September 2015 is when it all started. At the time I was working at PhishMe (now Cofense), and our CFO received a shady looking email, asking if he was busy.
“I have no idea what this is, can you guys take a look at it? Rohyt didn’t send this email.”
Aaron and I started looking at the email to figure out what was going on. At the time emails never needed a response, because malicious emails were just that: malicious, and always contained malware. This one was a little different, as there was no malware to be found. Where’s the macro or link? Where’s the payload? My handle is literally “iHeartMalware”, but there’s no way to infect a user with this. It’s just someone asking fo-AH HA!
The email wanted our CFO to do a wire transfer, but we were still lacking context. Why did they want a wire transfer? Aaron suggested responding to the scammers to see how it played out, and we did. Without missing a beat the scammers responded, sent a bank account, and asked us to transfer money to an account under their control. We published the research, and even referenced the 2015 FBI statistics from Mr. Brian Krebs himself: victims have lost 1.2 billion dollars to Business Email Scams. OMG, a billion dollars? That’s a lot of money being lost, and we should probably start trying to figure this out.
Current me is looking back at past me:
The more we studied this new thing called business email compromise, the worse it got. We started working with other private companies to try and understand the problem, and that’s when the BEC mailing list was born. Christmas of 2015. Initially we were 100 security professionals and 10 FBI agents, and our goal was that: to study and begin to understand how this BEC mess worked. Everything was held at the TLP:Red level as a way to ensure that information could be shared freely and securely, and collaboration worked. It worked really well. 110 people, we got this, right? …Right?
We flew under the radar for three years until we were nominated for the JD Falk Award in 2018. After polling the 530 members from private companies, Fortune 500 companies, and domestic and international law enforcement, the vote was a “yes” to accept the award. Through this collaboration, we were able to prevent millions of dollars of fraud, took down thousands of actor email accounts, and gained a deep understanding of how the ecosystem works. Based on our findings, we were able to identify romance victims (used as money mules to wire funds), W2 fraud, real estate scams, and lottery scams, all being part of the BEC scheme.
In 2019, I was hired at Agari where we focus on BEC research. Throughout our research, we were able to uncover a cyber gang that we called “Scattered Canary”, who was responsible for over a decade of fraud. Throughout our research, we were able to identify Craigslist, romance, mystery shopper and employment scams, social security, retirement, unemployment, FAFSA, and tax return fraud, as well as BEC, credit card fraud, credential phishing, payroll diversion, and wire transfer requests tying back to the same group. Pic related.
Yes it’s all related, no we aren’t blowing smoke. Yes we have plenty of evidence to support our facts and are happy. Here’s a direct link to the report before anyone calls “Crown Sterling” on me.
As time went on, we uncovered more BEC groups doing other things. Some laundered gift cards, some did ATO to MiTMBox just to inject a mule account, others asked for aging reports to impersonate your company, and others asked for W2s for all of your employees. If I had to count, we’re up to 419 problems of BEC, but who’s counting?
Sadly, I am. Or at least I was trying to.
I tried counting dollars flying out the window, the number of romance victims whose lives have been devastated, the number of depressed and suicidal victims, the foreclosed homes, the hundreds of fake checks, the thousands of W2s, the thousands of romance profiles and email accounts, and all of the other related crimes, but I officially lost count around $30 billion of confirmed BEC fraud.
BEC? You know, that thing that’s 40% of all cybercrime in 2019. When you look at other crimes that are tied to BEC, almost 70% of cybercrime reported to the FBI directly ties to Nigerian fraud.
You see, all of these things have traditionally been done by Nigerian actors, or Yahoo Boys, if you will. Those low-tech phishing kits, poorly written emails, romance profiles, and “that has to be someone whose native language isn’t English on the other end of the keyboard” are responsible for the biggest piece of the pie.
(Fun Nigeria fact: English is the primary language)
But here’s the thing…we wanted to pretend that this wasn’t our problem because users are “stupid” or “don’t know better”.
$30 billion is a lot of money because someone should know better.
$30 billion is a lot when it’s all 50 states.
$30 billion is a lot when it’s 177 countries.
Getting angry yet? Good, because all of that was before 2020. But you’d better buckle up, because the story gets worse. Much worse.
So where is BEC now? It turns out that Scattered Canary, the BEC group with (now over) a decade of fraud under their belts, is targeting unemployment funds. In multiple states. With hundreds of millions of dollars being stolen from Washington state. (Well, technically from the taxpayers, aka me and you?) But thankfully $333 million was recovered. Did I mention the dozens of other states, too? Or the CARES Act fraud? Or the other COVID relief funds that were meant for the American people, but are being used to buy expensive cars in foreign countries?
Here we are today, where one of the “simplest” and oldest forms of social engineering on the internet has caused the biggest hurt due to everything it overlaps with. It’s a mangled web of suck where there is no end to even begin untangling it. BEC isn’t new, but it’s a symptom of 419 and “Nigerian prince” fraud that was ignored. It’s super effective in its simplest form, and we’ve lost billions because of it. Not to mention the lives, abuse, and depression that goes along with being a victim.
Things are bad right now, but if I had to come up with the worst case scenario for BEC, what would it look like? The day I have always dreaded is when more sophisticated groups figure out that they don’t need to use malware in order to make a dollar. Why spend the time, money, energy, and risk purchasing malware, being detected, leaving a trail, having infrastructure taken over, losing your work, or ransoming a device when you can simply just…ask for the money?
And if it’s worded well enough, you can probably go after higher value targets. And ask for higher amounts of money.
Welcome to today, the day I have always feared. I have tried to prevent this day for the last 5 years. Hundreds on the BEC list have tried to prevent this day for the last 5 years. Over 1,000 people on the BEC Slack have tried to prevent this.
But more importantly, hundreds of people who came before me, and who fought 419 and related fraud 20 years before today, tried to prevent this.
And no one listened. Well…a few did, and to all of those who have been fighting the good fight you’re awesome human beings. The world will never understand how much of an impact you truly had.
Now that we have a sophisticated BEC group that has perfect English, perfect French, and amazing opsec, uses bulletproof hosting, monitors communications, has ties to the Russian underground, and performs reconnaissance against targets, maybe now we can finally put our petty differences aside, because this now affects all of us. If BEC is such a simple and unsophisticated problem, why not put your money where your mouth is and try to do something about it?
Enter Cosmic Lynx from stage left, a sophisticated BEC group that knows what the hell they’re doing. Welcome to the new age of BEC.
BEC isn’t new, and there are victims on both sides of the fraud. This is no longer my problem; it’s now your problem. Well, technically it’s our problem now, because I’m not going away until this thing is solved for everyone.
Didn’t think you could shut me up that easily, did you? :)
Now…what are we going to do about it?