Justice Department Obtains Indictment Against Four Senior Executives for Price-Fixing and Bid-Rigging in Broiler-Chicken Market

On June 3, the U.S. Department of Justice announced that it had obtained an indictment against four current and former senior executives from two major broiler chicken producers, for conspiring to fix prices and rig bids for broiler chickens under section 1 of the Sherman Act.  (Broiler chickens are chickens raised for human consumption and sold to grocers and restaurants.)

According to the indictment in this case, from at least as early as 2012 until at least early 2017, two executives of a Colorado-headquartered chicken supplier — Jayson Penn, the President and Chief Executive Officer, and Roger Austin, a former Vice President – and two executives of a Georgia-headquartered broiler chicken producer — Mikell Fries, the President and a member of the board, and Scott Brady, a Vice President – participated in a conspiracy to fix prices and rig bids for broiler chickens across the United States.

The indictment specifically alleged that the four defendants and other unidentified coconspirators participated in a network that they used to pursue the following aims:

  • “to reach agreements and understandings to submit aligned, though not necessarily identical, bids and to offer aligned, though not necessarily identical, prices, and price-related terms, including discount levels, for broiler chicken products sold in the United States”;
  • “to participate in conversations and communications relating to nonpublic information such as bids, prices, and price-related terms, including discount levels, for broiler chicken products sold in the United States with the shared understanding that the purpose of the conversations and communications was to rig bids, and to fix, maintain, stabilize, and raise prices and other price-related terms, including discount levels, for broiler chicken products sold in the United States”; and
  • “to monitor bids submitted by, and prices and price-related terms, including discount levels, offered by, Suppliers and co-conspirators for broiler chicken products sold in the United States.”

It also sets forth sequences of emails that appear to demonstrate ongoing discussions between the defendants relating to pricing for dark chicken meat and wings, and to dark meat and chicken-on-the-bone supplies.  It further alleged the defendants’ discussions of protecting, and thereafter acting to protect, the purpose and effectiveness of the conspiracy, through sequences of emails.

Note: This indictment is noteworthy because these four defendants, in the Department’s words, “are the first to be charged in an ongoing criminal investigation into price fixing and bid rigging involving broiler chickens.”

Because price-fixing and bid-rigging are core criminal violations under the Sherman Act, antitrust compliance officers should brief senior executives in their firms about this indictment, and include information from the indictment in antitrust-compliance training materials.  Those briefing and training materials should include examples of the types of alleged email exchanges between the executives, to show the kinds of words and actions that the Antitrust Division is likely to consider highly probative of executives’ knowledge of and participation in price-fixing and bid-rigging.

Nigerian EFCC Acting Chairman Offers Business Intelligence to Prospective Investors in Nigeria

On May 23, the Acting Chairman of the Nigerian Economic and Financial Crimes Commission (EFCC), Ibrahim Magu, offered to provide business intelligence to prospective investors in Nigeria.

Speaking at a virtual conference of 500 Nigerians in diaspora around the world, Magu stated that the EFCC, which is responsible for preventing, investigating, prosecuting, and penalizing economic and financial crimes in Nigeria, “is aware of the frustration, uncertainties and risks, local fraudsters are posing to credible businessmen and women abroad, who wish to invest in the Nigerian economy.” For that reason, he said, the EFCC “is ready to offer intelligence services to anyone seeking genuine business partners in Nigeria.”  He explained that the EFCC would obtain and deliver “[p]rofiles of potential business partners in Nigeria . . . to the foreign-based investors” to assist them in making decisions on who might be a legitimate local business partner.

Magu further offered to provide “intelligence on any line of business desired by the Nigerians in the diaspora.  We are ready to do all these to encourage credible and serious investors who do not want to be defrauded by fraudsters at home.”

Magu also urged Nigerians in the diaspora to avail themselves of the opportunities the EFCC is offering, to bring more investments into the local economy in Nigeria, and to support the EFCC’s anti-corruption efforts “by exposing foreign assets of local politicians” under the Nigerian government’s whistle- blowing policy.

Note: Companies that are interested in doing business in Nigeria, but that have concerns about the reliability of prospective business partners there, should take Acting Chairman Magu’s offers seriously.  While Nigeria continues to grapple with its longstanding reputation for extensive fraud and corruption, the EFCC has repeatedly demonstrated, to Nigeria and other countries, its effectiveness and integrity in investigating and prosecuting fraud and corruption.  Chairman Magu’s offers reflect a sincere interest in enabling prospective investors to avoid running afoul of criminal groups.

Companies should therefore test the waters with the EFCC and request business intelligence on several prospective and current Nigerian business partners.   As this service will cost a company nothing, and potentially enhance the company’s corporate due diligence, companies can determine for themselves the value of the EFCC’s assistance, and, if it proves beneficial, expand its use of the EFCC’s resources for future due diligence.  Contact information for the EFCC is available here.

U.S. Department of Justice Indicts Three for Iranian Sanctions-Related Crimes, Extradites One Defendant

On May 18, the U.S. Department of Justice announced the unsealing of an indictment against two individuals and a company for conducting financial transactions in violation of U.S. sanctions against Iran.  The three defendants — Iranian Internet-based financial-services company Payment24, Payment24’s founder and Chief Executive Officer Seyed Sajjad Shahidian, and Payment24’s Chief Operating Officer Vahid Vali — were charged with conspiracy to commit offenses against and to defraud the United States, wire fraud, money laundering, and identity theft.  Shahidian had previously been arrested in and extradited from the United Kingdom to the United States; Vali remains at large.

According to the Justice Department, Payment24, which had offices in Tehran, Shiraz, and Isfahan, Iran, had as its primary business

helping Iranian citizens conduct prohibited financial transactions with businesses based in the United States, including the unlawful purchase and exportation of computer software, software licenses, and computer servers from United States companies.  According to PAYMENT24’s website, the company charged a fee to circumvent “American sanctions,” and claimed to have brought in millions of dollars of foreign currency into Iran.

The indictment alleged that beginning in or before 2009 through November 2018, Shahidian conspired with Vali and other individuals to commit federal criminal offenses by violating the restrictions on trade and exports from the United States to Iran.  Payment24 sold on its website

a package to assist its Iranian clients with making online purchases from United States-based businesses, which included a PayPal account, a fraudulent “ID card and address receipt,” a remote IP address from the United Arab Emirates, and a Visa gift card.  The PAYMENT24 website also offered its clients advice on how to create accounts with a foreign identity and how to avoid restrictions on foreign websites, including advising clients to “never attempt to log into those sites with an Iranian IP address.

As part of the scheme to violate sanctions restrictions, Shahidian and Vali allegedly made material misrepresentations and omissions to U.S.-based businesses regarding the destination of the U.S.-origin goods.  To accomplish the transactions, Shahidian obtained payment processing accounts from U.S.-based companies using false residency information, fraudulent passport documents, and other false documents that were “fabricated using the identity and personally identifiable information of another person.”

Note:  Iranian media have reportedly described Shahidian as “as a successful entrepreneur and a capable financial manager who earned $2.5 million in five years.”  What is otherwise noteworthy about this case is that after Shahidian’s provisional arrest in the United Kingdom, Iranian Embassy officials met with him to offer consular support, but he reportedly refused the offer.

In any event, sanctions compliance officers should share this information about the indictment with senior executives, and incorporate the details as appropriate into their corporate sanctions training courses and materials.

VMware Issues “Modern Bank Heists 3.0” Report Featuring Cyberthreat Data Analysis and CISO Survey Data

On May 14, enterprise software firm VMware released its “Modern Bank Heists 3.0” report on key trends and developments pertaining to cyberattacks against financial institutions. The report (available here) combines threat data analysis by VMWare’s Carbon Black team with survey responses from 25 financial institution Chief Information Security Officers (CISOs) reflecting trends over the past 12 months.

Key findings and responses in the report included the following:

  • Threat Data Analysis:
    • From the start of February to the end of April 2020, attacks targeting the financial sector grew by 238 percent, and ransomware attacks against the financial sector increased by nine times.
    • 27 percent of all cyberattacks to date in 2020 have targeted either the healthcare sector or the financial sector.
  • Survey Responses:
    • 80 percent of surveyed financial institutions reported an increase in cyberattacks (a 13 percent increase from 2019).
    • 82 percent said that cybercriminals have become more sophisticated.
    • 64 percent reported increased fraudulent wire transfer attempts (a 17 percent increase from 2019). The report added that these attacks “are often performed by exploiting gaps in the wire transfer verification process or through social engineering attacks targeting customer service representatives and consumers directly.”  It also noted that cybercriminals “exhibit tremendous situational awareness regarding SWIFT messaging. This is compounded with their newfound understanding of the criticality of portfolio managers’ positions.”
    • 33 percent said that they have encountered an attack leveraging “island hopping” (i.e., “an attack where supply chains and partners are commandeered to target the primary financial institution”).
    • 25 percent said that they were targeted by destructive attacks (i.e., attacks “launched punitively to destroy data and dismantle subnets”).
    • 20 percent said that they experienced a “watering-hole attack” (i.e., attacks in which financial institution and bank regulatory websites “are hijacked and used to pollute visitors’ browsers”).
  • Key Attack Trends:
    • Among the top attacks seen across multiple sectors, including finance, are the Emotet family of banking malware and the Kryptic trojan, which was one of the infections found in the 2015 attack on the Ukrainian power grid.
  • Cyberattacker Tactics, Techniques, and Procedures (TTPs):
    • The report stated that
      • “cybercriminals have dramatically increased their knowledge of the policies and procedures of financial institutions. They are keenly aware of the incident response (IR) stratagems being employed by IR teams and the blind spots that exist within every institution. Given the tactical shifts of the cognitive attack loop, they are maintaining and manipulating their positions within networks because of the noise created by incident response and the lack of security controls integration.”
    • It also discussed leading methods by which cybercriminals are exploiting processes running on systems. According to data from MITRE, the most prominent threat identifications affecting the financial sector from March 2019 to February 2020 were process discovery (64.81 percent) and process injection (i.e., “a method of executing arbitrary code in the address space of a separate live process,” which “may allow access to the process’s memory, system/network resources, and possibly elevated privileges”) (25.04 percent).

To respond to these cyberattack methods, the report recommended five steps for financial institutions in responding to incidents:

  1. “Stand up a secondary line of secure communications” to discuss the ongoing incident, as cyberattackers may be intercepting, viewing, modifying, and otherwise compromising internal communications.
  2. “Assume the adversary has multiple means of gaining access into the environment.”
  3. “Watch and wait” rather than immediately starting to block malware activity and to shut off access, as the institution needs to determine potential avenues of reentry by the attackers.
  4. “Deploy agents (if you must) in monitor-only mode” to avoid tipping off the attackers by trying to block or otherwise impede their activities.
  5. Deploy honey tokens (i.e., “fake digital data objects planted among real data objects and used in an attempt to detect data misuse by insiders”) or “deception grids” (i.e. cyber deception technology that uses decoys that “mimic user activities, while acting like real exploited users,” as well as hacker-tracing capabilities).

Note:  Information-security officers at financial institutions should distribute copies of this report to their teams, and incorporate specific findings from it into executive-level briefings and training on cybersecurity risks.  Senior leadership in financial institutions needs to understand the degree of sophistication that cyberattackers routinely display in their efforts to acquire or destroy vital data, if they are to make sound judgments about the resources that their CISOs need on a continuing basis.

APWG Publishes 1st Quarter 2020 Phishing Activity Trends Report

On May 11, the APWG (formerly the Anti-Phishing Working Group) published its Phishing Activity Trends Report for the first quarter of 2020.  Key findings and conclusions in the Report included the following:

  • Attacks Against Zoom: In only one month’s time, the number of attacks against the videoconferencing and chat service Zoom that were reported to the APWG’s eCrime eXchange increased by several orders of magnitude, from eight phishing attacks in March to 1,054 attacks in April. These latter attacks included phishing attacks designed to steal Zoom account usernames and passwords and malware-delivery attacks.
  • COVID-19 Themed Business Email Compromise Attacks: According to the Report, COVID-19 themed phishing attacks started spiking the week of March 8.  These attacks included business email compromise (BEC) schemes.
  • Ransomware Attacks Against Healthcare Facilities: On March 26, the cybersecurity firm RiskIQ’s Incident Investigation & Intelligence (i3) team found that ransomware attacks on healthcare facilities had increased 35 percent in comparison to similar attacks from 2016 through 2019. RiskIQ found that 70 percent of the healthcare attacks that it analyzed were directed at healthcare facilities with fewer than 500 employees.  The Report noted that “[i]It appears that attackers targeted smaller direct-patient care facilities because they might have smaller security budgets.”
  • Total Phishing Sites Detected: The Report stated that the total number of phishing sites detected in the first quarter of 2020 was 165,772 – a slight increase from the 162,155 sites detected in the preceding quarter.  Since November 2019, there as been a general increase in the number of detected phishing sites, although those numbers fall short of the nearly 80,000 sites detected in October 2019.
  • Unique Phishing Websites Detected: The number of unique phishing websites fluctuated from 54,926 in January to 49,560 in February to 60,286 in March.
  • Unique Phishing Email Reports: The number of unique phishing e-mail reports (campaigns) that APWG received varied more substantially, from 52,407 in January to 43,270 in February, before increasingly slightly to 44,008 in March.
  • Brands Targeted by Phishing Campaigns: The number of brands that phishing campaigns targeted ranged from 374 in January to 331 in February to 344 in March.
  • Most-Targeted Industry Sectors: Software-as-a-Service (SaaS) and webmail sites remained the greatest targets of phishing, accounting for 34 percent of all attacks.  The financial institution sector constituted 19.4 percent of all attacks, but the payment sector dropped significantly from 20 percent of all attacks in the preceding four quarters to only 13.3 percent.
  • BEC Schemes: Phishing defense provider Agari reported that gift cards accounted for 66 percent of all BEC cash-out schemes, an increase from 56 percent in the preceding quarter, while direct transfer accounted for 18 percent and payroll diversion for 16 percent. The Report took note of the fact that the amount of money that an attacker can make by obtaining gift cards “is significantly less than he can get with a wire transfer,” but that BEC attacks seeking wire transfers were seeking much larger amounts.  The average gift-card requested amount was $1,453, while the average wire-transfer requested amount was $54,006.  One reported BEC attempt sought $976,522.
  • Online Criminal Activity in Brazil: During the first quarter, digital risk solutions provider Axur observed 10,910 cases of phishing directed at Brazilian brands or foreign services that are available in Portuguese in Brazil. That total represents a 24 percent increase over the fourth quarter of 2019 (8,782), and a 239 percent increase over the first quarter of 2019 (3,220).  Accounts against ecommerce sites, which accounted for a third of attacks in the first quarter, “are more prevalent in Brazil than elsewhere.”
  • Use of Secure Socket Layer in Phishing Attacks: Although the percentage of phishing attacks using the HTTPS encryption protocol has risen almost continuously since the third quarter of 2016, the Report stated that during the first quarter of 2020 the percentage of phishing sites using SSL reached a high of 74 percent.

Note: Information-security officers should share this Report with their teams, and incorporate key findings from the Report into their briefings of senior executives.  It is important that senior leadership across multiple industries recognize the continuing sophistication and complexity of cyberattacks, and provide the financial and human resources necessary to keep abreast of the constantly morphing cyberthreats most likely to threaten their operations.