“Operation WireWire—which also included the Department of Homeland Security, the Department of the Treasury, and the U.S. Postal Inspection Service—involved a six-month sweep that culminated in over two weeks of intensified law enforcement activity resulting in 74 arrests in the U.S. and overseas, including 42 in the U.S., 29 in Nigeria, and three in Canada, Mauritius, and Poland. The operation also resulted in the seizure of nearly $2.4 million and the disruption and recovery of approximately $14 million in fraudulent wire transfers.” (DOJ.gov)
Business Email Compromise (BEC) is a type of scam targeting companies who conduct wire transfers and have suppliers abroad. Corporate or publicly available email accounts of executives or high-level employees related to finance or involved with wire transfer payments are either spoofed or compromised through keyloggers or phishing attacks to do fraudulent transfers, resulting in hundreds of thousands of dollars in losses. (Trend Micro)
I’ve seen recent comments in the media about how this DOJ crackdown wouldn’t put a big dent in, or really have an impact on, the problem given the breadth of fraud associated with Business E-mail Compromise, or BEC. I’d imagine those people are looking at aggregate totals from a mile high, not the full scale of the damage to small businesses in our country. Companies have gone out of business, and schools have been attacked by these perpetrators. I can’t say I agree with or support the position that it’s just another arrest to glaze over, like picking off a few credit card skimmers.
The economies of scale of traditional credit card fraud and Business E-mail Compromise bear no direct comparison, given who they impact and the average losses. This issue has never been about mitigating an impact on consumers, as the criminals have always been focused on attacking small to medium-sized businesses. It’s typically the commercial accounts that are vulnerable to this kind of wire transfer fraud anyway, unlike consumer credit cards with the built-in fraud protection of randomly generated numbers and a Visa or Mastercard logo. In these cases, the wires are facilitated directly from the account number being compromised.
Criminals obviously have a lot more to gain from raiding the digital coffers of businesses handling millions in revenue, given that the average consumer credit card limit hovers around a measly $8,000. The average per-incident loss for a successful BEC scam is around $130,000; in comparison, robbing a bank rakes in an average of $3,800. The losses reported per incident for traditional credit card fraud are much lower: in 2014, for example, the median loss was $300 and the average reported loss was $1,343. If you ask somebody crushed by these low numbers with high-volume fraud occurrence, I can see how it wouldn’t make a dent. The reality, however, is that many BEC scams can net over a million dollars from a single source, something that’s impossible for those who live in a world of old-fashioned CC fraud. This isn’t like that time somebody bought a $100 pair of sneakers using my debit card.
Not sure if this is a problem yet? Just ask Google and Facebook, who were both victims in part of a 100+ million dollar scam perpetrated almost entirely by a single individual in Lithuania. There are Nigerian men who have stolen almost 4 million in a short time. If you really want to know, ask Leoni AG, who lost 44 million in a single scam just a few years back. Are these extreme examples of BEC? No, as many go over a million in losses in just a single incident, but almost always hundreds of thousands. The collateral damage from ripping off employees’ Social Security numbers could take a long time to remediate. I don’t need to know the exact figures on the median or average losses to make the connection that attackers with minimal sophistication are pulling it off for huge piles of cash. BEC scammers have operated mostly with impunity before this crackdown effort by the DOJ. If they haven’t, how could the losses possibly add up to 3 billion dollars? They’ve been able to lock up a few here and there, but nothing like the 71 people from this sweep.
Any law enforcement action is welcome, as it’s still protecting companies from scams and sending a clear message to the criminals abroad: if your activity trends upwards, so will the effort to capture you. Not to mention the hands of justice are orienting themselves on how to efficiently take down these networks, opening the door for streamlined enforcement for this type of crime. The DOJ is doing a good job, and I don’t see it as a dog and pony show to drag these scammers out in front of the world. It’s about justice, and showing people in other countries that the internet may be like free plane tickets to communicate overseas, but you can still get arrested where that connection lands, just like you could in an airport. You’ve got to get started sometime, and today works well for tomorrow’s potential victims. I think people who work on the ground in cyber security know that this day is long overdue, and it’s to be celebrated, not shrugged off as a waste of time. I’d never say that; who in my industry would?
This same ‘doesn’t make a difference’ logic, applied to the distribution of illegal narcotics, seems unlikely to be popular: If the DEA were to arrest 50 heroin dealers in Massachusetts, are those actions futile because others will simply step in and take over? Is it not worthwhile because they didn’t make any arrests in Mexico? No. We have the worst drug problem in the entire country. It’s saving lives today and sending a message to bosses and the mules who might consider becoming involved in future criminal activity. Let’s not turn the war on fraud into the war on drugs. Great work out there, folks!