Hacking Back: Agari Turns the Tables on Next-Gen E-mail Scammers

(Page 2 of 2)

that the company’s wire transfer system was temporarily disabled. “Wait for Monday, or I’ll send a check via FedEx,” he told them. “They gave me an actual address—a hair salon in Florida.”

The fraudsters then made a request that gave Wilson another tool against them. They asked for the tracking number of the package Wilson was sending. “Whenever they believe you are sending them a check, they always want to know the tracking number,” he says. But FedEx can track those who are tracking items moving through its system.

Wilson then coordinated with a pal at FedEx. They discovered that Wilson’s decoy package—complete with a fake check—was being tracked by two devices in Nigeria that had also been tracking more than 600 other packages.

Someone signed for Wilson’s package at the hair salon, but all they got was a fake check made out to “Richard Nixon.”

“The amount was all zeroes,” Wilson says.

Wilson cooperates with law enforcement and companies such as banks, but he says the banks are mostly tight-lipped about the actions they take after a cybersecurity company such as Agari flags a mule account for them. He assumes the banks contact the FBI if any loss is incurred due to a scam.

There are a number of variants on the wire transfer scheme, such as the W-2 form scam, or the trick of posing as a target company’s business partner, such as a supplier. The scammers try to get hold of a purchase order sent from the target company—call it “AcmeCo”—to the supplier, so they can submit a fake bill to get the money AcmeCo owes to that supplier for goods sent. The criminals use a phishing e-mail to induce someone at the supplier company to share AcmeCo’s purchase order with them, by pretending to be a co-worker at the supplier company. The fake bill goes out under the supplier’s name, with AcmeCo’s real purchase order number, but with directions to send a wire transfer payment to the scammer’s bank account.

Wilson says he has carried out 20 reverse scams on the e-mail scammers to date. Agari is now planning to step up the activity a bit and automate it.

After conducting a hundred interactions or more, Wilson says, it might be possible to find more of the patterns among these fraudsters. At a rough guess, he thinks there are numerous groups in other countries conducting these low-skilled attacks that can nevertheless cost companies so much. He suspects that some people teach others, and possibly set them up as profit-sharing franchises of their own hacking operations. Some of the Nigerian scammers use inexact English, maybe relying on Google Translate to frame their messages. But many of them have grammar help from confederates in U.K. cities such as London and Bristol, to make their fraudulent ploys more plausible, he says.

“The really nasty one is the W-2 scam,” Wilson says. A company that falls victim might have to pay for identity protection for all its employees, perhaps for many years. For a small company, that could be a significant hit, he says.

Some CEOs and CFOs have had to step down after a business e-mail compromise attack succeeds, he says.

And then there are the unwitting accomplices who are left still believing in a romantic relationship with a criminal, perhaps lying to police to cover for him or her, and risking a prison term. Wilson found such victims scattered across the United States, from Florida to Washington state.

“While it is tempting to work with a bank and law enforcement to set up a mule by actually transferring some money and then having the police make an arrest, I’ve avoided doing so thus far,” Wilson says in an e-mail exchange with Xconomy. “That’s because in many cases the mules are themselves victims, as many are recruited through online romance scams. The criminal ‘masterminds’ are almost always located overseas beyond the reach of U.S. law enforcement.”

These exploitative relationships are often conducted solely online, and the scammers target older, isolated people, Wilson says.

Wilson says he asked the Indianapolis Metropolitan Police to visit one such money mule, and the officers warned the woman that they would come back if she ever deposited one of the checks sent to the mule account she maintained. Wilson later called the woman, who told him she had met her scammer “boyfriend from Boston” only once. The woman still seemed to be making excuses for her scammer, claiming he was only planning to send her money that he owed her. Wilson says he wasn’t able to persuade her that she was being used.

“There’s a huge human toll with all of these attacks,” Wilson says.


Featured photo credit: Depositphotos; © alexgeiger

Photo of John Wilson courtesy of Agari
