A recent law enforcement operation led by Interpol has seen 11 members of a Nigerian cybercrime gang arrested for their role in a massive campaign of business email compromise (BEC) attacks. The operation has shed light on how the gangs operate and defraud their victims.

According to the FBI, business email compromise (BEC) is the costliest type of computer fraud. While the number of BEC attacks is relatively low compared to phishing, the attacks result in the largest losses of any type of cybercrime, even ransomware attacks. In 2020, $1.8 billion was lost to BEC scams and $5 billion has been lost to the scams between 2018 and 2020.

BEC attacks often involve the impersonation of a vendor. A vendor email account is compromised, and an email is sent to a customer requesting a change to payment details for an upcoming invoice. The victim is tricked into sending the payment to an attacker-controlled account, and by the time the scam is detected, the money has usually been withdrawn from the account and is unrecoverable. The transfers are often for tens of thousands, hundreds of thousands, or even millions of dollars.

These scams usually start with phishing emails. A spear phishing email is sent to the targeted company with a view to compromising the email account of the CEO, CFO, or another individual high up in the organization. With access to the account, the attacker is able to monitor communications and forward emails of interest to their own account – messages containing payment, invoice, transfer, and those containing payment information. The emails are redirected to the attacker’s account before they can be viewed by the account holder or are hidden in service directories. The attacker can then send their version of a message with altered payment details. In some of the scams, both parties – the victim and a business partner – believe they are communicating with each other, when they are each communicating with the scammer.

Another version of the scam involves the use of a compromised company email account to send messages to employees with responsibilities for making SWIFT transfers asking for payments to be made. Since the emails are sent from the CEO or CFO’s email account and the attackers copy the writing style of the account holder, these requests are often not questioned and the payments are made per the requests.

The Nigerian gang is tracked as Silver Terrier by Palo Alto Networks, which assisted Interpol in the investigation. Around 500 individuals in Nigeria are believed to be involved in the attacks. In this operation, rather than targeting the money mules, the law enforcement operation targeted the individuals involved in the technical infrastructure of the operation such as malware development, phishing attacks, and the domain infrastructure.

One suspect’s computer was found to contain th800,000 usernames and passwords that could potentially be used to hack into corporate email accounts. Another suspect’s computer showed he was monitoring conversations between 16 companies and their clients with a view to diverting legitimate payments as they were about to be made.

Once BEC scammers have access to corporate email accounts, it can be difficult to identify their scam emails. While policies can be introduced that require all requests for bank account changes or changes to the method of payment be verified by telephone, that is often impractical for every single transaction.

The best method of avoiding becoming a victim of these scams is to implement robust email security measures to block the initial phishing emails, ensure strong credentials are set for email accounts, and multi-factor authentication is implemented. The Nigerian gangs are prolific malware developers and use their malware to provide access to victims’ computers to steal credentials. It is essential for antimalware solutions to be deployed on all endpoints, and to have an email security solution with strong antimalware controls.

TitanHQ’s SpamTitan suite of email security solutions provides protection against phishing and malware attacks that are used to obtain credentials to access email accounts. SpamTitan Plus has faster and more comprehensive detection of links in phishing emails than any of the current market-leading email security solutions and the entire suite of products has excellent protection against malware, thanks to dual antivirus engines and sandboxing. The SpamTitan next-gen email sandbox is powered by Bitdefender and allows in-depth analysis of email attachments. If email attachments pass the signature-based anti-malware checks, their behavior is analyzed in detail in the sandbox to determine if they have any malicious properties. This feature is vital as it allows zero-day malware threats and command-and-control callbacks to be detected.

If you want to improve your defenses against phishing, malware, and BEC attacks, give the TitanHQ team a call today.