In coordination with the Nigerian Police Force, Interpol has arrested 11 individuals suspected of participating in an international BEC (business email compromise) ring.
BEC is an email-borne attack in which spear-phishing targets the employees who approve payments to contractors, suppliers, and other third parties.
By impersonating a coworker, a supervisor, or a client/supplier, BEC actors manage to divert payments to their bank accounts, essentially stealing them from the targeted company.
In the latest Interpol operation codenamed ‘Falcon II,’ which unfolded between December 12 and 22, 2021, the police followed leads provided by cyber-intelligence firms Group-IB and Palo Alto Networks’ Unit 42 to arrest suspects in Lagos and Asaba.
Members of the SilverTerrier gang
According to the forensic investigation and the evidence collected so far, Interpol believes that at least some of the arrested individuals belong to the BEC gang known as SilverTerrier (aka TMT).
This is the second blow against the group: Interpol had already arrested other members during ‘Falcon I’ in 2020.
“This preliminary analysis indicates that the suspects’ collective involvement in BEC criminal schemes may be associated with more than 50,000 targets,” details Interpol’s announcement.
“One of the arrested suspects was in possession of more than 800,000 potential victim domain credentials on his laptop.”
“Another suspect had been monitoring conversations between 16 companies and their clients and diverting funds to ‘SilverTerrier’ whenever company transactions were about to be made.”
Six actors with a history in BEC
According to a report shared with Bleeping Computer by Palo Alto Unit 42, most of the arrested individuals have had a lengthy involvement in or prior convictions for BEC scams.
The arrested individuals who were tracked and identified by Unit 42 are:
Darlington Ndukwu – active since 2014, using ISRStealer, Keybase, Pony, LokiBot, PredatorPain, and ISpySoftware. Registered websites such as “fbigov[.]org”, “annexbanks[.]com”, and “western-union[.]org”. He has also targeted security researchers, and was previously arrested during the FBI’s 2018 ‘WireWire’ operation.
Onuegwu Ifeanyi Ephraim – active since 2014, using LokiBot, PredatorPain, ISRStealer, Pony, NanoCore, AzoRult, ISpySoftware, AgentTesla, and Keybase. Registered domains such as “us-military-service[.]com” and “pennssylvania[.]com[.]mx”. He sponsored at least 30 BEC actors and was previously arrested for BEC activity in 2020. When released in 2021, he immediately returned to scams by registering “covid19-fundservices[.]com”.
Oyebade Fisayo – active since 2015, using ISRStealer, Pony, LuminosityLink, NanoCore, LokiBot, Keybase, Adwind, AgentTesla, PredatorPain, and ImminentMonitor. He publicly posted instructions on Facebook on how to use RATs. Registered domains such as “atlanticexpresslogistics[.]com” and “shipatlanticlogistics.co[.]uk”.
Kevin Anyanwu – active since 2015, operating the “hsbctelex[.]net” scam site.
Onukwubiri Ifeanyi Kingsley – active since 2016, using Pony and LokiBot. He was linked to at least 20 fraudulent domains, such as “qatarairways[.]pw”, and is believed to be a core member of the TMT gang.
Kennedy Ikechukwu Afurobi – active since 2014, using Pony, PredatorPain, and AzoRult. He is also directly linked to TMT group activity and registered almost a hundred domains used to distribute spear-phishing emails.
Hiding behind banks
Diverted payments arrive as ordinary bank transfers rather than hard-to-trace cryptocurrency, so the only way for BEC scammers to hide is to move the stolen amounts through further accounts in an attempt to obscure the money trail.
Unfortunately, many banks, especially in countries with weak anti-money-laundering regulation, insist on protecting their clients’ identities and refuse to reverse transactions that were part of a payment-diversion fraud.
However, the international collaboration and information exchange between law enforcement and intelligence agencies worldwide make it increasingly challenging for BEC actors to remain hidden.
How to defend against BEC
When you receive a request to send money, or to redirect all future payments to a new bank account, pick up the phone and call the supplier or colleague to confirm it.
Use a phone number you have confirmed to be valid in past communications, not a new number provided in the email itself.
To protect your email account from takeover, enable multi-factor authentication along with a strong and unique password.
Organizations should also reduce the risk of domain impersonation by registering likely typo-squatting variants of their own domain before a scammer does, and by instructing employees not to over-share business information online. Registering lookalikes does not stop direct spoofing of the real domain; that requires email authentication (SPF, DKIM and DMARC) on the domain itself.
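The two domain-side defences above, pre-registering typo-squat variants and catching lookalike sender domains before a payment goes out, can be automated. The script below is an added illustration, not code from the article, Interpol or Unit 42: it generates the variants of a domain worth registering or alerting on (the same patterns seen in the domains listed earlier, such as a doubled letter, a trailing “s” or a swapped TLD), and screens the sender domain of payment-related mail against a constructed list of trusted suppliers using a restricted Damerau-Levenshtein distance. The supplier list, the sample inbox and the thresholds are assumptions made for the example.

```python
"""Lookalike-domain screening for payment-related email (constructed example)."""
import re

# Visually confusable substitutions commonly used in lookalike registrations.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
# TLDs an impersonator might register the same label under.
ALT_TLDS = ("com", "net", "org", "co", "pw", "co.uk")

# Hypothetical list of suppliers the finance team pays; in practice this comes
# from the vendor master file, not from a hard-coded set.
TRUSTED_SUPPLIERS = {"annexbank.com", "western-union.com", "atlanticlogistics.com"}

PAYMENT_WORDS = re.compile(r"\b(wire|invoice|bank|account|iban|swift|payment)\b", re.I)


def typosquat_candidates(domain: str) -> set[str]:
    """Lookalikes of `domain` worth pre-registering or alerting on.

    Covers a doubled letter (pennssylvania), a trailing 's' (annexbanks),
    a swapped TLD (western-union.org), a dropped hyphen, plus single
    omissions, adjacent transpositions and homoglyph substitutions.
    """
    label, _, tld = domain.partition(".")
    variants = {label + "s", label.replace("-", "")}
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])                          # omission
        variants.add(label[:i] + ch + label[i:])                         # doubled letter
        if i + 1 < len(label):
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposition
        if ch in HOMOGLYPHS:
            variants.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])     # homoglyph
    candidates = {f"{v}.{tld}" for v in variants if v != label}
    candidates |= {f"{label}.{t}" for t in ALT_TLDS if t != tld}          # TLD swap
    return candidates


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment (restricted Damerau-Levenshtein) distance:
    insert, delete, substitute or swap two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def sender_domain(from_header: str) -> str:
    """Extract the (lower-cased) domain of the address in a From: header value."""
    m = re.search(r"<?[\w.+-]+@([\w.-]+)>?\s*$", from_header)
    return m.group(1).lower() if m else ""


def classify_sender(from_header: str, subject: str, trusted=TRUSTED_SUPPLIERS) -> str:
    """Return 'trusted', 'lookalike:<supplier>', 'unknown-payment' or 'unknown'.

    An exact trusted supplier domain passes.  A domain that is a generated
    typo-squat of a supplier, or within two edits of one (assumed threshold),
    is flagged so the payment can be held for the out-of-band phone check.
    """
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    for supplier in sorted(trusted):
        if domain in typosquat_candidates(supplier) or edit_distance(domain, supplier) <= 2:
            return f"lookalike:{supplier}"
    # Not a supplier at all: still worth a second look if it talks about money.
    return "unknown-payment" if PAYMENT_WORDS.search(subject) else "unknown"


# Constructed inbox for the demonstration, not real mail.
SAMPLE_INBOX = [
    ("Accounts <ap@annexbank.com>", "Invoice 4471"),
    ("Accounts <ap@annexbanks.com>", "Invoice 4471 - updated bank details"),
    ("ap@western-union.org", "Payment instructions"),
    ("billing@at1anticlogistics.com", "Please wire to new account"),
    ("CEO <ceo.office@gmail.com>", "Urgent wire transfer before 5pm"),
    ("news@vendor-newsletter.com", "Monthly update"),
]


def screen(inbox=SAMPLE_INBOX) -> list[tuple[str, str]]:
    """Classify every message; returns (sender domain, verdict) pairs."""
    return [(sender_domain(f), classify_sender(f, s)) for f, s in inbox]


if __name__ == "__main__":
    for domain, verdict in screen():
        print(f"{domain:32} {verdict}")
```

The candidate generator doubles as a registration shopping list: feed your own domain through `typosquat_candidates` and register (or at least monitor) the results. The edit-distance check catches variants the generator does not enumerate, at the cost of occasional false positives on very short domains, which is why flagged mail is held for the phone callback rather than rejected outright.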
Post updated to add more info shared with Bleeping Computer by Unit 42 on a subset of the arrested individuals.