Attacks/Breaches

7/6/2020 05:40 PM
BEC Busts Take Down Multimillion-Dollar Operations

The two extraditions of business email compromise attackers indicate a step forward for international law enforcement collaboration.

On Friday, July 3, the Department of Justice announced extraditions of two Nigerian nationals to face charges related to separate business email compromise (BEC) operations. Both men are accused of participating in BEC schemes to defraud US organizations out of millions of dollars.

Ramon Olorunwa Abbas, also known as "Ray Hushpuppi" and "Hush," was expelled from the United Arab Emirates to Chicago, where he made his first court appearance. Charges allege he conspired to launder hundreds of millions of dollars from BEC frauds and other scams.

Abbas was arrested in the UAE last month and brought to the US to face a charge of conspiring to engage in money laundering, as alleged in a criminal complaint filed June 25. This complaint describes an Instagram account with several publicly viewable images of Abbas posing on or in luxury vehicles, wearing designer clothing, and possessing luxury items "indicating substantial wealth." In one photo, Abbas posed in front of two vehicles, one of which he said was his new Rolls-Royce Wraith. Multiple photos showed him in private jets or traveling to cities around the world.

"The FBI's investigation has revealed that Abbas finances this opulent lifestyle through crime, and that he is one of the leaders of a transnational network that facilitates computer intrusions, fraudulent schemes (including BEC schemes), and money laundering, targeting victims around the world in schemes designed to steal hundreds of millions of dollars," the affidavit states.

This case targeted a key player in a large, transnational scheme who used illicit funds to support his lifestyle while allegedly giving a safe haven to stolen money, says US Attorney Nick Hanna in a statement. The affidavit alleges Abbas and co-conspirators conspired to launder funds in a $14.7 million operation targeting a foreign financial institution. Another scheme attempted to defraud a New York-based law firm out of approximately $922,857 in October 2019. In one case, Abbas and others tried to steal roughly $124 million from an English Premier League club.

"With Hushpuppi, what's really important about this arrest is he is one of the primary money launderers of the BEC threat landscape," says Crane Hassold, senior director of threat research at Agari. "From a financial perspective, that is where I think the biggest impact of this will be."

Hassold describes Abbas as "an essential chokepoint" to money coming in from US BEC attacks and funds going out to Nigeria. Following his arrest, many Nigerian threat actors will need to find a way to transfer money from point to point. "That will take some time, to replace someone at the scale of Hushpuppi," he adds.

A second case involves Nigerian national Olalekan Jacob Ponle, also known as "Mr. Woodbery" and "Mark Kain." A criminal complaint accuses him of orchestrating BEC schemes to defraud US companies, which led to attempted or actual losses amounting to tens of millions of dollars. One Chicago company was tricked into sending wire transfers totaling $15.2 million. Ponle was arrested last month in the UAE and, like Abbas, made his first court appearance in Chicago.

Ponle's alleged operation ran through the first nine months of 2019, during which one or more actors gained unauthorized access to the email account of a US-based company and sent messages to employees claiming to be from the company or a known contact. These fake emails instructed employees to wire funds to a bank account set up by money mules at Ponle's request. He instructed the mules to convert the funds to Bitcoin and send them to a virtual wallet he controlled.

In addition to Chicago, Ponle targeted firms in Iowa, Kansas, Michigan, New York, and California.

Bringing BEC Operations to Justice
These extraditions represent a step forward in how foreign BEC attackers will be brought to justice. The DoJ, in collaboration with the Department of Treasury, recently published the first set of formal sanctions against Nigerian cybercriminals. Officials imposed financial sanctions on each of six individuals charged with involvement in BEC operations.

"This action represents a significant shift in how the United States responds to these types of criminal activities and demonstrates a willingness to impose cost to cyber actors living abroad outside of the reach of US law enforcement," says Pete Renals, principal researcher for Unit 42 at Palo Alto Networks. He anticipates more extraditions will be announced in coming months.

It's worth noting that many BEC attackers have a global footprint, Hassold points out, and they will likely be extradited to other countries if they cause more damage elsewhere. Even so, not only are more people being extradited for BEC, but the transition from arrest to extradition is happening quickly, indicating a willingness among international law enforcement organizations to work together and support extradition for these types of attacks.

"It's important to consider that extradition isn't necessarily a long-term solution," says Renals. "At a macro level, there is a need for rapid adoption of legal frameworks tailored to what is arguably a new and nascent threat."

BEC schemes haven't been around long, but in that time, they have "grown exponentially" in terms of scale, global reach, and financial impact, he adds. These threats cost businesses $1.7 billion in 2019 alone, the FBI reported back in February. In the cases of both Abbas and Ponle, the attackers made hundreds of thousands of dollars in a single operation, emphasizing the financial impact of these types of attacks.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...