An indictment was unsealed against three individuals who allegedly hacked into the telephone systems of large corporations and entities in the United States and abroad and sold information about the compromised telephone systems to Pakistani nationals residing in Italy.
In conjunction with the unsealing of the Indictment, Italian law enforcement conducted searches of approximately 10 locations in four regions of Italy and arrested the financiers of the hacking activity. Those financiers allegedly used the information to transmit over 12 million minutes of telephone calls valued at more than $55 million over the hacked networks of victim corporations in the United States alone.
“This was an extensive and well-organized criminal network that worked across continents,” said Acting U.S. Attorney Ralph J. Marra. “The hackers we’ve charged enabled their conspirators in Italy and elsewhere to steal large amounts of telecommunications capacity, which could then be used to further or finance just about any sort of nefarious activity here or overseas.” “We are extremely grateful to the FBI and authorities abroad with which we worked closely in developing this case,” Marra said.
Charged in the New Jersey indictment are three individuals currently residing in the Philippines, with conspiracy to commit wire fraud and unauthorized access to computer systems and other counts, described below.
In connection with this international investigation, each of the defendants were previously arrested on March 10, 2007, by authorities in the Philippines, where they remain. The Department of Justice will work cooperatively with the Philippine authorities to hold the defendants accountable in the United States for their alleged criminal conduct.
Operations unfolded in Italy, where at least five individuals, all Pakistanis, were arrested during early-morning raids. Searches occurred at at least 10 telephone call centers and other premises. A news conference announcing the details was held by the chief of Brescia Police, the Brescia prosecutor, head of the Italian national police counter-terrorism division from Rome and officials from the Divisione Investigazioni Generali e Operazioni Speciali.
The investigation has been ongoing since 2006 and relates to conduct ranging from October 2005 through December 2008.
M.Z and S.K, residing in Italy, were among the financiers of the hacking and owned and operated call center operations in Italy from which their customers would make calls throughout the world. To increase their profits, M.Z. and S.K. made efforts to incur as little costs as possible in routing their customers’ telephone calls to the intended call-recipient.
M.Z. and S.K. recruited Nusier, Kwan, Gomez and others to hack into the telephone networks of unsuspecting large corporations and entities so that telephone calls from the call centers could be transmitted over the hacked networks. To accomplish their mission, the hackers gained an intimate familiarity with the programming of the public branch exchange (PBX) telephone systems.
As the hackers dialed into the systems, they were able to identify the type of PBX system by the prompts and were thereby able to begin a process, known as a brute force attack, by which they sought to attack vulnerable points of the PBX systems. Often, the vulnerable points consisted of telephone extensions with default passwords still in place. After using a couple of methods to exploit the information they gained regarding the hacked PBX systems (described in greater detail in the Indictment) , the hackers transmitted the information about the hacked system back to the financiers. The hackers – Nusier, Kwan, Gomez and others – were then paid approximately $100 per hacked telephone system.
In March 2007, the Philippines National Police executed search warrants and arrested seven individuals, including Nusier, Kwan and Gomez, in connection with the present investigation. As part of the Philippines investigation, it was revealed that the PBX systems of over 2,500 victim corporations in the United States, Canada, Australia and Europe were infiltrated. The searches yielded dozens of notebooks full of the telephone numbers and access codes to the victim PBX systems.
The losses in this case, which exceeded $55 million, were borne by the victim corporations and entities, and AT&T and other long distance carriers, which provided the long-distance telephone service for the victims. (AT&T was not hacked but was among the companies that carried the long-distance calls.)
In addition to the conspiracy count, each of the defendants is charged with two counts of unauthorized access to a computer system for purposes of committing fraud, and with the possession of unauthorized access devices, including passcodes to U.S. telephone systems. The defendants face maximum prison sentences of five years on the conspiracy count, five years on each of the two respective unauthorized computer access counts, and 10 additional years on the access device count. In addition, each is subject to a maximum fine of $250,000 on each count for which they are named, or twice the gain resulting from the offense, whichever is greater.