In 2020 through well researched social engineering, cyber criminals are targeting the senior management of large corporations and simply asking for money. Through email.
It’s the old ‘man in the middle’ spoofed email attack. Newly revised as Business email compromise (BEC)
A cyber criminal gang researches a companies corporate structure. Preferably one with overseas subsidiaries or vendors. They analyse the management structure then focus on an individual to target by creating a spoofed company email address. A slight variation in the email of a senior manager or decision maker who can approve international wire transfer payment. The cyber criminal injects themselves into the email chain by impersonating the corporate employee and creates an fraudulent international payment scenario.
Payments for invoiced services between the company and themselves as the seemingly legitimate vendors. This involves a change of banking details with the payment being transferred to a money mule account under control of the cyber gang. The BEC fraudsters will typically register a domain and use the provided email from that domain to create a spoofed email address and domain of the targeted company.
Photo by David Rotimi on Unsplash
Having entered the email chain of a company a manager may receive a friendly reminder.
‘Please be aware our banking services have recently changed.
Please transfer the outstanding funds to our new bank account listed below. We look forward to further mutually beneficial business transactions with your good selves.’
Something along those lines. Sometimes it’ll work, and if not then it’s onto the next corporate target.
If the emails originate from Nigerian cyber fraudsters they may contain the odd grammar or spelling mistake. But many of them will hit home none the less. They will cast the net far and wide.
The Nigerian culture places an importance on education and family. A small percentage are cyber criminals. The small percentage have created an international rep for the country as online scammers and yahoo boys. Romance scams and fake lotteries.
As with many African countries when the political elite are proven to be corrupt and not much happens to them..some of the population will follow suit.
One evening at work in 2014 I received an email from ‘the FBI’
The agent warned me that a raid of my house was imminent unless I paid the outstanding fine for the crime committed. I replied to the agents yahoo email address and thanked him for the sufficient warning. I was also impressed the FBI themselves would execute the raid in South Africa. That was dedication.
He never replied. Still for weeks afterwards I was like Henry Hill looking for that surveillance helicopter overhead. A sweaty anxiety ridden mess.
Goodfellas – Courtesy Warner Brothers
Hushpuppi and Mr Woodbery
In early June, Raymond Abbas – a Nigerian known to his 2.4 million Instagram followers as “Hushpuppi” and Jacob Olalekan Ponle also known on Instagram as Mr Woodbery, were arrested by Dubai Police for cyber fraud and money laundering totalling an alleged £350 million.
They were among 12 person arrested for the crimes in a series of coordinated raids. The pair received the most media attention due to their social media celebrity status. The FBI led international operation had been going for months. Their consistent Instagram posting allowed investigators to confirm their location through their accounts. They gave themselves dubious titles for an explanation of their wealth – real estate investor. Bitcoin entrepreneur.
The Dubai Police with local jurisdiction, working alongside the FBI seized £30 million in cash from Hushpuppi’s Dubai apartment. 12 luxury vehicles were also seized.
Electronic storage devices were seized which allegedly contained information on 1,926,400 international victims of fraud. Future scam targets were also identified including apparently an English Premier league club.
The pair were rounded up and promptly extradited to Chicago US to face federal charges.
Discretion optional. One of Hushpuppi’s many instagram poses. Luxury vehicles, private jets, designer watches.
The Nigerian cyber criminals targeted a New York law firm and made almost a million dollars. They created an an email chain to trick a paralegal into transferring funds for a clients real estate refinancing. The funds were wired into a money mule account under the co conspirators control.
Illin’ in Illinois
Hushpuppi and Mr Woodbery frequently used US based money mules for their US scams. The persons allowed their bank accounts to receive fraudulently obtained funds in exchange for a cut of the scam or simply payment for the use of their account. These funds were then almost immediately moved into bitcoin wallets. Several million dollars were involved. In Chicago the FBI allege Mr Woodbery received over $6 million in Bitcoin for one fraud alone.
Cyber crime forensic researcher Gary Warner provided a full break down
A US based money mule must have been ‘convinced’ by the FBI to cooperate with law enforcement. Several details he provided led investigators further along the trail. The FBI obtained records from the various companies the scammers had used.
In likely debriefs with the FBI the money mule said that he had received money laundry instructions from someone he knew as ‘Mark Kain’. Mark Kain used a voice over IP telephone allocated from the company Dingtone. This number was paid for by someone using a South African mobile phone.
The money mule was asked to make transfers to a Bitpay wallet account. The account was created in September 2015 and was opened with the email address email@example.com. Apple records were obtained. The South African number was from an IPhone registered to Jacob Olalekan Ponle (Mr Woodbery). The email firstname.lastname@example.org was used while logged into that phone.
Apple also helpfully provided images from the phone. A Nigerian passport for Ponle and a UAE resident card for Ponle. (Mr Woodbery and Hushpuppi were both living in Dubai when arrested.)
Then came Whatsapp chat records between Mr Woodbery and various money mules involving various scams. Large scale frauds involving companies in several Mid Western states. It seems Whatsapp chats are only encrypted so long as you don’t commit large scale wire fraud and money laundering.
In February 2019 a huge Chicago scam accounted for $2.3 million. The money mule immediately sent $ 2.1 million into a cryptocurrency exchange and told Mr Woodbery he would be sent the funds $500,000 at a time in Bitcoin to his Bitcoin account. An analysis of the Bitcoin blockchain showed Mr Woodberry had received almost $35 million in current Bitcoin value over the lifetime of the account being under his control.
Photo by Bermix Studio on Unsplash
The consequences of Hush puppi’s Instagram bragging had also trapped him.
In much the same way as his accomplice Mr Woodbery, the communication devices and emails used by Hushpuppi provided the necessary evidence to arrest him in Dubai.
In the New York law firm fraud they had used a Los Angeles based money mule to receive over $300, 000. This placeD the crime jurisdiction under the FBI’s LA field office. The LA FBI had seized and examined a money mules IPhone which showed regular communications between himself and an individual listed as ‘Hush’ with a UAE based number.
Another contact saved to the phone was “hushpuppi5” a Snapchat account called – “the Billionaire Gucci Master!!!” The FBI’s checked Hushpuppi’s Instagram account and found a post where he listed his own Snapchat account as “Hushpuppi5.”
The FBI once more retrieved important information via Instagram. The account used the email “email@example.com” and a UAE based number. The account had many logins from the UAE.
Snapchat provided more nuggets. The Hushpuppi5 account used the same email as the Instagram account, firstname.lastname@example.org and a different UAE number.
Gmail and Apple provided investigators with more. Ray Hushpuppi used both the gmail account and an Apple account “email@example.com” linked to his Gmail.
Another Gmail account used was “firstname.lastname@example.org” but often used the name “Ramon Abbas” in account records. The mailing address provided was “1706 Palazzo Versace, Dubai, UAE.” The email@example.com account was shown to lease that property.
IP address login records and telephone login records showed the accounts belonged to the same individual, Hush puppi.
As with Mr Woodbery the emails also contained other gems – copies of Hush puppi’s Nigerian passport and UAE Resident card.
The Nigerians were both celebrated then undone by US based social media.
From Russia with love
There are new players in the BEC game now.
The creme de la creme of online criminal sophistication – Russian cyber criminals.
Russian and Eastern European cyber criminals have realised socially engineered email frauds are much less costly and technologically simpler than their usually complex malware scams. Why not research a multinational corporation thoroughly then simply ask for the money?
No need to hire Malware developers and spent some much time and money setting up structures.
Cyber security firm Agari have discovered the first ever Russian BEC scam
targeting senior executives in 46 countries with millions of dollars stolen already.
The organised cyber gang known as Cosmic Lynx are highly professional and conduct thoroughly detailed research in their socially engineered attacks.
Check out the sophistication…
They meticulously researched large multinational companies and Fortune 500’s to analyse the CEO and executive structure.
Once an appropriate company was identified they impersonated the CEO creating a credible spoofed email, using that email for communication between the ‘CEO’ and a highly placed manager.
A highly sensitive and confidential task was created for that individual to exclusively handle – the merger and acquisition of a South East Asian company.
Non disclosure agreements were agreed to. The ‘CEO’ informed the executive that outside counsel would handle the legalities.
The Cosmic Lynx cyber gang then introduced a British based law firm to facilitate the acquisition of the company.
The executive would be in direct email contact with this lawyer.
Cosmic Lynx created a domain closely mimicking a real London law firm.
They created an email for an actual lawyer who worked there. They added a picture of that lawyer pulled from the law firms website or his personal Linkedin account and added it to the bottom of the email.
The ‘lawyer’ would then make contact with the executive introducing themselves.
The non disclosure agreement would be referenced. The discreet and confidential ‘operation’ would be expertly arranged by the lawyer.
The wire transfer account was provided in the body of the email to the executive.
Some lawyer speak would be added:
“It would be appreciative if immediate transfer could be facilitated due to time sensitive constraints concerning this acquisition”
The account provided would be a Hong Kong based money mule account under control of Cosmic Lynx. The funds then further transferred between different mule accounts.
Everything appears legitimate. The result is often large corporations sending huge sums of money to cyber criminals for the merger and acquisition.
Research has shown the average amount requested in most executive impersonation BEC attacks is $55,000.
Cosmic Lynx emails have asked for hundreds of thousands. Sometimes millions of dollars.
Their emails are well written. They contain no phishing style malicious links or attachments for the companies email filters to pick up and reject. They use domains that mimic secure email or network infrastructure and register them with anonymous domain providers.
Introducing outside counsel lawyers from the UK also carry a certain cache. Especially a London based firm. The Amy Adam’s character in American Hustle spoke of her “London banking connections” which immediately impressed her future scam victims.
Educate Your Escape analysis:
If Russian cyber criminals have shifted into BEC fraud and are moving away from Malware attacks, the world’s global conglomerates should be concerned. Russian and Eastern European cyber rings are highly sophisticated, organised and professional.
Organised Russian cyber-crime syndicates understand discretion.
Nigerian Instascammers do not.
There will be no social media bragging or online displays of wealth.
The Russians won’t follow the West African E trail where Ego leads to Envy which leads to Evidence and eventually Extradition.
Don’t shit where you eat
The Nigerians were well enough organised to make a lot of fraudulent money from US Companies. They laundered and cashed out but left an evidential trail.
They did themselves no favours by leaving an evidential runway on social media.
They used US based companies for almost everything – Money mule US accounts, bitcoin wallets, social media accounts, email accounts, Apple devices.
US based companies all have liaison staff to assist law enforcement in fraudulent investigations. They will gladly assist a federal agency out of courtesy or court order.
The Nigerians converted the stolen money into Bitcoin. Forensic accountants can identify bitcoin transactions through the bitcoin blockchain.
By defrauding and money laundering in the USA the Nigerians opened themselves up to federal wire fraud and money laundering charges.
Cosmic Lynx seem more aware of this and won’t make the same mistakes.
By using a complex system of money mule accounts in Hong Kong, an administrative region of China, there is a far less likely chance of cooperation when US Federal investigators come calling.
Their BEC emails focus on confidentiality and non disclosure.
They highlight a potentially lucrative merger and acquisition in economically trying times. Capitalising on seizing a market opportunity ahead of competitors.
A strategic email sent on a Friday afternoon with a request for fund wire transfer before the weekend to secure the asset.
There is a clever understanding of corporate psychology underpinning their BEC frauds as well.
By entrusting a senior manager or executive to handle everything.
The Russians know they are empowering a manager and can rely on a number of things;
The manager wants to handle it himself and look good in the eyes of the ‘CEO’ of the company.
There may be an understanding of corporate politics and career progression involved.
The senior manager hoping for a promotion down the road for their good work with this deal. Positioning themselves as someone the CEO can really trust to get things done.
The corporate chain of command with email used as correspondence will most likely eliminate any phone calls or direct discussions with the real CEO.
The reliance on email communication and an emphasis on the confidential ‘project’
Could they be aware of big business etiquette and protocol?
Don’t bother the CEO with an email or a phone call when he or she is trusting you to facilitate the transaction and make payment.
The injection of a British law firm also provides even more credibility to proceedings.
Finally Cosmic Lynx is part of the 4% of attacks to exploit organisations that do not have a DMARC email policy in place.
DMARC (Domain-Based Message Authentication, Reporting, and Conformance) is a special protocol that reassures that an email was sent from a specific sender. It eliminates the possibility of phishing, spoofing and other malicious activity.
This enhances the authenticity of their emails by directly spoofing the email addresses of CEO’s when possible.
It seems through their target research the cyber crime group are aware of which organisations have an effective DMARC policy and which organisations don’t.
There are two main objectives to cyber crime.
The online fraud itself and accessing the money the fraud provides.
Cyber criminals have to cash out
otherwise their fraud is pointless.
If Cosmic Lynx is any indicator the Russians aren’t going anywhere.
In BEC fraud stealth is wealth.