Churchgoing Nigerians Drive Business Email Attacks
New Research Uncovers Surprising Fraudster Profiles
When the computer security company SecureWorks began studying email fraud schemes out of West Africa, the profiles of one particular group surprised them. Instead of young adults working out of cyber cafes, they were older, deeply religious men working at home.
The profiles were a departure from how many West African email scammers have presented themselves on social media, posing with bundles of cash and cars. Instead, these scammers have Bible quotes on their desktops.
"These guys are older, family men," says Joe Stewart, director of malware research at SecureWorks. "They're very low key about how they're making a living. They appear well-off in their pictures on social media, but they're never being flashy about it."
The group studied by SecureWorks is one of a number that have graduated from purely social engineering scams designed to trick people into making wire transfers, known under the Nigerian criminal code as 419 scams. Instead, the scams have evolved into something that's vastly more profitable, which law enforcement refer to as business email compromise or business email spoofing.
The attackers get inside the email systems of companies and do careful reconnaissance, looking for business-to-business transactions where they can intervene. If two companies are about to make a deal, the scammers use their inside access to email systems to modify invoice details and direct payments into accounts they control.
The U.S. FBI has repeatedly warned that the attacks are causing devastating losses to businesses. In April, the agency said at least $2.3 billion had been reported lost worldwide from October 2013 through February, comprising nearly 18,000 victims (see Business Email Compromise: How Big Is the Problem?).
Source of Insight
SecureWorks gained deep insight into one of the business email compromise groups because of a big mistake by its ringleader, Mr. X.
"The operator had infected himself with his own malware," says James Bettke, an information security research adviser at SecureWorks. "He was uploading screenshots every few minutes of his desktop, so we were able to determine he was the ringleader of a BEC operation."
The malware also uploaded keystroke logs and clipboard information from Mr. X's computer to an open web server, which SecureWorks analyzed. That allowed the company to gain insight into the malware and tools the group uses.
SecureWorks nicknamed the group Wire-Wire Group 1 and estimates, in a blog post, that it may have caused as much as $6 million annually in losses, netting $3 million after paying off money launderers. It's an enormous sum in Nigeria, where GDP per capita is $6,100 annually, according to the CIA's Fact Book. Mr. X acted as an adviser, training others in the group for a cut of their proceeds.
The group picks targets by simply trawling the web for companies that have published email addresses for employees. Then comes what they refer to as "bombing" - sending malware or phishing emails, hoping to capture credentials for email accounts.
Not many of the attacks are successful. But even if 1 or 2 out of 1,000 targets are infected and compromised, it provides more than enough work for the next, labor-intensive stage of the attack.
After a company has been compromised, the attackers read through emails to discover the relationships between people and scan for pending high-value transactions. At the last minute, the payment details for an invoice are altered. The seller never gets the money, and the buyer never gets the product.
"Both parties are sort of confused, not really knowing that this third party has somehow managed to intercept their emails and very discreetly changed those fine details," Bettke says.
Nigeria has long fought a battle against 419 scams, also referred to as advance-fee fraud. In 2003, Nigeria set up the Economic and Financial Crimes Commission (EFCC) to tackle internet-related crime and create public awareness campaigns trying to dissuade youths from becoming so-called yahoo-yahoo boys.
Nigeria recently has made some progress in the fight against the email scams. On Aug. 1, Interpol and the EFCC announced the arrest of a 40-year-old Nigerian man whom authorities believe was behind $60 million in fraud.
The man, referred to as Mike, headed a group of 40 people based in Nigeria, Malaysia and South Africa who were executing business email and romance scams. The group targeted the email accounts of small to medium-sized businesses in Australia, Canada, India, Malaysia, Romania, South Africa, Thailand and the U.S. In one incident, a target paid $15.4 million, officials report.
Businesses can take some easy defensive steps to reduce their exposure. For example, SecureWorks recommends using two-factor authentication on email accounts. Another best practice is to closely examine wire transfer details, especially for large transactions. It's also good to confirm the details with the other party by phone, which routes around attackers lurking inside email accounts. Administrators should also watch out for new rules set up in email accounts that divert messages to other domains.
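The last recommendation, checking mailboxes for rules that divert mail to other domains, is easy to script against an inbox-rule export. The example below is added here and is not SecureWorks code: the rule records are constructed, and the field names (forward_to, redirect_to, delete_message) only loosely mirror what an Exchange or Microsoft 365 inbox-rule export exposes, as does the list of organization domains. It goes one step beyond the article by raising the severity when a rule also deletes the original message, since the mailbox owner then never sees the diverted correspondence.

```python
"""Audit mailbox inbox rules for forwarding or redirection outside the organization.

Added example, not SecureWorks code. The rule records are constructed and loosely
mirror the fields of an Exchange / Microsoft 365 inbox-rule export; the field names
and the organization domain list are assumptions.
"""
from typing import Dict, Iterable, List

ORG_DOMAINS = {"example.com"}  # assumed internal domains; subdomains count as internal

# Constructed sample export: four rules across three mailboxes.
SAMPLE_RULES: List[Dict] = [
    {"mailbox": "ap@example.com", "name": "Archive newsletters",
     "forward_to": [], "redirect_to": [], "delete_message": False},
    {"mailbox": "cfo@example.com", "name": ".",
     "forward_to": ["backup.invoices@mail-example.net"], "redirect_to": [],
     "delete_message": True},
    {"mailbox": "sales@example.com", "name": "Copy to manager",
     "forward_to": ["manager@corp.example.com"], "redirect_to": [],
     "delete_message": False},
    {"mailbox": "cfo@example.com", "name": "Invoices",
     "forward_to": [], "redirect_to": ["cfo.example@gmail.com"],
     "delete_message": False},
]


def is_external(address: str, org_domains: Iterable[str] = ORG_DOMAINS) -> bool:
    """True when the address's domain is neither an org domain nor a subdomain of one."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in org_domains)


def audit_rules(rules: Iterable[Dict], org_domains: Iterable[str] = ORG_DOMAINS) -> List[Dict]:
    """Return one finding per rule that sends a copy of mail to an external address.

    Severity is 'high' when the rule also deletes the original message, because the
    mailbox owner then never sees the diverted correspondence.
    """
    findings = []
    for rule in rules:
        targets = list(rule.get("forward_to", [])) + list(rule.get("redirect_to", []))
        external = sorted(t for t in targets if is_external(t, org_domains))
        if not external:
            continue
        findings.append({
            "mailbox": rule["mailbox"],
            "rule": rule["name"],
            "external_targets": external,
            "severity": "high" if rule.get("delete_message") else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[{f['severity']}] {f['mailbox']} rule {f['rule']!r} -> "
              + ", ".join(f["external_targets"]))
```

Run against a real export, the two findings worth a same-day look are the ones on the finance mailbox: a rule named with a lone period that forwards to a lookalike domain and deletes the original, and a redirect to a consumer webmail account. Internal forwarding, as in the sales mailbox, is not reported.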
SecureWorks has also created a tool called pdfexpose that can detect modifications to PDFs. Scammers will often modify PDF invoices with a white opaque rectangle. The tool looks in a PDF for duplicate sets of bank account routing details that may be hidden under floating layers.
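The detection idea behind pdfexpose can be reproduced in a few dozen lines: an invoice altered by painting a white box over the original bank details and drawing new ones on top still carries both sets of figures in its content stream. The example below is added here and is not SecureWorks' tool; it builds two small PDFs inline (one clean, one tampered in that way, both constructed), inflates FlateDecode streams, and flags a page where more than one distinct account number appears under the same label while an opaque white rectangle has been painted. The "account:" label pattern, the fixtures and the simplified content-stream parsing (only literal strings shown with Tj) are assumptions of this example.

```python
"""Flag invoice PDFs where bank details were overwritten with an opaque rectangle.

Added example in the spirit of the pdfexpose approach the article describes; not
SecureWorks' tool. Heuristic: the text layer holds more than one distinct account
number for the same label AND the page paints a white-filled rectangle (the overlay
used to hide the original figures). Fixtures and the label format are constructed.
"""
import re
import zlib

ACCOUNT_RE = re.compile(r"account[:#\s]*(\d{6,})", re.I)  # assumed invoice label
STRING_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj")   # literal string + Tj
STREAM_RE = re.compile(rb"<<((?:(?!<<).)*?)>>\s*stream\r?\n(.*?)endstream", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # direct /Length only


def build_pdf(content: bytes, compress: bool = False) -> bytes:
    """Assemble a minimal one-page PDF (with a valid xref) around a content stream."""
    if compress:
        content = zlib.compress(content)
    filt = b"/Filter /FlateDecode " if compress else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
        b"/Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< " + filt + b"/Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


def content_streams(pdf: bytes) -> list:
    """Stream bodies from the file; FlateDecode streams are inflated, others kept raw."""
    streams = []
    for m in STREAM_RE.finditer(pdf):
        meta, data = m.group(1), m.group(2)
        length = LENGTH_RE.search(meta)
        data = data[:int(length.group(1))] if length else data.rstrip(b"\r\n")
        if b"/FlateDecode" in meta:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # e.g. image data we cannot read as page content
        streams.append(data)
    return streams


def _is_one(tok: bytes) -> bool:
    try:
        return float(tok) == 1.0
    except ValueError:
        return False


def white_fill_count(stream: bytes) -> int:
    """Count rectangle fills painted in opaque white, ignoring text objects."""
    tokens = re.sub(rb"BT.*?ET", b" ", stream, flags=re.S).split()
    white = pending_rect = False
    count = 0
    for i, tok in enumerate(tokens):
        if tok == b"g" and i >= 1:                 # gray fill colour: 1 g is white
            white = _is_one(tokens[i - 1])
        elif tok == b"rg" and i >= 3:              # RGB fill colour: 1 1 1 rg is white
            white = all(_is_one(t) for t in tokens[i - 3:i])
        elif tok == b"re":                         # rectangle appended to the path
            pending_rect = True
        elif tok in (b"f", b"f*", b"B", b"B*"):    # path fill operators
            if pending_rect and white:
                count += 1
            pending_rect = False
    return count


def text_strings(stream: bytes) -> list:
    """Literal strings shown with Tj, with PDF backslash escapes removed."""
    return [re.sub(r"\\(.)", r"\1", m.group(1).decode("latin-1"))
            for m in STRING_RE.finditer(stream)]


def analyze_invoice(pdf: bytes) -> dict:
    accounts, white_fills = [], 0
    for stream in content_streams(pdf):
        white_fills += white_fill_count(stream)
        for text in text_strings(stream):
            accounts.extend(ACCOUNT_RE.findall(text))
    distinct = sorted(set(accounts))
    return {"accounts": distinct, "white_fills": white_fills,
            "suspicious": len(distinct) > 1 and white_fills > 0}


# Constructed fixtures: a clean invoice line, and the same page with that line
# covered by a white box and a different account number drawn on top of it.
ORIGINAL = b"BT /F1 12 Tf 72 700 Td (Pay to account: 123456789) Tj ET\n"
TAMPERED = (ORIGINAL + b"1 1 1 rg 70 695 250 18 re f\n"
            + b"BT /F1 12 Tf 72 700 Td (Pay to account: 987654321) Tj ET\n")

if __name__ == "__main__":
    print(analyze_invoice(build_pdf(ORIGINAL)))
    print(analyze_invoice(build_pdf(TAMPERED, compress=True)))
```

The clean fixture yields a single account number and no white fills; the tampered one yields two numbers and one white fill, so it is reported as suspicious. Production tooling would also need to handle TJ arrays, hex strings, object streams and form XObjects, which this example leaves out.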
There is one day, though, when businesses don't have to worry about receiving BEC-related malware from Nigeria.
"A lot of this activity actually drops on Sunday because they're actually at church and taking the day off," Stewart says.