Federal Government Unseals Indictments In 2014 Bank Breaches

Have you ever received a spam e-mail advertising a penny stock, and assumed that it came from a general junk mail list, or that someone simply typed out a list of randomly generated addresses? Criminal charges announced today revealed that the perpetrators of a stock fraud scheme built their mailing list by exploiting the Heartbleed bug to steal the names and e-mail addresses of about 80 million customers from JPMorganChase.

These e-mail addresses were used to blast messages about cheap stocks, with the goal of convincing junk mail recipients to buy the stocks, artificially inflating the price before the people behind the scheme sold all of their shares of that stock. This is called a pump and dump scheme, and in itself will get you in trouble with the Securities and Exchange Commission. (The SEC will, indeed, catch up with them about the alleged securities fraud later.)

Last year, the same hackers hit multiple banks in a series of coordinated attacks, exploiting the Heartbleed bug to harvest the e-mail addresses of people with online accounts with JPMorganChase, E-Trade, ScottTrade, and the information service Dow Jones.

It makes sense, if you’re a scammy evil-doer: when your scam depends on someone buying the stock you’re shilling right away, you want recipients who are savvy enough to have online brokerage accounts or online bank accounts.

The indictment of scheme leaders describes a criminal enterprise that employed hundreds of people and began in 2012. The brokerage accounts were part of a separate scheme to start a new criminal enterprise, recruiting the people whose information was stolen as clients on false pretenses.

U.S. announces criminal charges in massive 2014 JPMorgan hack [Washington Post]
