Man Pleads Guilty in Wal-Mart Card Phishing Scheme

A Sacramento, California, man has pleaded guilty to charges for his role in an international scam that netted sensitive information on tens of thousands of Internet users and then used that data to open fraudulent Wal-Mart credit cards.

Tien "Tim" Truong Nguyen pleaded guilty to fraud and identity theft charges on Tuesday, the day before his case was set to go to trial.

Prosecutors say that, working in concert with Romanian cyber-criminals, Nguyen set up fake phishing Web sites and supplied others with stolen information that was then used to set up fake Wal-Mart instant credit accounts in stores throughout northern California.

Operated by GE Capital, kiosks run a credit check on the Wal-Mart customer and then spit out instant credit coupons -- typically for US$1,000 to $2,000 -- that can be used in the stores.

By setting up hundreds of these instant credit lines, Nguyen's two alleged co-conspirators, Stefani Ruland and Ryan Price, netted close to $193,000 in just under two months, prosecutors say. A Wal-Mart investigator uncovered the scam in September 2006, after an anonymous tipster told him that Ruland and Price had a garage full of stolen Wal-Mart items in their Sheridan, California, home.

Ruland is serving a prison sentence for her role in the scam; Price is awaiting trial, prosecutors said.

After meeting Price and Ruland over the Internet, Nguyen began giving them credit information in exchange for methamphetamine, prosecutors said in court filings. "Nguyen said that he did identity theft 'because it was so easy,'" the filings state. He told investigators that "he wanted to quit identity theft, but resumed it if he was smoking methamphetamine; and that the drug gave him the drive to do identity theft."

When Nguyen was arrested on Jan. 26, 2007, police found credit card numbers, bank account numbers and stolen information belonging to tens of thousands of people on his computer. They also found templates for making fake Web sites. Targets included eBay and a number of smaller regional financial institutions, such as Florida's Fairwinds Credit Union, Washington's Heritage Bank and the Honolulu City and County Employee's Credit Union. , now known as Aloha Pacific.

Many of Nguyen's victims were PayPal users who responded to fake e-mails or pop-up windows that asked them for personal information, authorities said. EBay owns PayPal, an online payment service.

The case "shows that information can be obtained in Sacramento and be used to carry out fraud in very far-reaching ways," said Robin Taylor, an assistant U.S. attorney who prosecuted the case.

Nguyen's guilty plea comes as part of a larger Department of Justice crackdown on Romanian phishers. In March, a federal judge in Connecticut handed a 23-year-old Romanian named Ovidiu-Ionut Nicola-Roman a four-year prison sentence for his role in an international phishing scam. The U.S. Federal Bureau of Investigation has spent the past six years strengthening connections with Romanian police and lawmakers. Last year, federal authorities arrested nearly 60 people in the U.S. and Romania as part of a phishing dragnet operation.

Taylor said that consumers who are worried about identity theft can take some basic steps, such as flagging their accounts with credit-reporting agencies, so that they know when someone tries to take out credit in their name; exercising caution online; and keeping their Social Security numbers private.

Nguyen, who has three previous felony convictions dating back to 1999, is set to be sentenced on Nov. 19.

Subscribe to the Security Watch Newsletter

Comments