Wednesday, May 16, 2018 12.45PM / CrowdStrike Global Intelligence Team
Business email compromise (BEC) is a form of fraud in which a team of cybercriminals convinces victims to wire large amounts of funds or send valuable data to criminally controlled accounts; it is facilitated by the victim’s belief that they are actually being asked or instructed to do so by a trusted party.
According to the Internet Crime Complaint Center (IC3), BEC occurs when “a criminal compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds”.
In 2016, the IC3 received 12,005 BEC complaints amounting to losses of more than $360 million USD.
There have been multiple open-source reports describing how money stolen through BEC fraud is directed to bank accounts in China, particularly Hong Kong. The IC3 has tracked fraudulent bank transfers to 72 countries and it has determined that the majority go to banks in China and Hong Kong.
As eCrime has evolved over the past decade and become a global issue costing companies and individuals billions of dollars, prolific Nigerian cybercriminals have evolved, too.
They have moved to BEC scams, which are much more sophisticated than advanced-fee fraud (also called 419 fraud).
Industry reporting shows that BEC has been perpetrated by Nigerian groups or individuals and that the tools are readily available. (Trend Micro, “Cybercrime in West Africa”, 2017, https://documents.trendmicro[.]com/assets/wp/wp-cybercrime-in-westafrica.pdf)
Additional analysis by CrowdStrike Intelligence shows that larger and more sinister Nigerian criminal groups are involved in BEC, specifically Nigerian Confraternities.
The Neo Black Movement (NBM) was founded in 1977 at the University of Benin, Nigeria. NBM claims that it is an officially registered organization in Nigeria; however, it is widely considered to be one and the same as the Black Axe confraternity, and both have been banned by law. Since its foundation, Black Axe has developed into a formidable criminal organization with a hierarchical, inter-state structure, while at the same time retaining cult-like tendencies.
Black Axe gangs are involved in a multitude of organized crime ventures such as running prostitution rings, human trafficking, narcotics trafficking, grand theft, money laundering, and email fraud/cybercrime. These activities primarily take place in Nigeria, and they also are conducted by Black Axe members (known as Axemen) in Europe and North America.
Black Axe maintains a hierarchical command structure at the national level, and it also operates Black Axe “Zones” (also pyramidal in structure) in foreign locations. Arrests of criminals in Canada in 2015 revealed that the Black Axe zone for Canada is heavily involved in wire fraud, money laundering, romance scams, and BEC.
U.S. law enforcement arrested several Nigerian criminals on BEC fraud over the past few years, and Canadian and Italian law enforcement agencies have had limited success confronting and dealing with the Black Axe zones in their respective countries. Yet the magnitude of this criminal threat has only recently begun to be understood. As such, the threat posed by Black Axe and similar groups will remain high for the foreseeable future, and BEC will remain an effective eCrime technique in the near to mid-term.
Structure of BEC Frauds
· Business email compromise (BEC) is a form of fraud where criminals compromise legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
· Over the past 12 months, CrowdStrike has observed three different types of BEC scams: wire transfer attempts, payroll fraud, and compromises that have led to follow-on spam campaigns. In many BEC cases, CrowdStrike has observed Office 365 (or Google suites) being compromised because two-factor authentication (2FA) was not enabled.
· CrowdStrike has also observed eCrime campaigns using the Netwire remote access tool (RAT) that are tied to Nigerian BEC fraud and that have affected companies in the energy, travel, financial, and hospitality sectors.
· In many cases, money stolen through BEC fraud is directed to bank accounts in China, particularly Hong Kong.
· Nigerian confraternities, most notably Black Axe, have developed into formidable criminal organizations that include cyber components.
· The Black Axe confraternity maintains a pyramidal command structure at the national level, and also operates Black Axe “Zones” that conduct wire fraud in foreign locations.
· In mid-2015, police in Toronto, Canada arrested three Nigerian criminals on fraud charges for stealing more than $600,000 USD from a Canadian widow through a romance scam. Police also charged one with the crime “money laundering for criminal organization” because they identified him as the bookkeeper for Black Axe’s Canada zone.
· Although the perpetration of Nigerian 419 scams is not as advanced technically as the activity conducted by Russian actors who develop and manage sophisticated banking Trojans, Nigerian BEC scams are just as advanced given their global scale, the amount of money involved, and the advanced money laundering techniques that include the use of banks in China.
· As such, the threat posed by Black Axe and similar groups will remain high for the foreseeable future, and BEC will remain an effective eCrime technique in the near to mid-term.
Business email compromise (BEC) has become a massive eCrime challenge; it is essentially a global problem that affects all geographical regions and involves actors conducting fraud on multiple continents. The FBI has estimated that this fraud has resulted in billions of dollars stolen from large and small businesses alike, and CrowdStrike has observed cases where a single BEC incident has resulted in losses in the seven figures.
Many descriptions and advisories or press releases on BEC describe it in relatively simple terms, and the basic construct is simple in nature, which makes the success of the scam more impressive. However, the different variations of BEC that have been crafted show that in its different forms, it is actually a complex series of movements and events that require a multifunctional criminal team. When BEC scams are combined or conducted in conjunction with romance scams, money mule recruitments, and complex money-laundering operations, they present an enormous challenge to law enforcement, businesses, cyber security firms, and even individuals.
These scams should not be thought of separately, but rather as crimes that support one another, and as such they should be considered an advanced form of eCrime. Although the perpetration of Nigerian 419 scams and the use of keyloggers are not as advanced technically as the sophisticated banking Trojans developed and managed by Russian actors, the argument can be made that Nigerian BEC scams are just as advanced given their global scale, the amount of money involved, and the advanced money laundering techniques that include the use of banks in China.
The arrests of Black Axe personnel in Toronto shed light on a criminal gang that is ruthless, while at the same time extremely organized and dedicated to conducting wire fraud, romance scams, money laundering, and BEC. The emergence of this confraternity as a global scamming menace and advanced eCrime threat is alarming.
While the online security of these actors is not complete, they take greater security measures than “standard” Nigerian criminals. Furthermore, it has been difficult for law enforcement in countries outside Nigeria to gain an understanding of how Black Axe zones are structured and how they operate. These factors, combined with persistence and tenacity, have allowed fraud conducted by Black Axe and other Nigerian criminals to flourish.
U.S. law enforcement has arrested several Nigerian criminals on BEC fraud over the past few years, and Canadian and Italian law enforcement agencies have had limited success confronting and dealing with the Black Axe zones in their respective countries. Yet the magnitude of this criminal threat has only recently begun to be understood. As such, the threat posed by Black Axe and similar groups will remain high for the foreseeable future, and BEC will remain an effective eCrime technique in the near to mid-term.
This CRIS – 18004 report was released on March 20, 2018
Intelligence Report Content
1. EXECUTIVE SUMMARY
2. KEY POINTS
· Introduction
· The Nigerian Connection: A Tradition in eCrime
· Nigerian Confraternities
· Recent Arrests of Nigerian BEC Threat Actors
3. BEC Campaigns Observed by CrowdStrike in 2017
4. MITIGATION AND REMEDIATION
5. INDICATORS OF ATTACK
· Host Indicators
6. NETWORK INDICATORS
· Network Artifacts
7. CONCLUSION
NOTICE TO READERS: This report is provided for situational awareness and network defense purposes only. DO NOT conduct searches on, communicate with, or engage any individuals, organizations, or network addresses identified in this report. Doing so may put you or your employer at risk and jeopardize ongoing investigation efforts.