Attacks/Breaches

7/6/2020
05:40 PM
BEC Busts Take Down Multimillion-Dollar Operations

The two extraditions of business email compromise attackers indicate a step forward for international law enforcement collaboration.

On Friday, July 3, the Department of Justice announced extraditions of two Nigerian nationals to face charges related to separate business email compromise (BEC) operations. Both men are accused of participating in BEC schemes to defraud US organizations out of millions of dollars.

Ramon Olorunwa Abbas, also known as "Ray Hushpuppi" and "Hush," was expelled from the United Arab Emirates to Chicago, where he made his first court appearance. Charges allege he conspired to launder hundreds of millions of dollars from BEC frauds and other scams.

Abbas was arrested in the UAE last month and brought to the US to face a charge of conspiring to engage in money laundering, as alleged in a criminal complaint filed June 25. This complaint describes an Instagram account with several publicly viewable images of Abbas posing on or in luxury vehicles, wearing designer clothing, and possessing luxury items "indicating substantial wealth." In one photo, Abbas posed in front of two vehicles, one of which he said was his new Rolls-Royce Wraith. Multiple photos showed him in private jets or traveling to cities around the world.

"The FBI's investigation has revealed that Abbas finances this opulent lifestyle through crime, and that he is one of the leaders of a transnational network that facilitates computer intrusions, fraudulent schemes (including BEC schemes), and money laundering, targeting victims around the world in schemes designed to steal hundreds of millions of dollars," the affidavit states.

This case targeted a key player in a large, transnational scheme who used illicit funds to support his lifestyle while allegedly giving a safe haven to stolen money, says US Attorney Nick Hanna in a statement. The affidavit alleges Abbas and co-conspirators conspired to launder funds in a $14.7 million operation targeting a foreign financial institution. Another scheme attempted to defraud a New York-based law firm out of approximately $922,857 in October 2019. In one case, Abbas and others tried to steal roughly $124 million from an English Premier League club.

"With Hushpuppi, what's really important about this arrest is he is one of the primary money launderers of the BEC threat landscape," says Crane Hassold, senior director of threat research at Agari. "From a financial perspective, that is where I think the biggest impact of this will be."

Hassold describes Abbas as "an essential chokepoint" to money coming in from US BEC attacks and funds going out to Nigeria. Following his arrest, many Nigerian threat actors will need to find a way to transfer money from point to point. "That will take some time, to replace someone at the scale of Hushpuppi," he adds.

A second case involves Nigerian national Olalekan Jacob Ponle, also known as "Mr. Woodbery" and "Mark Kain." A criminal complaint accuses him of orchestrating BEC schemes to defraud US companies, which led to attempted or actual losses amounting to tens of millions of dollars. One Chicago company was tricked into sending wire transfers totaling $15.2 million. Ponle was arrested last month in the UAE and, like Abbas, made his first court appearance in Chicago.

Ponle's alleged operation ran through the first nine months of 2019, during which one or more actors gained unauthorized access to the email account of a US-based company and sent messages to employees claiming to be from the company or a known contact. These fake emails instructed employees to wire funds to a bank account set up by money mules at Ponle's request. He instructed the mules to convert the funds to Bitcoin and send them to a virtual wallet he controlled.

In addition to Chicago, Ponle targeted firms in Iowa, Kansas, Michigan, New York, and California.

Bringing BEC Operations to Justice
These extraditions represent a step forward in how foreign BEC attackers will be brought to justice. The DoJ, in collaboration with the Department of Treasury, recently published the first set of formal sanctions against Nigerian cybercriminals. Officials imposed financial sanctions on each of six individuals charged with involvement in BEC operations.

"This action represents a significant shift in how the United States responds to these types of criminal activities and demonstrates a willingness to impose cost to cyber actors living abroad outside of the reach of US law enforcement," says Pete Renals, principal researcher for Unit 42 at Palo Alto Networks. He anticipates more extraditions will be announced in coming months.

It's worth noting that many BEC attackers have a global footprint, Hassold points out, so they are likely to be extradited to other countries if they cause more damage elsewhere. Even so, what we see here is that not only are more people being extradited for BEC, but the transition from arrest to extradition is happening quickly, indicating a willingness among international law enforcement organizations to work together and support extradition for these types of attacks.

"It's important to consider that extradition isn't necessarily a long-term solution," says Renals. "At a macro level, there is a need for rapid adoption of legal frameworks tailored to what is arguably a new and nascent threat."

BEC schemes haven't been around long, but in that time, they have "grown exponentially" in terms of scale, global reach, and financial impact, he adds. These threats cost businesses $1.7 billion in 2019 alone, the FBI reported back in February. In the cases of both Abbas and Ponle, the attackers made hundreds of thousands of dollars in a single operation, emphasizing the financial impact of these types of attacks.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...