Eric Meiggs Pleads Guilty to Operating Nationwide Scheme to Steal Social Media Accounts and Cryptocurrency

May 3, 2021

A Massachusetts man pleaded guilty to conducting a scheme to take over victims’ social media accounts and steal hundreds of thousands of dollars in cryptocurrency.

According to court documents and statements made in connection with the plea proceeding, Eric Meiggs, 23, of Brockton, admitted that he and one or more co-conspirators targeted victims who appeared to have significant amounts of cryptocurrency and those who had high value or “OG” (slang for “original gangster”) social media account names. Using an illegal practice known as “SIM-swapping,” Meiggs and others conspired to hack into and take control of these victims’ online accounts to obtain things of value, including OG social media account names and cryptocurrency.

As alleged in the indictment, SIM-swapping attacks involve convincing a victim’s cellphone carrier to reassign the victim’s phone number from the SIM card (Subscriber Identity Module card) inside the victim’s cellphone to the SIM card inside a cellphone controlled by the cybercriminals. Cybercriminals then pose as the victim with an online account provider and request that the provider send account password-reset links or an authentication code to the SIM-swapped device now controlled by them. The cybercriminals can then reset the victim’s account log-in credentials and use those credentials to access the victim’s account without authorization, or “hack into” the account.
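The weak link the indictment describes is that the account provider treats possession of the phone number as proof of identity. One mitigation is to refuse SMS-delivered reset codes when the number's SIM or carrier changed recently and to prefer a stronger factor whenever one is enrolled. The following is an added example of such a recovery policy; it is not from the case or any named provider. The carrier lookup (`CarrierSignal`), the 72-hour cooldown, the `high_value` flag and the sample accounts are assumptions constructed for the illustration.

```python
"""Gate SMS-based account recovery on SIM-change recency and factor strength.

Added example, not from the indictment. The carrier signal models a hypothetical
SIM-change / port-out lookup; the thresholds and accounts are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional


class Decision(Enum):
    ALLOW_SMS = "allow_sms"                                # SMS code may complete the reset
    REQUIRE_STRONGER_FACTOR = "require_stronger_factor"    # TOTP or hardware key instead
    MANUAL_REVIEW = "manual_review"                        # no safe automated path; hold it


@dataclass
class Account:
    user_id: str
    phone: str
    has_totp: bool = False
    has_hardware_key: bool = False
    high_value: bool = False   # e.g. custodial cryptocurrency balance above a threshold


@dataclass
class CarrierSignal:
    """Hypothetical carrier lookup result: when the number's SIM or carrier last changed."""
    last_sim_change: Optional[datetime]
    last_port: Optional[datetime]


SIM_CHANGE_COOLDOWN = timedelta(hours=72)   # assumed policy window


def recently_changed(signal: Optional[CarrierSignal], now: datetime) -> bool:
    """True if the SIM/carrier changed inside the cooldown, or the lookup failed (fail closed)."""
    if signal is None:
        return True
    for ts in (signal.last_sim_change, signal.last_port):
        if ts is not None and now - ts < SIM_CHANGE_COOLDOWN:
            return True
    return False


def evaluate_sms_reset(account: Account, signal: Optional[CarrierSignal],
                       now: datetime) -> Decision:
    """Decide whether an SMS code alone may reset this account's credentials."""
    stronger = account.has_totp or account.has_hardware_key
    # A fresh SIM swap, or an account worth targeting, must never be recoverable by SMS alone.
    if account.high_value or recently_changed(signal, now):
        return Decision.REQUIRE_STRONGER_FACTOR if stronger else Decision.MANUAL_REVIEW
    # Even with a quiet number, prefer the stronger factor when the user has one.
    if stronger:
        return Decision.REQUIRE_STRONGER_FACTOR
    return Decision.ALLOW_SMS


def demo(now: Optional[datetime] = None) -> Dict[str, Decision]:
    """Run the policy over constructed accounts and carrier signals."""
    now = now or datetime(2021, 5, 3, 12, 0, tzinfo=timezone.utc)
    old = CarrierSignal(last_sim_change=now - timedelta(days=400), last_port=None)
    fresh = CarrierSignal(last_sim_change=now - timedelta(minutes=20), last_port=None)
    cases = {
        "ordinary_old_sim": (Account("u1", "+15555550100"), old),
        "ordinary_fresh_sim": (Account("u2", "+15555550101"), fresh),
        "totp_fresh_sim": (Account("u3", "+15555550102", has_totp=True), fresh),
        "crypto_holder_old_sim": (Account("u4", "+15555550103", high_value=True), old),
        "lookup_failed": (Account("u5", "+15555550104"), None),   # carrier API unavailable
    }
    return {name: evaluate_sms_reset(acct, sig, now) for name, (acct, sig) in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} -> {decision.value}")
```

The fail-closed branch matters in practice: an attacker who has just moved the number will hit the recovery flow inside the cooldown, and a lookup outage should not silently turn into an SMS-only reset.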

According to the indictment, Meiggs and his co-conspirators targeted at least 10 identified victims around the country. Members of the conspiracy stole, or attempted to steal, more than $530,000 in cryptocurrency from these victims. Meiggs also took control of two victims’ “OG” accounts with social media companies.

Meiggs pleaded guilty to each of seven counts in an indictment, charging him with conspiracy, wire fraud, computer fraud and abuse, and aggravated identity theft. He is scheduled to be sentenced on Sept. 15, and faces a mandatory minimum penalty of two years in prison, to be served consecutively to any other sentence. A federal district court judge will determine the sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division; Acting U.S. Attorney Nathaniel R. Mendell for the District of Massachusetts; Special Agent in Charge Joseph R. Bonavolonta of the FBI’s Boston Field Office; and Acting Special Agent in Charge Ramsey E. Covington of IRS Criminal Investigation (IRS-CI) made the announcement.

HUMAN (formerly White Ops) discovered and disrupted a new, highly sophisticated botnet focused on defrauding the Connected TV (CTV) advertising ecosystem. Omnicom Media Group, The Trade Desk, and Magnite, flagship members of The Human Collective—a newly launched initiative that brings together players throughout digital advertising to create a collectively protected ecosystem—collaborated with HUMAN, with the support of Google and Roku, to lead the disruption effort.

In short, PARETO is nearly a million infected mobile Android devices pretending to be millions of people watching ads on smart TVs and other devices. The botnet used dozens of mobile apps to impersonate or spoof more than 6,000 CTV apps, accounting for an average of 650 million ad requests every day.

HUMAN’s Satori Threat Intelligence and Research Team found the PARETO operation in 2020 and has worked with the rest of HUMAN to limit its impact on clients ever since. The operation is named for the Pareto Principle, the economics rule of thumb that roughly 80% of the effects in a given situation come from only 20% of the actors.

“CTV provides massive opportunities for streaming services and brands to engage with consumers through compelling content and advertising,” said HUMAN CEO and Co-Founder Tamer Hassan. “Because of this opportunity, it is incredibly important for the CTV ecosystem and brands to work together through a collectively protected advertising supply chain to ensure fraud is recognized, addressed and eliminated as quickly as possible.”

PARETO worked by spoofing signals within malicious Android mobile apps to impersonate consumer TV streaming products running Fire OS, tvOS, Roku OS, and other prominent CTV platforms. The botnet took advantage of digital shifts that were accelerated by the pandemic, hiding in the noise in order to trick advertisers and technology platforms into believing ads were being shown on CTVs. This particular approach is lucrative for fraudsters, as pricing for ads on connected TVs is often substantially higher than pricing on mobile devices or on the web.
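Spoofing of the kind described here leaves contradictions between what a request claims and what the network actually shows: a request that says it comes from a tvOS or Roku app while arriving with an Android phone User-Agent, from a cellular address, at a rate no single television would generate. The following is an added example of such consistency checks over constructed ad-request records; it is not HUMAN’s detection logic and not PARETO data. The `AdRequest` fields, the `network` enrichment, the thresholds and the sample traffic are all assumptions made for the illustration.

```python
"""Consistency checks for ad requests that claim to originate from connected-TV apps.

Added example with constructed records; not HUMAN's detection logic or PARETO data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class AdRequest:
    device_id: str     # device identifier the app reports to the exchange
    client_ip: str     # source IP seen by the exchange
    bundle: str        # CTV app bundle / channel id the request claims
    declared_os: str   # platform the request claims ("Roku OS", "tvOS", "Fire OS", ...)
    user_agent: str    # HTTP User-Agent actually sent on the wire
    network: str       # "fixed" or "cellular", from IP enrichment (assumed field)


CTV_PLATFORMS = {"Roku OS", "tvOS", "Fire OS", "Android TV"}
# Policy thresholds chosen for the example; an exchange would tune these per window.
MAX_REQUESTS_PER_DEVICE = 300
MAX_BUNDLES_PER_IP = 20


def platform_mismatch(req: AdRequest) -> bool:
    """Claims a TV platform but the wire User-Agent is an Android phone."""
    ua = req.user_agent
    return req.declared_os in CTV_PLATFORMS and "Android" in ua and "Mobile" in ua


def flag_devices(requests: List[AdRequest]) -> Dict[str, Set[str]]:
    """Return {device_id: reasons} for devices whose requests are internally inconsistent."""
    per_device = Counter(r.device_id for r in requests)
    bundles_by_ip: Dict[str, Set[str]] = defaultdict(set)
    for r in requests:
        bundles_by_ip[r.client_ip].add(r.bundle)

    flags: Dict[str, Set[str]] = defaultdict(set)
    for r in requests:
        if platform_mismatch(r):
            flags[r.device_id].add("ua_platform_mismatch")
        # Televisions almost never sit behind a cellular address; phones usually do.
        if r.declared_os in CTV_PLATFORMS and r.network == "cellular":
            flags[r.device_id].add("ctv_claim_on_cellular")
        if per_device[r.device_id] > MAX_REQUESTS_PER_DEVICE:
            flags[r.device_id].add("request_rate")
        # One address cycling through many "apps" is a device impersonating many apps.
        if len(bundles_by_ip[r.client_ip]) > MAX_BUNDLES_PER_IP:
            flags[r.device_id].add("bundle_churn")
    return dict(flags)


def build_sample() -> List[AdRequest]:
    """Constructed traffic: one honest Roku and one phone spoofing 30 CTV bundles."""
    honest = [
        AdRequest("roku-0001", "203.0.113.10", "tv.example.news", "Roku OS",
                  "Roku/DVP-9.4 (489.40E04111A)", "fixed")
        for _ in range(40)
    ]
    spoof = [
        AdRequest("phone-7f3a", "198.51.100.7", f"tv.spoofed.app{i % 30}", "tvOS",
                  "Mozilla/5.0 (Linux; Android 9; SM-J260F) Mobile", "cellular")
        for i in range(450)
    ]
    return honest + spoof


if __name__ == "__main__":
    for device, reasons in flag_devices(build_sample()).items():
        print(device, sorted(reasons))
```

Each check on its own is a heuristic that a careful spoofer can satisfy (the article notes the operators went as far as low-level protocol spoofing); the value is in requiring every claimed attribute to agree with every observed one, so that each new disguise has to be consistent across all of them at once.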

“We appreciate the work of the research community, and value our collaboration with HUMAN,” said Per Bjorke, Product Manager, Ad Traffic Quality at Google. “Responsible disclosure and collaboration benefits the entire ecosystem, and we look forward to working with them on additional research in the future.”

The PARETO operation has been sophisticated and evasive over the past year. Each time PARETO launched a new disguise for its fake traffic, HUMAN detected it and adapted its techniques to protect its customers through HUMAN’s Advertising Integrity solution. After a year of this cycle of HUMAN countermeasures and PARETO adaptations, HUMAN and its partners—including Omnicom Media Group, The Trade Desk, Magnite, Google, and Roku—disrupted the operation.

“Roku is committed to fighting ad fraud in every form and to the development of leading practices for staying ahead of fraud globally. We were pleased to support HUMAN’s efforts to disrupt the PARETO operation. While this scheme impacted less than 0.1% of Roku devices, our approach to creating a premium curated advertising marketplace ensured that not a single Roku advertiser was ever at risk of being impacted,” said Willard Simmons, VP of Product Management at Roku. “The PARETO case presents yet another reminder of the importance of taking fraud seriously, working with the best fraud detection partners and ensuring both the supply and demand side of the advertising ecosystem works only with trusted verified partners.”

HUMAN also observed a far smaller but connected effort attempting to spoof consumer streaming platforms. The investigation identified a single developer on Roku’s Channel Store whose apps were connected to PARETO: they were designed to communicate with the server that operates the PARETO botnet, and they impacted less than one half of one percent of Roku’s active devices globally. The primary operation was associated with 29 Android apps and the secondary operation with one Roku developer delivering the malware to infected devices. All of these apps have been removed from the marketplaces on which they operated, and lists of the apps are available as appendices to HUMAN’s technical analysis of the botnet. Roku has also permanently disconnected the impacted apps from use.

“What’s especially striking about this operation is its scale and sophistication,” said HUMAN Chief Scientist Michael McNally. “The actors behind PARETO have a fundamental understanding of numerous aspects of advertising technology, and used that to their advantage in how they hid their work within the CTV ecosystem. Their efforts included low-level network protocol spoofing, which is especially hard to detect, but which our team at HUMAN spotted.”

The Satori Threat Intelligence and Research Team used numerous tools to identify the sources of the botnet and has shared its findings with law enforcement.

Copyright © 2002 - 2021 CONSTITUENTWORKS SM CORPORATION. All rights reserved.