Three Nigerian nationals have been arrested in Lagos for their suspected involvement in Business Email Compromise (BEC) scams.
The three — identified only as OC, 32, IO, 34, and OI, 35 — are believed to be part of a larger organized crime group called TMT, which has been involved in malware distribution, phishing, and extensive BEC fraud.
According to the Interpol, the three likely set up phishing links, domains, and mass mailing campaigns. By impersonating representatives of organizations, the suspects leveraged the campaigns to deliver 26 malware families, including spyware and remote access tools.
Some of the malicious programs employed by the group include AgentTesla, Azorult, Loki, the nanocore RAT, Spartan, and Remcos RAT.
In preparation for launching the scams and stealing funds, the malware was leveraged to gain access to and monitor the systems of victim organizations and individuals.
Since 2017, the TMT group is believed to have targeted government and private sector companies in over 150 countries. Data extracted from devices pertaining to the three arrested members has helped identify approximately 50,000 victims.
The three were arrested as part of Operation Falcon, a year-long investigation conducted by Interpol and Singapore-based security firm Group-IB, with assistance from the Nigerian police.
Group-IB, which has been tracking the cybercrime ring since 2019, claims that roughly half a million government and private sector companies could have been compromised.
Furthermore, the security firm discovered that the group is divided into subgroups and says that a number of individuals who are members of the ring remain at large.
“The analysis of their operations revealed that the gang focuses on mass email phishing campaigns distributing popular malware strains under the guise of purchasing orders, product inquiries, and even COVID-19 aid impersonating legitimate companies,” Group-IB says.
Phishing emails were sent using Gammadyne Mailer and Turbo-Mailer, while MailChimp was employed to track whether recipients did open a message. Compromised email accounts were also used to send phishing messages.
The cybercriminals targeted organizations in the US, the UK, Singapore, Japan, Nigeria, and other countries, looking to steal login information from browsers, email, and FTP clients. The monetization methods are still under investigation, Group-IB says.
“This group was running a well-established criminal business model. From infiltration to cashing in, they used a multitude of tools and techniques to generate maximum profits. We look forward to seeing additional results from this operation,” Craig Jones, INTERPOL’s Cybercrime Director, said.
Related: COVID-19 Fuels Phishing and Scams While BEC Attacks Evolve and Increase
Related: Cybercriminals Stole $15 Million From 150 Companies in BEC Attacks
Related: Nigerian Threat Actors Specializing in BEC Attacks Continue to Evolve
