, Major BEC Phishing Ring Cracked Open with 3 Arrests

Some 50,000 targeted victims have been identified so far in a massive, global scam enterprise that involves 26 different malwares.

Three men suspected of participating in a massive business email compromise (BEC) ring have been arrested in Lagos, Nigeria.

A joint INTERPOL, Group-IB and Nigeria Police Force cybercrime investigation resulted in the arrest of the Nigerian nationals, believed to be responsible for distributing malware, carrying out phishing campaigns and extensive scams worldwide.

In a BEC attack, a scammer impersonates a company executive or other trusted party, and tries to trick an employee responsible for payments or other financial transactions into wiring money to a bogus account. Attackers usually conduct a fair amount of recon work, studying executive styles and uncovering the organization’s vendors, billing system practices and other information to help mount a convincing attack.

, Major BEC Phishing Ring Cracked Open with 3 Arrests

The elements of this particular campaign are myriad, according to INTERPOL: The suspects are alleged to have developed phishing links and domains, then carrying out mass-emailing campaigns where they impersonated employees at various organizations.

Upon successful social-engineering efforts, they then spread 26 distinct malware variants to victims, including spyware and remote access trojans (RATs), according to law enforcement. The samples included AgentTesla, Loki, Azorult, Spartan and the nanocore and Remcos RATs.

While investigations are still ongoing, some 50,000 targeted victims have been identified so far.

“These programs were used to infiltrate and monitor the systems of victim organizations and individuals, before launching scams and siphoning funds,” according to INTERPOL, in a Wednesday announcement. “According to Group-IB, the prolific gang is believed to have compromised government and private-sector companies in more than 150 countries since 2017.”

According to the year-long investigation, dubbed “Operation Falcon,” the gang in question is divided into subgroups, and a number of individuals are still at large.

“This group was running a well-established criminal business model,” said Craig Jones, INTERPOL’s cybercrime director. “From infiltration to cashing in, they used a multitude of tools and techniques to generate maximum profits. We look forward to seeing additional results from this operation.”

The news comes as the average wire-transfer loss from BEC attacks is significantly on the rise: In the second quarter of 2020 the average was $80,183, up from $54,000 in the first quarter, according to the Anti-Phishing Working Group (APWG).

While Nigeria and West Africa are still top hotspots for BEC gangs, the APWG report found that the rise in dollar amounts could be driven largely by one Russian BEC operation, which has been targeting companies for an average of $1.27 million per effort.

The Russian BEC group, Cosmic Lynx, was spotted prowling around earlier this summer by researchers at Agari. It has launched more than 200 BEC campaigns since July 2019, which have targeted individuals in 46 countries on six continents, according to Agari’s statistics. Favorite targets include Fortune 500 and Global 2,000 companies, which helps explain the large paydays.

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from world-class security experts on new kinds of attacks, the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.