Cyber SecurityInternet

When BEC scammers specialize

A group of BEC scammers has been focusing its efforts on the global maritime shipping industry, compromising emails accounts and attempting to trick targets into delivering considerable sums to bank accounts set up by the group.

Secureworks researchers have been tracking the group’s activities for quite a while and have been warning the targets. They estimate that between June 2017 and January 2018, the scammers attempted to steal a minimum of $3.9 million U.S. dollars from maritime shipping businesses and their customers in South Korea, Japan, Singapore, Philippines, Norway, US, Egypt, Saudi Arabia, and Colombia.

Preferred targets

“Companies involved in shipping industries are typically globally dispersed and operate in different time zones, meaning that they are often entirely reliant on email for conducting business transactions. Some maritime shipping businesses are therefore susceptible to BEC fraud methods,” the researchers noted.

Among the targets were companies companies that provide ship management services, port services, and cash to master services.

About the scammers

The group, dubbed Gold Galleon by the researchers:

  • Decides whom to send the phishing emails to after purchasing email lists of target businesses or scraping publicly available contact information from targets’ website
  • Purchases domains and registers email accounts that closely resemble the buyer or seller’s company name and employee email accounts.
  • Uses spear-phishing emails to deliver keylogging and password-stealing malware to company employees
  • Buys commodity keyloggers, RATs and crypters from online hacking markets, and test it on its own systems and tracks detection rates via online virus scanners.

Once a target’s system is compromised, the scammers use stolen credentials to access the business email account, harvest contacts from the address book, and use the access to get an idea of the company’s business dealings. And, when the right opportunity presents itself, they change the payment details in emailed invoices and hope that the buyer will not notice and will submit the payment.

After tracking the group’s activities for a while, the researchers believe that the group is based in Nigeria: they use Nigerian Pidgin phrases while communicating via instant messages, regularly connect to the Internet via Nigeria-based infrastructure, and use phrases, usernames, and passwords linked to a criminal subset of a well-known Nigerian human rights and social justice movement.

“The group appears to have a loose organizational structure, with activities coordinated by several senior individuals. Tasks are allocated to individuals in the group; for example, one group member may have responsibility for obfuscating the group’s RATs with crypters, while others are tasked with monitoring victims’ email for business transactions that are about to be invoiced,” they explained.

“Some senior members often handle the purchasing of malware, crypters, and infrastructure, and they frequently experiment with alternative tools. CTU researchers also observed senior members coaching and mentoring less-experienced group members and liaising with external providers of related criminal services (e.g., suppliers of mule accounts for transferring stolen funds and crypter sellers).”

Mitigating the risk

What’s good to hear that many of the fraud attempts the researchers warned targets about were already marked as suspicious by the targets themselves.

The researchers offer the usual advice to businesses looking to mitigate the BEC threat: use two-factor authentication for corporate and personal email, check for suspicious email redirect rules, carefully review wire transfer information in suppliers’ email requests, confirm wire transfer instructions independently (but not via email or any contact info contained in the emails), and be suspicious of changes to typical business practices and designated wire transfer activity.

They also believe it’s a good idea to create detection rules that flag emails with extensions that are similar to company email addresses and have provided a free tool that can detect suspicious edits to PDF invoice files.

Leave a Reply

Your email address will not be published. Required fields are marked *