REPORT © Copyright 2019 Agari Data, Inc.

AGARI CYBER INTELLIGENCE DIVISION

Behind the “From” Lines: Email Fraud on a Global Scale
Ten Cybercriminal Organizations Unmasked


Executive Summary

Nigerian Scammers Target American Businesses

Over the course of the past 10 months, using responsible active defense techniques, Agari captured 78 criminal email accounts, belonging to 10 criminal organizations, and containing 59,652 unique email messages. Agari analyzed the contents of these email accounts to investigate the tactics, targets and identities of the criminals. And now, that analysis enables stronger defensive strategies and measures.

What’s more, Agari has used this analysis to warn financial institutions about accounts being used for criminal activity, and to provide evidence to law enforcement. Agari has also warned victims, and in at least one case, quick action helped a company recover its money.

One of the more interesting findings from this analysis was that while much of the high-profile cybersecurity news of the past year has involved state sponsors like Russia and North Korea, American businesses and individuals are far more likely to be targeted by Nigerian scam artists.

Nigerian scam artists, traditionally associated with implausible get-rich-quick schemes and other scams of individuals, have become more sophisticated and a significant threat to American businesses. The groups Agari captured began ramping up their business email compromise (BEC) attacks between 2016 and 2018. They have targeted the largest corporations, small businesses, real estate agents, and even hospice care providers with sophisticated, commercially purchased malware.

By compromising these organizations with malware, these criminals can misdirect down payments on homes to steal the life savings of victims, send fake invoices to real customers, reroute product deliveries to false locations to be stolen, and steal sensitive information to target even more victims. By the time the victims realize they have been scammed, their money is long gone.

Even as they move into more sophisticated attacks against businesses, these criminal groups continue duping individuals through rental scams (which yield lucrative revenue) and fraudulent romance (which yields new money mules, in addition to revenue). Among these victims, we found two women who had been bilked out of a half million dollars each. One of them lost her home and was forced to pull her children out of school, while the other appears to have become a knowing accomplice to an online lover who was never real.

“Since I can't send more money, maybe I'm of no use to you now. I certainly feel like that could be the deal here...A realtor is coming over tomorrow to help me list my house for sale. I'm talking to an attorney now about how to keep the collection agencies away and protect my kids. All this time, I'm wondering if I've heard from you for the last time. Please don't let that be the case.”

Romance scam victim, email to her attacker.


Table of Contents

Introduction
Key Findings
Background: Nigerian Princes Really Are From Nigeria
Attack Trends: The Business of Email Compromise
Criminal Gains: At What Cost?
Conclusion: Addressing a Future of Criminal Automation


Introduction

Business email compromise is an advanced email attack that leverages the most common form of identity deception—display name deception—most frequently targeting finance teams to make fraudulent payment requests.

Through social engineering, cybercriminals are completely bypassing traditional perimeter defenses. There’s no malware to detect, nothing suspicious in the code, nothing unfamiliar in the message—it’s just that the person on the other end of the email isn’t who they claim to be.

The 2018 Verizon Data Breach Investigations Report recognizes that “we’re only human” when it comes to social engineering. But this human weakness results in the single most common and costly form of cyberattack. According to Verizon, “phishing and pretexting represent 98% of social incidents and 93% of breaches. Email continues to be the most common vector (96%).” And the FBI reports that BEC has resulted in exposed losses of more than $5 billion.

It’s ironic—and problematic—that many of these attacks are using our own infrastructure against us. Cloud-based email services have commoditized basic email security, but they also offer a low barrier to entry for criminal organizations that want to create dozens of fraudulent accounts to impersonate otherwise trusted identities. Generally, it is more difficult to detect these attacks because they are launched from legitimate infrastructures that traditional security controls have been taught to trust.

Not only are the rewards high for these crimes, the risks are low. These international operations face little consequence in the U.S. for the crimes they commit overseas. However, just like the drug trade, many of these operations make use of U.S.-based mules to aid and abet them. The average U.S. company may be suspicious about wiring money to a Nigerian bank account, but when the bank is in the U.S. (thanks to a mule) it is less likely to raise a red flag.

In short, these criminals have used identity deception and trusted infrastructures to circumvent traditional security. But there is a solution. Thanks to recent advances in AI-powered defense systems, we can change the equation, turn the tables and fight back against the epidemic of BEC and identity deception—and we must.

This report fills critical gaps in our awareness of these attacks, provides direct insight into the organizations and individuals committing these crimes, and demonstrates the value of proactive protection against identity deception. With this new insight, it is our goal to foster better cooperation and information sharing between law enforcement, the security industry and the organizations they each serve to protect.


Key Findings

Despite billions of dollars of investment and major advances in sophisticated security technology, the vast majority of businesses remain utterly vulnerable to BEC attacks, which use identity deception to impersonate a trusted contact.

• Agari captured 76 criminal email accounts from 10 organized crime groups, containing 59,652 unique messages for analysis. The inception of the accounts ranged from 2009 to 2017.

• Nine out of 10 organized crime groups were based in Nigeria. In many instances, we were able to identify the real identities behind the criminal email accounts because of the groups’ poor operational security.

• After focusing for years on simple romance and rental scams, most of the groups began conducting BEC attacks between 2016 and 2018.

• Most organized crime groups focused on romance scams until the advent of BEC attacks.

• BEC was the most popular attack vector (24% of all attacks, over the life of the accounts), a remarkable finding considering that most of these groups did not begin BEC attacks until 2016 or later.

• BEC attacks require little effort for high reward:

- The average BEC attack is active for less than three days (a very quick attack), whereas the average romance scam is active for 25 days.

- BEC has the highest success rate of the tracked attacks, with 0.37 victims per 100 probes. BEC attacks are 10 times more successful if the victim answers an initial probe (3.97 victims per 100 answered probes).

- The average payment requested across all BEC attacks was $35,500.

- BEC attacks have an expected profit of between $982 and $5,236 per answered probe, based on previously available FBI IC3 report statistics, making them at least 700 percent more lucrative than a romance scam.

• Agari found man-in-the-middle real estate purchase scams that trick home buyers into wiring their savings to criminals. We also saw a similar attack technique used to compromise a hospice organization.

• Scammers are targeting SMBs and major enterprises, intercepting their invoice payments and directing equipment deliveries to drop sites.

• Organized crime groups make use of legitimate infrastructure and online tools to evade detection and support their operation.

- Gmail accounts are commonly used for email service.

- Grammarly is used to correct spelling and punctuation errors.

- RocketReach and GuideStar are used to find business listings.

- Match.com and other dating sites are commonly used to target romance scam victims, many of whom become money laundering mules.

$35,500 is the average payment requested across BEC attacks

3.97% of people that answer a BEC email become victims

24% of all email scams are BEC


Background: Nigerian Princes Really Are From Nigeria

In this section, we will focus on understanding the modus operandi of the perpetrators behind these attacks at both a macro and micro view.

During the course of our research, Agari identified 78 criminal email accounts from 10 organized crime groups. And this is just the tip of the iceberg. In addition to the 78 criminal email accounts identified by Agari, we have observed communication with 188 more criminal email accounts.

Our researchers were able to access for additional analysis a total of 59,652 messages from the inbox, sent and spam message folders of these criminal email accounts. These messages included communication among members within these organized crime groups, enabling our researchers to correlate their relationships. Our researchers were also able to further assign identity and location because the criminal email accounts were used for personal services, including Facebook and Uber.

No Representation without Taxonomy

Previously, Agari has developed a comprehensive Threat Taxonomy that categorizes and classifies security threats, including email attacks, in a way that makes them easier to understand, anticipate and counter. In this report, we have assigned a similar taxonomy to these organized crime groups.

To create a meaningful characterization of these organizations, an important first step is to identify what is worth measuring. Based on the analysis of the criminal email accounts that Agari has captured, and relative to email-based social engineering crime, we have created the following taxonomy of criminal organizations:

1 What? This dimension highlights the attack vectors that organized crime groups use. We will be covering these attacks in-depth in section two of this report. However, we can briefly state that among the criminal email accounts captured by Agari, BEC was the most common attack vector, corresponding to a quarter of the fraud attempts.

2 Where? Agari determined the location of the criminals, both in terms of their apparent headquarters and in terms of the location of their affiliates. All of the captured criminal email accounts appeared to be headquartered in Africa, and nine out of ten in Nigeria (with the remainder in Kenya). Each of these organized crime groups has confirmed affiliates in either the United States, the European Union, or both. We will further explore this attribution in this section.

3 Who? The question of who starts with the size of the criminal organization, whether measured in terms of number of active email accounts or number of confirmed unique individuals. Other important aspects are the names and phone numbers of the criminals, and their social networks. We will further explore this attribution in this section.


4 Activity. The activity descriptor addresses the age of the organization, the volume of criminal attempts, and historical behavior. The average age of the captured criminal email accounts was roughly four and a half years, with the oldest one being ten years old. The volume of attacks was very uneven, with one organized crime group essentially generating the same volume as the remaining nine organizations. In terms of the history, one organization started performing BEC attacks in earnest in 2016 and one in 2018, with all the others starting in 2017. All but one of the organizations started out performing romance scams, and then turned to business email compromise.

5 Operations. We break down the operations of these organized crime groups into operational security, their criminal approach and potential innovation. Proxies and VPNs are popular services among these organized crime groups because they can help hide their true location. Business contact services, such as RocketReach, Crunchbase and GuideStar are popular for their ability to identify targets. Even Grammarly has its place, as it helps the organized crime groups write more effective communications. Our researchers have also identified instances of underground tools and services, such as custom-made malware. We will further explore criminal approach and potential innovation in the next section.

6 Impact. Finally, the impact category describes how these organized crime groups profit. How many confirmed successes did the criminal organizations enjoy, what types of crimes did they correspond to, and what are the estimated gains? We will explore this in more detail in section three of the report. However, we can briefly mention that BEC is the most effective attack vector and attacks are 10 times more likely to succeed when the victim answers an initial probe message, such as “Are you available to make a payment?”

Figure 1: Development of Major Scam Types within Organized Crime Groups. Nearly every organized crime group began with romance scams before turning to business email compromise (BEC) in 2016 or later.


Figure 2: Origin of Mailbox Creation Year. The average age of the captured criminal email accounts was roughly four and a half years, with the oldest one being ten years old.

Figure 3: Average Sent Emails Per Active Day. Group Six was the most prolific, sending an average of 81 emails per day during active days.

Figure 4: Distribution of Daily Mailbox Activity. Even organized crime groups are working for the weekend; attacks spike at the beginning of the week and taper off by the weekend.


Unmasking the Impostors

A One-man Wolfpack

We can trace the origins of Group One to 2013, when it was focused entirely on romance scams. Our researchers have correlated a primary email account from Group One with two other frequently used email addresses, a male and a female alias used in romance scams. Our hypothesis is that Group One may be a single individual managing multiple criminal email accounts. The remainder of the criminal email accounts in Group One are variations of the same email address, a technique used to circumvent rate limiting on sending email. Among these accounts, we have discovered a plethora of captured email account usernames and passwords, which were stolen using a script created by a third-party actor with the alias “Anthrax.”
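Working out how many real mailboxes sit behind a pile of address variants, and how much each one actually sent, is a canonicalization problem. The following is an added example, not code from the report or from Agari: it assumes the variants are the kind Gmail tolerates (dots in the local part are ignored, anything after a “+” is dropped, and googlemail.com is an alias of gmail.com; the Key Findings note Gmail is the groups’ usual provider), and the sender list is constructed for the example.

```python
from collections import Counter, defaultdict

# Providers whose local part ignores dots (jdoe == j.doe == j.d.o.e) and a
# "+tag" suffix. Assumption for this example: the address variants described
# in the report are of this kind. Extend the sets only for providers whose
# rules you have verified.
DOT_INSENSITIVE = {"gmail.com"}
PLUS_TAG = {"gmail.com"}
# Domains that deliver to the same provider mailbox.
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}


def canonical(addr: str) -> str:
    """Return the mailbox an address delivers to, as far as provider rules
    alone can tell. Raises ValueError for strings that are not addresses."""
    addr = addr.strip().lower()
    if addr.count("@") != 1 or not addr.split("@")[0]:
        raise ValueError(f"not an email address: {addr!r}")
    local, domain = addr.split("@")
    domain = DOMAIN_ALIASES.get(domain, domain)
    if domain in PLUS_TAG:
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def cluster(addresses):
    """Map each canonical mailbox to the set of spellings seen for it."""
    groups = defaultdict(set)
    for a in addresses:
        groups[canonical(a)].add(a.strip().lower())
    return dict(groups)


def sends_per_mailbox(sent_from):
    """Total messages per real mailbox: what a per-account rate limit would
    have counted had the sends not been spread over spelling variants."""
    counts = Counter()
    for sender, n in sent_from:
        counts[canonical(sender)] += n
    return counts


# Constructed (sender, messages sent) pairs standing in for the "sent"
# folders of a group's accounts; not data from the report.
SENT_FROM = [
    ("john.sample@gmail.com", 120),
    ("johnsample@gmail.com", 115),
    ("j.o.h.n.sample+re@googlemail.com", 98),
    ("John.Sample@gmail.com", 40),
    ("lisa.warm@gmail.com", 60),
    ("agent@example-realty.com", 3),
]

if __name__ == "__main__":
    for mailbox, spellings in cluster(s for s, _ in SENT_FROM).items():
        print(mailbox, "<-", sorted(spellings))
    print(sends_per_mailbox(SENT_FROM).most_common())
```

Run as a script it prints three clusters, with the four spellings of the first address collapsing into one mailbox that sent 373 messages; that merged count, not the per-spelling one, is the figure to compare against a provider's sending limit when judging why the variants exist.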

Agari first detected Group One in August 2017 when we intercepted a BEC email to the Chief Accounting Officer of a customer protected by Agari Advanced Threat Protection. The email used display name deception to make it appear that it was sent by the company’s CEO. This was the start of an attempted BEC scam. We will return to Group One as we recount a heartbreaking romance scam initiated by “Jim Blackie.”

Figure 5: Distribution of Hourly Mailbox Activity (UTC +1 West Africa). These organized crime groups were most active between 11am - 8pm UTC +1 (West Africa), which overlaps with the American business day: 10:00 - 19:00 UTC is 5am - 2pm Eastern Standard Time (6am - 3pm during daylight saving time).

Figure 6: Pictures of “Jim Blackie” flying first class and in a shopping mall, obtained from Facebook accounts linked to the email address used in the romance and BEC scams.
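Figures 4 and 5 are built from the timestamps of the captured accounts’ sent mail. The following is an added example, not code from the report or from Agari, that reproduces that analysis on a constructed set of Date header values: it buckets messages by local hour and weekday after moving them into West Africa Time, reads off the UTC offsets the sending clients themselves stamped into the Date header, and tries every whole-hour offset to see which one lines activity up best with a working day, which is the reasoning behind the figure’s attribution. The message dates are constructed for the example.

```python
from collections import Counter
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# West Africa Time is UTC+1 all year (no daylight saving), so a fixed offset
# is enough; a zoneinfo key such as "Africa/Lagos" would give the same result.
WAT = timezone(timedelta(hours=1), "WAT")

# Constructed Date header values standing in for one captured account's
# "sent" folder; not data from the report.
SENT_DATES = [
    "Mon, 5 Feb 2018 08:05:00 +0000",
    "Mon, 5 Feb 2018 08:40:00 +0000",
    "Tue, 6 Feb 2018 09:15:00 +0000",
    "Tue, 6 Feb 2018 06:00:00 -0500",   # client clock set to UTC-5; still 11:00 UTC
    "Wed, 7 Feb 2018 13:20:00 +0000",
    "Wed, 7 Feb 2018 15:05:00 +0000",
    "Thu, 8 Feb 2018 16:30:00 +0000",
    "Fri, 9 Feb 2018 16:55:00 +0000",
    "Sat, 10 Feb 2018 02:10:00 +0000",  # weekend outlier
]


def to_local(date_header, tz=WAT):
    """Parse an RFC 5322 Date header and move it into the analysis zone."""
    return parsedate_to_datetime(date_header).astimezone(tz)


def hourly_profile(date_headers, tz=WAT):
    """Messages per local hour of day (0-23): the data behind a Figure 5."""
    return Counter(to_local(d, tz).hour for d in date_headers)


def weekday_profile(date_headers, tz=WAT):
    """Messages per local weekday (0=Monday .. 6=Sunday): behind a Figure 4."""
    return Counter(to_local(d, tz).weekday() for d in date_headers)


def declared_offsets(date_headers):
    """UTC offsets, in hours, that the sending clients wrote into Date.
    A client stamps its own configured zone, which is evidence independent
    of the hour-of-day fit (None when the header carried no usable zone)."""
    offs = Counter()
    for d in date_headers:
        off = parsedate_to_datetime(d).utcoffset()
        offs[None if off is None else off.total_seconds() / 3600] += 1
    return offs


def share_in_window(date_headers, start_hour, end_hour, tz=WAT):
    """Fraction of messages whose local hour falls in [start_hour, end_hour)."""
    if not date_headers:
        return 0.0
    hits = sum(1 for d in date_headers
               if start_hour <= to_local(d, tz).hour < end_hour)
    return hits / len(date_headers)


def best_fit_offset(date_headers, work_start=9, work_end=18):
    """Try every whole-hour UTC offset and return (offset, share) for the one
    that puts the largest share of messages inside a working day. This is
    the inference Figure 5 makes informally: the offset that lines activity
    up with office hours is where the operator probably sits."""
    best = (None, -1.0)
    for off in range(-12, 15):
        tz = timezone(timedelta(hours=off))
        share = share_in_window(date_headers, work_start, work_end, tz)
        if share > best[1]:
            best = (off, share)
    return best


if __name__ == "__main__":
    print("by hour (WAT):", sorted(hourly_profile(SENT_DATES).items()))
    print("by weekday (WAT):", sorted(weekday_profile(SENT_DATES).items()))
    print("declared offsets:", declared_offsets(SENT_DATES))
    print("best-fit UTC offset:", best_fit_offset(SENT_DATES))
```

On the constructed data the best-fit offset comes out at +1 with eight of nine messages inside a 9-to-6 day, while the one -0500 stamp shows why declared offsets are worth tallying separately: a single client set to an American zone can mean a mule or a proxy host, not the operator. With real mailboxes the fit is only as good as the volume, so treat a best-fit offset from a few dozen messages as a hypothesis to confirm against other evidence, as the report does with check-ins and registration data.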


Figure 7: Facebook Check-ins of Jim Blackie placing him in Lagos, Nigeria

Figure 8: Facebook Check-ins of Jim Blackie placing him in Pretoria, South Africa, which based on email communications may be his residence.

Define “Ethical” Hacker

In the world of law enforcement, there’s a concept known as “felony stupid”—that is, an ingeniously orchestrated heist is spoiled when the criminal does something really dumb that leads the authorities right to them. In the analog world, one of the most stunning examples of “felony stupid” is when a perpetrator uses a legitimate personal credit card to rent the getaway vehicle. And the same concept holds true for cybercriminals, especially when criminals access personal services from their criminal email accounts.

Group Nine is particularly egregious in this regard, much to the delight of our researchers. We have been able to correlate a dozen email addresses to this organized crime group, two of which have social media profiles associated with them.

Our researchers have identified one of the attackers as Joseph David Oluwaseun. Oluwaseun describes himself as a graphic designer, brand manager, media strategist and cartoonist living in Dutse, Nigeria. He has also posted multiple public check-ins, which further validate his location in Nigeria.


Figure 9: Facebook Profile for Joseph David Oluwaseun.

Figure 10: Joseph David Oluwaseun Location Check-Ins.

We have also identified his partner as Abdulwahab Adebowale Ashimi. Ashimi is a self-described blogger, programmer, hacker and founder of SchoolDiary, an education blog. A WHOIS lookup of SchoolDiary reveals it was registered by the same criminal email account that was captured by Agari. Similarly, he has posted multiple public check-ins, which further validate his location in Nigeria. Ironically, Ashimi recently posted a Udemy Certificate of Completion for “The Definitive Ethical Hacking Course.”

This is just one example of what can be done to turn the tables on seemingly anonymous imposters and cybercriminals—and a great example of what becomes possible when AI-driven defense systems reveal tangible clues for human sleuths to work with.


Figure 11: Facebook Profile for Abdulwahab Adebowale Ashimi.

Figure 12: Udemy Certificate of Completion for “The Definitive Ethical Hacking Course.”

A Master Conman, Hiding in Plain Sight

Among the more sophisticated and dangerous of the criminal email accounts we captured is “Master Comann.” Comann uses malware hidden in attachments to penetrate the email systems of real estate agents and other companies, positioning him to do real estate purchase scams and other man-in-the-middle BEC attacks. He also continues to conduct simple romance and rental scams, providing a flow of cash and new mule accounts.

These kinds of cons are not only financially devastating, but also heartbreaking to witness. While it is difficult to identify any one criminal email account as being the most callous, one of Master Comann’s exploits is a contender. He penetrated the email system of an association for hospice care facilities, which provide comfort to the terminally ill. The hospice center, with offices in North Carolina, is a non-profit supporting local hospice facilities and patients. We weren’t able to follow this exploit any further, but believe that once he has access to legitimate email accounts of hospices he could easily attack the families of hospice patients, who will be especially vulnerable at that time.

Master Comann, who appears to be based in Kenya, uses commercially available malware creation tools that even provided him with tech support when he ran into difficulty. The malware is hard to detect and hard to remove. In November, Agari warned five real estate firms that their email was compromised. Two weeks later, their emails were still forwarding to Comann’s inbox, likely due to the persistence of the malware used by Comann. A mailbox forwarding rule also outlives the malware that created it, so remediation has to include reviewing and deleting auto-forwarding rules and forwarding addresses on the affected accounts, not just cleaning the endpoint.


At some point, Master Comann created a Google+ page, featuring the name “Manuel Villarreal” and an L.A. Dodgers avatar.

Figure 13: Master Comann’s Google+ Account, Registered to “Manuel Villarreal.”

Our researchers identified an additional “Manuel Villarreal” Google+ page with a similar email address to Master Comann (the second “N” was deleted), leading us to believe both addresses were operated by the same person. This secondary account included a link to a Picasaweb photo album with the same L.A. Dodgers avatar.

Figure 14: A Picasaweb photo album, presumably associated with Master Comann.

Our researchers were able to determine that this secondary email address was used to create Twitter and Facebook accounts, also with the name “Manuel Villarreal.” These accounts dated back to 2010 and use similarly abstract profile pictures. The majority of the Twitter posts were in Spanish, suggesting that Master Comann may not actually be from (or in) Kenya. Our researchers have strongly correlated evidence indicating that Master Comann is “Manuel Villarreal,” although it is possibly an alias or a stolen identity. If Master Comann truly is “Manuel Villarreal”, our evidence suggests that he is in the United States (perhaps using a VPN or proxy to throw researchers off his trail).

Details like this are instrumental in the work of law enforcement agents who track down, capture and prosecute perpetrators of identity-based crime.


Attack Trends: The Business of Email Compromise

Two Types of Trends

It is meaningful to consider trends on two different levels, the technical and the social. In this section we will discuss both, as well as provide some real-world conversations between captured criminal email accounts and their victims.

Technical trends explore the types of identity deception attacks these organized crime groups utilize to generate trust with their victims. Figure 15 below shows the different methods attackers use.

Figure 15: A Dimension of Agari’s “Threat Taxonomy” Focused on Identity Deception Techniques.

Social trends relate to who is being attacked and how. About 10 years ago, the most common type of fraudulent email was a phishing email, in which an intended victim received an email appearing to come from his or her bank, asking him or her to click on a link to log in. Historically, another common type of fraudulent email was the consumer-facing “Nigerian prince” email. Recently, these email attacks have switched to target enterprises, and most of the time, the attacker attempts to impersonate a colleague or a vendor asking for a transfer of funds.

What Drives These Trends?

Technical trends are typically driven by improved delivery rates for the attackers, as they learn how to circumvent security controls. Social trends tend to be driven by how quickly attackers discover where to find the most lucrative and most vulnerable targets. By understanding these trends ourselves, we can begin to anticipate where the next wave of attacks is likely to occur and get one step ahead of the wrongdoers.

Still, one must never underestimate the agility and avarice of organized crime. While most criminal organizations are running multiple types of fraud schemes, there are three types that are almost always present: romance scams, rental scams and BEC scams.

These three types of scams are very different, yet complementary, which explains why they are commonly seen together. Romance scams are high-effort, requiring continuous interaction between the criminal and the victim. On average, a criminal email account will send 235 messages across 10 different threads for 25 days during a romance scam. This is a lot of work, but the payoff is not only monetary—many romance scam victims may be converted to money mules (often unwittingly), for use in future attacks.

In comparison, rental scams are short-lived and low-effort, providing a predictable near-term income stream to the criminals. During a rental scam, on average, a criminal email account will send 67 messages across 20 different threads for a mere five days.


But BEC is where the big money lies, and this is where we see the biggest growth in cyberattacks. On average, a BEC attack lasts for less than three days, during which the criminal will send 46 messages across 26 threads. As we will further explore, BEC also has the most victims per probe, making it the most effective of these attacks.

Looking at the relationship between these three types of scams over time, through the lens of 10 criminal organizations observed by Agari, it’s plain to see the alarming growth in attacks. It is important to realize that these three types of attacks are just pieces of a larger puzzle. Agari has been able to produce a more complete picture, having captured so many criminal email accounts belonging to these 10 organized crime groups. Many of the observed scams are a variation of the “advance fee” fraud, but with different pitches and different targets. We elaborate on many of these scams in more detail below.

Other types of scams are used as alternative money exit methods, such as “mystery shopper” scams in which the unwitting mule is purchasing gift cards and forwarding the codes of these to the attackers. By studying the longevity of these campaigns, we can infer the likely benefits the different scams present attackers with, allowing us to make predictions about future developments, to assess the comparative levels of sophistication and innovation among criminals, and to suggest effective countermeasures for likely targets.

Diversification of Scam Activity Within Gangs

Examination of the attackers’ activity shows that BEC scammers are involved in a whole host of other scams. Historically, these organized crime groups have engaged in romance scams, but more recently BEC attacks have emerged as a more lucrative and successful approach.

Even as these criminals have taken on more sophisticated attacks, they have continued romance scams. We believe there are two reasons for this. First, they provide steady cash flow to fund the criminal enterprise while it goes after larger prey. Second, they allow the gang to generate a continuous supply of new money mules who they depend on to retrieve their funds.

We have also seen a division of labor within some gangs, which seem to run like businesses. One member collects lists of leads and correlates multiple executives within the same company to target in BEC attacks. Another communicates with the targeted victims. A third manages the money flows.

Prevalence

Our research classified 2,512 discrete attempted scams. We have classified the scams into the following categories, with prevalence noted:

Figure 16: Prevalence of Different Attacks. BEC is the most common attack type, indicative of a growing risk since the average age of the accounts was more than four years old, but BEC did not emerge until less than two years ago.


Figure 17: Initial Response Rates for Different Types of Scams. These percentages indicate the initial response rate to a variety of attacks, regardless if the attack was ultimately successful or not.

Money Mules

Parting people from their money isn’t necessarily the hardest part of the scammer’s job. The real bottleneck is getting the money out of the system. For most North American and European companies, a request to mail a check or wire money directly to an individual in Nigeria would raise more red flags than a payment to a domestic recipient. Meanwhile, banks and other financial intermediaries have tightened their controls over all large wire transfers, especially between unknown senders and receivers, whether to Nigeria or elsewhere.

For that reason, recruiting money mules is a full-time effort for each of the groups we captured. As the scammer groups are typically based overseas, a successful scamming operation is entirely dependent on money transfer techniques that evade suspicion.

A money mule is an individual, generally located in the same country as the victim, who helps the scammer launder stolen money, by methods including routing it through their bank accounts or using iTunes or gift cards. Mules typically begin as unwitting co-conspirators. Over time, they become victims, either through direct financial losses or through falling afoul of law enforcement. Some mules, particularly those recruited through romance scams, become witting co-conspirators, either by refusing to believe their love interest is a scammer, or through blackmail with a threat of turning them in for their role in the scams.

There are two primary sources of money mules: romance scams and work-from-home scams, a type of job scam. These are covered in the section below.

BEC Attacks

BEC is a type of advanced email attack that inherently relies on identity deception and evades detection by avoiding any detectable payload such as a URL or attachment. Commonly, the criminal poses as a colleague of the intended victim or as a vendor of the victim’s organization, and asks the intended victim either to make a payment or to send sensitive data.

There are three different types of identity deception that criminals use to execute a BEC attack: spoofing, look-alike domains and display name deception. Previous Agari research has indicated that 82 percent of BEC attacks use simple display name deception.

In addition to using identity deception, some criminals use compromised accounts to perform BEC attacks. This gives the criminal access to past interactions between the compromised user and the intended victim, allowing them to customize the pitch and make it even more believable.
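The three deception techniques above can be told apart from the From header alone, plus the receiving server’s Authentication-Results header for the exact-domain case, which is how a mail gateway or SIEM rule would triage a message like the “Due Payment” thread below before it reaches accounts payable. The following Python script is an added example and is not code from the Agari report: the executive names, the organization’s domains, the confusable-character table and the sample headers are constructed, and the heuristics (digit-for-letter substitutions, an edit distance of at most two, the organization’s brand embedded in a foreign domain) are assumptions that a real deployment would tune against its own traffic. It cannot flag mail from a genuinely compromised account, since that passes every header check; that case needs content or behavioral signals instead.

```python
"""Triage a From header for the three BEC identity-deception techniques.

Added example (not from the Agari report). The executive names, the
organization's domains, the confusable table and the sample headers are
all constructed for illustration.
"""
import re
import unicodedata
from email.utils import parseaddr

# Constructed policy data: the domains we legitimately send from. This set
# must list every sending domain, subdomains included, or internal mail from
# an unlisted subdomain is reported as a look-alike.
OWN_DOMAINS = {"example.com", "example.org"}

# Digits attackers substitute for letters when registering look-alike
# domains (examp1e.com); "rn" is folded to "m" for the same reason.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize_name(name: str) -> str:
    """Lower-case, strip accents and punctuation and sort the tokens so that
    'Jane Doe', 'DOE Jane' and 'jane.doe' all compare equal."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(sorted(re.findall(r"[a-z]+", folded.lower())))


# Constructed: the executives whose names attackers put in display names.
PROTECTED = {normalize_name(n) for n in ("Jane Doe", "John Smith")}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; a transposition such as exampel/example counts as 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_label(label: str) -> str:
    """Undo common substitutions so examp1e, exarnple and ex-ample fold to example."""
    return label.translate(CONFUSABLES).replace("rn", "m").replace("-", "")


def looks_alike(domain: str) -> bool:
    """True if the domain imitates one of ours: our name on another TLD,
    confusable characters, our brand embedded in a longer label, or a label
    within two edits of ours (assumed thresholds)."""
    if domain in OWN_DOMAINS:
        return False
    label = domain.rsplit(".", 1)[0]
    for own in OWN_DOMAINS:
        own_label = own.rsplit(".", 1)[0]
        if own_label in fold_label(label) or levenshtein(label, own_label) <= 2:
            return True
    return False


def classify(from_header: str, auth_results: str = "") -> str:
    """Return 'spoofing', 'look-alike domain', 'display name deception' or
    'none' for a raw From header value. auth_results is the receiving
    server's Authentication-Results header; without a DMARC pass, mail that
    claims one of our own domains is treated as spoofed (conservative default)."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in OWN_DOMAINS:
        return "none" if re.search(r"\bdmarc=pass\b", auth_results) else "spoofing"
    if looks_alike(domain):
        return "look-alike domain"
    # Display name deception: an executive's name, or one of our own addresses
    # written into the display name, in front of a free-mail or other foreign address.
    own_addr_in_name = any(re.search(r"@" + re.escape(d) + r"\b", display.lower())
                           for d in OWN_DOMAINS)
    if own_addr_in_name or normalize_name(display) in PROTECTED:
        return "display name deception"
    return "none"


if __name__ == "__main__":
    # Constructed sample headers modelled on the "Due Payment" thread in the report.
    samples = [
        ('"Jane Doe" <jane.doe@example.com>', "spf=pass dkim=pass dmarc=pass"),
        ('"Jane Doe" <jane.doe@example.com>', "spf=fail dkim=none dmarc=fail"),
        ('"Jane Doe" <jane.doe@examp1e.com>', ""),
        ('"DOE Jane" <janedoe1962@gmail.com>', ""),
        ('"jane.doe@example.com" <president.office@gmail.com>', ""),
    ]
    for header, auth in samples:
        print(f"{classify(header, auth):24} {header}")
```

The display-name check is deliberately last: the report’s own figure is that 82 percent of BEC attacks use nothing more than a familiar name on a free-mail address, so this branch carries most of the load, but it only works if the protected-name list is kept current with the executives and finance staff attackers actually impersonate. A missing Authentication-Results header is treated as a failed check, which is the right default for a gateway that sees the message before any downstream hop has authenticated it.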


A Reversal of Fortune

Most BEC attacks proceed in a similar fashion. Criminals leverage business contact databases, social networks and even a company’s own website to identify key individuals. In the instance shown below, we captured a criminal email account that was using display name deception to appear as the president of an entertainment company in Los Angeles.

The attacker sends a simple request to a member of the accounts payable team to determine if his employee is available to make a payment. (The real names and company of the “president” and victim have been redacted.)

From: “President of Company” (Display name deception)

To: "Accounts Payable Victim"

Subject: Due Payment

"Accounts Payable Victim," Are you available to make a payment?

We can see from the next exchange that the target has taken the bait, as the criminal sends a follow-up email to the target. Our research shows that BEC attacks are more than 10 times more likely to succeed after an initial response is received. In this message, our criminal requests an overnight payment for $64,250:

On Mon, Apr 9, 2018, “Victim” wrote:

HI “President”, yes, how can I help?

From: “President of Company” (Display name deception)

To: "Accounts Payable Victim"

Subject: Re: Due Payment

"Accounts Payable Victim," See attached W-9 for vendor details, Overnight a check for $64,250. e-mail me with tracking# once check is mailed out. Thanks, “President”

As the attack proceeds, accounts payable requests the email address of the vendor to verify her payment. The criminal provides an affiliated email address that will provide the fraudulent bank account information.


On Mon, Apr 9, 2018 , “Accounts Payable Victim” wrote:

Will do! Also, before we can do that, I need to get her email address so I can email her a link to verify her vendor information. Would you be able to send me her email address when you have a sec?

Thanks!

From: “President of Company” (Display name deception)

To: "Accounts Payable Victim"

Subject: Re: Due Payment

Send to [REDACTED AFFILIATE CRIMINAL EMAIL ACCOUNT]

Again, the criminal faces another obstacle in his play as the accounts payable team does their due diligence, but the criminal responds vaguely enough that it doesn’t raise suspicion.

On Mon, Apr 9, 2018 , “Victim” wrote:

Thanks “President.” Also, can you let me know what project this payment is for for coding purposes? Once she approves her vendor information, I’ll send you the bill for approval.

From: “President of Company” (Display name deception)

To: “Accounts Payable Victim”

Subject: Re: Due Payment

Payment is for consulting.

It seems this attack is passing the point of no return. The accounts payable team presents the criminal with multiple options for sending payment. This criminal prefers a paper check instead of electronic payment.

On Mon, Apr 9, 2018, “Accounts Payable Victim” wrote:

She submitted her electronic payment information, so if you would prefer, I could make sure her electronic payment will be processed tomorrow. Otherwise, I am still happy to overnight a check, but wanted to let you know we have that option.


From: “President of Company” (Display name deception)

To: “Accounts Payable Victim”

Subject: Re: Due Payment

“Accounts Payable Victim,” Overnight a check for this payment we will make electronic payment to vendor going forward.

Thanks, "President"

This attack has now reached its final step, as accounts payable has still not realized that “President of Company” is not who he claims to be. This criminal leverages his assumed authority over a woman that presumes he is her boss. These brief exchanges seem all too recognizable as the terse messages that a busy president or CEO would send. The target is all too eager to please her boss and wires payment for the fraudulent charge.

On Mon, Apr 9, 2018 , “Accounts Payable Victim” wrote:

Hi “President,”

We missed the cutoff for FedEx pickup today. Please go ahead and approve the invoice in DocuSign or email back saying you approve. Let me know if you still want me to FedEx overnight the payment (it will go out tomorrow morning and get to her on Wednesday) or if you want me to send an ACH payment so it can get to her tomorrow.

From: “President of Company” (Display name deception)

To: "Accounts Payable Victim"

Subject: Re: Due Payment

I approve. Send ACH payment to vendor.

Thanks, "President"

In most cases, this story would end in tragedy (lost funds, potential employee termination, etc.). But this story has a happy ending. In the process of actively monitoring these captured criminal email accounts, an Agari researcher identified this BEC attack and was able to warn the accounts payable team just in time to reverse the wire payment. The response from the victim was a condemnation of the attacker using words too colorful to print. Agari advised the victim to contact her bank immediately to reverse the charge and to file a complaint with the FBI’s IC3 division.


Real Estate Purchase or Escrow Scams

There are two types of real estate scams: rental scams and purchase scams. Rental scams are a low-cost, high-volume scam. The scammers post an ad for an apartment or vacation rental they don’t own, request a deposit and then disappear (savvy security professionals can spot these a mile away on Craigslist). These are more common than purchase scams, as they require less competence to carry out, but they are also less profitable.

Purchase or escrow scams are a sophisticated man-in-the-middle attack, and are especially dangerous, potentially costing victims their life savings. The scammer targets multiple real estate agents or title companies and tricks them into installing malware, which lets him take over the account and begin forwarding all the email to him. He then begins monitoring potential purchases.

When a deal is ready for completion, the scammer sends an email to the buyer purporting to be from an escrow agent or the real estate broker, and provides payment instructions with the scammer’s account number. By knowing all the details of the transaction (address, purchase price, the name of the agent, etc.) and knowing when the buyer is expecting instructions, the fraudulent email can be made to look highly convincing even to sophisticated individuals. The victim instructs the bank to wire the money. And in an instant, their down payment—and possibly their life savings—is gone forever.

The criminals often use custom malware to compromise the accounts of their launchpad victims. Figure 17 shows our scan of one malware-laden file used by Group 5, run half a year after the malware was purchased.

Figure 17: A Custom Malware Sample.

Criminals relying on malware commonly use custom-made malware, purchased on the dark web. Because these are highly tailored pieces of malware that are used only rarely, very few antivirus services are able to detect them. As the figure above shows, one piece of custom malware was only detected by nine out of 60 engines, even six months after it was purchased and deployed.


Initial Infection Vector

From: “Master Comann”

To: [REDACTED - TARGET REAL ESTATE BROKER]

Subject: Re: Pictures

Hello,

Sorry for the late respond my wife and I are relocating and we'd like to purchase a prime property that will suit all our needs. We have a comprehensive list of what we are looking for below. We hope you will be able to help us find our dream properties. please find attached Specifications.

Thanks

Attached to the email was a Word document infected with malware, and a fake letter from a fake bank, New York Securities Bank, attesting that the buyer has $400 million on deposit.

The attacker, “Master Comann,” sends variations of this email to many real estate agents. In another example, he identified himself with a forged alias placed on the letterhead of a rural Texas hospital.

W-2 Scams (Identity Theft and Tax Fraud)

In a W-2 scam, the attacker contacts employees in a company’s human resources department with an email appearing to come from the company’s CEO or CFO. The message asks for a copy of the company’s W-2 files. W-2 forms are the Internal Revenue Service (IRS) documents U.S. employers provide to their employees shortly after the end of each year, listing the employee’s earnings, tax withholding, Social Security number and address.

Once they receive that information, the scammers can file fraudulent tax returns to receive a refund check from the IRS. More than 200 employers were victimized by W-2 scams in 2017, compromising the identity of hundreds of thousands of employees, the IRS has reported.

Nanny Scam

One group runs a nanny scam, where they place an ad for a nanny to care for a disabled child. Respondents are sent a check which they are told to deposit and use a portion of to purchase a wheelchair that the scammer found online. Naturally, the check is bogus and will eventually bounce, but not before the victim has purchased the wheelchair. To make matters worse, the wheelchair ad is also fraudulently placed by the same scammer. After the purchase is made, no goods are shipped.

Escort Scam

One of the organized crime groups runs an advance fee scam seeking an escort for a wealthy client. Respondents are sent a bogus check for the escort services with an additional amount to be spent with the wealthy client’s “agent” to arrange a hotel room, champagne service, etc. As with other “advance fee” scams, the victim of the attack will either make a payment to a party associated with the criminal, or refund the portion of a fake check payment in excess of what they needed. The criminal thereby receives a transfer in exchange for a fake check, and the victim’s bank charges the victim’s account once the scammer’s check bounces.

Nigerian Letter or 419 Scam

The grandfather of these attacks, almost always run out of Nigeria, is an email purporting to be from an African government official or prince who offers a large reward in return for helping smuggle millions of dollars out of the country. Once the victim is hooked, he is persuaded to send an advance fee (often in the thousands of dollars) to facilitate the transaction, and then the scammer disappears. These scams are old enough to have originated in physical letters before shifting to email, but have faded considerably as they have become less effective.

Job Scams

Among the varieties we see are “mystery shopper” scams and “work-from-home” scams. These are commonly used by criminals to recruit unwitting money mules or to employ people to “help post ads on Craigslist”—a job description that in reality translates to “help evade security mechanisms deployed by Craigslist.”

“Mystery Shopper” Scams

In this scam, ads are placed for mystery shoppers. Respondents are sent a check to cover their shopping task, which is to purchase various gift cards from a particular store. They are asked to fill out a form about their shopping experience, and to forward the gift card codes to the scammer as proof they did indeed perform their task.

A commonly observed shopping task is to receive a wire transfer (usually from a victim in another scam, unbeknownst to the mystery shopper) and to purchase iTunes cards. It might be hard to imagine why a scammer would be so dedicated to filling the gaps in their 70s disco music collection, but with the existence of online services such as paxful.com, the scammers can directly exchange the gift card’s value for Bitcoin, essentially turning the iTunes card into a form of pre-paid currency. We have also observed our scammers exchanging Walmart gift cards worth over $1,000 for Bitcoin, although Amazon, eBay, and PlayStation Network gift cards could be used in exactly the same way.

Another variation of the mystery shopper scam involves the mystery shopper being sent a check for a higher value, commonly $1,800. In this instance the assigned task is to evaluate Walmart and MoneyGram, the money transfer service. They are asked to spend $100 on grocery items for themselves, all the while making a mental note of the experience against some predefined criteria. Once they have completed this stage of the assignment they are asked to deduct their fee of $300, plus an additional $40 for the money transfer fee, and then forward the remaining $1,360 on to the next mystery shopper (the scammer). The success of this scam hangs on the check not being spotted as a forgery, and on the shopper not getting cold feet and returning the check out of suspicion about the legality of the role. When the check eventually bounces, the mystery shopper realizes that the money he or she transferred is lost, but by then it is much too late.


Work-From-Home Scams

What follows is a real example of a work-from-home scam and our interaction with the scammer. The attacker used fake Japanese names for himself and his company, which we have redacted. As is typical, it begins with a spam email:

From: "Fake Company"

Subject: Accounting Position

“FAKE COMPANY,” is greatly in need of an individual/company who can handle its account receivables from its customers/clients

Capable and Interested Candidates are to E-mail their UPDATED resumes.

After responding to this email, our researchers received the following email:

From: "Fake Company"

Subject: Re: Accounting Position

Thanks for your response. Attached to this email is More details regarding your position and how you can assist us. Please go through it and get back to us with a response kindly Send UPDATED resume details of experiences and the following information.

Full Name: Full Address: Tel/cell: Position Held: Email: Current Job:

Note: This is a part-time job is not time consuming

Warm Regards

After throwing together and sending a mediocre accounting resume, we were soon offered the position of Company Representative with "Fake Company":

From: "Fake Company"

Subject: Re: Accounting Position

Be inform that your response was received regarding your details. Attached to this email is our company Representative Contract Agreement/Memorandum Of Understanding Document. Please go through it and get back to us with a signed copy of the Agreement/Memorandum Of Understanding Document before we can finally approve you as our company representative in-charge of our company affairs.

I await the signed copy of the MOU as soon as possible.


After returning the signed MOU, we were soon given our first assignment:

From: "Fake Company"

Subject: Re: Accounting Position

Prior to your Approval as "Fake Company" representative in-charge of its delinquent account collections/receivables in USA & Canada. Below is the details of your first delinquent account collection on behalf of "Fake Company"

First Official Assignment: You are to contact this customer/client (REDACTED) as your first delinquent account collections on behalf of "Fake Company" Be inform that REDACTED is one of our numerous Customers/Clients that owes our company, although the management "Fake Company" has already spoken to REDACTED regarding your employment as our company representative in-charge of delinquent account collections in USA & Canada and also we have sent him your contact details, informing him to remit all payment they owe "Fake Company" to you as Corporation representative, who is in-charge of our delinquent account collections. You are to contact this delinquent customer/client immediately you receive this message.

Details Of Delinquent Customer/Client are below:

REDACTED (CEO) REDACTED Tel: Phone: +1-403-555-5555 Cell ; +1-403-555-8888 E-mail: [email protected] Website:www.redacted.com

FILL OUT THE BELOW FORM AND SEND IT TO HIM ALSO.

Your Business/Company or Personal name to receive payment________
Please confirm address where Payment check is mailed to______
The financial institution check will be processed________
Largest Deposit ever made to this account________
Personal names__________
Direct mobile line__________
Email__________

Be inform that this delinquent customer/client owes our company the sum of $695,781.00 (Six Hundred And Ninety Five Thousand, Seven Hundred And Eighty One Dollars). So therefore you are to contact this delinquent customer/client via phone and E-mail communication to discuss on how and when their company (REDACTED) intend to remit payment to you, as Company representative. Although REDACTED told our company management that they were ready to remit payment in installment as soon as you establish contact with their company. Also you are to update me on every discussion and contact you establish with this delinquent customer/client.

Note: Attached to this email is the scan copy of "Fake Company" Purchase Agreement and the Purchase Invoice that was used in transacting business between "Fake Company" and REDACTED.

As soon as you are in contact with REDACTED don't hesitate to let us know.

Warm Regards "Attacker Alias" Director of Administration

At this point we were forced to resign our post, as we could not continue to act as a representative of "Fake Company" without breaking the law.


Romance Scams

Every organized crime group we captured conducts romance scams in order to find U.S.-based money mules, who aid and abet the foreign scammers by helping them launder money. Most of these money mules are themselves victims, both emotionally and financially. One such mule admitted to the investigating officer that she had been carrying on an online relationship with her handler for six years. She had already given the scammer half a million dollars of her own money, and was paying for a $250/month business contacts service that her handler used to target companies. She had been contacted by local police in the past, and several of her accounts had been closed at major banks for fraud. Sadly, her story isn’t unusual.

Romance scams were the most popular method of money mule recruitment among the groups we captured. While time-consuming, the advantage of the romance scam is the trust built up over time between the scammer and his mule. Thanks to this trust, the mule is far less likely to simply pocket the proceeds. So how does the scam work?

The attack chain is quite straightforward:

1. Create a free webmail account.

2. Establish a U.S. phone number using Google Voice or a similar service.

3. Create a fake Facebook and/or Instagram profile.

4. Join one or more online dating websites.

5. Use the dating site’s search capabilities to target vulnerable individuals.

6. Communicate via the dating website just long enough to move the conversation to another medium such as text or email.

7. Use mass-marketing email techniques to identify the loneliest, most gullible targets.

8. Continue the conversation with the most gullible targets.

9. Eventually ask the victim for small sums of money for some contrived hardship.

10. Once the victim starts complaining about money, offer them a way to get all of their money back by simply cashing a couple of checks and sending part of the money to the scammer via MoneyGram or Western Union.

11. Continue pulling the romance scam victim deeper into the scams.

12. If the victim wises up, threaten to turn him or her in to law enforcement if he or she does not continue to launder money for the scammer.


Broken Hearts, Broken Lives

Among the saddest and most heartless of all scams are the romance scams. We captured one long-running exchange between “Jim Blackie” and a divorced American woman with children. Blackie portrayed himself as an expatriate living in Dubai (though the attacker is actually working from Nigeria), and shared photos of attractive individuals (catphish photos) seemingly grabbed from the Internet.

The woman refinanced her home to send money to Blackie. Eventually the creditors closed in, and she was forced to sell her house, pull her children out of school, and move the family in with a friend. She sent Blackie more than $500,000. All the while, he continued asking her to go out and buy him gift cards. Despite doubts, she persisted in believing he was for real.

On May 7, 2017, at 7:50 PM, “Jim Blackie” wrote:

How was your day my baby

On Sunday, May 7, 2017, [Victim] wrote:

It was good. Enjoying time w [child’s name]. Wish you were here babe

On May 7, 2017, at 8:18 PM, “Jim Blackie” wrote:

I wish that too baby I can't wait for us to be together as family

On Sunday, May 7, 2017, [Victim] wrote:

We've been saying that for a long long time

On May 7, 2017, at 8:29 PM, Jim Blackie wrote:

Yes cos am so sure about it

On Sunday, May 7, 2017, [Victim] wrote:

I love to hear that baby. I just wonder when. Seems like it will be too good to be true

On May 7, 2017, at 8:40 PM, Jim Blackie wrote:

Honey it's bed time I need you to go to bed. I love you so much baby


Her desperate emotional attachment was all too easy for her attacker to see. A few days later, after not hearing from him for a day, she wrote:

On Thursday, May 11, 2017, [Victim] wrote:

When I re-read all your emails I know you're there. Somewhere. I mean really, really there. They make me feel like they always do - warm inside, special because you take time to send a message to me. I don't know if I've made you angry. Or if something has changed so that you don't have access to email as much. I wonder if you're trying to slip away from me - hoping I'll forget about you? You know there's not a chance in hell that will happen. I will never stop thinking about you and I could never, ever forget you. You've convinced me you're real - then where are you? What is all this? And why? Every time you do this I wonder if I've heard from you for the last time. And I can't bear the thought. Please don't turn this into a huge mistake. I don't deserve that. I've trusted you. I don't want to ever give up on you because I love you, but you've got to give me something to hang on to that makes sense. Anything. Just talk to me please.

The following week, she questions him on his lies.

On Wednesday, May 17, 2017, [Victim] wrote:

Makes no sense that you can't get your money from the bank. What's up with that now? I even asked my ex to loan me some money. He said no and now he's pissed at me for "blowing" my money and the kids' money.

On May 17, 2017, at 7:28 PM, Jim Blackie wrote:

Wow honey he should be able to help

On Thursday, May 18, 2017, [Victim] wrote:

He said he won't. I'm on my own

On Saturday, May 20, 2017, [Victim] wrote:

I'm having to talk to a friend tonight about possibly moving in with her. This is humiliating

On May 20, 2017, at 4:17 PM, Jim Blackie wrote:

I am feeling sad right now for that honey, I want you to do something for me I need a vanilla card of 100$ I want to make use of it for something really important


On Saturday, May 20, 2017, [Victim] wrote:

I don't know how you can possibly ask me for more.

On Saturday, May 20, 2017, Jim Blackie wrote:

Honey am not asking you for more I am just asking for a little favor a vanilla card you can go to the store and ask for a vanilla card it's just like an iTunes gift card

On May 20, 2017, at 4:58 PM, Jim Blackie wrote:

It's called easy pay vanilla card master

On Sunday, May 21, 2017, [Victim] wrote:

The point is that I've been telling you how broke I am but you still ask me for money. Is this a test? Because I assure I don't have it and am not sending. I need help from you

On Sunday, May 21, 2017, Jim Blackie wrote:

Yes I know honey I am also trying to help from my side here

She was forced to put her house up for sale after refinancing it to get money for Jim Blackie.

On Wednesday, May 24, 2017, [Victim] wrote:

...Wondering where you've been and why you've been away so long...Not sure - perhaps you've given up on me? Since I can't send more money, maybe I'm of no use to you now. I certainly feel like that could be the deal here...A realtor is coming over tomorrow to help me list my house for sale. I'm talking to an attorney now about how to keep the collection agencies away and protect my kids. All this time, I'm wondering if I've heard from you for the last time. Please don't let that be the case. But only you know what's going on. You've never let me in on your story...Don't give up now baby. We still have a chance.

On Wednesday, May 24, 2017, Jim Blackie wrote:

Honey I am so down right now I don't feel like talking to anyone


On May 23, 2017, at 11:56 PM, Jim Blackie wrote:

I just wanna be left alone

Yet he still asked for more.

On Friday, May 26, 2017, [Victim] wrote:

Is this all we will ever be? I get angry because of how you are ruining what we could've had together. I'll take care of myself here. I have learned that I can't depend on you and that breaks my heart. But I have to pull myself up now

On May 26, 2017, at 12:17 PM, Jim Blackie wrote:

Yes honey I know, honey can you help me out with 1500$ and a vanilla card

On Saturday, May 27, 2017, [Victim] wrote:

No. I have to sell it. Remember I refinanced to give you money and I owe too much. It's the other bills that are killing me. The loans and credit cards. I have to sell to pay them

After reviewing this conversation in April 2018, we contacted the victim to confirm what we assumed she already knew—that she was being scammed. We found she had lost more than $500,000 to the scammer, lost her house, and was forced to move her children out of their school.

And as devastating as this story is, it happens to millions of innocent people. According to a February 2018 report from the Better Business Bureau, victims of romance scams in the U.S. and Canada have reported losing nearly $1 billion over the last three years, with more than a million victims in the U.S. alone—and this is only what’s reported. Millions more may go unreported due to the humiliation felt by those victimized.


Criminal Gains: At What Cost?

As part of Agari’s efforts to understand these organized crime groups, we worked to identify how often the criminal organizations made a profit. Across all captured criminal email accounts, we observed requests for payment ranging from $1,500 to $201,805, as well as a few outliers requesting more than “20 million dollars.” The median request was approximately $24,000 and the average was $35,500.

Figure 18: Distribution of Requested Payment.

It is interesting to note that this observed average is significantly lower than the average reported in the most recent FBI/IC3 report on business email compromise ($131,902), almost four times what we observed. A likely explanation for the discrepancy is that criminals who (believe they have) received a transfer from a victim immediately turn around and request a second, often larger, transfer, continuing these requests until the well runs dry.

An analysis of the contents of the mailboxes of the captured criminal organizations reveals that not all organized crime groups are created equal. We confirmed a total of 40 profit events, 14 of which corresponded to Group 7, but none for organizations 6 and 10.

Figure 19: Confirmed Profit Events.

We also believe the profits may be even higher than what these statistics show. First, we identified various distributions of criminal email accounts for different organized crime groups. For some organized crime groups, we identified as many as 20 criminal email accounts, for others we identified fewer than five. Since we cannot analyze the emails in the accounts we did not identify, we only see a fraction of the evidence of criminal profits. Second, our researchers identified these potential losses by manually reviewing a list of 690 plausible profit emails that were initially detected by automated heuristics. Finally, we disqualified 23 uncertain events from our statistics.

Similar to the confirmed profit events, the likely total profits were also distributed unevenly, with seven belonging to Group 1 and 11 belonging to Group 7. We confirmed two victims with losses exceeding $500k, each corresponding to romance scam victims.

In comparison to the two losses of half a million each, some of the criminal profits were rather modest, with a $1,500 theft from a rental scam being illustrative of the typical amounts involved in these scams.

Our researchers have also observed other indications of criminal success. The most prominent example of this is a receipt, found in the mailboxes of Group 7, indicating that the organized crime group transferred approximately $1M in Bitcoin between two accounts. The mailboxes of Group 7 show absolutely no evidence of engaging in ransomware attacks, and the victims of the observed attacks were never asked to pay using crypto payments. However, we believe that it is highly implausible that any of these funds were earned in an honest manner.

It is bleedingly evident to us why online crime is on the rise. Figure 20 shows an estimate of criminal success rates, based on observed data, for the three common types of scams that we have tracked in greater detail in this report. It is clear why BEC attacks have been growing the fastest: they are by far the most effective, particularly after an answered probe.

Type of Scam   Victims/100 Probes   Victims/100 Answered Probes
BEC            0.37                 3.97
Romance        0.13                 1.54
Rental         0.26                 0.70

Figure 20: Success Rate of Attacks.

A probe is an initial effort by the criminal to establish contact with a victim. An answered probe is a probe for which the intended victim sends at least one message to the criminal—this might be as brief as an answer “Yes” to a question “Are you at your desk?”.

If we apply these statistics to the most recent FBI/IC3 research reports, we can extrapolate that BEC attacks earn these organized crime groups between $982 and $5,236 per answered probe. Recall that an answered probe is one where the intended victim simply responds to the attacker; not all of these result in actual losses, but when they do, the actual losses are much higher. Likewise, romance scams earn $216 per answered probe and rental scams earn $14 per answered probe. It is obvious why organized crime groups have turned to BEC.
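The extrapolation above, as an added worked example that is not part of the report: it takes the Figure 20 success rates, derives the reply rate that the two columns imply (victims per probe divided by victims per answered probe), and reproduces the upper end of the per-answered-probe figure by multiplying the answered-probe success rate by the IC3 average BEC loss of $131,902 that the report cites. The success rates and the $131,902 figure are the report's; any other loss-per-victim value passed to the functions is the caller's assumption, and the `probes_needed` helper is an added convenience for sizing a campaign from the defender's side.

```python
"""Expected criminal yield per probe, derived from the Figure 20 success rates.

Added example, not part of the Agari report. The success rates below are the
report's Figure 20 values; the $131,902 loss-per-victim figure is the FBI/IC3
BEC average the report cites. Any other loss value is an assumption.
"""

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ScamStats:
    name: str
    victims_per_100_probes: float    # Figure 20, "Victims/100 Probes"
    victims_per_100_answered: float  # Figure 20, "Victims/100 Answered Probes"


# Figure 20 values, as printed in the report.
FIGURE_20 = [
    ScamStats("BEC", 0.37, 3.97),
    ScamStats("Romance", 0.13, 1.54),
    ScamStats("Rental", 0.26, 0.70),
]

# FBI/IC3 average BEC loss cited by the report (USD).
IC3_AVG_BEC_LOSS = 131_902.0


def answer_rate(s: ScamStats) -> float:
    """Fraction of probes that receive any reply, implied by the two columns.

    victims/probe = (victims/answered) * (answered/probe), therefore
    answered/probe = (victims per 100 probes) / (victims per 100 answered).
    """
    return s.victims_per_100_probes / s.victims_per_100_answered


def expected_loss_per_answered_probe(s: ScamStats, loss_per_victim: float) -> float:
    """Expected criminal take per answered probe (the report's extrapolation)."""
    return loss_per_victim * s.victims_per_100_answered / 100.0


def expected_loss_per_probe(s: ScamStats, loss_per_victim: float) -> float:
    """Expected criminal take per initial probe, before anyone replies."""
    return loss_per_victim * s.victims_per_100_probes / 100.0


def probes_needed(s: ScamStats, victims: int) -> int:
    """Average number of initial probes required to produce `victims` victims."""
    return math.ceil(victims * 100.0 / s.victims_per_100_probes)


def summarize(loss_per_victim: float) -> dict:
    """Per-scam summary using one loss-per-victim estimate for every row."""
    return {
        s.name: {
            "answer_rate": round(answer_rate(s), 4),
            "per_probe": round(expected_loss_per_probe(s, loss_per_victim), 2),
            "per_answered": round(expected_loss_per_answered_probe(s, loss_per_victim), 2),
            "probes_per_victim": probes_needed(s, 1),
        }
        for s in FIGURE_20
    }


if __name__ == "__main__":
    bec = FIGURE_20[0]
    # Reproduces the report's $5,236 upper bound for BEC.
    print(f"BEC per answered probe: ${expected_loss_per_answered_probe(bec, IC3_AVG_BEC_LOSS):,.0f}")
    for name, row in summarize(IC3_AVG_BEC_LOSS).items():
        print(name, row)
```

One thing the two columns show that the prose does not spell out: rental probes are answered roughly four times as often as BEC probes (about 37% versus 9%), yet convert to victims far less often once answered, which is why BEC dominates on a per-answered-probe basis.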

In addition to these successful attacks, Agari has also observed evidence of many successful phishing attacks. Figure 21 reveals a large collection of sensitive information obtained by these organized crime groups.

Data Type      Count
PIN            1281
Password       881
SSN            596
Zip code       436
Bank account   240

Figure 21: Sensitive Information Across All Organized Crime Groups.

Turning the Tables on Cybercriminals

At the time of writing, 24 of these criminal email accounts have been taken down. We have also reported a large number of criminal email accounts for takedown that we were unable to capture, but we have not reported any additional criminal email accounts that we have captured. Our goal has been to monitor the captured criminal email accounts for attacks so that we can warn victims and notify financial services of fraudulent bank accounts and transactions. This is more valuable than forcing the criminals to create new email accounts, given the relatively limited effort needed to do so.

Agari’s analysis of the criminal accounts has given rise to a large array of benefits to date, and we hope to extend this list onwards. Here are a few examples:

1 We have notified financial institutions of hundreds of mule bank accounts, allowing them to freeze such accounts and investigate the transfers to prevent losses and crime.

2 We have intervened in several ongoing fraud attempts, resulting in a removal of criminal malware, reversal of outgoing wire transfers, and the recognition of the true nature of interactions with criminals among several intended and actual victims.

3 We have also referred one case to the FBI, and are in the process of preparing several other referrals, starting with the most active and abusive criminal organizations we have identified.

4 We have furthermore reported the contents of the captured mailboxes to associated email service providers, who are limited by their privacy commitments not to review the contents of mailboxes—unless these are explicitly provided to them.

5 Agari has interacted with professors and PhD students at several universities, influencing the PhD theses of two New York University students and one Stanford University student, as well as helping faculty members seek funding for work on fraud detection and fraud prevention at New York University and University of Maryland. The work has also given rise to several academic publications in various degrees of progress, which will further help inspire other researchers.

6 We have gained an improved understanding of the modus operandi among criminal organizations, including a clear preference among the criminals for using a small set of financial institutions for setting up mule accounts, likely due to less demanding security efforts at such institutions. Agari has notified financial institutions with an anomalous amount of observed mule accounts, suggesting to representatives of such banks what other institutions seem to be doing much better, to stimulate information exchange between these organizations.

7 Last but not least, the collection of intelligence about criminal organizations has helped inform prioritization efforts for Agari’s Advanced Threat Protection, which protects against targeted threats, such as BEC, spear phishing, account-takeover based attacks, and ransomware.

As the community of individuals and businesses who entrust their email to Agari expands, and as Agari is able to analyze an ever-growing number of mailboxes, we will gain even greater insights into the minds of the criminals. Moreover, as we increase collaborative efforts—whether with customers, academia, financial institutions, law enforcement, email service providers or other email security vendors—we expect to perform more analysis on this data, leading to better predictions of trends and the development of increasingly accurate security controls.

Most importantly, we intend to increase the risks and lower the rewards for cybercriminals. We now know what trusted communications look like for a growing number of individuals and organizations. And a growing number of individuals and organizations are discovering the level of protection that Agari provides. No longer can the wolf in sheep’s clothing simply slip into the flock unnoticed. Our AI-driven defenses have learned what sheep’s clothing looks like. In effect, identity is the new frontier of security. And in close partnership with law enforcement, our customers and our partners, Agari will continue to capture and report identity-based attacks and help turn the tide of online crime.

Conclusion: Addressing a Future of Criminal Automation

In conclusion, let us look toward the future and imagine how organized crime groups may evolve their operations, so that we—as a community of security professionals—may assess our existing security controls against the anticipated onslaught of more effective and malicious attacks. We have had plenty of opportunity to study the modus operandi of these organized crime groups, having captured so many criminal email accounts during the past year. Throughout this process, we have frequently wondered, “if we were criminals, what would we do differently than they currently do?”

At an operational level, these organized crime groups could still become more organized by writing more convincing messages with better spelling and grammar, sending messages during “plausible” business hours, matching their signature to their display names, and keeping track of conversation threads. Most importantly, we should assume these organized crime groups want to scale up by sending many more attacks. We would not be surprised if these organized crime groups are developing automated tools to send more messages.

If we can imagine automated business email compromise (ABEC), then so can the criminals. You must believe this will be built since it will increase the yield of criminals in a notable manner. Every dollar stolen could become a dollar invested into future crime.

If we expect the rise of ABEC attackers in the next few years, how can we prepare for it now?

The answer, as you may have anticipated, is active defense. As the criminals ramp up their attacks, automation or not, we must strike back where it hurts the most: we must cause the mule accounts they use to be frozen, email accounts to be reported, and domains to be taken down. With greater effort will come greater exposure to the attacker, resulting in the emergence of real risk for abusive behavior.

AGARI CYBER INTELLIGENCE DIVISION

The Agari Cyber Intelligence Division (ACID) is the only counterintelligence research team dedicated to worldwide BEC and spearphishing investigation. ACID supports Agari’s unique mission of protecting communications so that humanity prevails over evil. ACID uncovers identity deception tactics, criminal group dynamics, and relevant trends in advanced email attacks. Created by Agari in 2018, ACID helps to impact the cyber threat ecosystem and mitigate cybercrime activity by working with law enforcement and other trusted partners.

Agari Data, Inc.950 Tower Lane Suite 2000, Foster City, CA 94404