May 16, 2019

There have been numerous estimates over the years about how much a patient’s information sells for on dark web marketplaces.  But what about a doctor’s information? If you had the necessary documentation on a physician who could bill electronically for their services, how much could you make by sending fraudulent bills to Medicare or insurers? And what would it cost you to get those documents?

Warning: Health Insurance Fraud

According to a listing on a dark web marketplace, if you’re an experienced fraudster, you could make more than $1 million a year. And the records you need to support your lucrative fraud operations will cost you (only) $500.

I didn’t recognize the seller’s username when I came across the listing, but my research indicated that they are likely to be the same seller who had called themself “PikachuPacket” on WallStreet Market. From the registration date, it appears that when WSM shuttered, “PikachuPacket” simply moved over to this other marketplace and started selling under a new username. While many sellers would use the same username they had used elsewhere so their old customers could find them again, PikachuPacket did not have particularly high ratings on WSM and a name change on a new marketplace may have seemed a good way to start to build a better reputation. This site is not naming the marketplace or providing the seller’s new username.

The listing was a bit unusual because the seller’s listing linked to two FBI wanted posters that have not really drawn media attention. If you’re trying to sell information to use for fraud, would you link to wanted posters of fraudsters?  But this seller seems to have decided that the wanted posters validated the value of fraud that could be committed by what he was selling:

Some fraudsters who know very well what this info is worth (But obviously weren’t as careful as they could have been):

The FBI’s wanted poster for the male suspect states:

The unknown suspect and a female accomplice are alleged to have stolen the identities of at least 19 medical professionals from across the United States. The suspects have then allegedly used these identities to submit fraudulent claims to Medicare for high-end surgeries. These claims have been paid electronically into more than 30 bank accounts that were opened using false or stolen identities. The unknown suspects allegedly use these accounts to launder the money from one account to another, then obtain the fraudulent funds through ATM withdrawals.

Referring to those posters, the seller wrote:

This is a new and extremely valuable scheme and I’m not selling info on how to do it, only the details needed to carry out the scam.

To give you the rundown, you can use these identities to submit fraudulent claims to Medicare and Insurance for high-end surgeries and have the funds sent to a drop.

And what can you get for your $500? If you purchase from this seller, you supposedly get high-quality color scans that include a:

Bachelor Diploma
Bachelor Medical Technology
Malpractice Insurance Document
Medical Diploma & Board Recommendations
Medical Doctor License
DEA License
Medical Technologist Certification (ASCP)
New Mexico MD License
Driving License Scan
Passport Scan

As of today, there haven’t been any sales.

And as a color-me-curious side note: I wonder how this threat actor knew about those wanted posters. Is the doctors’ information for sale in this listing part of the data that the two wanted suspects had stolen?  You’d think that insurers would have flags up on the names of the professionals whose information had been stolen, but was any warning or PIN ever sent to health insurers about these 19 sets of compromised credentials that had been used for insurance fraud?

Apr 19, 2019

Defendant’s “Codeshop” Website Sold Troves of Stolen Credit Card Data and Bank Account Logins on the Black Market

April 17 – Earlier today, in federal court in Brooklyn, Djevair Ametovski, a Macedonian citizen, was sentenced by United States District Judge Eric N. Vitaliano to 90 months’ imprisonment after previously pleading guilty to access device fraud and aggravated identity theft.  Those crimes related to Ametovski’s operation of “Codeshop,” a website he created for the sole purpose of selling stolen credit and debit card data, bank account credentials and personal identification information.  Judge Vitaliano also ordered the defendant to forfeit $250,000 and to pay restitution in an amount to be determined by the Court at a later date.  Ametovski was arrested in Ljubljana, Slovenia, in January 2014, and was extradited to the United States in May 2016.

Richard P. Donoghue, United States Attorney for the Eastern District of New York, and David E. Beach, Special Agent-in-Charge, United States Secret Service, New York Field Office (USSS), announced the sentence.

“Ametovski and his co-conspirators were merchants of crime, stealing victims’ information and selling that information to other criminals,” stated United States Attorney Donoghue.  “This Office and our law enforcement partners will tirelessly pursue cybercriminals who seek to profit at others’ expense.”  Mr. Donoghue thanked the Slovenian Ministry of the Interior and Ministry of Justice, the United States Marshals Service, the U.S. Department of State Regional Security Officers in Slovenia and the Netherlands, and the Justice Department’s Office of International Affairs, for their assistance with the investigation and prosecution of the defendant.

“The sentencing of this transnational cybercriminal emphasizes the commitment of the Secret Service to disrupt and dismantle global criminal networks,” stated USSS Special Agent-in-Charge Beach.  “The Secret Service will continue to work closely with our network of law enforcement partners to dismantle criminal enterprises seeking to victimize innocent people, regardless of geographic distance or borders.”

Ametovski and his co-conspirators operated Codeshop between August 2010 and January 2014, victimizing hundreds of thousands of individuals around the world by hacking into the computer databases of financial institutions and other businesses and through “phishing” scams designed to induce accountholders to unwittingly surrender private identification information.  They packaged this stolen data for sale and posted it on the Codeshop website, a fully indexed and searchable website that allowed users to search by bank identification number, financial institution, country, state and card brand to find the data they wanted.  The stolen data could then be used to make online purchases and to encode plastic cards to withdraw cash at ATMs.  Ametovski used a network of online money exchangers and anonymous digital currencies, including Bitcoin, to reap revenues from the Codeshop website and to conceal all participants’ identities, including his own.  Over the course of the scheme, Ametovski obtained and sold stolen credit and debit card data for more than 1.3 million cards.

The government’s case is being handled by the Office’s National Security & Cybercrime Section.  Assistant United States Attorneys Saritha Komatireddy and David K. Kessler are in charge of the prosecution.

The Defendant:

DJEVAIR AMETOVSKI (also known as “xhevo,” “codeshop,” “sindrom” and “sindromx”)
Age: 32

E.D.N.Y. Docket No. 16-CR-409 (ENV)

Apr 17, 2019

Irina Ivanova reports:

Most people trust their accountant. But security breaches at accounting firms and legal firms are contributing to the plethora of tax information available at rock-bottom prices online, according to a cybersecurity executive.

These documents—which include prior years’ tax returns and forged W-2s—can now be had for rock-bottom prices, according to a report from Carbon Black, a cybersecurity firm. The report pulled up 10 listings of name-date of birth-Social Security number combinations, which ranged in price from 19 cents to $62. Prior-year tax forms, on sale by three different vendors, cost from $1.04 to $52. (People with higher incomes, and whose identity hasn’t yet been stolen, command higher prices.)

Read more on CBS.

Mar 08, 2019

ATLANTA – Robert Codrut Dumitrescu pleaded guilty to federal charges of wire fraud conspiracy, computer fraud and abuse, and aggravated identity theft in connection with a scheme, orchestrated from Romania, which resulted in the illegal intrusion into computer servers in the United States, deployment of phishing messages to thousands of victims, and subsequent theft of victims’ social security numbers and bank account information.  His conspirators, Teodor Laurentiu Costea and Cosmin Draghici, also pleaded guilty earlier this year to federal charges related to this scheme.

“These defendants thought they could hide behind their computers in Romania and defraud the citizens of the Northern District of Georgia and elsewhere across the United States,” said U.S. Attorney Byung J. “BJay” Pak.  “These guilty pleas resulted from a tireless investigative effort to locate these fraudsters and bring them to justice in our District.  We will continue to protect our citizens from cyber-criminals, no matter how far the investigation reaches.”

“Cyber criminals cannot hide in the shadows of the internet no matter where they are,” said Chris Hacker, Special Agent in Charge of FBI Atlanta. “The FBI won’t let geographic boundaries stop us from pursuing those persons who cause tremendous financial pain to U.S. citizens. To the victims of these three conspirators and other cyber criminals, we will continue to identify them and pursue justice.”

According to U.S. Attorney Pak, the charges, and other information presented in court: From approximately October 2011 through February 2014, Robert Codrut Dumitrescu, Teodor Laurentiu Costea and Cosmin Draghici conducted a “vishing” and “smishing” scheme from Romania.  “Vishing” is a type of phishing scheme that communicates a phishing message, that is, a message that purports to be from a legitimate source, in this case the victims’ banks, through a voice recording. “Smishing” is similar to “vishing,” but communicates a phishing message through text messages.

As part of the scheme, the defendants compromised computer servers located in the Northern District of Georgia, and elsewhere, and installed both interactive voice response and bulk emailing software which initiated thousands of telephone calls and text messages to victims in the Northern District of Georgia, and across the United States, tricking them into disclosing Personally Identifiable Information (PII) such as financial account numbers, PINs, and social security numbers.   When a victim received a telephone call, the recipient would be greeted by a recorded message falsely claiming to be a bank. The interactive voice response software would then prompt the victim to enter their PII.

When a victim received a text message, the message purported to be from a bank and directed the recipient to call a telephone number hosted by a compromised Voice Over Internet Protocol server. When the victim called the telephone number, they were prompted by the interactive voice response software to enter their PII. The stolen PII was stored on the compromised computer servers and accessed by Dumitrescu and Costea, who then sold or used the fraudulently obtained information with the assistance of Draghici.

At the time of their arrests in Romania, Dumitrescu possessed 3,278 financial account numbers, Costea possessed 36,050 financial account numbers, and Draghici possessed 3,465 financial account numbers – all fraudulently obtained through this scheme.   Based upon these numbers alone, the estimated loss amount is expected to exceed $21,000,000.

On August 16, 2017, a grand jury charged Robert Codrut Dumitrescu, 41, Teodor Laurentiu Costea, 42, and Cosmin Draghici, 29, all of Ploiesti, Romania, with multiple federal computer and fraud-related crimes in connection with this scheme.  Dumitrescu, Draghici, and Costea were extradited from Romania to Atlanta last year to face these charges.

Sentencing is scheduled for Costea on June 11, 2019 at 2:00 p.m., for Draghici on June 12, 2019 at 11:00 a.m., and for Dumitrescu on July 23, 2019 at 2:00 p.m., all before U.S. District Judge Thomas W. Thrash.

This case was investigated by the Federal Bureau of Investigation.

Assistant U.S. Attorney Michael Herskowitz, Chief of the Cyber and Intellectual Property Crime Section, is prosecuting the case.

Source: U.S. Attorney’s Office, Northern District of Georgia

Feb 22, 2019

Whitney Leggett reports:

A Winchester man charged in Singapore with leaking the confidential information of more than 14,000 HIV patients is facing new federal charges in Kentucky. 

Mikhy Farrera-Brochez, 34, was arrested in Clark County in December and charged with third-degree criminal trespassing for allegedly refusing to leave his mother’s property. According to court documents, it was the second time Brochez had been asked to leave the property, and he was arrested for third-degree criminal trespassing.

According to a press release from the U.S. Attorney for the Eastern District of Kentucky, Farrera-Brochez was charged Friday with unlawful transfer of stolen identification documents and possession with intent to distribute those documents in violation of federal law. 

Read more on Winchester Sun.