Scammers Mobilize Business Email Compromise: Agari

Business email compromise attacks have gone mobile. The initial contact still happens through email deception, but includes a request for a personal mobile number to better coerce the intended target.

Researcher James Linton in a blog for Foster City, Calif.-based Agari, which uses predictive artificial intelligence to stop advanced email attacks, defined how BEC covers a variety of techniques cybercriminals leverage to obtain money or data via identity deception. “One constant has remained throughout: the correspondence between scammer and victim was done, almost without exception, over email. This foundational conduit between attacker and victim has also now become the focus of evolution, with actors increasingly looking to transfer potential victims from email over to SMS.”

Like with most BEC attacks, these new campaigns, written to provoke a response, begin with an email sent to a potential victim. The sole variance is that the scammer includes a request for the recipient’s mobile phone number. By moving over to their mobile phone, the scammer equips their victim with all the functionality needed to complete the task. The report revealed a mobile device offers instant and direct messaging, the ability (in most cases) to still access email and take pictures, and far greater portability than a laptop or even a tablet. All this increases the scammer’s chances for achieving their desired outcome.

From the victim’s point of view, they must immediately decide about whether they trust the situation, and the scammer gets their initial green light that the plan is working once they receive a reply containing the requested cell number. “Whether this approach is more realistic than a purely email based exchange is, to a large extent, dependent on whether a mobile device is used in everyday communication within a targeted organization and would be quickly demonstrated by how the victim reacts to the initial request,” Linton wrote.

Agari, based on an analysis of campaigns using these tactics, noted the identity generally impersonated by an actor is that of the organization’s CEO. “Once a recipient replies with their cell number, the actor is immediately placed in a strong position.” They’ve minimized the risk of deception detection, and established a communication method with greater emphasis on a more instantaneous reply than its email counterpart.

Agari suggested in terms of operational security, the scammers do not increase their risks of identification by any tangible amount; and for gangs operating outside the U.S. costs no more than a few dollars to set up a temporary U.S.-based number. Plus, there are many legitimate services providing numbers both online and on Google and Apple’s respective app stores.

Having access to a U.S. number allows the scammer to create, for example, a Google Voice number, which is Agari mentioned is extremely popular with non-U.S. based cybergangs. Features such as assigning personalized greetings to specific callers, and sending and receiving SMS messages directly from a computer, allows the actor to remain within their primary operations center.

Scammers can also record and transcribe voice calls and voicemails within an email, which allows the gang to keep a detailed record of the interaction.

“What unfolds next between the fraudulent CEO and their employee is fairly typical of how an email-based gift card scam plays out,” the Agari blog held. There are some subtle differences.

The blog reported in a mobile BEC scam, the actor can play a greater role in guiding the victim throughout the entire gift card buying process.

The SMS dialogue also lends itself to getting the gift cards into the scammer’s hands quickly. “Scammers generally ask a victim to take a picture of the back of the gift cards, after revealing the redemption codes.” Once the scammer has pictures of the gift cards and redemption codes, they waste no time in laundering the gift cards through online services.

Agari recently reported about a group called Scarlet Widow, which launders gift cards through Paxful, an online peer-to-peer marketplace, which allows users to buy bitcoin from other users using hundreds of different payment methods, including different types of gift cards. However, sellers take a significant hit when it comes to exchange rate. For example, most Apple iTunes gift cards trade for 40 to 80 cents on the dollar.