A New and Potent Cyber-Scam
August 16, 2016 by Bill Rosenthal

A couple of months back, I discussed with you the BEC, or “business email compromise,” scam. According to an FBI alert, “The schemers go to great lengths to spoof company e-mail or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor. They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy.”

It’s like a phishing attack, with the particular goal of fooling the victim into sending money to the attacker. Now, from IEEE Spectrum, there is a report of a new variation on this scam called “wire-wire.” In this variation, according to security researchers James Bettke and Joe Stewart, the criminals find email addresses of employees and send them legitimate-looking messages that appear to come from within the victim’s own company. A recipient who clicks is infected with malware that takes screenshots and logs keystrokes.

The malware lets the criminal watch what the victim does on the computer, and the criminal uses that vantage point to intercept billing information exchanged with third parties, such as vendor invoices. The criminal then alters the payment details so that the money goes to an account the criminal controls. One of the reasons the criminals love this scam is that it generally takes a long time for the business to recognize it has been robbed: the invoice looks genuine, the payment goes out on schedule, and nothing on the victim’s side complains. The first sign is generally a vendor complaint about an overdue payment.

If you know this is going on, you have a better chance of avoiding being victimized by it. And while I think it is essential to try to keep up with criminal innovations, I don’t believe it is ultimately the right answer. It’s better to put in place policies and procedures that can prevent schemes before they are even invented. Two-step authentication, for example, blunts the wire-wire attack by making a keylogged password useless on its own; a second, out-of-band check before paying any invoice whose bank details differ from what you have on file stops the payment redirection itself, whoever the email appears to come from. It’s also important to provide user training and to field a first response team. But you probably knew I was going to say that :).
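As an added example (not code from the original post, the FBI alert, or the IEEE Spectrum researchers), here is the kind of procedural control that paragraph points at, written as a beneficiary-change check an accounts-payable system could run on every incoming invoice: the bank account and routing number are compared against the vendor master on file, and the sender’s domain is compared against the vendor’s known domain, with look-alike domains flagged separately. The account comparison is the check that catches a wire-wire redirection regardless of who the message appears to come from. The record layouts, field names and all sample data below are constructed for illustration.

```python
"""Beneficiary-change check for incoming invoices.

Added example. VendorRecord/Invoice fields and all sample data are
constructed for illustration; map them onto your own AP system's records.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class VendorRecord:
    """What the business has on file for a vendor (constructed layout)."""
    vendor_id: str
    name: str
    account_number: str
    routing_number: str
    remit_email_domain: str  # domain the vendor normally sends invoices from


@dataclass(frozen=True)
class Invoice:
    """Payment details as parsed from an incoming invoice (constructed layout)."""
    vendor_id: str
    amount: float
    account_number: str
    routing_number: str
    sender_email: str


def normalize_account(value: str) -> str:
    """Drop spaces/dashes so '0123 4567-89' and '0123456789' compare equal."""
    return "".join(ch for ch in value if ch.isalnum()).upper()


def sender_domain(address: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance between domains suggests a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_invoice(inv: Invoice, master: dict[str, VendorRecord]) -> list[str]:
    """Return reasons this invoice must be verified out of band before payment.

    An empty list means every detail matches the vendor master on file.
    Findings are ordered: account, routing, then sender domain.
    """
    findings: list[str] = []
    vendor = master.get(inv.vendor_id)
    if vendor is None:
        return ["no vendor master record to compare against"]

    if normalize_account(inv.account_number) != normalize_account(vendor.account_number):
        findings.append("beneficiary account differs from vendor master")
    if normalize_account(inv.routing_number) != normalize_account(vendor.routing_number):
        findings.append("routing number differs from vendor master")

    dom = sender_domain(inv.sender_email)
    expected = vendor.remit_email_domain.lower()
    if dom != expected:
        if edit_distance(dom, expected) <= 2:
            findings.append(f"sender domain {dom!r} is a look-alike of {expected!r}")
        else:
            findings.append(f"sender domain {dom!r} is not the vendor's {expected!r}")
    return findings


# Constructed sample data: one vendor on file, one genuine invoice and one
# whose bank account was swapped and which arrives from a look-alike domain.
VENDOR_MASTER = {
    "V-1001": VendorRecord("V-1001", "Acme Supply Co.", "0123 4567 89",
                           "123456789", "acme-supply.com"),
}
LEGIT = Invoice("V-1001", 48200.00, "012345678-9", "123456789", "ar@acme-supply.com")
REDIRECTED = Invoice("V-1001", 48200.00, "9988776655", "123456789", "ar@acme-suppiy.com")


if __name__ == "__main__":
    for label, inv in (("legitimate", LEGIT), ("redirected", REDIRECTED)):
        print(label, check_invoice(inv, VENDOR_MASTER) or ["matches vendor master"])
```

Any non-empty result should route the invoice to a human who confirms the new details by calling the vendor on a phone number already on file, never one printed on the suspicious invoice or supplied in the email.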

What is particularly interesting about the wire-wire scam is that it is mostly emanating from Nigeria. Nigeria is so closely associated with ham-handed 419 scams that you might be forgiven for stereotyping its criminals as yokels and fools. But these people are obviously not yokels and fools. Here’s a paragraph from the IEEE Spectrum story: 

Bettke and Stewart estimate that the group they studied has at least 30 members and is likely earning a total of about $3 million a year from the thefts. The scammers appear to be “family men” in their late 20s to 40s who are well-respected, churchgoing figures in their communities. “They’re increasing the economic potential of the region they’re living in by doing this, and I think they feel somewhat of a duty to do this,” Stewart says.

On the other hand, Bettke and Stewart were able to observe this group so closely because one of the criminals had inadvertently infected his or her own computer with the malware used in the scam. So maybe they are yokels and fools after all. But calling them names would be small consolation to you if they robbed you. Audit your security policies now, train your users, field a first response team.