

A Look at Business Email Compromise Scam, the Costliest Type of Cybercrime



A shopping spree in Beverly Hills, a luxury vacation in Mexico, a bank account that jumped from $299.77 (roughly Rs. 22,740) to $1.4 million (roughly Rs. 10.6 crore) overnight.

From the outside, it looked like Moe and Kateryna Abourched had won the lottery.

But this big payday didn’t come from lucky numbers. Rather, a public school district in Michigan was tricked into wiring its monthly health insurance payment to the bank account of a California nail salon the Abourcheds owned, according to a search warrant application filed by a Secret Service agent in federal court.


The district — and taxpayers — fell victim to an online scam called Business Email Compromise, or BEC for short, police say. The couple deny any wrongdoing and have not been charged with any crimes.

BEC scams are a type of crime where criminals hack into email accounts, pretend to be someone they’re not and fool victims into sending money where it doesn’t belong. These crimes get far less attention than the massive ransomware attacks that have triggered a powerful government response, but BEC scams have been by far the costliest type of cybercrime in the US for years, according to the FBI — siphoning untold billions from the economy as authorities struggle to keep up.

The huge payoffs and low risks associated with BEC scams have attracted criminals worldwide. Some flaunt their ill-gotten riches on social media, posing in pictures next to Ferraris, Bentleys and stacks of cash.

“The scammers are extremely well organised and law enforcement is not,” said Sherry Williams, a director of a San Francisco nonprofit recently hit by a BEC scam.

Losses in the US to BEC scams in 2021 were nearly $2.4 billion (roughly Rs. 18,200 crore), according to a new report by the FBI. That’s a 33 percent increase from 2020 and more than a tenfold increase from just seven years ago.

And experts say many victims never come forward and the FBI’s numbers only show a small fraction of how much money is stolen.

“It’s one of the most lucrative things out there,” said Shalabh Mohan, chief product officer at Area 1 Security.


In the nail salon case involving Grand Rapids, police say $2.8 million (roughly Rs. 21 crore) was stolen. Banks were able to recall about half that amount once the scam was discovered, court records show.

A Secret Service agent said in an affidavit as part of a search warrant application that someone hacked into the email account of one of the school district’s human resource employees and sent emails that persuaded a colleague in the finance department to change the bank account where the health insurance payments were sent.

The emails were brief and unfailingly polite. “Please kindly update” the records, one of them said — words the real HR employee would later tell police she never uses, according to the affidavit.

Police tracked the money to the salon’s bank account owned by the Abourcheds, the affidavit says. After the theft was detected, Moe Abourched contacted a Grand Rapids police detective and said he’d been fooled by a European woman named “Dora” into accepting the funds and forwarding them to other accounts, according to the affidavit.

The Secret Service agent said Abourched’s claims were false and he’d used a similar ruse with police after he received money from a BEC scam targeting a Florida storage company.


Police put the couple under surveillance and in October searched their apartment, offices and BMW, court records show. Police said earlier this year they needed more time to examine the data in the couple’s phones and computers.

The Abourcheds’ lawyer, Kevin Gres, said his clients have done nothing wrong and no charges should be filed.

“My clients were unwitting victims in this scheme,” he said.

BEC scammers use a variety of techniques to hack into legitimate business email accounts and trick employees into sending wire payments or making purchases they shouldn’t. Targeted phishing emails are a common type of attack, but experts say the scammers have been quick to adopt new technologies, like “deep fake” audio generated by artificial intelligence to pretend to be executives at a company and fool subordinates into sending money.
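The cases in this article share one mechanic: an emailed request changes where a recurring payment goes, and the next scheduled payment lands in the new account. One control against that is to hold payments to any payee whose bank details changed recently until the change has been verified by a callback to a contact number on file from before the change. The following is an added example in Python, not code from the article or from any organisation it describes; the data classes, the 30-day hold window and the sample records are assumptions constructed for illustration.

```python
"""Payee bank-change hold: a control against the wire-redirect BEC pattern.

Assumptions (constructed for this example): payees carry a history of
bank-detail changes, each tagged with how it was requested and whether it
was confirmed by a callback to the contact number held BEFORE the change
(never a number supplied in the requesting email).
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

HOLD_WINDOW_DAYS = 30  # assumed policy: changes newer than this need verification


@dataclass
class BankChange:
    changed_on: date
    requested_via: str             # "email", "portal", "in_person"
    new_account_last4: str
    verified_by_callback: bool = False


@dataclass
class Payee:
    name: str
    account_last4: str
    changes: list = field(default_factory=list)


@dataclass
class Payment:
    payee: Payee
    amount: float
    pay_date: date


def decide(payment: Payment) -> tuple:
    """Return ('release' | 'hold', reason) for one scheduled payment."""
    recent = [c for c in payment.payee.changes
              if 0 <= (payment.pay_date - c.changed_on).days <= HOLD_WINDOW_DAYS]
    if not recent:
        return ("release", "no bank-detail change inside the hold window")
    latest = max(recent, key=lambda c: c.changed_on)
    if latest.verified_by_callback:
        return ("release", "recent change verified out of band")
    if latest.requested_via == "email":
        return ("hold", f"email-requested change to ...{latest.new_account_last4} not verified")
    return ("hold", "recent unverified bank-detail change")


def build_sample_payments() -> list:
    """Constructed sample batch: a monthly insurance payment whose payee bank
    details were changed by email ten days earlier and never verified, a vendor
    whose emailed change was confirmed by callback, and an unchanged payee."""
    pay_date = date(2021, 8, 1)
    insurer = Payee("Health insurer (constructed)", "9912",
                    [BankChange(pay_date - timedelta(days=10), "email", "9912")])
    vendor = Payee("Verified vendor (constructed)", "4471",
                   [BankChange(pay_date - timedelta(days=5), "email", "4471", True)])
    unchanged = Payee("Long-standing payee (constructed)", "1203")
    return [Payment(insurer, 250_000.00, pay_date),
            Payment(vendor, 12_500.00, pay_date),
            Payment(unchanged, 980.00, pay_date)]


def run_holds(payments: list) -> dict:
    """Map payee name -> decision so a batch can be released per payee."""
    return {p.payee.name: decide(p)[0] for p in payments}
```

The hold is deliberately keyed on the payee record rather than on the email, so it catches a change made through a genuinely compromised internal account, which is the case the article describes.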

In the case of Williams, the San Francisco nonprofit director, thieves hacked the email account of the organisation’s bookkeeper, then inserted themselves into a long email thread, sent messages asking to change the wire payment instructions for a grant recipient, and made off with $650,000 (roughly Rs. 5 crore).


After she discovered what happened, Williams said, her calls to law enforcement went nowhere.

The FBI told her the local US attorney’s office won’t take her case. She flew to Odessa, Texas, where the bank that initially received the stolen money was located. The money by then was long gone and the local detective was powerless to help. Williams asked her US senators for help and later learned the Secret Service was investigating, but said it hasn’t given her any updates.

Crane Hassold, an expert on BEC scams and former cyber analyst with the FBI, has heard of federal prosecutors declining to take BEC cases unless several million dollars were stolen, a minimum threshold that speaks to how out of control the problem is.

“There’s so many of them they can’t possibly work them all,” said Hassold, now director of threat intelligence at Abnormal Security.

Almost every enterprise is vulnerable to BEC scams, from Fortune 500 companies to small towns. Even the State Department got duped into sending BEC scammers more than $200,000 (roughly Rs. 1.5 crore) in grant money meant to help Tunisian farmers, court records show.


The Justice Department has launched months-long operations in recent years that have netted hundreds of arrests worldwide.

“Our message to criminals involved in these types of BEC schemes will remain clear: The FBI’s memory and reach is long and wide-ranging, we will relentlessly pursue you no matter where you may be located,” said Brian Turner, executive assistant director of the FBI’s Criminal, Cyber, Response, and Services Branch.

But security experts say the wave of arrests has had little impact, and the FBI’s own numbers show that BEC scams continue to grow at a rapid clip.

“You can arrest 100 of the guys and there’s no ripple effect,” said Hassold.

Many of those arrested by US authorities are lower-level “money mules,” who move stolen money around the banking system until it’s out of reach to authorities.


“Mules” don’t need hacking skills and come from a variety of backgrounds. A South Florida man, Alfredo Veloso, pleaded guilty in 2019 after prosecutors say he recruited women he met through his business making “kink pornography” videos to be money mules for BEC and other cyberscams.

Sophisticated BEC scams targeting businesses and other organisations started taking off in the mid-2010s. It was also around that time when ransomware attacks — in which hackers break into networks and encrypt data — started to grow in frequency and severity.

For years both BEC scams and ransomware attacks were treated largely as a law enforcement problem. That’s still true for BEC attacks, but ransomware is now a key national security concern after a series of disruptive attacks on critical infrastructure like the one last year against the biggest fuels pipeline in the US that led to gas shortages along the East Coast.

The National Security Agency’s hackers have taken action to disrupt ransomware operators’ networks. The Justice Department set up a ransomware task force to better organise the law enforcement response. And US President Joe Biden has pressed the issue directly with President Vladimir Putin of Russia, where many ransomware operators are located.

Nothing close to those efforts has been deployed against BEC fraud despite the huge financial losses.


“It’s a bunch of tiny little silos, and they still haven’t figured out a way to have just a single source that goes after these things,” said John Wilson, a threat researcher at the cybersecurity firm Agari.

If the US were to launch a whole-of-government response to BEC fraud, it almost certainly would focus heavily on Nigeria.

Nowhere are BEC fraudsters more active than in Africa’s most populous nation, where scammers have been able to operate almost unchecked for decades. The well-worn Nigerian Prince scam may now be a global punchline, but a new generation is making fortunes through sophisticated BEC fraud.

BEC scammers from Nigeria are glorified in pop songs and show off their wealth on Instagram and Facebook, posing with expensive cars or piles of money.

Ramon Abbas, a well-known Nigerian social media influencer who went by Ray Hushpuppi, had more than 2 million followers on Instagram before he was arrested in Dubai. Abbas’ social media posts showed him living a life of total luxury, complete with private jets, ultra-expensive cars and high-end clothes and watches.


“I hope someday I will be inspiring more young people to join me on this path,” read one Instagram post by Abbas, who pleaded guilty in the US to international money laundering related to BEC and other cybercrimes last year. His sentencing is currently set for July.

Pete Renals, a threat researcher at Palo Alto’s Unit 42, said tech-savvy Nigerian criminals started learning how to use available malware to steal victims’ credentials around 2014. As the software changed, the scammers changed too. In 2018, he said, researchers started seeing Nigerian malware being developed in-country by the BEC scammers themselves.

“It does not seem like there’s a whole lot slowing them down,” he said. They see “no reason to stop.”

Obinwanne Okeke was one of Nigeria’s best known young entrepreneurs when he was a featured panelist at an event hosted by the prestigious London School of Economics.

“If it’s not born in you to take up challenges, you cannot do it,” Okeke said at the 2018 event when discussing his entrepreneurial drive.


But just days before he made those comments, Okeke had been busy sending fake invoices and defrauding the British sales office of the heavy equipment manufacturer Caterpillar out of $11 million (roughly Rs. 83 crore) through a BEC scam, according to the FBI. He was arrested at Dulles Airport outside Washington in 2019, pleaded guilty to wire fraud a year later and is now serving a 10-year prison sentence.

BEC scammers arrested by police in Nigeria often have better luck and win back their freedom by paying fines or bribes, experts say. Adedeji Oyenuga, a sociology professor at Lagos State University who has studied cybercrime culture, said BEC scammers have little fear of being punished if caught.

“The person will walk around the streets freely knowing nobody is going to say anything about what he or she is doing,” Oyenuga said.

In the Hushpuppi case, US prosecutors have also charged Abba Kyari, a top Nigerian law enforcement official who prosecutors say falsely imprisoned one of Abbas’ criminal rivals. Kyari remains in Nigeria, where media reports say he’s been arrested on separate charges related to alleged drug smuggling.

Doug Witschi, an assistant director at the global police organisation Interpol, said tech companies that help facilitate BEC crimes need to be more active in stopping such behavior.


“We can’t arrest our way out of this challenge,” he said.

Unlike ransomware operators who try to keep their communications private, BEC scammers often openly exchange services, share tips or show off their wealth on social media platforms like Facebook and Telegram.

A Facebook group called Wire, which was until recently available to anyone with a Facebook account, acted as a message board for people to offer BEC-related services and other cybercrimes.

The page, which had a profile picture of a duffle bag filled with cash, was created in 2015 and had more than 1,400 members. It was taken down shortly after The Associated Press asked Facebook about it last month. The company declined comment.

In the case of the stolen Grand Rapids money, it was social media that helped law enforcement when seeking a federal judge’s approval for a search warrant.


Included in the application was a vacation Instagram post by Kateryna Abourched, which linked the timing of her trip with a $3,503 (roughly Rs. 2 lakh) payment to a luxury resort in Mexico made from the bank account that had received the stolen Grand Rapids money.

“Vacation is always inspiring,” she wrote in her Instagram post.

Google to Allow Tinder Owner Match to Offer Alternate Payment Systems to Users on Play Store



Match Group said on Friday that Alphabet’s Google will allow the dating apps maker to offer users a choice in payment systems, eliminating Google’s control over user data.

Match sued Google in May, calling the action a “last resort” to prevent Tinder and its other apps from being booted off the Google Play store for refusing to share up to 30 percent of sales.

The company said it has withdrawn its request for a temporary restraining order against Google after some concessions, including eliminating its complete control over user data.


Match’s lawsuit came against the backdrop of ongoing cases brought by Fortnite maker Epic Games, dozens of US state attorneys general and others in targeting Google’s allegedly anticompetitive conduct related to the Play store.

The development comes almost 10 days after Google rejected an app store monopoly suit filed by Tinder parent Match Group, saying it is a “self-interested” campaign putting money ahead of user safety.

Google’s response came a day after Match filed a lawsuit in federal court in San Francisco accusing the tech titan of abusing control of the Play Store that sells digital content for Android-powered phones.

“This is just a continuation of Match Group’s self-interested campaign to avoid paying for the significant value they receive from the mobile platforms they’ve built their business on,” a Google spokesperson told AFP.

The litigation comes as part of an ongoing battle by Match, Epic Games and others to force Google parent Alphabet and iPhone maker Apple to loosen their grips on their respective app stores.

Match’s filing came after Google modified Play Store rules to require its family of apps to use the Internet giant’s payment system, which collects fees of up to 30 percent on transactions, court paperwork said.

Google has made it clear that it will remove Match apps from the Play Store if they do not comply with the rule, Match said in the filing, which described such punishment as a “death knell.”


“This is a case about the strategic manipulation of markets, broken promises, and abuse of power,” Match said in the suit.

Google countered that Match is free to make its apps available elsewhere online, including on its own website.

While the App Store is the only gateway for content to get onto Apple mobile devices, users of Android-powered smartphones or tablets can download apps at their own risk from online venues other than Google’s Play Store.

Match’s lawsuit contends that despite having options, users get content for Android devices from the Play Store more than 90 percent of the time.

Match apps offered in the Play Store qualify to pay fees of just 15 percent on subscriptions, according to the Google spokesperson.


© Thomson Reuters 2022


Google Incognito Mode Not Really Private, Collects User Data, Says Texas Lawsuit



The Google search engine collects data on users who think they can be anonymous if they use a “private browsing” mode, Texas Attorney General Ken Paxton claimed on Thursday, filing an amended privacy lawsuit against the Alphabet unit.

Texas, Indiana, Washington State, and the District of Columbia filed separate suits against Google in January in state courts over what they called deceptive location-tracking practices that invade users’ privacy.

Paxton’s filing adds Google’s Incognito mode to the lawsuit filed in January. Incognito mode or “private browsing” is a Web browser function that Paxton said implies Google will not track search history or location activity.


The lawsuit said Google offers the option of “private browsing” that could include “viewing highly personal websites that might indicate, for example, their medical history, political persuasion, or sexual orientation. Or maybe they simply want to buy a surprise gift without the gift recipient being tipped off by a barrage of targeted ads.”

The suit said “in reality, Google deceptively collects an array of personal data even when a user has engaged Incognito mode.”

Google said on Thursday that Paxton’s filing is again “based on inaccurate claims and outdated assertions about our settings. We have always built privacy features into our products and provided robust controls for location data.”

“We strongly dispute these claims and will vigorously defend ourselves to set the record straight,” it added.

Paxton previously alleged Google misled consumers by continuing to track their location even when users sought to prevent it.

Google has a “Location History” setting and informs users if they turn it off “the places you go are no longer stored,” Texas said.

In January, an Arizona judge ruled allegations Google deceived users with unclear smartphone location tracking settings should be weighed by a jury, refusing to toss out a lawsuit brought by the state’s attorney general.



Amazon, Meta, Google owner Alphabet to Face Strong Opposition From Schroders Over Workers, Digital Rights



Schroders, Britain’s biggest listed asset manager, said on Wednesday it would back a swathe of shareholder resolutions at Amazon, Meta and Google-owner Alphabet concerning workers’ and digital rights.

Schroders, which manages around GBP 730 billion (roughly Rs. 70,65,210 crore), said it was declaring its intention to vote against management on the issues as an escalation measure following talks with the companies.

While any move to declare voting plans is still relatively rare among asset managers, more are starting to do so as part of efforts to accelerate change on environmental, social, and governance-related issues such as climate change.


In total, Schroders said it would vote against 11 resolutions across the three companies at their annual general meetings.

The money manager said its engagement with Amazon had centred on supporting workers’ rights, specifically improving staff pay and benefits, the health and wellbeing of workers, and worker representation within the company.

At Meta and Alphabet, Schroders said it would vote in favour of improving their approach to digital rights, including the management of exploitative content, misinformation and privacy.

“These issues are growing in importance for our clients who are pressing us to do more to ensure the companies that we invest in are acting responsibly,” said Kate Rogers, Head of Sustainability, Schroders Wealth Management.

“By voting against the management at Alphabet and Meta we are signalling the importance of big technology companies acting to avoid harm and tackling misinformation on their platforms. At Amazon, we stand with the workers, seeking more disclosure on working conditions and their treatment.”

Schroders added that it was still considering and would likely vote against other agenda items at the companies’ AGMs.

© Thomson Reuters 2022
