West African fraudsters have been identified as the actors behind a worldwide email scam in which more than $60 million has been stolen from small and midsize businesses and their banks.
One ringleader, identified only as "Mike," was arrested by Interpol on Monday, with help from security company Trend Micro. On Thursday morning another security company, SecureWorks, released the result of an exhaustive investigation of another ring of Nigeria-based cybercriminals.
There's been a rise in "business-email-compromise" scams globally. According to the FBI, from October 2013 through February 2016, law enforcement received reports from 17,642 victims who claimed they were swindled out of more than $2.3 billion. And since January 2015, the FBI has seen a 270% increase in identified victims.
The concern for banks is that their filters typically don't spot this kind of fraud. They naturally don't have control over their business customers' email accounts and when clients customarily send payments to suppliers all over the world, it's hard to identify rogue funds transfers.
Yet experts say there are several things banks can encourage their business clients to do to protect themselves, such as using two-factor authentication on email accounts and building better security controls around wire transfers.
One reason it's so difficult to catch business email scammers is because they typically use proxy servers that hide their IP addresses. They also don't use their real names and they often use malware that can camouflage and even delete itself to escape detection.
In recent cases, researchers were able to directly monitor the scammers' computers, including their social media activity, over an extended period of time. From this they built a detailed behavioral and psychological profile of these cybercriminals.
These scammers are not like the "Nigerian princes" of the 1990s who emailed naïve Americans offering to send them millions of dollars, asking only for a bank account number to deposit them into. Nor do they fit the image of the stereotypical pale, young Eastern European hacker.
These fraudsters are middle-aged, respected pillars of their communities who don't see their activities as crimes. In their view, they are simply taking a well-deserved reward from faceless Western firms that have profited from exploiting the country's resources.
Stumbling on a Ringleader
Researchers at SecureWorks were conducting a standard security investigation; they were reverse engineering malware found on a client's computer. They found a drop site to which the malware was sending the screen shots and keystroke logs it had captured from its victims. They combed through the site to identify victims so they could notify them of anything important.
As they studied the screen shots, they realized that one of the malware victims was the operator of the scam. They could see him not only conducting business email scams, but teaching others how to do them.
"He was infecting himself with his own malware and was sending minute-by-minute screen shots of his activity," said James Bettke, a SecureWorks Counter Threat Unit researcher. It was a way of checking that the malware was doing what it was set up to do.
"Little did he know there was a misconfigured web server on the same machine, that's how we were able to see all that," Bettke said.
The researchers watched the ringleader and his associates for several months to understand how they conducted their scam and what their motivations were. They also observed the perpetrators' communications with others on Facebook chat and internet forums.
"We know pretty much everything about them and how they live their lives, when they go to church on Sundays," Bettke said. "It's been a rare opportunity to get that level of insight."
The scam kicks off, they found, with the use of a marketing tool that scrapes email addresses off websites, say to find the contacts of top employees at manufacturing companies in India. (They typically look for manufacturing companies, chemical companies and others that buy and sell large shipments of goods.) They'll phish that email list in the hopes of catching somebody who will unwittingly click on a malicious link or attachment and thus unleash a remote access Trojan on their computer.
Once in, the malware starts scanning the victim's email accounts. This is especially easy when victims use free webmail services like SquirrelMail or Roundcube that don't require two-factor authentication (although Roundcube offers a second factor as an option), Bettke noted.
The attackers look for communications between buyers and sellers in large transactions. When they find a transaction they think is high value — they target invoices that average $30,000 to $60,000 — they insert themselves in the middle of it. They'll set up a rule in the seller's email so every email the buyer sends to the seller is redirected to the hackers, who make changes and then forward the message to the seller. When an invoice comes in, they'll change the seller's bank account information on the invoice, so the buyer sends the money to the wrong account. They'll also change the phone number on the invoice, so even if the buyer calls to confirm the transaction, he will not reach the right people.
"It's a full man-in-the-middle attack, but through email," Bettke said. The cybercriminal typically uses a clone email domain that's one letter off, so he can communicate with both parties and they don't realize there's a middleman.
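The two signals described above, a sender domain that is one character off from a known partner's and an invoice whose bank account or phone number no longer matches what the buyer verified when it onboarded the supplier, can be checked mechanically on the receiving side. The following is an added example, not SecureWorks' code or any tool mentioned in the article. It assumes the buyer keeps a vendor master record (domain, bank account, phone) separate from whatever arrives by email; the `.example` domains, account strings and phone numbers are constructed. It goes slightly beyond "one letter off": the edit-distance routine also catches a swapped pair of letters, which is the other common lookalike pattern.

```python
"""Receiving-side checks for email payment-diversion fraud (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorRecord:
    """Details verified at onboarding, never taken from an incoming invoice."""
    domain: str
    bank_account: str
    phone: str


@dataclass(frozen=True)
class Invoice:
    """Fields as extracted from an incoming invoice email."""
    sender: str
    bank_account: str
    phone: str
    amount: float


# Constructed vendor master: two legitimate suppliers.
VENDOR_MASTER = {
    "acme-chemicals.example": VendorRecord(
        "acme-chemicals.example", "GB00 CONSTRUCTED 1234", "+44 20 0000 0001"),
    "delta-supply.example": VendorRecord(
        "delta-supply.example", "IN00 CONSTRUCTED 5678", "+91 22 0000 0002"),
}


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def lookalike_domain(sender_domain: str, known_domains, max_distance: int = 1):
    """Return the known domain that sender_domain imitates, or None.

    An exact match is a legitimate sender and also returns None; only
    near-misses are reported.
    """
    sender_domain = sender_domain.lower().rstrip(".")
    if sender_domain in known_domains:
        return None
    for known in sorted(known_domains):
        if damerau_levenshtein(sender_domain, known) <= max_distance:
            return known
    return None


def review_invoice(invoice: Invoice, vendor_master=VENDOR_MASTER) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    domain = invoice.sender.rsplit("@", 1)[-1].lower()
    imitated = lookalike_domain(domain, set(vendor_master))
    if imitated:
        findings.append(f"sender domain {domain!r} is one edit from partner {imitated!r}")
        vendor = vendor_master[imitated]  # compare against the partner it imitates
    else:
        vendor = vendor_master.get(domain)
    if vendor is None:
        findings.append(f"sender domain {domain!r} is not in the vendor master")
        return findings
    if invoice.bank_account != vendor.bank_account:
        findings.append("bank account on invoice differs from vendor master; verify out of band")
    if invoice.phone != vendor.phone:
        findings.append("phone on invoice differs from vendor master; call the master-record number, not the invoice")
    return findings


if __name__ == "__main__":
    # Constructed diverted invoice: capital I for l in the domain, new account and phone.
    diverted = Invoice("billing@acme-chemicaIs.example", "GB00 CONSTRUCTED 9999",
                       "+44 20 0000 9999", 45000.0)
    for finding in review_invoice(diverted):
        print("FLAG:", finding)
```

Because the phone comparison is against the onboarding record, a callback placed to the number on the invoice, which the article notes the fraudsters also rewrite, is never treated as verification.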
One victim, a U.S. chemical company, wired $400,000 out to a hacker's account. The money was quickly laundered and lost.
As researchers watched the scammers, they noticed this was a different breed of cybercriminal than they'd seen in the past.
"These guys are much older," Bettke said. "They're family men. They're well-respected in their communities, they're devoutly religious. We were really surprised by that."
The fraudsters are all Facebook friends with each other, most of them live near each other and hang out at each other's houses. "They're not what you'd expect. They're not huddled up in a cybercafé wearing hoodies," he said.
"This dispelled a lot of preconceived notions I had about how this activity works," said Joe Stewart, director of malware research for the SecureWorks Counter Threat Unit research team.
"When you see somebody who's actively engaged in fraud and stealing huge sums of money on the one hand, but you look at his desktop and he's also helping out his church, it's an odd juxtaposition," he said. "And they don't consider this theft. … They're just taking back what [they believe] rightfully belongs to them."
Reactions in these forums from fellow Nigerians tend to be positive, he said. A few commenters will protest that this activity is wrong, "but by and large most are supportive of fraudsters taking back the money they think was stolen from them during the years of colonial rule," Stewart said. (Nigeria was a British colony for parts of the 19th and 20th centuries.)
Researchers like SecureWorks try to report business email scam activity to banks to warn them, but there's no central reporting authority where they can send a bank account number and have it flagged to be monitored, Stewart said.
For banks, this fraud is difficult to spot because the transactions look like those their clients conduct every day. To protect their clients — and, ultimately, themselves — from fraud-related losses, banks should encourage their business customers to implement two-factor authentication on their email services, experts said.
Stewart estimates that business-email-compromise scams account for up to $6 million a year in fraud-related losses.
Same Country, Slightly Different Scam
On Monday, Interpol and the Nigerian Economic and Financial Crime Commission arrested a 40-year-old Nigerian business email compromise mastermind they identified only as "Mike" in Port Harcourt, Nigeria.
The authorities believe Mike is behind scams that have siphoned more than $60 million from hundreds of victims worldwide. (SecureWorks researchers say this person was not in the ring they investigated.) In one case, a target was conned into paying out $15.4 million. Interpol did not respond to requests for an interview.
The network included more than 40 perpetrators who compromised email accounts of small to midsize businesses in the U.S., Australia, Canada, India, Malaysia, Romania, South Africa and Thailand. According to Interpol, the mastermind had money laundering contacts in the U.S., China, and Europe who set up bank accounts for the illicit cash flow.
The main two types of scams run by this network, according to Interpol's press release, were payment diversion fraud — where a supplier's email would be compromised and fake messages would then be sent to the buyer with instructions for payment to a bank account under the criminal's control — and CEO fraud, in which the email account of a high-level executive is compromised and a request for a wire transfer is sent to another employee who has been identified as responsible for handling these requests.
Mike first came onto the law enforcement radar through a report provided to Interpol by Trend Micro.
Here again, Trend Micro's researchers stumbled on the scam in the course of their usual research into the criminal undergrounds in several countries, focusing on business email compromise and CEO fraud.
Trend Micro's team found out the hackers were spoofing the emails of certain company officers, for instance sending fake emails that appear to be from the CEO to CFOs and others in the organization who have the authority to transfer money.
"Cybersecurity purists might see this as a simple attack, but there's a level of research hackers are doing to understand not only the organization they're going to target but also the people to target," said Ed Cabrera, chief cybersecurity officer at Trend Micro. "Arguably, doing that research in this day and age is not that hard. With social media the way it is, it's not that hard to identify the CEO, the CFO and those that are not CFOs but have that ability to transfer funds from the organization."
These attacks have gotten more advanced, he noted. "Early on in the evolution of spam, you could detect the emails with their misspellings and poor grammar," he said. "In these attacks, they're improving their emails — the verbiage, the syntax, the slight variations on email domains that people reading email quickly don't notice."
In a common scheme, hackers will craft an email that appears to come from the CEO saying, "I'm looking to invest money, but I need to transfer money quickly to this account, please don't let anybody know about this right now because it's a very confidential transaction," Cabrera said.
In addition to two-factor authentication for email, Cabrera recommends that companies add controls around the transfer of money.
"Most companies have policies and procedures, the question is, do they follow them when they're transferring money on a daily or hourly basis?" Cabrera said. "No funds should be transferred without some kind of secondary authentication. It doesn't have to be technical, it could be a follow-up phone call to a human."
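The "secondary authentication" control Cabrera describes can be written down as a release rule so that it is applied every time rather than only when someone remembers. The following is an added example, not Trend Micro's or any vendor's code. It assumes a vendor master file keyed by vendor id and a log of the callbacks staff actually made; vendor ids, account strings and phone numbers are constructed. The rule never releases on the strength of the request alone: the approver must be a different person from the requester, and a beneficiary account that differs from the master record is accepted only if someone other than the requester confirmed it by calling the number held in the master record, not a number supplied with the request.

```python
"""Payment-release control with mandatory out-of-band verification (constructed example)."""
from dataclasses import dataclass

# Constructed vendor master: the account and phone verified at onboarding.
VENDOR_MASTER = {
    "V-1001": {"account": "DE00 CONSTRUCTED 0001", "phone": "+49 30 000 0001"},
}


@dataclass(frozen=True)
class TransferRequest:
    vendor_id: str
    account: str      # beneficiary account as stated on the request or invoice
    amount: float
    requester: str    # who raised the request (e.g. after an email from "the CEO")
    approver: str     # who signs it off


@dataclass(frozen=True)
class Callback:
    """Record of a human phone call made to confirm changed bank details."""
    vendor_id: str
    account_confirmed: str
    number_dialled: str
    made_by: str


def release_transfer(req: TransferRequest, vendor_master=VENDOR_MASTER, callbacks=()):
    """Return (released, reason). Every refusal names the missing control."""
    vendor = vendor_master.get(req.vendor_id)
    if vendor is None:
        return False, "unknown vendor; onboard through the normal process first"
    if req.approver == req.requester:
        return False, "approver must be a different person from the requester"
    if req.account == vendor["account"]:
        return True, "beneficiary matches vendor master"
    # Account differs from what was verified at onboarding: require a callback
    # to the master-record number, made by someone other than the requester.
    for cb in callbacks:
        if (cb.vendor_id == req.vendor_id
                and cb.account_confirmed == req.account
                and cb.number_dialled == vendor["phone"]
                and cb.made_by != req.requester):
            return True, "changed beneficiary confirmed by callback to master-record number"
    return False, "beneficiary differs from vendor master and no valid callback is on record"


if __name__ == "__main__":
    # Constructed urgent request naming a new account, as in the CEO-fraud pattern.
    req = TransferRequest("V-1001", "DE00 CONSTRUCTED 9999", 250000.0, "alice", "bob")
    print(release_transfer(req))  # refused: no callback yet
    ok_call = Callback("V-1001", "DE00 CONSTRUCTED 9999", "+49 30 000 0001", "carol")
    print(release_transfer(req, callbacks=[ok_call]))  # released
```

A callback to a number that arrived with the request (the case the article describes, where the fraudster also rewrote the phone number) fails the `number_dialled` comparison and the transfer stays blocked.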
Editor at Large Penny Crosman welcomes feedback at email@example.com.