Trend Micro Partners With Interpol and Nigeria EFCC for Operation Killer Bee, Takes Down Nigerian BEC Actors
It starts with the malicious actors scraping the internet for public sites containing email addresses, which will be stored in a text file. They also use tools such as Lite Email Extractor to scrape email addresses. To expand their range of targets the malicious actors also search for specific keywords in Google, such as “LTD PLC” and “manufacturing suppliers.”
After obtaining their list of targets, they may share this information with other malicious actors via Skype and ICQ. Their next step would be either to purchase a VPS server with SMTP, or in some cases, hijack a mail server infected with an information-stealing malware. For the VPS server, they will install Gammadyne or Turbo-Mailer to help them compose the phishing email or spam email with a malicious attachment and then embed the list of email addresses. Before doing so, they may also purchase domains and set it up for phishing activities, (sometimes mimicking an official company site). They may obtain information-stealing malware from the cybercriminal underground — typically via Skype — and request for crypter services and support to configure the C&C server and set up C&C server hosting. When these are ready, the malicious actors will run Gammadyne or Turbo-Mailer and leave it running.
To minimize the chance of leaving traces, the malicious actors access the clean VPS servers — which are leased from bulletproof hosting (BPH) services such as Almahosting — via remote desktop protocol (RDP). The malicious actors will then wait for information from the infected machines that will be sent over to the drop zone or C&C server — for example, Agent Tesla can log the email server credentials, web browser activity, the IP address of the victim, and, in some cases, screenshots of the desktop and keystroke recordings. At this stage, they will consolidate the logs of stolen information or share it with other malicious actors so they can proceed to perform BEC. They try to find weak points in the organization and perform activities such as hijacking the email conversation, tampering with the invoices of their bank account, and follow up with the partners and suppliers of the target companies. They can also log into their victim’s bank account using their credentials and perform wire transfer fraud while monitoring their victims, biding for the right time to perform social engineering techniques, with the eventual goal of having money transferred to the malicious actors’ accounts.
A successful partnership between law enforcement and the private sector
Activities and operations that involve the cooperation of law enforcement and the private sector, such as Operation Killer Bee, allow security organizations and industry experts to provide their skills, resources, and years of experience to law enforcement organizations such as Interpol to augment their strengths in investigating and apprehending malicious actors and cybercrime groups. This partnership has led to many successful cybercriminal takedowns over the past few years.
To this end, we are honored tocollaborate with Interpol, and we hope to continue working with them to strengthen cybersecurity and keep the digital world safe.