When you think about the U.S. Postal Service, you don't normally envision a crack team of globe-trotting agents who bust international Web fraud syndicates and bring cybercriminals to justice. Actually, that's a lot of what the Postal Service's Postal Inspection Service does, in conjunction with other law enforcement agencies.
And with new and increasingly inventive cyberscams surfacing every week, the Postal Inspection Service's workload isn't likely to get any lighter.
Standing before a packed auditorium Monday at Gartner's IT security conference, Greg Crabb, U.S. postal inspector program manager for the organization's international affairs group, explained that the Postal Inspection Service gets involved in information security crimes when those crimes involve use of the U.S. Postal Service to commit fraud, which is more often than you'd think.
"Every one of you living in the United States has a mailbox in front of your house," Crabb said. "I protect that mailbox." Incidentally, the U.S. Postal Service handles 668 million pieces of mail daily.
Just last week, a film producer in Tampa, Fla., was indicted on 10 counts, including several counts for transporting obscene matter via the Internet and through the U.S. postal system. There were also reports to the American Kennel Club and the Council of Better Business Bureaus of a scammer posing as a breeder of puppies who either sends out e-mails or puts up ads offering free or inexpensive puppies. Those responding to the solicitation have paid hundreds or thousands of dollars but received no pooch in return.
Crabb on Monday outlined several different types of criminal schemes he's investigated as a member of the Postal Inspection Service, which was formed in 1909.
In one scheme, a criminal poses as a merchant and steals money and/or payment card information from someone attempting to make a purchase via the Web. Or, as with the now-infamous Nigerian money laundering scams, the criminal can simply ask for money outright. Crabb said he's been chasing a cybercriminal named Vladuz, who has repeatedly gained unauthorized access to areas of eBay's network in order to hijack established accounts and hold auctions for products he doesn't plan to deliver. Thousands of U.S. victims have sent Western Union transactions to France, Germany, the United Kingdom, and Romania, in the hopes of purchasing items from Vladuz, Crabb said. Vladuz has even posted messages on eBay's internal forums and infiltrated servers that administer employee e-mail. "We've been chasing him for some time," Crabb added.
In another type of cyber scam, a cybercrook will sell software to unsuspecting victims. When those victims download the software onto their computers, malware is installed to help the criminal later turn that computer into a bot, which could then be used to launch distributed denial-of-service or some other type of cyberattack. In one example, Crabb traced this sort of activity to Bangkok, Thailand, where in May 2003 he helped arrest Maksym Kovalchuk, a Ukrainian man, on charges of criminal copyright infringement, trafficking in counterfeit goods, and money laundering. Kovalchuk was already a known cybercriminal, having in October 2001 launched the first phishing attack that used eBay as bait to trap its victims.
"Basically, he pioneered phishing by sending out eBay and PayPal spoofs," Crabb said.
In still another variation on cybercrime under the postal inspector's jurisdiction, international criminals buy goods using stolen or fraudulent payment cards and have the goods sent to accomplices in the United States, who then ship the merchandise to the person committing the fraud. In one such operation, a Ukrainian man named Malinkas Silinkas ran a reshipping scam against a U.S. company's e-commerce operations, having ill-gotten merchandise shipped to a U.S. address and then on to his base of operations in Lithuania. Crabb said that when Silinkas was arrested, law enforcement found more than 50,000 fraudulent IDs in his possession.
These are just some of the cases Crabb was able to discuss. For him, even largest cybercrimes are old hat. "I've seen so many TJX's it's not even funny," he said in reference to the cyberattack on the parent company of T.J. Maxx that resulted in the theft of 45 million credit and debit card numbers.