Account Takeover Fraud , Anti-Phishing, DMARC , Application Security & Online Fraud

Suspected Business Email Compromise Ringleader Busted

Leader of 'Transnational Cybercrime Syndicate' Arrested in Nigeria, Interpol Says
Suspected Business Email Compromise Ringleader Busted
Photo of the suspect, who has not been named by authorities (Photo: Palo Alto's Unit 42)

Police in Nigeria this week announced the arrest of a 37-year-old man who's been charged with running a criminal syndicate tied to massive business email compromise and phishing campaigns.

See Also: Webinar | Prevent, Detect & Restore: Data Security Backup Systems Made Easy

The arrest was the culmination of a yearlong investigation, with the code name Operation Delilah, into the activities of the criminal syndicate, which is tracked by cybersecurity firms as SilverTerrier - aka TMT - and which appears to have been operating since at least 2015.

"The suspect is alleged to have run a transnational cybercrime syndicate that launched mass phishing campaigns and business email compromise schemes targeting companies and individual victims," says Interpol, which coordinated the operation.

The suspect, who has not been named by authorities, was arrested by Nigerian law enforcement agents at Murtala Muhammed International Airport in Lagos, which is Nigeria's largest city.

Interpol launched Operation Delilah in May 2021 after receiving threat intelligence from three private sector partners: Group-IB, Unit 42 at Palo Alto Networks, and Trend Micro. Ultimately the governments of Australia, Canada, Nigeria and the U.S. assisted in the investigation, which was coordinated by Interpol's Africa desk, dubbed the African Joint Operation against Cybercrime, or AFJOC. Funded by the U.K. Foreign Commonwealth and Development Office, AFJOC was launched in May 2021 to help 49 African countries better tackle cybercrime.

Using the threat intelligence shared by the private partners, "investigators began to map out and track the alleged malicious online activities of the suspect, thanks to ad hoc support from private sector firm CyberToolBelt, as well as tracking his physical movements as he travelled from one country to another," Interpol says.

Third Operation Targeting Gang

This is the third Interpol-led operation to target the TMT syndicate. It follows operations codenamed Falcon I in 2020 and Falcon II in 2021, via which 14 alleged members of the gang were arrested.

Suspects arrested as a result of Falcon I (Photo: Interpol)

The suspect recently arrested via Operation Delilah "shares social media connections with Onuegbu Ifeanyi Ephraim, Darlington Ndukwu and Onukwubiri Ifeanyi Kingsley, all of whom were arrested in 2021 as part of Operation Falcon II," Palo Alto's Unit 42 reports. "He is also considered to be well connected with other known BEC actors."

The suspect appeared to have fled Nigeria in June 2021, at which time he listed his 2010 Range Rover for sale via social media, Unit 42 reports.

Listing for suspect's Range Rover on social media (Source: Unit 42)

Group-IB says it's been tracking TMT's activities since 2019. "By 2020, TMT was thought to have compromised more than 500,000 companies in more than 150 countries," it says. "According to Interpol, one of the suspects arrested during Falcon II in Nigeria was in possession of more than 800,000 potential victim domain credentials on his laptop."

Group-IB says TMT often compromised email accounts and used them to push phishing emails written in multiple languages - English, Spanish, Russian and others - based on the location of targets, which were designed to support BEC attacks.

An analysis of the group's attacks published by Group-IB in 2020, for example, found that the gang was using "mass email phishing campaigns distributing popular malware strains under the guise of purchasing orders, product inquiries, and even COVID-19 aid impersonating legitimate companies."

Sample of a 2020 phishing attack email tied to TMT (Source: Group-IB)

Malware employed by the group included a number of free tools, including AgentTesla, Loky, AzoRult, Pony and NetWire, all of which were used "to steal authentication data from browsers, email and FTP clients," Group-IB said.

The group has continued to register numerous domains to help trick victims into falling for its phishing attacks as well as relay commands to malware-infected systems. "We have identified over 240 domains that were registered using this actor's aliases," Unit 42 says. "Of that number, over 50 were used to provide command and control for malware. Most notably, this actor falsely provided a street address in New York City associated with a major financial institution when registering his malicious domains."

Massive Losses

While busting suspected BEC syndicate ringleaders is welcome news, it's unclear how much Operation Delilah will do to curb the widespread use of such tactics by criminals.

"Business email compromise/email account compromise - BEC/EAC - is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests," according to the FBI's Internet Crime Complaint Center, or IC3.

Known, combined losses tied to reported BEC theft domestically and internationally, from June 2016 through December 2021, totaled $43.3 billion, according to the latest IC3 online crime report, released earlier this month.

Of all the types of internet-enabled crime that get reported to IC3, BEC continues to account for the greatest losses.

2021 Cybercrime: Victims' Combined Losses (Selected)

  • Business email compromise: $2.4 billion (including email account compromise);
  • Data breach (personal data): $517 million;
  • Identity theft: $278 million;
  • Payment card fraud: $173 million;
  • Data breach (corporate data): $152 million;
  • Extortion: $61 million;
  • Ransomware: $49 million;
  • Phishing: $44 million, including for variants such as voice and SMS attacks;
  • Computer intrusion: $20 million;
  • Malware: $6 million.

Recovery Asset Team

To battle BEC attacks by more quickly acting on reports from victims and working with banks to freeze stolen funds, the FBI in early 2018 launched IC3's Recovery Asset Team.

Source: FBI

The FBI says that for complaints that get filed by U.S. victims for funds that have been transferred to domestic accounts, so far it has been able to help recover 74% of the transferred money. Of $444 million in lost funds, the FBI says it was able to successfully freeze $328 million.

Attackers' Increasing Sophistication

In response, attackers have designed more sophisticated campaigns and increasingly turned to bitcoin and other cryptocurrency to help launder funds.

"These schemes historically involved compromised vendor emails, requests for W-2 information, targeting of the real estate sector and fraudulent requests for large amounts of gift cards," the FBI says.

But especially during the COVID-19 pandemic as more employees relied on videoconferencing tools, attackers became more adept at stealing senior executives' credentials for such software and then inviting individuals inside the organization with the ability to initiate a wire transfer to an ad hoc meeting, the agency says.

"In those meetings, the fraudster would insert a still picture of the CEO with no audio, or a 'deep fake' audio through which fraudsters, acting as business executives, would then claim their audio/video was not working properly," the FBI says. "The fraudsters would then use the virtual meeting platforms to directly instruct employees to initiate wire transfers or use the executives' compromised email to provide wiring instructions."

The FBI says the stolen funds often get converted to cryptocurrency to make them more difficult to track or freeze before getting cashed out.

"Based on the financial data reported to the IC3 for 2021, banks located in Thailand and Hong Kong were the primary international destinations of fraudulent funds," the FBI says. "China, which ranked in the top two destinations in previous years, ranked third in 2021, followed by Mexico and Singapore."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.co.uk, you agree to our use of cookies.