“Nigerian prince” and “419” scams have plagued victims for decades and moved to the Internet in the 1990s. There are many variations and names for these scams, which originated in Nigeria. SecureWorks Counter Threat Unit (CTU) research indicates that the simple con-man fraud practiced by many West Africa-based threat actors is being replaced by a new crime: the evolution of low-level con games into more sophisticated, conventional cybercrime that is compromising businesses around the world.
Business Email Compromise (BEC)
In BEC, an attacker compromises a seller’s email account to position himself as a “man-in-the-middle” between the seller and a buyer in existing business transactions. The threat actor then uses his control of the seller’s account to passively monitor the transaction. When it is time for payment details to be relayed to the buyer via an invoice, the threat actor intercepts the seller’s email and changes the destination bank account for the buyer’s payment. If the payment account does not appear to be suspicious, the buyer will likely submit the payment to the attacker’s account.
From the seller’s point of view, the transaction appears normal until the buyer does not pay for the invoiced goods. The only suspicious aspect the seller might detect is the change of email address between the request for a quote and the purchase order (PO). If the threat actor is skilled at document forgery and generates a seemingly legitimate invoice, the buyer will likely believe that the seller cheated them.
Case Study
When researching wire-wire activity, CTU researchers discovered that one of the most notable cyberheists had been executed by a Nigerian wire-wire group against an Indian chemical company and its U.S. customer.
The customer, also a chemical company, sought to purchase a large quantity of chemicals from the Indian company. CTU researchers found that the wire-wire group had hijacked the email username and password of an employee at the Indian company. The company used a webmail application for its corporate email, and the employee login required only a username and password. Because employees did not have to provide another form of verification, the threat actors used the credentials to access and read the employee’s emails.
The attackers identified an opportunity when the U.S. company sent a price quote request to purchase $400,000 in chemicals from the Indian company. The threat actors added a rule to the employee’s mailbox to redirect all future email from the U.S. company to an attacker-controlled email account. The attackers intercepted the U.S. company’s purchase order and resent it from another email address that closely resembled the submitter’s actual address. At this point, the attackers had established their man-in-the-middle (MITM) position between the buyer and the seller.
The Indian company eventually sent an invoice that contained wire payment details. Because the invoice went to the attacker-generated email address, the threat actors replaced the following payment details with those of the attacker-controlled account before forwarding the invoice to the legitimate recipient at the U.S. company:
- The bank account number or International Bank Account Number (IBAN), pointing to the attacker-controlled account
- The full name and address of the bank where the attackers’ account was held
- The SWIFT/BIC code of the attackers’ bank
The U.S. chemical company unknowingly wired $400,000 into the attacker-controlled account. The threat actors then laundered the money through multiple accounts in different countries, making recovery impossible and the money trail difficult to trace.
How businesses can protect themselves:
- Implement two-step verification (2FA) for corporate and personal email
- Carefully review wire transfer information in suppliers’ email requests to identify any suspicious details
- Always confirm wire transfer instructions with designated suppliers using a previously established non-email mode of communication, such as a fax number or phone number
- Be suspicious of pressure to take action quickly and of promises of large price discounts on future orders if payment is made immediately
- Thoroughly check email addresses for accuracy and watch for small changes that mimic legitimate addresses, such as the addition, removal, substitution, or duplication of a single character in the address or hostname
- For organizations that use intrusion detection and intrusion prevention systems (IDS/IPS), create rules that flag emails from domains that closely resemble the company’s own domain (e.g., abc_company versus abc-company)
- Limit the information that employees post to social media and to the company website, especially information about job duties and descriptions, management hierarchy, and out-of-office details
- Consider adopting the Financial Industry Regulatory Authority (FINRA) standards to deter money laundering and fraudulent wire transfers
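To make the address-checking advice concrete, here is an added Python example (not code from the CTU report) that holds sender addresses which differ from known supplier contacts only by separator tricks (abc_company versus abc-company) or by a single added, removed, substituted or duplicated character. The contact list and sample addresses are constructed for illustration.

```python
import re

# Constructed sample of known supplier contacts (hypothetical, not from the page).
KNOWN_CONTACTS = {"accounts@abc-company.com", "sales@indochem-example.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(part: str) -> str:
    """Strip separators so abc_company and abc-company compare equal."""
    return re.sub(r"[-_.]", "", part.lower())


def classify_sender(address: str, known=KNOWN_CONTACTS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sender address."""
    address = address.strip().lower()
    if address in known:
        return "trusted"
    local, _, domain = address.rpartition("@")
    for contact in known:
        k_local, _, k_domain = contact.rpartition("@")
        # A domain that differs only by separators or by one character
        # (added, removed, substituted or duplicated) is a lookalike.
        if domain != k_domain and (normalize(domain) == normalize(k_domain)
                                   or levenshtein(domain, k_domain) == 1):
            return "lookalike"
        # Same domain, but the mailbox name was nudged by one character.
        if domain == k_domain and levenshtein(local, k_local) == 1:
            return "lookalike"
    return "unknown"


def flag_senders(addresses):
    """Return the addresses that should be held for manual verification."""
    return [a for a in addresses if classify_sender(a) == "lookalike"]


if __name__ == "__main__":
    SAMPLE = ["accounts@abc-company.com", "accounts@abc_company.com",
              "acounts@abc-company.com", "sales@indochem-exampple.com",
              "someone@unrelated.example"]
    for a in SAMPLE:
        print(f"{a:32} {classify_sender(a)}")
```

Addresses classified as unknown still deserve the out-of-band confirmation step above; the lookalike check only catches the near-miss spoofs this page describes.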