Nigerian convicted in US on AFF

The US Justice Department Press Release details a rare successful conviction of a 419 scammer:

Nora R. Dannehy, United States Attorney for the District of Connecticut, today announced that a federal jury in Bridgeport has found OKPAKO MIKE DIAMREYAN, 31, a citizen of Nigeria who sometimes resided in Accra, Ghana, guilty of three counts of wire fraud stemming from an alleged “advance fee” scam. The trial began on February 11 and the jury returned its verdict this afternoon.

The accused ran scams from 2004 onward, garnering up to $1.5 million from victims in the US. He faces up to 20 years in prison and a fine of up to $250,000 on each of the three wire fraud counts. I found a ten-page “RULING RE: DEFENDANT’S MOTION FOR JUDGMENT OF ACQUITTAL” from United States v. Diamreyan (D. Ct.) Case 3:309-cr-00260-JCH, Document 66, Filed 04/16/10.

The three counts of wire fraud charged in the Indictment are: Count One, a telephone call from Diamreyan in Ghana to Michael Pandelos in Connecticut on August 19, 2006; Count Two, a wire transfer via Western Union of $50 from Pandelos to Diamreyan on August 22, 2006; and Count Three, a wire transfer of $100 from Pandelos to Martine Janvier, Diamreyan’s wife, in Massachusetts on August 26, 2008.

The accused argued that there was insufficient evidence, but the court ruled against him. The case and testimony give a good picture of how people become victims, as well as a benchmark of what is necessary to reach a conviction.

AFF continues to grow as a problem. Ultrascan, based on cases they work with, now lists the top three countries by AFF fraud losses as the US ($2.1 billion), the UK ($1.2 billion) and China ($936 million).

iPad User Attack

The email message, as displayed by MalwareCity, has strange meter and language:

It is very important to keep the software on your iPad updated for best performance, newer features and security.

I would be suspicious at this point. Best performance? The next paragraph is even more obvious:

All you need is a computer with the latest version of iTunes and internet connection for updating your iPad software. It is important to say that during software update no data is lost.

The only software available from the link in this email, however, is for Windows, not for the iPad.

At this point, with the grammar and syntax flaws as well as the OS clue, you should know the email is an attack.

A victim who runs the download gets Backdoor.Bifrose.AADY, which installs a backdoor through explorer.exe and steals software license keys and passwords.
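A practical check for the OS clue above, added here as an example and not taken from MalwareCity’s analysis: identify what the linked “update” actually is from its headers rather than from its file name or the email’s claims. Genuine iPad software arrives through iTunes, and .ipa bundles and .ipsw firmware images are ZIP containers, while a Windows program announces itself with an MZ header and a PE signature. The function name and the sample bytes are my own; the sample is a constructed minimal PE header, not the real download.

```python
import struct

# COFF Machine values for the two architectures a Windows backdoor would normally target
IMAGE_FILE_MACHINE = {0x014C: "x86", 0x8664: "x64"}


def identify_update(data: bytes) -> str:
    """Classify a downloaded 'update' by its leading bytes, not by its filename."""
    if data[:4] == b"PK\x03\x04":
        # .ipa app bundles and .ipsw firmware images are ZIP containers
        return "zip archive"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points at the PE signature
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            # COFF header follows the signature; first field is Machine
            (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
            arch = IMAGE_FILE_MACHINE.get(machine, f"machine 0x{machine:04x}")
            return f"Windows PE executable ({arch})"
        return "DOS MZ executable"
    return "unknown"


# Constructed sample (not the real attachment): the first bytes of a minimal 32-bit PE file,
# a DOS header with e_lfanew = 0x40, then the PE signature and the COFF Machine field.
FAKE_IPAD_UPDATE = (
    b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)   # offset 0x3C: e_lfanew
    + b"PE\0\0" + struct.pack("<H", 0x014C)            # offset 0x40: signature + Machine
)

if __name__ == "__main__":
    print(identify_update(FAKE_IPAD_UPDATE))
```

Anything the check reports as a Windows executable cannot be an iPad update, whatever the email or the file name says; that is the OS clue reduced to four bytes.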

New Breach Fines and Lawsuits

A SQL injection attack breached the brokerage firm D.A. Davidson & Co. in 2007 and exposed nearly 200K customer records.

Investigators followed a trail that led to the arrest of three Latvians in the Netherlands. The suspects allegedly were to pick up money from the company in an extortion plot in which D.A. Davidson initially was advised to send the money to Russia.

The Financial Industry Regulatory Authority (FINRA) has just announced that D.A. Davidson will pay a $375K fine to settle the matter.

Davidson had argued that the attack was “new at the time” and “relatively sophisticated”. The firm also claimed extensive security procedures were in place during the intrusion, such as “regular review” of logs from the firewall protecting the breached database, and that a third-party auditor hired just before the breach had been unable to penetrate the network. The regulators countered that an audit a year earlier had recommended a network intrusion detection system which was never installed. The regulators also faulted Davidson for not encrypting the database contents and for leaving the database, protected only by a default vendor password, on a web server connected directly to the Internet.

Taken together, Davidson’s claims about sophistication and attacker stealth pale in comparison to the apparent lack of network intrusion detection in 2007, the lack of proper segmentation of the database and the use of a default password.
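To make the gap between Davidson’s defence and the regulators’ findings concrete, here is an added example of my own, not code, data or logs from D.A. Davidson, FINRA or the investigation. It puts a customer lookup written by string concatenation beside its parameterized form, runs both against a constructed SQLite table, and then runs a narrow injection signature over constructed web access log lines of the kind a network or web-layer intrusion detection system inspects and a firewall log never records. The table layout, records, log lines, payload and the `lookup_*` and `flag_sqli` names are all assumptions.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed stand-in for a brokerage customer table; not D.A. Davidson's schema or data.
SAMPLE_CUSTOMERS = [
    (1, "alice", "111-22-3333", "alice@example.com"),
    (2, "bob", "444-55-6666", "bob@example.com"),
    (3, "carol", "777-88-9999", "carol@example.com"),
]

# The classic tautology payload: closes the quoted literal and appends an always-true clause.
PAYLOAD = "' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed customer records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, ssn TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Customer lookup built by string concatenation: the caller's text becomes SQL."""
    sql = (
        "SELECT id, username, ssn, email FROM customers WHERE username = '"
        + username + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Same lookup with a bound parameter: the driver passes the text as a value, never as SQL."""
    sql = "SELECT id, username, ssn, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed web access log lines (Apache combined style). The second and third requests carry
# the payload URL-encoded as a browser would send it. A firewall log would show only source,
# destination, port and byte counts for these, never the query string.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [12/Dec/2007:03:14:07 -0700] "GET /account?user=alice HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Dec/2007:03:14:09 -0700] "GET /account?user=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 48120',
    '203.0.113.7 - - [12/Dec/2007:03:14:11 -0700] "GET /account?user=alice%27-- HTTP/1.1" 500 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')
# Narrow signatures applied to the URL-decoded request path: quote followed by a boolean
# tautology, UNION SELECT, or quote followed by a SQL comment. Real NIDS rule sets are far
# broader; this only shows what lives in the request and not in a firewall log.
SQLI_RE = re.compile(r"'\s*(?:or|and)\s+[^=]*=|union\s+select|'\s*--", re.IGNORECASE)


def flag_sqli(log_lines: list) -> list:
    """Return the indices of log lines whose decoded request path matches an injection signature."""
    hits = []
    for i, line in enumerate(log_lines):
        m = REQUEST_RE.search(line)
        if m and SQLI_RE.search(unquote(m.group(1))):
            hits.append(i)
    return hits


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable   :", lookup_vulnerable(conn, PAYLOAD))      # every row
    print("parameterized:", lookup_parameterized(conn, PAYLOAD))   # no rows
    print("flagged lines:", flag_sqli(SAMPLE_ACCESS_LOG))          # [1, 2]
```

The tautology payload returns every customer row from the concatenated query and nothing from the parameterized one. Parameterization closes the injection itself, but it does nothing about the regulators’ other findings: a database reachable from the Internet under a vendor default password, unencrypted records and no system watching the requests in the first place still need segmentation, a changed credential, encryption and detection at the web or network layer.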

Clearly regulators and the law (e.g. cases in Illinois and Michigan) are turning up the heat on information security management.

Hear more details about why this breach is significant, as well as others, in my Top Ten Breaches webcast for the RSA Conference next week.