Researchers gained significant insight into a Nigerian business email compromise (BEC) operation that likely costs companies $6 million annually, including one incident where a firm was tricked into sending $400,000 to the group's bank accounts.
Nigerian cyber-criminals hacked into the email of an Indian chemical company, hijacking a deal between the company and its U.S. customer and stealing the entire $400,000 payment, according to researchers with security firm SecureWorks.
Details of the attack
—of a type known as business email compromise (BEC)—is part of the intelligence gleaned by researchers from a misconfigured server used by the group. The fraud scheme is known as "wire-wire" in West African nations and involves compromising the email accounts of potential victims, waiting for a high-value order or transaction, and then sending new bank account details to the customer.
If done right, the scheme can be very lucrative—scoring between $30,000 and $60,000 on average—and hard to detect, Joe Stewart, director of malware research at SecureWorks, told eWEEK
. The collected evidence shows that West African groups are quickly evolving from 411 and Nigerian prince scams to more sophisticated social engineering, he said.
"What we learned from watching these actors over a period of months is that they worked in a way substantially different from our preconceived notions of Nigerian threat actors," he said. "Week to week, given the average [we're seeing], they are probably taking in $6 million a year."
SecureWorks named the group that stole the $400,000 Wire-Wire Group 1 (WWG1) and suspects that it has more than 30 members. Most members of the group live in the same region of Nigeria, the company stated in its report.
The details of the West African group come the same week that international law enforcement announced the arrest of the Nigerian head of a group conducting similar scams. That unnamed group, which may have stolen as much as $60 million, used both business email compromise and romance scams to bilk victims of money. In one case, a target paid $15.4 million before the scam ended
Law enforcement officials did not name the group or its leader, but referred to him as "Mike." The group's members come from Malaysia, South Africa and Nigeria.
To avoid being tracked, the group laundered its gains through contacts in China, Europe and the U.S., according to authorities. The groups pay a significant amount of money to such criminal services. In the case of Wire-Wire Group 1, for example, about half of the stolen funds end up in the hands of the criminal group that launders the money, according to SecureWorks.
The groups are not only evolving their techniques, but have evolved themselves: They are, for example, more likely to consist of mature adults, rather than younger actors, according to SecureWorks investigation into WWG1. While 411 scammers tend to be students and 20-something adults, who show off their cash and work from cyber-cafes, members of WWG1 are in their late 20s, 30s and 40s, operate from their home Internet connection and are involved in mainstream church groups. Messages between members of WWG1 show that they work to help out other members of their community by introducing them to the money-making scheme, according to SecureWorks.
The security firm dubbed the leader of the group they are investigating as "Mr. X" and stressed that the group is unrelated to the one shut down by law enforcement this week.
Business email compromise has grown to be a significant threat to companies, especially small and medium businesses that do not have good accounting controls. In April, the FBI warned that, since October 2013, more than 17,600 victims have reported the scam, with business losses totally $2.3 billion.
The attacks are accelerating as well. Since the beginning of 2015, the FBI has noted a 270 percent increase in victims and losses.
The FBI warned companies to beware of account information or changes that are only sent through email. Any changes should be verified over the phone by calling known contacts at the partner's business. In addition, companies should implement multiple levels of authentication as part of their accounting practices.