[BreachExchange] Nigerian Police Arrest 11 Individuals in BEC Crackdown

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Thu Jan 20 09:26:33 EST 2022


https://www.darkreading.com/attacks-breaches/nigerian-police-arrest-11-individuals-in-bec-crackdown


Police in Nigeria, with the help of Interpol, have arrested 11 individuals
in the country for their alleged involvement in business email compromise
(BEC) scams associated with more than 50,000 targets worldwide.

Six of those arrested were identified as members of SilverTerrier, a known
BEC gang that is thought to have harmed thousands of companies globally and
has successfully evaded prosecution for more than five years.

A laptop belonging to one of the 11 alleged BEC operatives contained some
800,000 user names and credentials belonging to potential victim
organizations. Another arrested individual was found to have been
monitoring conversations between 16 companies and their customers, as well
as attempting to divert money to SilverTerrier accounts when transactions
between them were about to be made, Interpol said Wednesday.

The arrests happened in December and marked the culmination of a 10-day
operation called Operation Falcon II, in which the Nigerian Police Force
(NPF) used information supplied by Interpol to apprehend suspects in the
cities of Lagos and Asaba. As part of the operation, the NPF worked with
law enforcement authorities in several countries that were actively
investigating BEC activity in Nigeria. Also contributing to the effort were
Palo Alto Networks' Unit 42 and Group-IB's APAC Cyber Investigations Team.

"Operation Falcon II sends a clear message that cybercrime will have
serious repercussions for those involved in business email compromise
fraud," stated Craig Jones, Interpol's director of cybercrime. "INTERPOL is
closing ranks on gangs like 'SilverTerrier'; as investigations continue to
unfold, we are building a very clear picture of how such groups function
and corrupt for financial gain."

This is the second major Interpol-coordinated operation against BEC actors
in Nigeria in recent years. In November 2020 the NPF, acting on information
from Interpol and Group-IB, arrested three members of a group called
TMT that was thought to have compromised a staggering 500,000 organizations
in more than 150 countries.

In BEC scams, attackers using spoofed or stolen email accounts typically
trick targeted officials at a victim organization into making wire
transfers to attacker-controlled bank accounts, which are usually based in
another country. For example, an attacker may pretend to be a legitimate
supplier or vendor to trick an organization into paying a fraudulent
invoice. These scams involve a lot of targeted phishing and social
engineering in which fraudsters often pretend to be a high-level executive
or someone involved with wire transfer payments at the target company.

Numerous public- and private-sector entities have lost tens to hundreds of
thousands of dollars to these scams. Last March, the FBI reported receiving
19,369 BEC-related complaints in 2020 that together cost victims $1.9
billion, or nearly half of the total $4.1 billion in combined losses from
all forms of cybercrime that year.

Brian Johnson, chief security officer at Armorblox, says threat actor
interest in BEC scams remains high because of how effective these attacks
can be compared to other vectors.

"In the current business environment, every employee has an email address
that is public-facing," he says. "Unlike other infrastructure within the
company, email systems are open to public access and need to be accessible
by anyone and everyone."

This fact, combined with how trivial it often is for attackers to
understand the business workflow of an organization, makes BEC attacks easy
to design and execute. Additionally, BEC is often the gateway to other
forms of attacks, Johnson says.

"We have seen many threats that start as a BEC vector quickly morph into
other forms of cyberattacks like ransomware," he says.

Pete Renals, principal researcher at Palo Alto Networks' Unit 42, says
his company provided the telemetry, malware analysis, and forensic support
that resulted in the arrest of six SilverTerrier members.

"Previously, following the arrests in November 2020, Unit 42 identified
that we had historical forensic details on the actors and their associates
that would aid in the efforts to prosecute the members of SilverTerrier,"
he says.

Renals describes Operation Falcon II as taking a different approach from
the usual law enforcement tactic of targeting money mules and others that
directly benefit monetarily from BEC scams.

"Instead, it focused predominantly on the technical backbone of BEC
operations by targeting the actors who possess the skills and knowledge to
build and deploy the malware and domain infrastructure used in these
schemes," he says.

The Impact of Criminal Takedowns

As is often the case with arrests and law enforcement takedowns of
cybercrime activity, it's unclear how and whether Operation Falcon II will
make a dent in the BEC landscape.

One factor is the sheer number of cybercriminals engaged in the activity.
According to Renals, Palo Alto Networks is currently tracking over 500
threat actors tied to the SilverTerrier operation alone.

Previous arrests have done little to deter criminals from getting right
back into BEC scams. For instance, Darlington Ndukwu, an individual whom
Palo Alto Networks helped arrest as part of Operation Falcon II, was
previously arrested in 2018 as part of an FBI operation called WireWire. He
has continued to operate as part of the SilverTerrier operation since then,
suggesting the initial prosecution was ineffective, Palo Alto Networks
said. Similarly, Onuegwu Ifeanyi Ephraim, another SilverTerrier operative
who was snagged in the recent law enforcement action, was previously
arrested — along with three associates — in the November 2020 law
enforcement action in Nigeria.

Nigeria, a global hot spot for BEC activity, also has a booming tech
infrastructure and a very tech-savvy talent pool, Armorblox's Johnson says.
More than 100 million Nigerians have access to high-speed broadband
Internet, and this number is growing exponentially. The country also has a
large base of deeply skilled cybersecurity talent, he says.

"Eastern Europe, Russia, and North Korea are the other top three hot spots
for BEC activity," Johnson notes. "They go hand in hand with BEC and other
forms of attacks, including ransomware and crypto."