Turning Tables on Nigerian Business Email Scammers

Researchers from Dell SecureWorks infiltrated a Nigerian business email spoofing and business email compromise operation, shutting down a number of money mule accounts in the process.

SAN FRANCISCO – Traditional takedowns of cybercrime enterprises generally rely on court orders that facilitate either taking servers offline or sending the criminals malware that helps identify them or their locations.

Sometimes, however, the technical option is second best.

Researchers at Dell SecureWorks today at RSA Conference 2017 shared details on their efforts to shut down a Nigerian scammer running a complex and profitable business email compromise and business email spoofing operation. The job required researchers gaining the scammer’s trust, speaking his language, learning his tradecraft as well as he knows it, and frustrating him to the point where he turns tail because the cost of doing business becomes too great.

“It’s interesting how they are very specialized; this looks nothing like other types of scams associated with Nigerian fraud. These guys are seeking out people looking for business loans on forums used by investors,” said researcher Joe Stewart. Stewart said the fraudsters targeted executives in a number of industries, including oil and health care.

Stewart and fellow researcher James Bettke have extensively studied other groups involved in wire fraud, which involved the proliferation of malware and more technical attacks to steal form targets. The researchers’ work involved not only learning about how targets are selected and how fraud is perpetrated, but Stewart said the researchers learned local dialects used by the criminals such as Pidgin English.

“We’ve gotten a good handle on local dialects and learned how to speak as they speak to one another,” Stewart said. “This gave us the opportunity to go deeper with these operations.”

Last November, Stewart and Bettke investigated a business email spoofing campaign targeting a U.S. technology company. The targeted attack went after executives posing as the actual CEO of an American private equity firm specializing in investments in technology services. The fraudsters used spear-phishing emails that established a rapport with the executive before attempting to convince make a large transfer of money to a third party complete with wire instructions that included necessary account numbers and SWIFT transaction codes.

The key to infiltrating these operations is of course first recognizing the immediate risk and potential for fraud—something Stewart said is getting more difficult. But also, the targets need a willingness to string the fraudsters along and turn the tables on them in an attempt to learn about their numerous third-party money mule accounts so that the affected banks can be notified and the accounts frozen.

In this case as Stewart and Bettke interceded they also sent the fraudsters PDF documents laced with a web bug that would allow the researchers to collect IP addresses and potentially identify the criminals behind the scam.

With this particular operation, Stewart and Bettke posing as the target executive stalled the criminals telling them over and over that the banks involved in the transactions were returning payments, and asked for new account information—details on more mule accounts used to launder money—from the fraudsters. These accounts were all eventually shut down.

The IP addresses, however, were not enough to identify the individual. So Stewart said they used a tool called Phission used in pen-testing engagements that presents a customizable front end to the target to trick them into entering more identifiable personal information. Since the key to the transaction on the criminal’s end is the wire transfer receipt verifying payment was made—otherwise the money launderer could keep the funds and claim payment was never made—Stewart said this was the pretext under which they went after the additional information.

Stewart said they used the Phission tool to set up a phony page under the pretext of needing a second form of authentication from the scammer to collect the wire transfer receipt. The criminal, however, is never able to download the payment slip and in his desperation, continues to add more information to Phission. In this case, Stewart and Bettke were able to eventually learn he used OAUTH to verify his Google and Facebook accounts and his real mobile number, which led them to his personal Facebook account.

Since in this particular case, no real money was being transferred, it was futile for the researchers to inform law enforcement; instead they pursued more social engineering powered by the data they’d collected to further infiltrate the operation.

Stewart said they then began posing as another Nigerian fraudster who told the scammer he too had access to the same executive’s email account. Stewart said this was not an uncommon occurrence where two criminals had access to the same executive.

Stewart, posing as the second fraudster, connected with the scammer they called Seun and convinced him they had owned the exec’s inbox using a RAT, and that the victim now had strict accounting controls in the U.S. and that it would be necessary to now have a U.K.-based mule. The researchers continued to amass personal information on Seun, learning of more money mules and his interest in expanding to the use of malware as well. As proof of their malware capabilities, they eventually sent Seun a malware control page that included screenshots of phony emails from the victim claiming that law enforcement was about to make an arrest. Ironically, Seun left his new virtual partners out to dry and disappeared but not before learning seven email addresses used in his various scams and freezing numerous mule accounts that would have otherwise held tens or hundreds of thousands in stolen funds.

Stewart said that given the potential for extensive loss with these campaigns, it would be critical for researchers to have a centralized entity accepting and coordinating fraud reports with law enforcement worldwide.

“There’s no shortage of people who recognize these things and string them along. The problem is that there’s no central place to report these accounts and get them shut down,” Stewart said. “Some of these guys have accounts in every country. Try to find the right contact at a particular bank in a particular country and tell them that they have accounts used by fraudsters. There’s no easy way to do it. There needs to be someone leading the effort and the charge.”

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.