Operation Falcon: Group-IB helps INTERPOL identify Nigerian BEC cybercrime ring members

A global threat hunting and intelligence firm, Group-IB, sponsored an INTERPOL-led Falcon operation targeting Nigeria's business email compromise (BEC) cybercrime gang, dubbed TMT by Group-IB. The arrest of three people in Lagos culminated in a cross-border anti-cybercrime effort involving INTERPOL's Cybercrime Directorate, the Nigerian Police Force, and the APAC Cyber Investigations Team of Group IB. The prolific gang has infiltrated at least 500,000 government and private sector enterprises in more than 150 nations since at least 2017. As some of the gang members remain at large, the investigation continues.

A type of email phishing attack that relies on social engineering is Business Email Compromise (BEC). Phishing emails may be targeted at specific individuals with an entity as part of BEC or sent out en masse. They attempt to steal confidential data, frequently disguised as money transfer requests, HR messages or business proposals.

With the support of Group-IB Cyber Investigations and CERT-GIB teams, the three BEC gang members with the initials «OC» (32 y.o.), «IO» (34 y.o.), and «OI» (35 y.o.) were arrested in Lagos not long ago as part of the Falcon operation by the Nigerian cybercrime police unit. According to the Nigerian Police, the data found on the computers of the arrested TMT members verified their role in the criminal scheme and reported stolen data from at least 50,000 targeted victims.

Pic. 1 Photograph courtesy of INTEPROL

Since 2019, Group-IB has been monitoring the gang and identified that TMT gang members may have compromised about 500,000 government and private sector businesses. Group-IB was also able to determine that the gang is split into subgroups with a number of individuals still at large based on the infrastructure that the attackers use and their techniques. The results of other alleged gang members that Group-IB was able to track were shared with the Cybercrime Directorate of INTERPOL. The inquiry continues.

The study of their activities showed that the gang focuses on mass email phishing campaigns spreading common strains of malware under the pretext of buying orders, product inquiries, and even COVID-19 help impersonating legitimate businesses:

Fig. 1 Sample of the TMT’s phishing email

The attackers send out phishing emails using Gammadyne Mailer and Turbo-Mailer. MailChimp is used to monitor whether the message has been opened by a receiving victim.

Fig. 2 Gammadyne Mailer used by cybercriminals

The gang was also seen using earlier compromised email account to push a new round of phishing attempts. The discovered email samples, detected and analyzed by Group-IB Threat Hunting Framework, were crafted in English, Russian, Spanish, and other languages, depending on the scammers target list.

Fig. 3 The example of the compromised data from the cybercriminals’ logs

Researchers from Group-IB note that the cybercriminals behind these BEC activities rely solely on a range of publicly accessible spyware and remote access (RAT) trojans, such as AgentTesla, Loky, AzoRult, Pony, NetWire, etc. The gang uses public crypters to prevent detection and monitoring by conventional security techniques. TMT-operated malware most frequently interacts with the C&C server of the attackers using SMTP, FTP and HTTP protocols.

The objective of their attacks is to steal browser, email, and FTP clients' authentication data. According to Group-IB info, the gang has managed to infect organizations around the world, including in the US the UK, Singapore, Japan, and even back home in Nigeria over the course of their operations. Although this gang's monetization tactics are still being investigated, selling account access as well as confidential data collected from emails to the highest bidder in the underground markets is not unusual for cybercriminals.

Craig Jones, INTERPOL’s Cybercrime Director highlighted the outstanding cooperation between all those involved in the investigation and underlined the importance of public-private relationships in disrupting virtual crimes.

reference: https://www.interpol.int/en/News-and-Events/News/2020/Three-arrested-as-INTERPOL-Group-IB-and-the-Nigeria-Police-Force-disrupt-prolific-cybercrime-group

"Group-IB is one of Tactical Intelligence Security's strategic partners.

If you want to know more about how Group-IB's solution can help your Business

contact us +233-574-55-09-79 info@taise.tech"