Agari, a firm that offers protection against email-borne threats, has spent the last 10 months analyzing the targets, tactics and identities of 10 separate criminal organizations. All ten organizations concentrate on email scam attacks; and nine of the ten are located in Nigeria.
While this does not prove that 90% of email scams come out of Nigeria, it is probably fair to say that Nigeria dominates this vector. The organizations were originally selected via scam emails targeted at Agari customers and blocked by Agari software. But Agari’s analysis is far more than just an investigation into known scamware.
Chief scientist Markus Jakobsson told SecurityWeek that he and his team developed a method of gaining access to the scammers’ own mailboxes, using what he describes as responsible active defense. The responsible element includes gaining FBI ‘acquiescence’ on the project. It is described as ‘active defense’ because it falls short of ‘hacking back‘. “You could describe it,” he told SecurityWeek, “as a process of socially engineering the social engineers.”
During the course of the project using this methodology, he and his team captured 78 criminal email accounts belonging to 10 different criminal organizations and containing 59,652 unique emails. In a report (PDF) published Tuesday, Agari was able to analyze the process and progress of email scams rather than just the content of individual scam emails.
Just like cybercriminals globally, the Nigerian scammers are becoming more sophisticated (using, for example, persistent and stealthy malware to penetrate organizations’ email accounts), and are beginning to direct their attention against commercial organizations rather than individual computer users. As elsewhere, ‘profit’ is the motive: business email compromise (BEC) attacks require less individual effort for a much higher return.
Agari’s research shows that the average BEC incident nets $35,000 for the criminals. 3.97% of people who answer a BEC email become victims — and 24% of all email scams are now BEC. In June 2017, the FBI reported that the total worldwide dollar loss to BEC scams was in the region of $5.3 billion.
BEC works by the scammer masquerading as the company president or CEO, and requesting that Finance should send an urgent payment to a customer or business partner. The figures show that it is remarkably successful. But despite its success and despite the higher returns on effort, it is not the most frequent scam. That remains — from the same criminal organizations — the romance scam.
This is a primary method, along with work-from-home scams, used to recruit the money mules needed to get money out of the country (asking Finance to wire money direct to Nigeria or China or the Philippines would probably fail at the first hurdle). “Recruiting money mules is a full-time effort for each of the groups we captured. As the scammer groups are typically based overseas, a successful scamming operation is entirely dependent on money transfer techniques that evade suspicion.”
Typically, a romance scam works by first making contact through a dating website. As soon as possible, the conversation is moved to a separate communications channel, and the scammer starts to ask for small sums of money to help with some contrived hardship. “Once the victim starts complaining about money, offer them a way to get all of their money back by simply cashing a couple of checks and sending part of the money to the scammer via MoneyGram or Western Union.”
Once this happens, the romance victim becomes susceptible to blackmail and a money mule (or money launderer) has been recruited. Money scammed from other victims is not wired directly abroad, but wired to the local mule’s bank account, and from there on to its overseas destination.
The details of such scams — and many more categories are discussed in the Agari report — are already well-understood. What is new, however, is Agari’s ability to monitor the captured criminal email accounts over time and see the scam unfolding; both the scammers’ requests and the victims’ replies.
On several occasions Agari was able to step in and warn the victim. In November 2017, for example, it warned 5 real estate firms that their email had been compromised. In April 2018, “an Agari researcher identified [a] BEC attack and was able to warn the accounts payable team just in time to reverse the wire payment. The response from the victim was a condemnation of the attacker using words too colorful to print.”
The Agari project is an example of the growing determination of cyber defenders to stop being entirely reactive to threats, and to begin an offensive against the attackers. It is an excellent example of the potential of the concept of active defense. Not only was Agari able to disrupt criminal activity, capture of the criminals’ email accounts enabled them to identify many of the individual criminals.
“In close partnership with law enforcement, our customers and our partners, “says the report, “Agari will continue to capture and report identity-based attacks and help turn the tide of online crime.”
Agari raised $22 million Series D funding in May 2016, bringing the total raised by the company to $44.7 million.