U.S. Department of Justice Indicts Three for Iranian Sanctions-Related Crimes, Extradites One Defendant

On May 18, the U.S. Department of Justice announced the unsealing of an indictment against two individuals and a company for conducting financial transactions in violation of U.S. sanctions against Iran.  The three defendants — Iranian Internet-based financial-services company Payment24, Payment24’s founder and Chief Executive Officer Seyed Sajjad Shahidian, and Payment24’s Chief Operating Officer Vahid Vali — were charged with conspiracy to commit offenses against and to defraud the United States, wire fraud, money laundering, and identity theft.  Shahidian had previously been arrested in and extradited from the United Kingdom to the United States; Vali remains at large.

According to the Justice Department, Payment24, which had offices in Tehran, Shiraz, and Isfahan, Iran, had as its primary business

helping Iranian citizens conduct prohibited financial transactions with businesses based in the United States, including the unlawful purchase and exportation of computer software, software licenses, and computer servers from United States companies.  According to PAYMENT24’s website, the company charged a fee to circumvent “American sanctions,” and claimed to have brought in millions of dollars of foreign currency into Iran.

The indictment alleged that beginning in or before 2009 through November 2018, Shahidian conspired with Vali and other individuals to commit federal criminal offenses by violating the restrictions on trade and exports from the United States to Iran.  Payment24 sold on its website

a package to assist its Iranian clients with making online purchases from United States-based businesses, which included a PayPal account, a fraudulent “ID card and address receipt,” a remote IP address from the United Arab Emirates, and a Visa gift card.  The PAYMENT24 website also offered its clients advice on how to create accounts with a foreign identity and how to avoid restrictions on foreign websites, including advising clients to “never attempt to log into those sites with an Iranian IP address.”

As part of the scheme to violate sanctions restrictions, Shahidian and Vali allegedly made material misrepresentations and omissions to U.S.-based businesses regarding the destination of the U.S.-origin goods.  To accomplish the transactions, Shahidian obtained payment processing accounts from U.S.-based companies using false residency information, fraudulent passport documents, and other false documents that were “fabricated using the identity and personally identifiable information of another person.”

Note:  Iranian media have reportedly described Shahidian “as a successful entrepreneur and a capable financial manager who earned $2.5 million in five years.”  Also noteworthy in this case is that after Shahidian’s provisional arrest in the United Kingdom, Iranian Embassy officials met with him to offer consular support, but he reportedly refused the offer.

In any event, sanctions compliance officers should share this information about the indictment with senior executives, and incorporate the details as appropriate into their corporate sanctions training courses and materials.

VMware Issues “Modern Bank Heists 3.0” Report Featuring Cyberthreat Data Analysis and CISO Survey Data

On May 14, enterprise software firm VMware released its “Modern Bank Heists 3.0” report on key trends and developments pertaining to cyberattacks against financial institutions.  The report combines threat data analysis by VMware’s Carbon Black team with survey responses from 25 financial institution Chief Information Security Officers (CISOs) reflecting trends over the past 12 months.

Key findings and responses in the report included the following:

  • Threat Data Analysis:
    • From the start of February to the end of April 2020, attacks targeting the financial sector grew by 238 percent, and ransomware attacks against the financial sector increased by nine times.
    • 27 percent of all cyberattacks to date in 2020 have targeted either the healthcare sector or the financial sector.
  • Survey Responses:
    • 80 percent of surveyed financial institutions reported an increase in cyberattacks (a 13 percent increase from 2019).
    • 82 percent said that cybercriminals have become more sophisticated.
    • 64 percent reported increased fraudulent wire transfer attempts (a 17 percent increase from 2019). The report added that these attacks “are often performed by exploiting gaps in the wire transfer verification process or through social engineering attacks targeting customer service representatives and consumers directly.”  It also noted that cybercriminals “exhibit tremendous situational awareness regarding SWIFT messaging. This is compounded with their newfound understanding of the criticality of portfolio managers’ positions.”
    • 33 percent said that they have encountered an attack leveraging “island hopping” (i.e., “an attack where supply chains and partners are commandeered to target the primary financial institution”).
    • 25 percent said that they were targeted by destructive attacks (i.e., attacks “launched punitively to destroy data and dismantle subnets”).
    • 20 percent said that they experienced a “watering-hole attack” (i.e., attacks in which financial institution and bank regulatory websites “are hijacked and used to pollute visitors’ browsers”).
  • Key Attack Trends:
    • Among the top attacks seen across multiple sectors, including finance, are the Emotet family of banking malware and the Kryptik trojan, which was one of the infections found in the 2015 attack on the Ukrainian power grid.
  • Cyberattacker Tactics, Techniques, and Procedures (TTPs):
    • The report stated that “cybercriminals have dramatically increased their knowledge of the policies and procedures of financial institutions. They are keenly aware of the incident response (IR) stratagems being employed by IR teams and the blind spots that exist within every institution. Given the tactical shifts of the cognitive attack loop, they are maintaining and manipulating their positions within networks because of the noise created by incident response and the lack of security controls integration.”
    • It also discussed the leading techniques by which cybercriminals operate against processes running on victim systems. According to data from MITRE, the most prevalent techniques observed in the financial sector from March 2019 to February 2020 were process discovery (64.81 percent), i.e., enumerating the running processes on a host to learn what security tools and applications are present, and process injection (i.e., “a method of executing arbitrary code in the address space of a separate live process,” which “may allow access to the process’s memory, system/network resources, and possibly elevated privileges”) (25.04 percent).

To counter these attacker methods, the report recommended five steps for financial institutions responding to an incident:

  1. “Stand up a secondary line of secure communications” to discuss the ongoing incident, as cyberattackers may be intercepting, viewing, modifying, and otherwise compromising internal communications.
  2. “Assume the adversary has multiple means of gaining access into the environment.”
  3. “Watch and wait” rather than immediately starting to block malware activity and to shut off access, as the institution needs to determine potential avenues of reentry by the attackers.
  4. “Deploy agents (if you must) in monitor-only mode” to avoid tipping off the attackers by trying to block or otherwise impede their activities.
  5. Deploy honey tokens (i.e., “fake digital data objects planted among real data objects and used in an attempt to detect data misuse by insiders”) or “deception grids” (i.e., cyber deception technology that uses decoys that “mimic user activities, while acting like real exploited users,” as well as hacker-tracing capabilities).
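To make the fifth step concrete, the following is an added example of the honey-token half of that recommendation; it is not code from the VMware report or from any vendor product.  A honey token is a random bait string that no legitimate process ever uses, so its appearance anywhere in a log is a high-confidence, low-noise signal that the store it was planted in has been read, which fits the report’s “watch and wait” posture because detection does not require blocking anything.  The `HT-` prefix, the log format (`src=`, `user=` fields) and the sample log lines are all constructed for the example.

```python
"""Honey-token planting and detection over constructed log lines.

Added example, not code from the VMware report.  A honey token is a fake
credential or record that nothing legitimate ever touches, so any hit in
the logs is actionable without further triage.
"""
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Honeytoken:
    value: str        # bait string planted in a data store or file
    planted_in: str   # where it was planted; a hit names the store that was read


def make_honeytoken(planted_in: str, prefix: str = "HT") -> Honeytoken:
    """Generate an unpredictable bait string and record where it is planted.

    64 random bits (16 hex chars) cannot collide with real identifiers or
    show up in logs by chance, so substring matching is exact.
    """
    return Honeytoken(f"{prefix}-{secrets.token_hex(8)}", planted_in)


# Assumed log format for the example: "... src=<ip> user=<name> ..."
SRC_RE = re.compile(r"\bsrc=(\S+)")


def scan_logs(tokens, log_lines):
    """Return one alert dict per token occurrence found in log_lines."""
    by_value = {t.value: t for t in tokens}
    if not by_value:
        return []
    pattern = re.compile("|".join(re.escape(v) for v in by_value))
    alerts = []
    for lineno, line in enumerate(log_lines, 1):
        for m in pattern.finditer(line):
            tok = by_value[m.group(0)]
            src = SRC_RE.search(line)
            alerts.append({
                "line": lineno,
                "token": tok.value,
                "planted_in": tok.planted_in,
                "src": src.group(1) if src else None,
            })
    return alerts


def demo():
    """Run the detector over constructed tokens and log lines."""
    # Fixed token values so the run is reproducible; in production you
    # would call make_honeytoken() and keep the registry out of band.
    tokens = [
        Honeytoken("HT-7a1c9e4f0b2d6358", "crm.customers (fake account row)"),
        Honeytoken("HT-41d0f9aa8c3e7b16", "wire-ops share (fake SWIFT template)"),
        Honeytoken("HT-c5e82b7d19f4a603", "secrets vault (fake API key)"),
    ]
    # Constructed log lines, not taken from any real system.
    log_lines = [
        "2020-05-14T09:58:02Z src=10.0.5.23 user=jdoe GET /api/customers/44812 200",
        "2020-05-14T10:02:11Z src=10.0.5.23 user=jdoe GET /api/customers/HT-7a1c9e4f0b2d6358 200",
        "2020-05-14T10:02:40Z src=10.0.5.23 user=jdoe GET /api/customers/44813 200",
        "2020-05-14T11:17:05Z src=203.0.113.9 user=svc-backup smb READ \\\\fs1\\wireops\\HT-41d0f9aa8c3e7b16.docx",
        "2020-05-14T11:30:00Z src=10.0.7.8 user=alice GET /api/customers/44901 200",
    ]
    return scan_logs(tokens, log_lines)


if __name__ == "__main__":
    for alert in demo():
        print(f"line {alert['line']}: token from {alert['planted_in']} "
              f"used by src={alert['src']}")
```

Two of the five constructed lines fire: the sequential customer-ID walk from `10.0.5.23` that touches the fake account row, and a read of the fake wire template from an address outside the internal range.  The `planted_in` label is what makes the alert useful in an incident, because it tells the responder which store the adversary has already reached without revealing that they were seen.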

Note:  Information-security officers at financial institutions should distribute copies of this report to their teams, and incorporate specific findings from it into executive-level briefings and training on cybersecurity risks.  Senior leadership in financial institutions needs to understand the degree of sophistication that cyberattackers routinely display in their efforts to acquire or destroy vital data, if they are to make sound judgments about the resources that their CISOs need on a continuing basis.

APWG Publishes 1st Quarter 2020 Phishing Activity Trends Report

On May 11, the APWG (formerly the Anti-Phishing Working Group) published its Phishing Activity Trends Report for the first quarter of 2020.  Key findings and conclusions in the Report included the following:

  • Attacks Against Zoom: In only one month’s time, the number of phishing attacks targeting users of the videoconferencing and chat service Zoom that were reported to the APWG’s eCrime eXchange increased by more than two orders of magnitude, from eight in March to 1,054 in April. These attacks included phishing pages designed to steal Zoom account usernames and passwords as well as malware-delivery campaigns.
  • COVID-19 Themed Business Email Compromise Attacks: According to the Report, COVID-19 themed phishing attacks started spiking the week of March 8.  These attacks included business email compromise (BEC) schemes.
  • Ransomware Attacks Against Healthcare Facilities: On March 26, the cybersecurity firm RiskIQ’s Incident Investigation & Intelligence (i3) team found that ransomware attacks on healthcare facilities had increased 35 percent in comparison to similar attacks from 2016 through 2019. RiskIQ found that 70 percent of the healthcare attacks that it analyzed were directed at healthcare facilities with fewer than 500 employees.  The Report noted that “[i]t appears that attackers targeted smaller direct-patient care facilities because they might have smaller security budgets.”
  • Total Phishing Sites Detected: The Report stated that the total number of phishing sites detected in the first quarter of 2020 was 165,772 – a slight increase from the 162,155 sites detected in the preceding quarter.  Since November 2019, there has been a general increase in the number of detected phishing sites, although those numbers fall short of the nearly 80,000 sites detected in October 2019.
  • Unique Phishing Websites Detected: The number of unique phishing websites fluctuated from 54,926 in January to 49,560 in February to 60,286 in March.
  • Unique Phishing Email Reports: The number of unique phishing e-mail reports (campaigns) that APWG received varied more substantially, from 52,407 in January to 43,270 in February, before increasing slightly to 44,008 in March.
  • Brands Targeted by Phishing Campaigns: The number of brands that phishing campaigns targeted ranged from 374 in January to 331 in February to 344 in March.
  • Most-Targeted Industry Sectors: Software-as-a-Service (SaaS) and webmail sites remained the greatest targets of phishing, accounting for 34 percent of all attacks.  The financial institution sector constituted 19.4 percent of all attacks, but the payment sector dropped significantly from 20 percent of all attacks in the preceding four quarters to only 13.3 percent.
  • BEC Schemes: Phishing defense provider Agari reported that gift cards accounted for 66 percent of all BEC cash-out schemes, an increase from 56 percent in the preceding quarter, while direct transfer accounted for 18 percent and payroll diversion for 16 percent. The Report noted that the amount of money an attacker can make by obtaining gift cards “is significantly less than he can get with a wire transfer,” and that BEC attacks seeking wire transfers accordingly requested much larger sums.  The average gift-card amount requested was $1,453, while the average wire-transfer amount requested was $54,006.  One reported BEC attempt sought $976,522.
  • Online Criminal Activity in Brazil: During the first quarter, digital risk solutions provider Axur observed 10,910 cases of phishing directed at Brazilian brands or foreign services that are available in Portuguese in Brazil. That total represents a 24 percent increase over the fourth quarter of 2019 (8,782), and a 239 percent increase over the first quarter of 2019 (3,220).  Attacks against ecommerce sites, which accounted for a third of attacks in the first quarter, “are more prevalent in Brazil than elsewhere.”
  • Use of HTTPS (SSL/TLS) in Phishing Attacks: The percentage of phishing sites served over HTTPS has risen almost continuously since the third quarter of 2016, and the Report stated that during the first quarter of 2020 it reached a new high of 74 percent.  In practice this means the browser padlock no longer distinguishes a phishing page from a legitimate one; it attests only that the connection is encrypted, not that the site is who it claims to be.

Note: Information-security officers should share this Report with their teams, and incorporate key findings from the Report into their briefings of senior executives.  It is important that senior leadership across multiple industries recognize the continuing sophistication and complexity of cyberattacks, and provide the financial and human resources necessary to keep abreast of the constantly morphing cyberthreats most likely to threaten their operations.

European Banking Authority Publishes Results of Inquiry into Dividend Arbitrage Trading Schemes, Announces Ten-Point Action Plan

On May 12, the European Banking Authority (EBA) published the results of its inquiry into dividend arbitrage trading schemes, sometimes called “Cum-Ex” or “Cum-Cum” schemes.  Cum-Ex/Cum-Cum trading has been defined as “a form of dividend arbitrage where trading and lending of securities and derivatives are constructed around dividend dates in order to generate multiple withholding tax (WHT) reclaims for the same stock.”  It typically involves rapid exchanges, in as many as a dozen transactions, of stock “with” and then “without” dividends among three parties, where at least two of the parties then claim rebates on tax that was paid only once.

Background

Beginning in the mid-2000s, Cum-Ex trading became a means of conducting tax evasion on a massive scale.  From 2006 to 2011, according to the New York Times, hundreds of bankers, lawyers, and investors “made off with a staggering $60 billion, all of it siphoned from the state coffers of European countries.”  Because of a gap in its tax code, Germany was most heavily affected, losing an estimated $30 billion.  German prosecutors have since charged two key figures in Cum-Ex trading, Martin Shields and Paul Mora, with tax fraud involving double tax reclaims totaling roughly $486 million; Shields was convicted by the Bonn regional court in March 2020.

In response to the extensive reporting about Cum-Ex’s role in tax evasion, the European Parliament asked the European Securities and Markets Authority (ESMA) and the EBA to

conduct an inquiry into dividend arbitrage trading schemes such as cum-ex or cum-cum in order to assess potential threats to the integrity of financial markets and to national budgets; to establish the nature and magnitude of actors in these schemes; to assess whether there were breaches of either national or Union law; to assess the actions taken by financial supervisors in Member States; and to make appropriate recommendations for reform and for action to the competent authorities concerned.

The EBA Report

The EBA Report included a number of important findings, based in part on EBA surveys, with regard to Cum-Ex schemes:

  • National-Level Laws Prohibiting Cum-Ex Schemes: In eight European Union (EU) Member States, dividend arbitrage trading schemes such as Cum-Ex schemes are tax crimes and therefore constitute a “criminal activity” within the meaning of the EU’s Fourth Money Laundering Directive.  One EU Member State indicated that such schemes were not a tax crime under its national law.  In some other Member States, such schemes were not tax crimes under national law, but “were treated as tax crimes on the basis of case law.”
  • Money Laundering/Terrorist Financing (ML/TF) Risk: For five Member States, dividend arbitrage schemes were being assessed as part of those States’ national ML/TF risk assessment under Article 7 of the Fourth Money Laundering Directive.  In addition, for nine States AML/CFT supervisors indicated “that these schemes gave rise to the risk that a financial institution’s governance and internal control framework would be insufficient to adequately manage the risk of the financial institution, or someone acting on the financial institution’s behalf, committing or facilitating tax crimes.”
  • Supervisory Action Regarding Cum-Ex Schemes: Survey responses indicated that “most competent authorities have not considered the relevance that dividend arbitrage trading schemes may have for financial institutions’ sound and prudent management and for ML/TF risks due to weaknesses within the internal control framework and, consequently, few have taken supervisory actions.”
  • Cooperation: Notably, most competent authorities (whether prudential and/or AML/CFT supervisors) in Member States indicated that they “had not cooperated with other public authorities in their jurisdiction (such as tax authorities) or other competent authorities in their jurisdiction or in other Member States because they believed that there were no dividend arbitrage trading schemes in their Member State.”

The Report concluded that because facilitating tax crimes, or handling proceeds from tax crimes, “undermines the integrity of the EU’s financial system,” the EBA “expects institutions and competent AML/CFT and prudential authorities to take a holistic view of the risks highlighted by dividend arbitrage trading cases, . . . which may give rise to questions about the adequacy of financial institutions’ anti-money laundering systems, internal controls and internal governance arrangements.”  The Report recommended a number of measures to address the problem with regard to the current regulatory framework.  Those included AML/CFT supervisors’ outreach to local tax authorities, cooperation arrangements for information exchange between relevant competent authorities (including tax authorities) with regard to financial institutions’ involvement in Cum-Ex schemes, and competent authorities’ taking mitigating measures that are commensurate with the risks that such schemes pose.

The EBA Action Plan

Consistent with the Report’s findings and recommendations, the EBA’s Action Plan addresses ten specific actions that the EBA will take – with deadlines specified for each action — “to enhance the future regulatory requirements applicable to dividend arbitrage trading schemes”:

  1. Amend its prudential Guidelines on Internal Governance, “in order to ensure that the management body develop, adopt, adhere to and promote high ethical and professional standards”;
  2. Amend its prudential Guidelines on the Assessment of the Suitability of Members of the Management Body and Key Function Holders, “in order to ensure that tax offences, including where committed through dividend arbitrage schemes, are considered in the assessment”;
  3. Amend its prudential Guidelines on Supervisory Review and Evaluation Process (SREP) with regard to the section on governance, “in order to include an appropriate reference to tax crimes, such as dividend arbitrage schemes”;
  4. Monitor “how prudential colleges have followed up, in a risk-based approach, on guidance” with regard to Cum-Ex schemes;
  5. With regard to the EBA’s ongoing consultation on its Guidelines on ML/TF risk factors, assess the responses that the EBA will receive “to identify whether the existing references to tax crimes contained in the draft Guidelines are sufficient to address the risks arising from dividend arbitrage trading schemes”;
  6. Amend its Guidelines on Risk-Based AML/CFT Supervision “to include additional requirements on how AML/CFT competent authorities should, in a risk-based approach, identify, assess and address ML/TF risks associated with tax crimes such as illicit dividend arbitrage schemes”;
  7. Amend its biennial Opinion on ML/TF Risks, by assessing ML/TF risks associated with tax crimes in greater detail than did the previous version of the Opinion;
  8. Continue to allocate, in the EBA’s ongoing multi-annual program of staff-led AML/CFT implementation reviews of AML/CFT competent authorities, “explicit time to authorities’ handling of ML/TF risks associated with tax crimes, where this risk is significant”;
  9. Monitor discussions in AML/CFT supervisory colleges, “and intervene actively as necessary, to ensure that AML/CFT colleges for financial institutions that are exposed to significant ML/TF risks associated with tax crimes, address such risks”; and
  10. Carry out an inquiry, under Article 22 of the EBA Regulation, “into the actions taken by financial institutions and national authorities within their competencies to supervise compliance with requirements applicable to dividend arbitrage trading schemes as amended.”

Note:  These actions by the EBA represent a concerted effort to rationalize and coordinate efforts within the EU to treat Cum-Ex schemes as tax crimes warranting inclusion in AML/CFT regulation.  Financial institutions subject to EBA regulation should closely read the EBA Report and Action Plan, and promptly review their own AML/CFT compliance programs to identify any components that require revision to provide appropriate risk assessment and timely identification of customer participation in Cum-Ex schemes.  As the Action Plan indicates, both the EBA and national AML/CFT supervisors can be expected to devote substantial effort to addressing such schemes in 2020, 2021, and beyond.

GAO Issues Report on Trade-Based Money Laundering

On May 1, the U.S. Government Accountability Office (GAO) publicly released a report on trade-based money laundering (TBML).  The report examined three main topics, the third of which concerns the Trade Transparency Unit (TTU) program run by the Department of Homeland Security’s (DHS) Immigration and Customs Enforcement (ICE): “(1) what the available evidence indicates about the types and extent of international TBML activities, (2) the practices that international bodies, selected countries, and knowledgeable sources have recommended for detecting and combating TBML, and (3) the extent to which ICE has effectively implemented [the TTU program] and steps the U.S. government has taken to collaborate with international partners to combat TBML.”

The report first stated that different types of criminal organizations use TBML to disguise the origins of illicit proceeds and fund their operations.  These include drug trafficking organizations through Latin America, which “have used TBML schemes for decades to launder the proceeds from illegal drug sales”; other criminal organizations, which “launder proceeds from a range of other crimes, including illegal mining, human trafficking, and the sale of counterfeit goods”; corrupt government officials; and terrorist organizations including Hezbollah and the Revolutionary Armed Forces of Colombia (FARC).

These organizations use a range of TBML schemes involving many different goods and services, such as black market peso exchanges, import-export businesses, purchase and export of gold using drug proceeds, and purchase and export of higher-quality foreign goods.  The most common items in TBML schemes are precious metals, automobiles, clothes and textiles, and electronics.  The United States is not alone in dealing with TBML risks; the U.S. State Department has identified TBML risks in 26 countries or territories in multiple regions of the world, and free trade zones have been identified as particular areas of risk for TBML.

Multiple sources indicate that “the amount of TBML occurring globally is substantial and has increased in recent years,” possibly in the billions of dollars each year.  The report, however, recognized that “specific estimates of the amount of TBML occurring around the world are unavailable” from either academic or government studies.

The report took note of recommendations from official and other sources for governments to strengthen their efforts to detect and combat TBML.  It identified and discussed five categories for these recommendations: “(1) partnerships between governments and the private sector, (2) training in detecting and combatting TBML, (3) sharing information through interagency collaboration, (4) international cooperation through information and knowledge sharing, and (5) further research on challenges, such as potential impediments to combatting TBML.”

According to the report, U.S. officials and knowledgeable sources “noted several challenges to international cooperation related to technology and data uniformity.” These included changes in government administration and technological limitations that “affect the continuity and the commitment to information sharing with foreign partners,” and a lack of trust among countries, which complicates “arrangements for sharing trade data between multiple countries as a possible means of improving detection of TBML-related activities.”

The report also stated that DHS and the Departments of Justice, State, and the Treasury “provide a variety of support to partner countries to assist in combating TBML, including establishing information-sharing methods, funding training and technical assistance, and providing ongoing law enforcement cooperation.”  In particular, the report observed that the TTU program, which it termed “[t]he U.S. government’s primary partnership effort focused specifically on combating TBML,” “has faced challenges that limited its results in disrupting TBML schemes.”

These challenges included (1) insufficient resources or support for partner TTUs; (2) slow expansion of the TTU program and limited geographic range; (3) delays in launching partner TTUs and lapses in their operation; (4) differences in objectives between DHS’s Homeland Security Investigations (HSI), the ICE component that manages the program, and partner TTUs (i.e., partners placing higher priority on revenue collection than on disrupting TBML schemes); (5) limited authorities and lack of interagency coordination in TTU partner countries; and (6) data-sharing and connectivity problems.  The report faulted HSI for not taking “key management steps to address those challenges and to strengthen the TTU program.”

The report presented two recommendations for the Secretary of DHS: (1) direct the Director of ICE “to develop a strategy for the TTU program to ensure that ICE has a plan to guide its efforts to effectively partner with existing TTUs, and to expand the program, where appropriate, into additional countries”; and (2) “direct the Director of ICE to develop a performance monitoring framework for the TTU program that would enable the agency to systematically track program results and how effectively it is achieving the program’s goals.”

Note: This GAO report underscores the importance of TBML as a key, though still inadequately measured, component of money laundering worldwide.  Anti-money laundering (AML) compliance officers should circulate this report within their teams to increase overall awareness about TBML, and to assist in refining their AML risk assessment processes to take greater notice of TBML methods and techniques.