LAS VEGAS – Poor operational security on the part of Nigerian scammers running a Business Email Compromise (BEC) scheme has given researchers a window into their operations.
Dell SecureWorks today published a report at Black Hat USA 2016 on what the criminals involved call wire-wire, or “waya-waya.” These attackers aren’t particularly sophisticated malware coders, for example, but the operation is adept at targeting executives in certain industries with phishing attacks that ultimately lead to fraudulent wire transfers, resulting in hundreds of thousands of dollars being lost. Manufacturing firms, chemical operations and other high-value organizations have been targeted by these campaigns that go much deeper than simply spoofing emails ordering confirming wire transfers.
The attackers behind these scams are using malware to attack email servers and sit man-in-the-middle style intercepting and redirecting messages in order to score a big pay day.
And all of this intelligence is possible because one of the leaders of the operation inadvertently infected his machine with the group’s own malware, which allowed researchers to peer into their activity, researcher Joe Stewart of Dell’s Counter Threat Unit told Threatpost.
“In this case, we got the mother load, one actor who is running the show pretty much,” Stewart said. “He’s not necessarily the guy in charge, but without him, these actors would not be able to carry out what they’re doing.”
Stewart said the unnamed criminal regularly uploads screenshots and keystroke logs to a webserver, and this intelligence, which also includes the identities of some of the 30 people in this group has been turned over to law enforcement, which is investigating. Stewart said that once any arrests are made and law enforcement investigations have wrapped up, Dell may publish another report that includes details on the malware used and other indicators of compromise. Stewart, meanwhile, characterizes the skill level of most of the group as “comical.”
“They rely on this central figure to do most of the deployment of infrastructure and creation of new variants of the malware like scripting and packing to avoid scanners, as well as setting up clone emails,” Stewart said. “He’s spent a lot of time doing that and training them, setting up remote desktop software on their computers and training these guys. We can see their communication where talking back and forth using remote desktop; we can see his and others’ desktops. A lot of them struggle with the concepts and they’re not deeply technical. More of them come from a background of social engineering fraud and they’re trying to acclimate to wire fraud, and it takes a lot of hand-holding to get them to that point.”
The schemes involve the use of a tool that allows the attackers to search for websites in a particular industry and scrape those sites for email addresses. They craft emails with malicious attachments, and despite relatively few infections, the potential for a good payoff is significant if they’re able to compromise the right email account and server.
Once they’re inside a seller’s account, they seek out high-value transactions that are in the pre-order phase, Dell said, and set up a redirect for incoming messages from a potential buyer. Buyers eventually sends a purchase order to the seller’s compromised account that is redirected to the scammers. The attacker will then clone the buyer’s email—usually creating a new address that is misspelled slightly—and forwards the purchase order to the seller. The seller then replies to the buyer’s attacker-controlled cloned address with an invoice and payment instructions. The attacker modifies the payment destination forward this to the buyer, who then wires money to the attacker-controlled account.
Dell said that one U.S. chemical company seeking to make a buy from an Indian company where an employee email account was compromised by the wire-wire group lost $400,000 in such a scam. The attackers were able to modify an invoice and change bank account numbers, location and SWIFT codes needed to complete the fraudulent transaction.
The FBI last month issued an advisory on Business Email Compromises, putting a $3.1 billion price tag on losses associated with these scams. That number is a 1,300 percent increase over 2015.
Stewart said it’s important not to conflate BEC with Business Email Spoofing scams, where spoofed emails are sent from external accounts that authorize payments. BEC involves the use of exploits or malware to hijack a high-value email account. Stewart’s concern is that execs could see that conflation and think that a phone call confirming a transaction is enough to prevent fraud.
“If they think [BES] is Business Email Compromise, we’re doing a disservice to them,” he said. “The kind of activity that goes on when compromising an email server is invisible, and difficult to detect unless you know what to look for.”