicionless Buie Searches Incident to Lawful Arrests are Unconstitutional by Colin Miller, Assistant Professor of the John Marshall Law School.
No comments:
Post a Comment