The operations and economics of organized criminal email groups

Register for the upcoming webinar: Top 6 Security Needs for APIs and Serverless Apps

Nine of the 10 captured organized criminal email groups operate out of Nigeria, they all leverage a multitude of attack methods, and business email compromise (BEC) is far more lucrative than any other attack, according to Agari.

criminal email groups

BEC is the most common attack type, indicative of a growing risk since the average age of the accounts was more than four years old, but BEC did not emerge until less than two years ago.

“While much of the high-profile attention paid to email security has focused on nation state actors, the reality is that American businesses are far more likely to be attacked by BEC scammers operating from Africa,” said Patrick Peterson, executive chairman, Agari. “The sad irony is that these foreign adversaries are using our own legitimate infrastructure against us in attacks that are far more damaging and much harder to detect than any intrusion or malware.”

Business email compromise leverages a variety of identity deception techniques, such as display name deception, to bamboozle organizations into making fraudulent payments. Typically, an attacker will impersonate the CEO of a company and request immediate payment to a vendor from its accounting team. In May 2018, the FBI IC3 “2017 Internet Crime Report” indicated that BEC losses increased to $675 million during 2017, more than 300 percent compared to $215 million in 2014.

Researchers analyzed a variety of email based attacks, including romance scams and rental scams, but even though BEC did not emerge as a trend until 2016, BEC attacks account for 24 percent of all attacks analyzed. BEC attacks produce more victims and result in higher dollar losses than any other criminal email attack. BEC attacks are also ten times more likely to produce a victim if the target answers an initial probe email, such as “Are you at your desk to make a payment?”

criminal email groups

A custom malware sample

Agari analyzed 59,652 unique messages accessed from 78 criminal email accounts to produce “Behind the ‘From’ Lines: Email Fraud on a Global Scale.” Key findings from the report include:

Nigerian scammers target American businesses

Nine out of the 10 criminal email groups appear to operate out of Nigeria. Agari has correlated many of these criminal email accounts with social media profiles and other personal registrations, producing a clear picture of their true identities.

BEC emerges as most popular, most effective attack vector

BEC attacks accounted for 24 percent of all attacks, with 0.37 victims per 100 probes, even though BEC attacks only have an initial response rate of 32 percent. BEC attacks are ten times more likely to produce a victim if the target answers an initial probe, with 3.97 victims per 100 answered probes. Romance scams accounted for 11 percent of all attacks, with 0.13 victims per 100 probes, even though it has a much higher initial response rate of 72 percent. Romance scams are also ten times more likely to produce a victim if the target answers an initial probe, with 1.54 victims per 100 answered probes.

Romance scams break more than the bank

Agari lays bare the tale of a Florida woman who exchanged more than 1,500 emails with an email scammer, believing him to be a wealthy expatriate living in Dubai. Over the course of six years, this woman lost more than $500,000 and was forced to sell her home after refinancing it to help pay a variety of fraudulent requests.

Man-in-the-Middle Account Takeover (ATO) targets real estate

Agari has identified a sophisticated actor that has compromised email accounts belonging to real estate brokers by sending them malware-infected documents. This master conman leverages these compromised email accounts to conduct ATO-based escrow scams that can potentially bankrupt his targets. Agari has reason to believe this individual, who appears to be operating out of Kenya, may actually be in the United States.

The big business of email compromise

Research reveals that criminal email accounts request payment ranging from $1,500 to more than $200,000, with an average request of $35,500. Additionally, Agari has categorized hundreds of bank accounts, social security numbers, passwords and PIN numbers that these organized crime groups have obtained through social engineering, business email compromise and account takeover.

“Business email compromise has become a pervasive threat — it is the most popular, the most effective, and the most damaging of all of the attacks we research,” said Peterson. “These organized crime groups will not stop these attacks, but whenever possible, Agari will be there to capture these criminal email accounts, to freeze their mule bank accounts and to pull back the mask of their true identity.”