What it Means to Truly Understand BEC

I’m sort of like the boogieman. If anyone mutters the phrase “BEC” somewhere on the internet, another person will chime in and say “Hey, ping @iHeartMalware. He knows all about it and is willing to help.” This is a task I have quietly accepted for quite some time; however, things are rapidly accelerating towards a breaking point in the space. The last 6 years of fighting, screaming, and trying to convince the world that “Yes, BEC sucks, we need to fix it” has left me rather hoarse.

Strangely enough, I often find that my biggest competitors in the space are Winnie-the-Xi who farts somewhere in China and likes arresting Muslims in concentration camps, or English-speaking Vladdy-Pu who thinks it’s a great idea to attack the corruption of capitalism with corruption, then gets all pissy when Navalny tries to call him out on it. You’re an asshole Vlad, and seriously, don’t polonium teabag me simply because I disagree with you on the internet. Frankly I’ve got bigger problems to deal with than you being a shithead to America.

But back to the topic at hand: what does it mean to truly understand Business Email Compromise?

Understanding BEC means that you know how DMARC works, as scammers will often spoof CEOs.

Understanding BEC means analyzing phishing emails, only to find bank accounts and routing numbers used to steal hundreds of thousands of dollars from a company.

Understanding BEC means knowing that each and every one of those bank accounts ties back to a romance victim, who was tricked into love simply because they were alone.

Understanding BEC means working with victims who struggle to leave the abusive relationship, simply because they don’t want to be alone again.

Understanding BEC means fighting for those victims and trying to convince the world that “No, we don’t need to call them a dumb bitch just because someone lied to them on the internet.” And that your local police department is really fucking heartless when it comes to this stuff.

Understanding BEC means tracking actors back to their origins, to only discover that they are involved in 419 other crimes. Fake checks? Car wrapping? Gift cards? W2 fraud? Advanced-fee fraud? Credential phishing? Unemployment fraud? Drug trafficking? Human trafficking? …Sacrifices?

Understanding BEC means that you know how actors target singles on Plenty of Fish, Facebook, Christian Mingle, Farmers Dating, HIV+ dating, elderly and international dating…and even when you have the exact words that are used, no one is able to help. Or even wants to help.

Understanding BEC is making small talk with victims about dogs because you know the second you hang up they’re going to be in tears. And you’ll be in tears too, but no one ever sees that.

Understanding BEC is Uber drives at Black Hat with victims who were in the scheme for 10 years, who fell for the lure because her spouse was abusive and she just wanted to be loved. It’s knowing about the lost home, children, credit, and the fact that there is no job other than an Uber.

Understanding BEC is understanding all of the loneliness, depression, anxiety, hopelessness, suicidal thoughts, and actual suicides from victims. It’s knowing the pain, suffering, and long nights that victims go through just to anxiously wait for that text saying “Good morning dear, can you open a bank account for me?” and not being able to escape. For years.

Understanding BEC is fighting for that victim who tried to commit suicide, was committed by her mother, who then explained everything to her “lover” only for the lover to calm her down with messages from the CIA and had her cashing checks and continuing the scam a week later. Then it’s fighting that Fortune 5 company for over 4 years just so they can begin to assist in the bleeding.

Understanding BEC is working with law enforcement to stop these threats, only for threats not to be stopped because “the victim doesn’t want to come forward,” “not enough money was stolen,” or “you’re giving us too much information for us to do anything about it.”

Understanding BEC is saying no, you won’t be getting your money back because you wired it 30 days ago. It’s also the occasional win, but just that: occasional.

Understanding BEC is being the one stupid enough to say “let’s see if we can work together to stop BEC,” only to uncover how big of a flaming shit pile of shit it really is.

Understanding BEC is watching $26 billion dollars fly out the window over 5 years.

Understanding BEC is watching $36 billion dollars fly out the window in 2020 due to unemployment fraud.

Understanding BEC is knowing that there are hundreds of thousands of victims out there, billions more that were lost, and not being able to do a single fucking thing about it.

Understanding BEC means studying Nigeria and the political tensions that exist there. It’s understanding the government corruption and the do-nothingness of Buhari, and understanding what #EndSARS really means.

Understanding BEC means learning about the massive unemployment problem in Nigeria, where 50% of the youth (15–35) are currently unemployed.

Understanding BEC means accepting the fact that yes, many of those 40 million people are without work, have to resort to scamming to make a living, are starving, or going without food because they can’t afford it.

Understanding BEC means understanding the twisted religions, practices, and perceptions that Yahoo Boys use and practice.

Understanding BEC means understanding the grandmother that was murdered for a voodoo sacrifice to enhance the powers of the scammers so they can steal more money from living (and lonely) grandmothers.

Understanding BEC means understanding the psychosis that unsuspecting women who get greedy and date Yahoo Boys are put through as unwitting participants of these voodoo rituals. Only to be left naked and alone in the streets, with every passing moment captured by a cell phone. * Hits upload button to Twitter and Facebook

Understanding BEC means understanding the abuse, beheadings, and knowing that there are mountains of victim photographs covered in juju candle wax, just so scammers can receive a blessing to take more money from their “clients.”

Understanding BEC means studying Nigerian rap culture and listening to hours of scammers rap about how they’ve stolen millions, only to find other rappers singing about the vast amount of corruption. It’s listening to folks like Davido, Naira Marley, Zlatan, and literally dozens of other Yahoo Boys who made their money and are trying to go “legit.”

Understanding BEC means understanding the selfish nature of Nigerian police, who would rather accept a bribe from a Yahoo Boy than arrest them.

Understanding BEC means understanding the infidelity in Lagos, where “positive role models” are virtually non-existent. It’s not having a mother, a father, or siblings. There could be a father, but who knows where he is at that point.

Understanding BEC is sending $50 in Bitcoin out of your own pocket to starving youth on multiple occasions who just want to learn about how computers work and get out of the environment where they are.

Understanding BEC is watching your peers talk about some cool piece of malware they found, only to realize that you’re standing on a literal pile of corpses, missing the days where bits and bytes being tossed between countries was your biggest concern.

Understanding BEC means warning everyone about the threat, about the pile of corpses, about the damage, and trying to call out the damage, only for it to go ignored as you silently fume in the corner.

Understanding BEC is sleepless nights studying culture, emotions, psychology, brain chemistry, dopamine, serotonin, anxiety, depression, social engineering, and feeling many of those emotions, only to realize how stupid arguing about masks or vaccines on Facebook really is.

Understanding BEC is walking away from the computer when the emotions get too high. It’s the crying, stress, panic attacks, and lying under heavy blankets because… just because.

But to truly understand BEC, you have to realize that Russia has started dabbling their toe in this, too.

Understanding BEC means watching sophisticated Russian actors sharpen their arrows, take aim, and fire it directly into the heart of Americans. It’s watching ransomware, Dyre, Trickbot, Emotet, and disinformation slowly creep in and, even after society was warned, they never took warning.

It’s watching ThreatConnect say that yes, Russia is a problem in 2016 only for the chief orange trumpkin to shit all over it, calling it a “conspiracy” and “Russian hoax” because Vladdy-Pu said it was.

Welcome to my life where conspiracies and reality meet. No cookies to be found in this timeline.

Understanding BEC means watching Russian BEC actors steal 10x the amount of money as their Nigerian counterparts, because they know how to socially engineer people. They understand exactly how to socially engineer a society with false information to watch them eat themselves from within. They understand the true power of feeding the narcissistic ego and how to twist a person to a shell of their former self, only to be left with monkeys regurgitating bullshit, screaming about how a piece of cloth over their mouth is oppression, or “Let’s go to Parler because Twitter might be actually removing false information, not just oppressing your rights.” But let’s trust the Parler’s Russian wife and Russian hosting provider who’s going to keep it running.

And everything is fine, right?

Understanding BEC means writing long letters to your peers with the hopes that for once they will take your advice when you say “don’t fuck up this investigation.” It’s running every other possible simulation through your head only to see absolute destruction in each and every outcome. It’s remembering back to those deleted Reddit posts where possible time travelers warned against certain things happening, only to question your own sanity with “Am I crazy? Were they right? Were those time traveling posts warning us about things to come actually correct?”

Understanding BEC means realizing that there are victims in 90% of the countries in the world, and 89.9% of that has no idea what’s going on. (That 89.9% may not be accurate, but it hopefully drives the point home…)

Understanding BEC is watching, working, and trying to fix the broken processes only for some new sexy hack to happen and everyone squirrels the fuck out when you’re like “no, things are actually broken.”

Understanding BEC means understanding the emotions that go along with anxiety, burnout, and depression, and it’s seeing it in your colleagues. It’s posting memes, saying “you got this” because you really do understand pain. More than you ever wished and more than they will (hopefully) ever understand.

Understanding BEC is realizing that while you’ve only been fighting this for 6 years, it’s simply the fact that problems have been ignored since the 90's. It’s realizing that people in Nigeria are just trying to feed and support their families, but the corruption has infected society so deeply that scamming each other is becoming the norm. Neighbors taking care of neighbors? Leave your humor at the door and please drop off your bribe to the nearest cop, or else they’re going to shoot your pregnant wife in the head over $10. This is Nigeria.

Understanding BEC is watching your colleagues struggle to cope with large-scale attacks like SolarWinds, only to know exactly how it feels and where they’re coming from, because you’ve literally spent the last 6 years in this hell.

Understanding BEC is working with international law enforcement and other governmental bodies to build awareness around this type of threat, only for international, foreign, and domestic laws to break down and tip the scales for the scammers.

Understanding BEC is being told “BEC isn’t important” and “no one cares” only to know that what you’re doing is right. Right by who? I’m afraid that the verdict is still out on that one.

But to truly understand BEC, you have to be the one who delivers the news and delivers the pain. You have to take all of that knowledge, death, darkness, anxiety, depression, and hell that you, the victims, scammers and world have been through and take your mark. You have to start pounding, grinding, and sharpening the diamond tipped arrow. It’s grabbing the twine, twisting it around the shaft and fletching the arrow with precision and accuracy, to ensure complete and utter destruction. It’s spending years watching society to figure out what the best way is to articulate how large a problem really is, and why it needs to be cared about. It’s reaching back and pulling the arrow out of the quiver, loading the bow, and rolling your shoulders as far as you can while pointing it directly at the hearts of the people you love. It’s soaking the arrow in the blood, evil magic, juju, voodoo, severed heads, corpses, and the rest of the darkness this world has to offer. It’s using the arrow to stir the pot with millions of emotionally abused victims on the brink of suicide, and in many cases…BANG.

At least we have one less victim to worry about, right? #SilverLinings

It’s aiming that arrow directly at the heart of all of the people you love, so that one day they might begin to understand the full context of what you really mean when you say “BEC sucks.” It’s showing them exactly what you’ve been trying to protect them against and spent countless hours, conferences, presentations, and emails trying to prevent, only for it to go ignored. It’s posting a meme not just for the laughs, but also for coping with whatever hell-on-Earth you just witnessed. Why does Ronnie always post memes? It’s because BEC is fucking horrible, that’s why.

Now, can you tell me again why your rights are being violated about wearing a mask to protect your neighbor, why I should care about your malware, or something something 5G Bill Gates and COVID? I promise I’ll do my best to listen, but I’ve been a little pre-occupied with things over the years.



This is me. Dystopia with a smile, stomper of fraud, caller-outer of BS. Not all Nigerians are scammers. #EndFraud #BEC #OSCP

Ronnie T

