Global Criminal Email Rings Threaten Businesses, Bank Accounts: Agari
BEC leverages deception techniques, such as display name deception, to trick organizations into making payments.
Business email compromise (BEC) emerged as the most prevalent and effective attack vector, San Mateo, Calif.-based cybersecurity company Agari revealed in a research report at the FS-ISAC 2018 Annual Summit.
“Behind the ‘From’ Lines: Email Fraud on a Global Scale,” which provides insight into the operations and economics of organized criminal email groups, also exposed that nine of the 10 captured organized crime groups operate out of Nigeria. Though they all leverage a multitude of attack methods, BEC is far more lucrative than any other attack.
“While much of the high-profile attention paid to email security has focused on nation state actors, the reality is that American businesses are far more likely to be attacked by BEC scammers operating from Africa,” Patrick Peterson, founder and executive chairman, Agari, said. “The sad irony is that these foreign adversaries are using our own legitimate infrastructure against us in attacks that are far more damaging and much harder to detect than any intrusion or malware.”
Agari said BEC leverages a variety of identity deception techniques, such as display name deception, to trick organizations into making payments. Typically, an attacker impersonates the company CEO and asks the accounting team to make an immediate payment to a vendor. In May 2018, the FBI IC3 “2017 Internet Crime Report” indicated BEC losses increased to $675 million during 2017, compared to $215 million in 2014.
Agari analyzed 59,652 unique messages accessed from 78 criminal email accounts to produce its report. The researchers analyzed a variety of email-based attacks, including romance and rental scams, but even though BEC did not emerge as a trend until 2016, BEC attacks accounted for 24% of all attacks analyzed. BEC attacks produce more victims and result in higher dollar losses than any other criminal email attack.
Key findings from the report include:
- Research revealed criminal email accounts request payments ranging from $1,500 to more than $200,000, with an average request of $35,500. Additionally, Agari categorized hundreds of bank accounts, social security numbers, passwords and PINs that organized crime groups obtained through social engineering, BEC and account takeover.
- Nine out of the 10 criminal email groups appear to operate out of Nigeria. Agari correlated many of these criminal email accounts with social media profiles and other personal registrations, producing a clear picture of their true identities.
- Even though BEC attacks have an initial response rate of only 32 percent, they are ten times more likely to produce a victim if the target answers an initial probe email, such as “Are you at your desk to make a payment?”
- Romance scams, which accounted for 11% of all attacks, are also ten times more likely to produce a victim if the target answers an initial probe. Agari mentioned a Florida woman who exchanged more than 1,500 emails with an email scammer, believing him to be a wealthy expatriate living in Dubai. Over the course of six years, this woman lost more than $500,000 and had to sell her home after refinancing it to help pay a variety of fraudulent requests.
- Agari identified a sophisticated actor who compromised email accounts belonging to real estate brokers by sending them malware-infected documents. This scammer leveraged these compromised email accounts to conduct account-takeover-based escrow scams that could potentially bankrupt targets. Agari believes this individual, who appears to be operating out of Kenya, is in the United States.
“Business email compromise has become a pervasive threat — it is the most popular, the most effective, and the most damaging of all of the attacks we research,” Peterson said. “These organized crime groups will not stop these attacks, but whenever possible, Agari will be there to capture these criminal email accounts, to freeze their mule bank accounts and to pull back the mask of their true identity.”