Police in Nigeria, with the help of Interpol, have arrested 11 individuals in the country for their alleged involvement in business email compromise (BEC) scams associated with more than 50,000 targets worldwide.
Six of those arrested were identified as members of SilverTerrier, a known BEC gang that is thought to have harmed thousands of companies globally and has successfully evaded prosecution for more than five years.
A laptop belonging to one of the 11 alleged BEC operatives contained some 800,000 user names and credentials belonging to potential victim organizations. Another arrested individual was found to have been monitoring conversations between 16 companies and their customers, as well as attempting to divert money to SilverTerrier accounts when transactions between them were about to be made, Interpol said Wednesday.
The arrests happened in December and marked the culmination of a 10-day operation called Operation Falcon II, in which the Nigerian Police Force (NPF) used information supplied by Interpol to apprehend suspects in the cities of Lagos and Asaba. As part of the operation, the NPF worked with law enforcement authorities in several countries that were actively investigating BEC activity in Nigeria. Also contributing to the effort were Palo Alto Networks’ Unit 42 and Group-IB’s APAC Cyber Investigations Team.
“Operation Falcon II sends a clear message that cybercrime will have serious repercussions for those involved in business email compromise fraud,” stated Craig Jones, Interpol’s director of cybercrime. “INTERPOL is closing ranks on gangs like ‘SilverTerrier’; as investigations continue to unfold, we are building a very clear picture of how such groups function and corrupt for financial gain.”
This is the second major Interpol-coordinated operation against BEC actors in Nigeria in recent years. In November 2020 the NPF, acting on information from the Interpol and Group-IB, arrested three members of a group called TMT that was thought to have compromised a staggering 500,000 organizations in more than 150 countries.
In BEC scams, attackers using spoofed or stolen email accounts typically trick targeted officials at a victim organization into making wire transfers to attacker-controlled bank accounts, which are usually based in another country. For example, an attacker may pretend to be a legitimate supplier or vendor to trick an organization into paying a fraudulent invoice. These scams involve a lot of targeted phishing and social engineering in which fraudsters often pretend to be a high-level executive or someone involved with wire transfer payments at the target company.
Numerous public- and private-sector entities have lost tens to hundreds of thousands of dollars to these scams. Last March, the FBI reported receiving 19,369 BEC-related complaints in 2020 that together cost victims $1.9 billion, or nearly half of the total $4.1 billion in combined losses from all forms of cybercrime that year.
Brian Johnson, chief security officer at Armorblox, says threat actor interest in BEC scams remains high because of how effective these attacks can be compared to other vectors.
“In the current business environment, every employee has an email address that is public-facing,” he says. “Unlike other infrastructure within the company, email systems are open to public access and need to be accessible by anyone and everyone.”
This fact, combined with how trivial it often is for attackers to understand the business workflow of an organization, makes BEC attacks easy to design and execute. Additionally, BEC is often the gateway to other forms of attacks, Johnson says.
“We have seen many threats that start as a BEC vector quickly morph into other forms of cyberattacks like ransomware,” he says.
Pete Renals, principal researcher of the Palo Alto Networks’ Unit 42, says his company provided the telemetry, malware analysis, and forensic support that resulted in the arrest of six SilverTerrier members.
“Previously, following the arrests in November 2020, Unit 42 identified that we had historical forensic details on the actors and their associates that would aid in the efforts to prosecute the members of SilverTerrier,” he says.
Renals describes Operation Falcon II as taking a different approach from the usual law enforcement tactic of targeting money mules and others that directly benefit monetarily from BEC scams.
“Instead, it focused predominantly on the technical backbone of BEC operations by targeting the actors who possess the skills and knowledge to build and deploy the malware and domain infrastructure used in these schemes,” he says.
The Impact of Criminal Takedowns
As is often the case with arrests and law enforcement takedowns of cybercrime activity, it’s unclear how and whether Operation Falcon II will make a dent in the BEC landscape.
One factor is the sheer number of cybercriminals engaged in the activity. According to Renals, Palo Alto Networks is currently tracking over 500 threat actors tied to the SilverTerrier operation alone.
Previous arrests have done little to deter criminals from getting right back into BEC scams. For instance, Darlington Ndukwu, an individual who Palo Alto Networks helped arrest as part of Operation Falcon II, was previously arrested in 2018 as part of an FBI operation called WireWire. He has continued to operate as part of the SilverTerrier operation since then, suggesting the initial prosecution was ineffective, Palo Alto Networks said. Similarly, Onuegwu Ifeanyi Ephraim, another SilverTerrier operative who was snagged in the recent law enforcement action, was previously arrested — along with three associates — in the November 2020 law enforcement action in Nigeria.
Nigeria, a global hot spot for BEC activity, also has a booming tech infrastructure and a very tech-savvy talent pool, Armorblox’s Johnson says. More than 100 million Nigerians have access to high-speed broadband Internet, and this number is growing exponentially. The country also has a large base of deeply skilled cybersecurity talent, he says.
“Eastern Europe, Russia, and North Korea are the other top three hot spots for BEC activity,” Johnson notes. “They go hand in hand with BEC and other forms of attacks, including ransomware and crypto.”