Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

10/13/2020
02:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

25% of BEC Cybercriminals Based in the US

While the US is known to be a prime target for BEC attacks, just how many perpetrators are based there came as a surprise to researchers.

A new analysis of business email compromise (BEC) attacks reveals the global footprint of BEC activity: Twenty-five percent of perpetrators behind these threats are located in the United States. Of these attackers, nearly half are based in five states: California, Georgia, Florida, Texas, and New York.

The Agari Cyber Intelligence Division (ACID) today published the results of a study to better understand the operations of BEC attacks – in particular, the location of attackers and the money mules responsible for laundering their proceeds. While Nigeria has been a hot spot for social engineering scams, researchers found only half of attacks came from the West African country.

Related Content:

Scale Up Threat Hunting to Skill Up Analysts

2020 State of Cybersecurity Operations and Incident Response

New on The Edge: What Is End-to-End Encryption?

Their report contains information from more than 9,000 defense engagements between May 2019 and July 2020. In more than 2,200 of these, researchers could identify the attackers' likely locations. These do not include incidents in which attackers were likely using a proxy or other technique to anonymize their locations.

Based on these engagements, researchers identified BEC attackers in more than 50 different countries. Sixty percent of the attackers were based in 11 African countries; of these, 83% were based in Nigeria. South Africa was home to 14% of Africa-based attackers and the third-largest base for BEC groups worldwide. This was the only country in the study to see a decline in BEC attackers during the study. Eleven percent of global BEC actors were in South Africa during the last eight months of 2019, but this number dropped to 6% in the first seven months of this year.

Nearly 30% of global attackers were based in the Americas. Of these, 89% call the US home. While the US is known to be a prime target for BEC attacks, researchers were surprised to learn many perpetrators are based there. They also noticed clusters of attackers around a few metro areas including Atlanta, New York, Los Angeles, Houston, and Miami.

"The part about the US took us by surprise," says Crane Hassold, senior director of threat research at Agari. After removing instances in which attackers were using proxies and other anonymization sources, researchers assumed the percentage of US-based attacks would drop.

A closer look at the top US metro areas for BEC activity reveals a correlation with major arrests that have happened over the past couple of years, Hassold continues. One of these was Operation reWired, a law enforcement operation targeting BEC that led to the arrest of 281 people worldwide, including 74 in the US, 167 in Nigeria, 18 in Turkey, and 15 in Ghana.

"Geolocation is one of the many data points that defense is taking on when they're thinking of where threats come from," he explains. "One of the big things to keep in mind here is that location data may not be as helpful in some cases."

If security teams are only watching for attacks that originate in Nigeria, for example, they'll only see half of all BEC attacks that occur.

Tracking Illicit Funds: A Look at BEC Money Mules
Money mules were spotted all around the world: Over the course of the 15-month study, the team collected 2,900 mule accounts in 39 countries. Through these accounts, scammers intended to receive more than $64 million in stolen funds from BEC victims, researchers report.

Learning where money mules are located, and whether they're witting or unwitting in BEC operations, was a significant part of the research, Hassold says.

"The money mules are essentially the piece of the machine that makes this entire attack go, and without the mules, the entire ecosystem would fall apart," he explains. "Really understanding where they are, especially in the US, I found very fascinating because they're essentially the first stop for the money when it comes down to the business."

BEC attackers typically use a mule in the country where the target is based. This is unsurprising – Hassold says most mules were based in the US to start with – but may be partly due to restrictions that prohibit large international transfers. If an attacker sends a $30,000 payment to someone in the same country, it may not raise as many red flags as an international transfer. International transfers are typically disguised as corporate account payments, he notes. 

Researchers identified more than 900 US-based money mules used in BEC scams between May 2019 and July 2020. At least one mule was spotted in every state, as well as the District of Columbia. Many of these are people who fall for romance scams or work-from-home scams, in which victims apply for and accept a job that could include receiving and reshipping goods, receiving "payments" from clients, or printing and sending checks – all part of a BEC operation.

While most mule accounts were at US-based banks, payments requested for those accounts were much lower than in other countries. For example, the average payment requested by BEC scammers for US-based accounts was $39,500. Payments requested for Hong Kong-based mule accounts averaged $257,300.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31476
PUBLISHED: 2021-06-16
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 10.1.3.37598. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the han...
CVE-2021-31477
PUBLISHED: 2021-06-16
This vulnerability allows remote attackers to execute arbitrary code on affected installations of GE Reason RPV311 14A03. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware and filesystem of the device. The firmware and filesystem contain hard-...
CVE-2021-32690
PUBLISHED: 2021-06-16
Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This...
CVE-2021-32691
PUBLISHED: 2021-06-16
Apollos Apps is an open source platform for launching church-related apps. In Apollos Apps versions prior to 2.20.0, new user registrations are able to access anyone's account by only knowing their basic profile information (name, birthday, gender, etc). This includes all app functionality within th...
CVE-2021-32243
PUBLISHED: 2021-06-16
FOGProject v1.5.9 is affected by a File Upload RCE (Authenticated).