The fraudsters behind the often laughable Nigerian prince email scams have long since branched out into far more serious and lucrative forms of fraud, including account takeovers, phishing, dating scams, and malware deployment. Combating such a multifarious menace can seem daunting, and it calls for concerted efforts to tackle the problem from many different angles. This post examines the work of a large, private group of volunteers dedicated to doing just that.
According to the most recent statistics from the FBI's Internet Crime Complaint Center, the most costly form of cybercrime stems from a complex type of fraud known as the "Business Email Compromise" or BEC scam. A typical BEC scam involves phony e-mails in which the attacker spoofs a message from an executive at a company or a real estate escrow firm and tricks someone into wiring funds to the fraudsters.
The FBI says BEC scams netted thieves more than $12 billion between 2013 and 2018. However, BEC scams succeed thanks to help from a variety of seemingly unrelated types of online fraud -- most especially dating scams. I recently interviewed Ronnie Tokazowski, a reverse engineer at New York City-based security firm Flashpoint and something of an expert on BEC fraud.
Tokazowski is an expert on the subject thanks to his founding in 2015 of the BEC Mailing List, a private discussion group comprising more than 530 experts from a cross section of security firms, Internet and email providers and law enforcement agents that is dedicated to making life more difficult for scammers who perpetrate these schemes.
Earlier this month, Tokazowski was given the JD Falk award by the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) for his efforts in building and growing the BEC List (loyal readers here may recognize the M3AAWG name: KrebsOnSecurity received a different award from M3AAWG in 2014). M3AAWG presents its JD Falk Award annually to recognize "a project that helps protect the internet and embodies a spirit of volunteerism and community building."
Here are some snippets from our conversation:
Brian Krebs (BK): You were given the award by M3AAWG in part for your role in starting the BEC mailing list, but more importantly for the list’s subsequent growth and impact on the BEC problem as a whole. Talk about why and how that got started and evolved.
Ronnie Tokazowski (RT): The why is that there's a lot of money being lost to this type of fraud. If you just look at the financial losses across cybercrime -- including ransomware, banking trojans and everything else -- BEC is number one. Something like 63 percent of fraud losses reported to the FBI are related to it.
When we started the list around Christmas of 2015, it was just myself and one FBI agent. When we had our first conference in May 2016, there were about 20 people attending to try to figure out how to tackle all of the individual pieces of this type of fraud.
Fast forward to today, and the group now has about 530 people, we’ve now held three conferences, and collectively the group has directly or indirectly contributed to over 100 arrests for people involved in BEC scams.
BK: What did you discover as the group began to coalesce?
RT: As we started getting more and more people involved, we realized BEC was much broader than just phishing emails. These guys actually maintain vast networks of money mules, technical and logistical infrastructure, as well as tons of romance scam accounts that they have to maintain over time.
BK: I want to ask you more about the romance scam aspect of BEC fraud in just a moment, because that’s one of the most fascinating cogs in this enormous crime machine. But I’m curious about what short-term goals the group set in identifying the individuals behind these extremely lucrative scams?
RT: We wanted to start a collaboration group to fight BEC, and really a big part of that involved just trying to social engineer the actors and get them to click on links that we could use to find out more about them and where they’re coming from.
BK: And where are they coming from? When I’ve written about BEC scams previously and found most of them trace back to criminals in Nigeria, people often respond that this is just a stereotype, prejudice, or over-generalization. What’s been your experience?
RT: Right. A lot of people think Nigeria is just a scapegoat. However, when we trace back phone numbers, IP addresses and language usage, the vast majority of that is coming out of Nigeria.
BK: Why do you think so much of this type of fraud comes out of Nigeria?
RT: Well, corruption is a big problem there, but also there’s this subculture where doing this type of wire fraud isn’t seen as malicious exactly. There’s not only a lot of poverty there, but also a very strong subculture there to support this type of fraud, and a lot of times these actors justify their actions by seeing it as attacking organizations, and not the people behind those organizations. I think also because they rationalize that individuals who are victimized will ultimately get their money back. But of course in a lot of cases, they don’t.
BK: Is that why so many of these Nigerian prince, romance and BEC scams aren’t exactly worded in proper English and tend to read kind of funny sometimes?
RT: While a lot of the scammers are typically from Nigeria, the people doing the actual spamming side typically come from a mix of other countries in the region, including Algeria, Morocco and Tunisia. And it’s interesting looking at these scams from a language perspective, because you have them writing in English that’s also influenced by [people who speak] French and Arabic. So that explains why the emails often are written in poor English whereas to them it seems normal.
BK: Let’s talk about the romance scams. How does online dating fraud fit into the BEC scam?
RT: [The fraudsters] will impersonate both men and women who are single, divorced or widowed. But their primary target is female widows who are active on social media sites.
BK: And in most of these cases the object of the phony affection is what? To create a relationship so that the other person feels comfortable accepting money or moving money on behalf of their significant other, right?
RT: Yes, they end up being recruited as money mules. Or maybe they’re groomed in order to set up a bank account for their lovers. We’ve dealt with multiple cases where we see a money mule account coming through and then look that person up on social media and are quickly able to see they were friends with a clearly fake profile or a profile that we've already identified as a BEC scammer. So there is a very strong tie between these BEC scams and romance scams.
BK: Are all of the romance scam victims truly unwitting, do you think?
RT: With the mules who don't one hundred percent know what they're doing, they might be [susceptible to the suggestion] "hey, could you open this account for me?" The second type of mule can be on the payroll [of the scam organization], getting a cut of the money for assisting in the wiring of money [to the fraudsters’ accounts].
BK: I saw in one of your tweets you mentioned personally interacting with some of these BEC scammers.
RT: Yeah, a few weeks ago I was running a romance scammer who reached out and added me as a friend on Facebook. The story they were telling was that this person was a single mom with a kid aged 43 looking for companionship. By day 4 [of back and forth conversations] they were asking me to send them iTunes gift cards.
BK: Hah! So what happened then?
RT: I went to my local grocery store, which was all too willing to help. When you’re trying to catch scammers, it doesn't cost the store a dime to give you non-activated iTunes gift cards.
BK: That sounds like fun. Beyond scamming the scammers to learn more about their operations and who they are, can you talk about what you and other members of the BEC working group have been trying to accomplish to strategically fight this kind of fraud?
RT: What we found was with BEC fraud it's really hard to find ownership, because there’s no one entity that’s responsible for shutting it down. There are a lot of moving parts to the BEC scam, including lots of romance scam social media accounts, multiple email providers, and bank accounts tied to money mules that get pulled into these scams.
The feds get a lot of flack for not making arrests, the private sector gets criticized for not doing more, and a lot of people are placing the blame on social media for not doing more. But the truth is that in order to address BEC as a whole we all have to work together on that. It’s like the old saying: How do you eat an elephant? One bite at a time.
BK: So the primary goal of the group was to figure out ways to get better and faster at shutting down the resources used by these fraudsters?
RT: Correct. The main [focus] we set when starting this group was the sheer length of time it takes for law enforcement to put together a subpoena, which can take up to 30 days to process and get the requested information back that allows you to see who was logged into what account, when and from where. At the same time, these bad actors can stand up a bunch of new accounts each day. So the question was how do we figure out a good way to start whacking the email accounts and moving much faster than the subpoena process allows.
The overall goal of the BEC group has been to put everyone in the same room, [including] social media and email providers and security companies, so that we can attack this problem from all sides at once.
BK: I see. In other words, making it easier for companies that have a role to play to be proactive in shutting down resources that are used by the BEC scammers.
RT: Exactly. And so far we have helped to close hundreds of accounts, helped contribute directly or indirectly to dozens of arrests, and prevented millions of dollars in fraud.
BK: At the same time, this work must feel like a somewhat Sisyphean task. I mean, it costs the bad guys almost nothing to set up new accounts, and there seems to be no limit to the number of people participating in various aspects of these scams.
RT: That’s true, and even with 530 people from dozens of companies and organizations in this BEC working group now it sometimes doesn’t feel like we’re making enough of an impact. But the way I look at it is for each account we get taken down, that's someone's father or mother who's not being scammed and losing their inheritance to a Nigerian scammer.
The one thing I’m proud of is we’ve now operated for three years and have had very few snafus. It’s been very cool to watch the amount of trust that organizations have put into this group and to be along for the ride there in seeing so many competitors actually working together.
Anyone interested in helping in the fight against BEC fraud and related scams should check out the Web site 419eater.com, which includes a ton of helpful resources for learning more. My favorite section of the site is the Letters Archive, which features often hilarious email threads between the scammers and "scam baiters" -- volunteers dedicated to stringing the scammers along and exposing them publicly.