Yahoo-Yahoo Busted Cybersecurity Issues in FBI vs Invictus and 80 - - PowerPoint PPT Presentation



SLIDE 1

Yahoo-Yahoo Busted

Cybersecurity Issues in FBI vs Invictus and 80 others

SLIDE 2

Courtesy: https://www.fbi.gov/

SLIDE 3

Invictus Obi (OBINWANNE OKEKE)

  • A spear-phishing attack on the CFO of Unatrac Holding Limited, UK
  • The Unatrac email account was hosted by Microsoft Office365
  • The CFO logged in and supplied his Office365 credentials to the fake logon page
  • The hackers passively took control of his account
  • Fraudulent wire transfer requests were sent from the email to the finance team
  • Folders and filter rules were created to hide the conversation from the CFO
  • 15 fraudulent payments were processed between April 11 and April 19, 2018
  • A total sum of about $11 million was stolen from the company
  • The case was reported to the FBI
  • The phishing mail had a forwarding email address: iconoclast1960@gmail.com
  • The email led the investigator to binwannem@gmail.com, Invictusobi and a Twitter username of "@invictusobi."
  • Other scams aside from Unatrac were uncovered

Type of Cyberattack on the CFO:

  • Spear phishing mail
  • Business Email Compromise
SLIDE 4

FBI and 80 Cyber criminals

  • 252 count charges
  • 80 suspects (77 Nigerians)
  • Main methods used:
      • Business Email Compromise
      • Escrow Fraud
      • Romance Scams

US Banks Involved

  1. Bank of America
  2. BBVA Compass Bancshares, Inc.
  3. CalCom Federal Credit Union
  4. Capital One Bank
  5. Citibank N.A.
  6. Citizens Financial Group
  7. Comerica Bank
  8. J.P. Morgan Chase N.A.
  9. PNC Bank, Regions Financial Corporation
  10. SunTrust Bank
  11. TD Bank N.A.
  12. US Bank N.A.
  13. Wells Fargo Bank
SLIDE 5

Business Email Compromise

  • Business Email Compromise occurs when a hacker gains unauthorized access to a business email account,
  • blocks or redirects communications to and/or from the email account,
  • and then uses the compromised email account or a separate fraudulent email account to communicate with personnel from a victim company,
  • attempting to trick them into making an unauthorized wire transfer.
  • Those techniques include online ploys such as:
      • spear-phishing,
      • social engineering,
      • identity theft,
      • e-mail spoofing,
      • and the use of malware.
SLIDE 6

Escrow Fraud

  • This is a variation of a BEC fraud scheme,
  • in which a hacker may gain unauthorized access to the email account of an escrow company or real estate agent,
  • and then, as the purported seller, communicate with an unsuspecting buyer who is seeking to purchase property,
  • directing the intending buyer to make a down-payment for the purchase of property
  • to a fraudulent bank account, rather than the legitimate bank account of an escrow company.
  • The ”Invictus Group” exploited business schemes where fraudsters hack escrow company email systems, impersonate employees and direct payments that funnel money back to themselves.
  • For example: The FBI stated that emails from REDACTED EMAIL 5 also highlighted specific accounts which were engaged in large pending financial transactions. For example, on October 15, 2018, an email from REDACTED EMAIL 5 to iconoclastl960@gmail.com advised of an upcoming real estate transaction valued at $585,000. In the email, REDACTED EMAIL 5 claimed the buyer had already paid 10%, with a remaining balance due of $526,000. REDACTED EMAIL 5 suggested to iconoclastl960@gmail.com that it would "make sense to tell them go transfer this balance this week prior to next week settlement."

SLIDE 7

Romance Scams

  • These target persons looking for romantic partners or friendship
  • on dating websites and other social media platforms.
  • The scammers may create profiles using fictitious or fake names, locations, images, and personas,
  • allowing the scammers to cultivate false relationships with prospective romance scam victims.
  • Victims may be convinced to provide money or gifts to the scammers,
  • or may be asked to conduct transactions on behalf of the scammers.
  • In March 2016, a man claiming to be a US Army captain stationed in Syria reached out to a Japanese woman on an international site for digital pen pals.
  • Within weeks, their relationship grew into an international romance, with the man sending daily emails in English that she translated via Google. The man, who called himself Terry Garcia, asked for money -- lots of it -- from the woman, identified as FK in federal court documents. Over 10 months, she sent him a total of $200,000 that she borrowed from friends, her ex-husband and other relatives to make her love interest happy.
  • But in reality, Garcia did not exist. It was all an international online scam run by two Nigerian men in the Los Angeles area with the help of associates in their home country and other nations, federal officials say.
  • "FK estimates that she made 35 to 40 payments over the 10 months that she had a relationship with Garcia. During that time, the fraudster(s) emailed her as many as 10 to 15 times each day, and Garcia was asking her to make the payments, so she kept paying to accounts in Turkey

SLIDE 8

How the scam worked

FBI investigators detailed an intricate scam traced to two key suspects who oversaw the fraudulent transfer of at least $6 million and the attempted theft of an additional $40 million. Once co-conspirators, who were based in Nigeria, the United States and other countries, persuaded victims to send money under false pretenses, the two Nigerian men who lived in Southern California coordinated the receipt of funds, the indictment says. The two men provided bank and money-service accounts that received funds obtained from victims and also ran the extensive money-laundering network, the complaint alleges. The two men were arrested. All defendants will face charges of conspiracy to commit fraud, conspiracy to launder money, and aggravated identity theft. Some also will face fraud and money laundering charges.

SLIDE 9

Business Email Compromise - Safeguards

  • Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail. For example, legitimate e-mail of abc_company.com would flag fraudulent e-mail of abc-company.com.
  • Create an e-mail rule to flag e-mail communications where the “reply” e-mail address is different from the “from” e-mail address shown.
  • Color code virtual correspondence so e-mails from employee/internal accounts are one color and e-mails from non-employee/external accounts are another.
  • Verify changes in vendor payment location by adding additional two-factor authentication such as having secondary sign-off by company personnel.
  • The policy on adding new business account details to the encrypted database should require Multi Factor Authentication and several levels of human authentication (most especially from the paying party).
  • Businesses and their clients should discuss with major banking authorities setting up an end-to-end encrypted database for the business account details of those with whom they regularly conduct (or intend to conduct) business transactions. This database will be used for verification before a transfer/transaction is authorized.
  • Confirm requests for transfers of funds by using phone verification as part of a two-factor authentication; use previously known numbers, not the numbers provided in the e-mail request.
  • Carefully scrutinize all e-mail requests for transfer of funds to determine if the requests are out of the ordinary.
  • Continuous training of employees (especially key employees: CEO, CFO, etc.) on how to evade social engineering, phishing attacks, spoofing and other attack mechanisms in use.
  • Implementation of Sender Policy Framework (SPF) to prevent spammers from sending messages on behalf of your domain. With SPF, an organization can publish its authorized email servers.
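The first three safeguards above (look-alike sender domains, a “reply” address that differs from the “from” address, and internal/external tagging) can be combined in one mail-filter check. The following is an added example, not part of the original slides; the function names, flag labels and sample messages are assumptions, and `abc_company.com` is the slide's own example domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "abc_company.com"  # the slide's example of a legitimate domain

def _addr(value):
    """Lower-cased bare address from a header value ('' if absent)."""
    return parseaddr(value or "")[1].lower()

def _skeleton(domain):
    """Drop separators and fold common look-alike characters (0/o, 1/l, rn/m)."""
    folded = re.sub(r"[-_.]", "", domain).translate(str.maketrans("01", "ol"))
    return folded.replace("rn", "m")

def _edit_distance(a, b):
    """Levenshtein distance, to catch single-character swaps or insertions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw_message, company=COMPANY_DOMAIN):
    """Return the safeguard flags raised by one RFC 5322 message."""
    msg = message_from_string(raw_message)
    sender, reply = _addr(msg["From"]), _addr(msg["Reply-To"])
    domain = sender.rpartition("@")[2]
    flags = []
    if domain != company:
        flags.append("external-sender")  # basis for colour coding
        if _skeleton(domain) == _skeleton(company) or _edit_distance(domain, company) <= 2:
            flags.append("lookalike-domain")
    if reply and reply != sender:
        flags.append("reply-to-mismatch")
    return flags

# Constructed sample messages (hypothetical, not taken from the case).
SAMPLES = {
    "internal": "From: CFO <cfo@abc_company.com>\nSubject: Q2 report\n\nAttached.\n",
    "lookalike": "From: CFO <cfo@abc-company.com>\nSubject: Urgent wire\n\nPay today.\n",
    "reply_mismatch": "From: CFO <cfo@abc_company.com>\nReply-To: cfo@mailbox.example\n"
                      "Subject: Wire\n\nReply with bank details.\n",
    "vendor": "From: Sales <sales@supplier.example>\nSubject: Invoice\n\nThanks.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15} {bec_flags(raw)}")
```

A message sent from a genuinely compromised internal mailbox, as in the Unatrac case, raises none of these flags, which is why the phone verification and secondary sign-off safeguards in the list still apply.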

SLIDE 10

Escrow Fraud Safeguards

  • Don’t be pressured into using a particular escrow website or service. Be wary the moment a seller begins to stipulate the escrow site that must be used to complete a transaction.
  • Try to reach customer services by phone. If there is no one on the other end to respond to you, that is a big red flag. An automated or generic message is also a strong indication of a scam. If the escrow website does not list any phone number or address, there is no need to deal with them in the first place.
  • Verify the endorsements listed on the website. It is easy to copy pictures of endorsements and embed them on a fraudulent website. It is therefore essential to verify all endorsements and credentials on an online escrow website before building trust.
  • Take note of the payment system. A legitimate escrow company will always ask you to wire money from your bank to theirs and will provide you with an account number and a routing number.
  • Keep an eye out for copycats. Fraudulent escrow websites will often use a domain name that is close to the real one to trick their victims. Be sure that you have entered the correct URL and have landed on the right website.
  • Run when the words “safe” and “secure” are emphasized. When it comes to choosing a domain name, there are lots of ways scammers shoot themselves in the foot. The first is that too much emphasis is placed on the words “safe” and “secure.” Some push their luck too far by having these words included in their domain name (something like secure-escrow.com). The use of a dash in the domain name of an escrow company is also a red flag.

SLIDE 11

Romance Fraud Safeguards

  • Quickly look out for the signs: establishing a bond quickly, asking a lot of personal questions, asking for financial help, etc.
  • Don’t share personal details. If you share personal information like your full name, date of birth and home address with a stranger, you may not know what they’ll do with it.
  • Don’t send or receive money. If the request is coming from someone you think you know, check with them offline to ensure that it’s really them.
  • Use trusted dating websites. Fraudsters tend to want to take their criminal activity off reputable dating websites as soon as possible. They’re likely to try to convince you to interact with them via social media or text messaging. This is so that the dating website has no proof of them asking you for money.
  • Think twice before using your webcam. Be careful when using your webcam with a new online love interest, even if it’s someone whom you think you know. The footage could be used against you.
  • Trust your instincts. If you feel like something is wrong, it may be. Be careful.

SLIDE 12

THANK YOU