Hieu Minh Ngo, 25, pleaded guilty in March 2014 to operating what is described as “a massive international hacking and identity theft scheme,” after being arrested on entering the US in February 2013.
Ngo admitted running a number of dodgy trading sites, including superget.info and findget.me, where he put up for sale bundles of personal data known as “fullz.”
The packages often included complete sets of information on individuals, including names, dates of birth, Social Security numbers, banking details and payment card data – data that crooks could use to easily defraud victims.
Ngo’s operation ran from 2007 to 2012, when a 15-count indictment was filed against him with charges including wire fraud, identity fraud, access device fraud and conspiracy charges relating to these various types of fraud.
At the time of the indictment, Ngo faced a total maximum sentence of well over 40 years.
Although the US Department of Justice’s release on the sentencing describes the source of Ngo’s data as “hacking into US businesses’ computers” and an unnamed “New Jersey-based business” as one of the hacked victims, it does not connect the data theft to data broker Experian, a link made by investigative writer Brian Krebs.
According to Krebs, Ngo acquired large amounts of personally identifiable information (PII) by posing as a US-based private investigator, and buying the information in bulk from a firm called Court Ventures, acquired by Experian while Ngo was a customer.
Much of the data sold by Ngo through his markets was used to commit US tax refund fraud, a very popular method used by cybercriminals to turn stolen personal information into hard cash.
The premise is simple – with little more than a name, address and Social Security number, scammers can file fraudulent tax returns and have the resulting payments redirected to addresses they control.
This is done early in the tax season, to ensure the scammers get their claims in before the real people they are impersonating.
The FTC offers detailed advice to people whose tax refunds are denied thanks to fraudulent claims having already been filed in their names.
The fraud has been described as a “growing epidemic,” one of the “highest priorities” for tax investigators and the “No 1 scam” seen by the IRS in 2013.
In that year, some 5 million dodgy returns were filed, claiming around $30 billion in refunds, of which some $24 billion were either stopped before being issued or recovered later, leaving $6 billion lost to scammers.
Losses through such fraud have been predicted to reach as much as $21 billion by next year.
Data sold by Ngo is thought to have resulted in the filing of $65 million in false refund claims affecting over 13,000 individuals, with Ngo making as much as $2 million from sales of data to over 1,300 clients.
At least one of those clients, Lance Ealy, will be familiar to Naked Security readers – he was brought to justice earlier this year after fleeing his trial and posting a taunting selfie on Twitter.
Another, Florida resident Derric Theoc, was jailed for 27 months after pleading guilty to attempted identity theft in October 2014. Theoc had tried to buy PII from a US Secret Service agent posing as Ngo.
With such epic amounts of money to be made from a relatively simple scam, it’s unlikely that the sentence handed down to Ngo will make a major dent in the booming trade in PII.
The tough sentence should send a signal to would-be fraudsters though, warning them that their activities are being tracked and could well result in serious jail time. Even deterring a small proportion of PII scammers is a good start.
Image of ID fraid courtesy of Shutterstock.