In coordination with the Nigerian Police Force, Interpol has arrested 11 individuals suspected of participating in an international BEC (business email compromise) ring. BEC is a type of attack conducted through email that involves spear-phishing company employees responsible for approving payments to contractors, suppliers, and other parties.
By impersonating a coworker, a supervisor, or a client or supplier, BEC actors manage to divert payments to their own bank accounts, effectively stealing them from the targeted company. In the latest Interpol operation, codenamed ‘Falcon II,’ which unfolded between December 12 and 22, 2021, the police followed leads provided by cyber-intelligence firms Group-IB and Palo Alto Networks’ Unit 42 to arrest suspects in Lagos and Asaba.
Who are the Members of the SilverTerrier Group?
According to the forensic investigation and the evidence collected so far, Interpol believes that at least some of the arrested individuals belong to the BEC gang known as SilverTerrier, also known as TMT. This is the second blow to this particular group, after Interpol arrested other members of it during ‘Falcon I’ in 2020.
“This preliminary analysis indicates that the suspects’ collective involvement in BEC criminal schemes may be associated with more than 50,000 targets,” details Interpol’s announcement. “One of the arrested suspects was in possession of more than 800,000 potential victim domain credentials on his laptop.”
“The other suspect had been monitoring conversations between 16 companies and their clients and diverting funds to ‘SilverTerrier’ whenever company transactions were about to be made.”
Six actors with history in BEC
According to a report shared with our experts by Palo Alto Networks’ Unit 42, most of the arrested individuals have had lengthy involvement in, or prior convictions for, BEC scams. The arrested individuals who were tracked and identified by Unit 42 are:
- Darlington Ndukwu – active since 2014, using ISRStealer, Keybase, Pony, LokiBot, PredatorPain and ISpySoftware. He registered websites such as “fbigov.org”, “annexbanks.com”, and “western-union.org”, has also targeted security researchers, and was also arrested during the FBI’s ‘WireWire’ operation in 2018.
- Onuegwu Ifeanyi Ephraim – active since 2014, using LokiBot, PredatorPain, ISRStealer, Pony, NanoCore, AzoRult, ISpySoftware, AgentTesla and Keybase. He registered domains like “us-military-service[.]com” and “pennssylvania.com.mx”. He sponsored at least 30 BEC actors and was arrested for BEC activities again in 2020. After his release in 2021, he immediately returned to scamming by registering “covid19-fundservices.com”.
- Oyebade Fisayo – active since 2015, using ISRStealer, Pony, LuminosityLink, NanoCore, LokiBot, Keybase, Adwind, AgentTesla, PredatorPain and ImminentMonitor. He publicly offered instructions on how to use RATs on Facebook, and registered domains such as “atlanticexpresslogistics.com” and “shipatlanticlogistics.co.uk”.
- Kevin Anyanwu – active since 2015, operating the “hsbctelex.net” scam site.
- Onukwubiri Ifeanyi Kingsley – active since 2016, using Pony and LokiBot. He was linked to at least 20 fraudulent domains like “qatarairways.pw” and is believed to be a core member of the TMT gang.
- Kennedy Ikechukwu Afurobi – active since 2014, using Pony, PredatorPain and AzoRult. He is also directly linked to TMT group activities and registered almost a hundred domains that were used to distribute spear-phishing emails.
BEC scammers cannot siphon funds off as untraceable cryptocurrency, so their only way to cover their tracks is to move the stolen amounts through a chain of accounts in an attempt to obscure the money trail. Unfortunately, many banks, particularly in countries with weak anti-money-laundering regulation, insist on protecting their clients’ interests and refuse to reverse transactions that were part of a payment diversion fraud.
However, the international collaboration and information exchange between law enforcement and intelligence agencies worldwide make it increasingly challenging for BEC actors to remain hidden.
How to Fight against BEC?
When asked to send money or to redirect all future payments to a new bank account, pick up the phone and call the supplier or colleague to confirm the request. Use a phone number you have already verified in past communications, never a new number supplied in the email.
To secure your email account from takeover, enable multi-factor authentication and use a strong, unique password. Organizations should also protect their domain from spoofing by registering likely typo-squatting variants of it and by instructing employees not to over-share business information online.
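As an added example that is not part of the article or of any of the firms’ tooling, the following Python checker flags inbound sender domains that resemble domains an organization protects, covering the patterns visible in the fraudulent domains listed above: TLD swaps, single-character typos, look-alike character substitutions, and a brand name embedded in a longer label. The PROTECTED list and the SAMPLE_FROM_HEADERS addresses are constructed for the example.

```python
# Added example (not from the article): flag sender domains resembling protected ones. PROTECTED and SAMPLE_FROM_HEADERS are constructed.
PROTECTED = ["pennsylvania.com", "hsbc.com", "qatarairways.com", "annexbank.com"]
HOMOGLYPHS = [("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w")]

def base_label(domain):
    """Leftmost DNS label, lower-cased (assumption: the brand sits in that label)."""
    return domain.lower().strip().rstrip(".").split(".")[0]

def fold_homoglyphs(label):
    for glyph, plain in HOMOGLYPHS:     # map look-alike sequences back to the letters they mimic
        label = label.replace(glyph, plain)
    return label

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_reason(sender_domain, protected=PROTECTED):
    """Return (reason, protected_domain) for a suspicious sender domain, else None."""
    sender = sender_domain.lower().strip().rstrip(".")
    if any(sender == g or sender.endswith("." + g) for g in protected):
        return None                          # the genuine domain or one of its subdomains
    label = base_label(sender)
    for good in protected:
        good_label = base_label(good)
        if label == good_label:
            return ("tld-swap", good)        # e.g. qatarairways.pw vs qatarairways.com
        if fold_homoglyphs(label) == good_label:
            return ("homoglyph", good)       # e.g. "vv" standing in for "w"
        if edit_distance(label, good_label) <= 1:
            return ("typo", good)            # e.g. pennssylvania vs pennsylvania
        if len(good_label) >= 4 and good_label in label:
            return ("brand-embedded", good)  # e.g. hsbctelex vs hsbc
    return None

SAMPLE_FROM_HEADERS = ["accounts@pennsylvania.com", "ap@pennssylvania.com.mx",  # constructed
                       "treasury@hsbctelex.net", "bookings@qatarairways.pw", "noreply@mail.hsbc.com"]

def scan_senders(addresses, protected=PROTECTED):
    """Return {address: (reason, protected_domain)} for every suspicious sender address."""
    hits = {a: lookalike_reason(a.rpartition("@")[2], protected) for a in addresses}
    return {a: r for a, r in hits.items() if r}
```

The same generator-free comparison can be run over the organization’s own domain list to rank which typo-squatting variants are worth registering defensively.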